xworm | 3526cd1e1dd45bb9d3153891d5fdca9369a8e96541a45947a5e05b5d03b0b078

Analysis

max time kernel
149s
max time network
158s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 10:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

downloader.exe
Size

70.1MB
MD5

7e65c3e3cf7bc0c2f80216cef3bb542b
SHA1

9a0a990498af53743a4b781b8a33100b4a64121b
SHA256

3526cd1e1dd45bb9d3153891d5fdca9369a8e96541a45947a5e05b5d03b0b078
SHA512

7037c1ae7d260449f5a44f9716589b80455f119af981299654327fed812749e9d6cd82d7225fcc8dd6f9338d7e21099298d9844d5c5020e43d9d7f8c277cce9e
SSDEEP

393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qAsGg4GUo3NP:lWoI7zGC5ahWc3ImN

Score

10^/10

xworm agilenet evasion execution persistence rat themida trojan

Malware Config

Extracted

Family

xworm

Version

5.0

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603

Mutex

XpRJMNcN9dWrZEo0

Attributes

Install_directory
%ProgramData%
install_file
RuntimeBroker.exe

aes.plain

Extracted

Family

xworm

88.0.183.177:1603

88.0.172.65:1603

83.36.190.196:1603

83.38.30.219:1603

Attributes

Install_directory
%Temp%
install_file
SecurityHealthSystray.exe

Signatures

Detect Xworm Payload 11 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016ccd-49.dat	family_xworm
behavioral1/files/0x0008000000016ceb-55.dat	family_xworm
behavioral1/memory/2624-57-0x0000000001200000-0x0000000001210000-memory.dmp	family_xworm
behavioral1/files/0x0006000000016d20-62.dat	family_xworm
behavioral1/memory/2468-60-0x0000000001260000-0x00000000012A2000-memory.dmp	family_xworm
behavioral1/memory/2504-63-0x00000000012D0000-0x00000000012F4000-memory.dmp	family_xworm
behavioral1/memory/2052-192-0x0000000000990000-0x00000000009D2000-memory.dmp	family_xworm
behavioral1/memory/908-199-0x0000000000A20000-0x0000000000A44000-memory.dmp	family_xworm
behavioral1/memory/916-201-0x0000000000970000-0x0000000000980000-memory.dmp	family_xworm
behavioral1/memory/1856-232-0x00000000001E0000-0x0000000000204000-memory.dmp	family_xworm
behavioral1/memory/1992-235-0x0000000000EF0000-0x0000000000F32000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	notepadd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	notepadd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	OneDriveSetup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	OneDriveSetup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
2020	powershell.exe
1124	powershell.exe
1284	powershell.exe
2764	powershell.exe
3060	powershell.exe
2264	powershell.exe
2876	powershell.exe
640	powershell.exe
2244	powershell.exe
1372	powershell.exe
1340	powershell.exe
1528	powershell.exe
2584	powershell.exe
2732	powershell.exe
2576	powershell.exe

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepadd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OneDriveSetup.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSetup.lnk	OneDriveSetup.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDriveSetup.lnk	OneDriveSetup.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe

Executes dropped EXE 14 IoCs

pid	Process
2884	OneDriveSetup.exe
1256	notepadd.exe
2624	RuntimeBroker.exe
2468	SecurityHealthSystray.exe
2504	WmiPrvSE.exe
1772	notepadd.exe
908	WmiPrvSE.exe
2052	SecurityHealthSystray.exe
916	RuntimeBroker.exe
2300	OneDriveSetup.exe
1856	WmiPrvSE.exe
2944	RuntimeBroker.exe
1992	SecurityHealthSystray.exe
1944	OneDriveSetup.exe

Loads dropped DLL 5 IoCs

pid	Process
2884	OneDriveSetup.exe
1256	notepadd.exe
1772	notepadd.exe
2300	OneDriveSetup.exe
1944	OneDriveSetup.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x0009000000015ce6-2.dat	agile_net
behavioral1/memory/2884-5-0x0000000000DB0000-0x00000000014D2000-memory.dmp	agile_net
behavioral1/files/0x0007000000015d79-15.dat	agile_net
behavioral1/memory/1256-18-0x00000000009E0000-0x0000000001156000-memory.dmp	agile_net
behavioral1/memory/1772-69-0x00000000011F0000-0x0000000001966000-memory.dmp	agile_net
behavioral1/memory/2300-202-0x0000000000F40000-0x0000000001662000-memory.dmp	agile_net

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000015d71-11.dat	themida
behavioral1/memory/2884-17-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-20-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/1256-27-0x000007FEED110000-0x000007FEEDC94000-memory.dmp	themida
behavioral1/memory/1256-37-0x000007FEED110000-0x000007FEEDC94000-memory.dmp	themida
behavioral1/memory/1256-64-0x000007FEED110000-0x000007FEEDC94000-memory.dmp	themida
behavioral1/memory/1772-72-0x000007FEEC580000-0x000007FEED104000-memory.dmp	themida
behavioral1/memory/1772-73-0x000007FEEC580000-0x000007FEED104000-memory.dmp	themida
behavioral1/memory/1772-86-0x000007FEEC580000-0x000007FEED104000-memory.dmp	themida
behavioral1/memory/2884-163-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-185-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-186-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2300-205-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2300-206-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-219-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2300-220-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-221-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-222-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-227-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-228-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-229-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/1944-237-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/1944-249-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-250-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-251-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-252-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-254-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida
behavioral1/memory/2884-256-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp	themida

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveSetup = "C:\\Users\\Public\\OneDriveSetup.exe"	OneDriveSetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Users\\Public\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\ProgramData\\RuntimeBroker.exe"	RuntimeBroker.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepadd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	notepadd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OneDriveSetup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	OneDriveSetup.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

pid	Process
2884	OneDriveSetup.exe
1256	notepadd.exe
1772	notepadd.exe
2300	OneDriveSetup.exe
1944	OneDriveSetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
860	schtasks.exe
2444	schtasks.exe
2224	schtasks.exe
1560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2244	powershell.exe
2376	powershell.exe
2020	powershell.exe
1372	powershell.exe
1340	powershell.exe
1124	powershell.exe
2764	powershell.exe
1284	powershell.exe
3060	powershell.exe
1528	powershell.exe
2584	powershell.exe
2732	powershell.exe
2264	powershell.exe
2576	powershell.exe
2876	powershell.exe
640	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	OneDriveSetup.exe
Token: SeDebugPrivilege	2624	RuntimeBroker.exe
Token: SeDebugPrivilege	2468	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2504	WmiPrvSE.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2624	RuntimeBroker.exe
Token: SeDebugPrivilege	2884	OneDriveSetup.exe
Token: SeDebugPrivilege	2504	WmiPrvSE.exe
Token: SeDebugPrivilege	2468	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2052	SecurityHealthSystray.exe
Token: SeDebugPrivilege	908	WmiPrvSE.exe
Token: SeDebugPrivilege	916	RuntimeBroker.exe
Token: SeDebugPrivilege	2300	OneDriveSetup.exe
Token: SeDebugPrivilege	1992	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2944	RuntimeBroker.exe
Token: SeDebugPrivilege	1856	WmiPrvSE.exe
Token: SeDebugPrivilege	1944	OneDriveSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2824	1884	downloader.exe	31
PID 1884 wrote to memory of 2824	1884	downloader.exe	31
PID 1884 wrote to memory of 2824	1884	downloader.exe	31
PID 2824 wrote to memory of 2884	2824	cmd.exe	32
PID 2824 wrote to memory of 2884	2824	cmd.exe	32
PID 2824 wrote to memory of 2884	2824	cmd.exe	32
PID 1884 wrote to memory of 1444	1884	downloader.exe	33
PID 1884 wrote to memory of 1444	1884	downloader.exe	33
PID 1884 wrote to memory of 1444	1884	downloader.exe	33
PID 1444 wrote to memory of 1256	1444	cmd.exe	34
PID 1444 wrote to memory of 1256	1444	cmd.exe	34
PID 1444 wrote to memory of 1256	1444	cmd.exe	34
PID 1256 wrote to memory of 2624	1256	notepadd.exe	35
PID 1256 wrote to memory of 2624	1256	notepadd.exe	35
PID 1256 wrote to memory of 2624	1256	notepadd.exe	35
PID 1256 wrote to memory of 2468	1256	notepadd.exe	36
PID 1256 wrote to memory of 2468	1256	notepadd.exe	36
PID 1256 wrote to memory of 2468	1256	notepadd.exe	36
PID 1256 wrote to memory of 2504	1256	notepadd.exe	37
PID 1256 wrote to memory of 2504	1256	notepadd.exe	37
PID 1256 wrote to memory of 2504	1256	notepadd.exe	37
PID 1884 wrote to memory of 1220	1884	downloader.exe	38
PID 1884 wrote to memory of 1220	1884	downloader.exe	38
PID 1884 wrote to memory of 1220	1884	downloader.exe	38
PID 1220 wrote to memory of 1772	1220	cmd.exe	39
PID 1220 wrote to memory of 1772	1220	cmd.exe	39
PID 1220 wrote to memory of 1772	1220	cmd.exe	39
PID 2884 wrote to memory of 2244	2884	OneDriveSetup.exe	40
PID 2884 wrote to memory of 2244	2884	OneDriveSetup.exe	40
PID 2884 wrote to memory of 2244	2884	OneDriveSetup.exe	40
PID 2624 wrote to memory of 2376	2624	RuntimeBroker.exe	42
PID 2624 wrote to memory of 2376	2624	RuntimeBroker.exe	42
PID 2624 wrote to memory of 2376	2624	RuntimeBroker.exe	42
PID 2504 wrote to memory of 1372	2504	WmiPrvSE.exe	44
PID 2504 wrote to memory of 1372	2504	WmiPrvSE.exe	44
PID 2504 wrote to memory of 1372	2504	WmiPrvSE.exe	44
PID 2468 wrote to memory of 2020	2468	SecurityHealthSystray.exe	45
PID 2468 wrote to memory of 2020	2468	SecurityHealthSystray.exe	45
PID 2468 wrote to memory of 2020	2468	SecurityHealthSystray.exe	45
PID 2624 wrote to memory of 1340	2624	RuntimeBroker.exe	48
PID 2624 wrote to memory of 1340	2624	RuntimeBroker.exe	48
PID 2624 wrote to memory of 1340	2624	RuntimeBroker.exe	48
PID 2884 wrote to memory of 1124	2884	OneDriveSetup.exe	50
PID 2884 wrote to memory of 1124	2884	OneDriveSetup.exe	50
PID 2884 wrote to memory of 1124	2884	OneDriveSetup.exe	50
PID 2468 wrote to memory of 2764	2468	SecurityHealthSystray.exe	52
PID 2468 wrote to memory of 2764	2468	SecurityHealthSystray.exe	52
PID 2468 wrote to memory of 2764	2468	SecurityHealthSystray.exe	52
PID 2504 wrote to memory of 1284	2504	WmiPrvSE.exe	54
PID 2504 wrote to memory of 1284	2504	WmiPrvSE.exe	54
PID 2504 wrote to memory of 1284	2504	WmiPrvSE.exe	54
PID 2624 wrote to memory of 3060	2624	RuntimeBroker.exe	56
PID 2624 wrote to memory of 3060	2624	RuntimeBroker.exe	56
PID 2624 wrote to memory of 3060	2624	RuntimeBroker.exe	56
PID 2884 wrote to memory of 1528	2884	OneDriveSetup.exe	58
PID 2884 wrote to memory of 1528	2884	OneDriveSetup.exe	58
PID 2884 wrote to memory of 1528	2884	OneDriveSetup.exe	58
PID 2504 wrote to memory of 2584	2504	WmiPrvSE.exe	60
PID 2504 wrote to memory of 2584	2504	WmiPrvSE.exe	60
PID 2504 wrote to memory of 2584	2504	WmiPrvSE.exe	60
PID 2468 wrote to memory of 2732	2468	SecurityHealthSystray.exe	61
PID 2468 wrote to memory of 2732	2468	SecurityHealthSystray.exe	61
PID 2468 wrote to memory of 2732	2468	SecurityHealthSystray.exe	61
PID 2624 wrote to memory of 2576	2624	RuntimeBroker.exe	64

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\downloader.exe
"C:\Users\Admin\AppData\Local\Temp\downloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDriveSetup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDriveSetup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDriveSetup.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDriveSetup" /tr "C:\Users\Public\OneDriveSetup.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\notepadd.exe
    "C:\Users\Admin\AppData\Local\Temp\notepadd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\Users\Admin\RuntimeBroker.exe
      "C:\Users\Admin\RuntimeBroker.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\ProgramData\RuntimeBroker.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
  - - C:\Users\Admin\SecurityHealthSystray.exe
      "C:\Users\Admin\SecurityHealthSystray.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1560
  - - C:\Users\Admin\WmiPrvSE.exe
      "C:\Users\Admin\WmiPrvSE.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepadd.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1220
- - C:\Users\Admin\AppData\Local\Temp\notepadd.exe
    "C:\Users\Admin\AppData\Local\Temp\notepadd.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1772

C:\Windows\system32\taskeng.exe
taskeng.exe {ADB0E3F0-F73F-4904-AE0A-455EA3BE92D8} S-1-5-21-3294248377-1418901787-4083263181-1000:FMEDFXFE\Admin:Interactive:[1]
1⤵
PID:1692
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Users\Public\WmiPrvSE.exe
  C:\Users\Public\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Users\Public\OneDriveSetup.exe
  C:\Users\Public\OneDriveSetup.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\ProgramData\RuntimeBroker.exe
  C:\ProgramData\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Users\Public\WmiPrvSE.exe
  C:\Users\Public\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Users\Public\OneDriveSetup.exe
  C:\Users\Public\OneDriveSetup.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\ProgramData\RuntimeBroker.exe
  C:\ProgramData\RuntimeBroker.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8863a9f867fe4dd6ce1658f6cfefbeee

SHA1
14b0d6f61edbcdb2267d71b7323d1490f9330252

SHA256
4437376008384ed9e8fd46cd2a81e0f345a92fb0dae8d6c040069cbc5200eafd

SHA512
c31e8d364611f5c1065eadda2f36a349dada09d286d1df931d6c870d5664ade801575b842ad4045b47c1b59abd3c3c4428c6d6b7c1c0d62f200ea90fc886b7dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c3bd67ec63f13a5036c07effcf7f6108

SHA1
e745aec77496f086821f2c0866ad0b60628ca6ab

SHA256
58a903839bc5e2a1eeb3b3c90535189e360f42115b804d44d0e90dcfd4e5ae0a

SHA512
da42453cfdf053a6518985f5fe67f34fe3d948489824174f9872b22141071515628dc6b57c4b83dc60628d45d4e04f6ea4a9057391b7e09fdc623f0d6ec7086d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF344.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDriveSetup.exe

Filesize
7.1MB

MD5
39c5c9eb7f3f6ebd1cfedb177773a8d1

SHA1
a1833695cbe5ab9cfbd5d4d097634246121c2734

SHA256
bbdef5a4cb10bc47dc4345b9af2debfd17d1bfafdd18e12ae7024cd3001292e7

SHA512
49ca1026e68854df4a04daad5bf37a57b66fc231580eede7dcf2666ffcf1bfce6ada7fc8db38faeec4822c8b08f269426e82b323371356b60ba26eab1448b75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepadd.exe

Filesize
7.4MB

MD5
c694c8301947af8b5c65e6132581044b

SHA1
d1c7cbb77eff86db70df4feae1c2a849fb695b65

SHA256
0e18f1cd01243a43de369982b88a586b585f2dc34f0c8a942f54f21069e5c71c

SHA512
babe000cade9afcc76cf41b0bd064c0124d5a97ff4e3e52024e25ad39fe8f9f26ac3a4027f4194d19ead2a502df4dbc916f1b2f870a14d4a2ae28a3115804775

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\01JIEJW55P5UJUT6H41Z.temp

Filesize
7KB

MD5
04c09f35a00af2477ba2efcffc1103ac

SHA1
a9a3e0046177c8826963480ededdc52df031f9a7

SHA256
adf4d8271898bd03c042a448d4d344c4a36d5cf5a2aba4bb8668a4a908e578c7

SHA512
df84485056bf5a85690b293025376f96da000b3146a6428e31e9e8ce409345a62894ddd0d93f71fdb6780ac545cb18e1065798a82f46b5b6c239e7606d7484de

Download Submit
C:\Users\Admin\RuntimeBroker.exe

Filesize
36KB

MD5
51b33fef6848fd52da62f31ebe64e1a5

SHA1
740fc31cd7b69aacc11a2377f52ef725fc1d3d77

SHA256
058eb738227f17552cedd86fde447ff319d4b354bef777ff8149a9df30dc6e7f

SHA512
c0727a6ee074dff2b5ac36d086ec86660b287e515fe7422cfc947df47328553a99af0812126d2243f4fefd1a784881dc283e8bac65007b77d487756734a4c0d6

Download Submit
C:\Users\Admin\SecurityHealthSystray.exe

Filesize
244KB

MD5
f16d02b68f259d19e504bedd54d59e39

SHA1
d9102d345fceafd22b5b9a69f62e933f79a10a19

SHA256
b062135658f9e98a3dd7ae2cde12de8db784fd87cce6bf4c42aa0e9b3a775877

SHA512
ab0ea68c5dced9a6b2441f58a5ca6392071f82c700692c7438472be253c51eba2f44a0fdeebd18508af9a6e25ad689219c502cd2b7790a2bb7387a840375b007

Download Submit
C:\Users\Admin\WmiPrvSE.exe

Filesize
127KB

MD5
b57e530c98da33302694a3da8d773e31

SHA1
476a5c20a5ae2e644442057635ea2da77c72a311

SHA256
3ff319a9cc09b0b02a5881a55e15d309f47a8d615912434875a9346153bade6b

SHA512
80ef2f24e6090d9c6c9bf9f54d6796a0066f2c90abcdda16c994b3864096678d9f0a98ff2a479b36acc174bc2d7b3ac15b58b9eefbbe6d88a92364f19206fc60

Download Submit
\Users\Admin\AppData\Local\Temp\da610f43-58d7-4a0e-9b4e-969a1a7bd2ca\AgileDotNetRT64.dll

Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
memory/908-199-0x0000000000A20000-0x0000000000A44000-memory.dmp

Filesize
144KB

Download
memory/916-201-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/1256-64-0x000007FEED110000-0x000007FEEDC94000-memory.dmp

Filesize
11.5MB

Download
memory/1256-45-0x000007FEF42C0000-0x000007FEF43EC000-memory.dmp

Filesize
1.2MB

Download
memory/1256-18-0x00000000009E0000-0x0000000001156000-memory.dmp

Filesize
7.5MB

Download
memory/1256-27-0x000007FEED110000-0x000007FEEDC94000-memory.dmp

Filesize
11.5MB

Download
memory/1256-37-0x000007FEED110000-0x000007FEEDC94000-memory.dmp

Filesize
11.5MB

Download
memory/1772-86-0x000007FEEC580000-0x000007FEED104000-memory.dmp

Filesize
11.5MB

Download
memory/1772-69-0x00000000011F0000-0x0000000001966000-memory.dmp

Filesize
7.5MB

Download
memory/1772-72-0x000007FEEC580000-0x000007FEED104000-memory.dmp

Filesize
11.5MB

Download
memory/1772-73-0x000007FEEC580000-0x000007FEED104000-memory.dmp

Filesize
11.5MB

Download
memory/1772-81-0x000007FEF42C0000-0x000007FEF43EC000-memory.dmp

Filesize
1.2MB

Download
memory/1856-232-0x00000000001E0000-0x0000000000204000-memory.dmp

Filesize
144KB

Download
memory/1944-237-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/1944-249-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/1944-248-0x000007FEF42C0000-0x000007FEF43EC000-memory.dmp

Filesize
1.2MB

Download
memory/1992-235-0x0000000000EF0000-0x0000000000F32000-memory.dmp

Filesize
264KB

Download
memory/2052-192-0x0000000000990000-0x00000000009D2000-memory.dmp

Filesize
264KB

Download
memory/2244-93-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2244-88-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2300-206-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2300-220-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2300-218-0x000007FEF42C0000-0x000007FEF43EC000-memory.dmp

Filesize
1.2MB

Download
memory/2300-202-0x0000000000F40000-0x0000000001662000-memory.dmp

Filesize
7.1MB

Download
memory/2300-205-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2468-60-0x0000000001260000-0x00000000012A2000-memory.dmp

Filesize
264KB

Download
memory/2504-63-0x00000000012D0000-0x00000000012F4000-memory.dmp

Filesize
144KB

Download
memory/2624-57-0x0000000001200000-0x0000000001210000-memory.dmp

Filesize
64KB

Download
memory/2884-163-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-186-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-219-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-185-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-221-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-222-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-227-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-228-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-229-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-168-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-120-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp

Filesize
4KB

Download
memory/2884-35-0x000007FEF42C0000-0x000007FEF43EC000-memory.dmp

Filesize
1.2MB

Download
memory/2884-20-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-17-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-6-0x000007FEF5A80000-0x000007FEF646C000-memory.dmp

Filesize
9.9MB

Download
memory/2884-5-0x0000000000DB0000-0x00000000014D2000-memory.dmp

Filesize
7.1MB

Download
memory/2884-4-0x000007FEF5A83000-0x000007FEF5A84000-memory.dmp

Filesize
4KB

Download
memory/2884-250-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-251-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-252-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-253-0x000000001AEB0000-0x000000001AEBC000-memory.dmp

Filesize
48KB

Download
memory/2884-254-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download
memory/2884-255-0x000000001B780000-0x000000001B830000-memory.dmp

Filesize
704KB

Download
memory/2884-256-0x000007FEEDCA0000-0x000007FEEE824000-memory.dmp

Filesize
11.5MB

Download