Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
  • submitted
    24-08-2024 18:54

General

  • Target

    downloader11.exe

  • Size

    70.1MB

  • MD5

    7e4b04a254d52d6745a5d614ad447636

  • SHA1

    09972b7895437ba28485ed0be0fadc22d6b710b6

  • SHA256

    769e75f011679a606c9a6afbb6380942d08389ace334bfa7399b44bfcbc7db19

  • SHA512

    e85d6e25cdbf6833de0586d477e0fe3741d5223e4f3be8ccc96984dc63eef045ccdf68aaae51c2ff2205da7f911008fbba7915d7553abb5ae92f9bc73c2cc2f8

  • SSDEEP

    393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qRsGg4GUo3N3:lWoI7zGP5ahWc3ImF

Malware Config

Extracted

Family

xworm

C2

83.38.19.195:1603

Attributes
  • Install_directory

    %Temp%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 15 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 9 IoCs
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\downloader11.exe
    "C:\Users\Admin\AppData\Local\Temp\downloader11.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
      2⤵
        PID:2124
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\notepad.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1976
        • C:\Users\Admin\AppData\Local\Temp\notepad.exe
          "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
          3⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Users\Public\OneDrive.exe
            "C:\Users\Public\OneDrive.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\OneDrive.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1904
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2288
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1980
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2420
          • C:\Users\Public\Runtime Broker.exe
            "C:\Users\Public\Runtime Broker.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2756
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1116
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2308
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2512
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:448
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:872
          • C:\Users\Public\svhost.exe
            "C:\Users\Public\svhost.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2568
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1624
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1464
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2276
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:2940
          • C:\Users\Public\WmiPrvSE.exe
            "C:\Users\Public\WmiPrvSE.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2528
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1764
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2896
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2304
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\Users\Public\WmiPrvSE.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:576
          • C:\Users\Public\SecurityHealthSystray.exe
            "C:\Users\Public\SecurityHealthSystray.exe"
            4⤵
            • Drops startup file
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2272
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3024
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1524
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2956
            • C:\Windows\System32\schtasks.exe
              "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1756
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\redline.exe""
        2⤵
          PID:2376
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {43535C7F-18BB-4F13-AC2F-B699BDA212AA} S-1-5-21-3502430532-24693940-2469786940-1000:PSBQWFYT\Admin:Interactive:[1]
        1⤵
          PID:1196
          • C:\ProgramData\svhost.exe
            C:\ProgramData\svhost.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3056
          • C:\Users\Public\WmiPrvSE.exe
            C:\Users\Public\WmiPrvSE.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2952
          • C:\ProgramData\SecurityHealthSystray.exe
            C:\ProgramData\SecurityHealthSystray.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2348
          • C:\ProgramData\svhost.exe
            C:\ProgramData\svhost.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1776
          • C:\ProgramData\SecurityHealthSystray.exe
            C:\ProgramData\SecurityHealthSystray.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:844
          • C:\Users\Public\WmiPrvSE.exe
            C:\Users\Public\WmiPrvSE.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2836
          • C:\ProgramData\svhost.exe
            C:\ProgramData\svhost.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1560
          • C:\Users\Public\WmiPrvSE.exe
            C:\Users\Public\WmiPrvSE.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:948
          • C:\ProgramData\SecurityHealthSystray.exe
            C:\ProgramData\SecurityHealthSystray.exe
            2⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1540

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\e6acf542-692a-4eeb-8143-80ce8cd764ce\AgileDotNetRT64.dll

          Filesize

          4.2MB

        • C:\Users\Admin\AppData\Local\Temp\notepad.exe

          Filesize

          7.7MB

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk

          Filesize

          981B

        • C:\Users\Public\OneDrive.exe

          Filesize

          158KB

        • C:\Users\Public\Runtime Broker.exe

          Filesize

          61KB

        • C:\Users\Public\SecurityHealthSystray.exe

          Filesize

          250KB

        • C:\Users\Public\WmiPrvSE.exe

          Filesize

          127KB

        • C:\Users\Public\svhost.exe

          Filesize

          63KB

        • \??\PIPE\srvsvc
