xworm | 8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f

Analysis

max time kernel
139s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2024, 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

notepad.exe
Size

909KB
MD5

74b16801ca2365d3b29e6194237c665a
SHA1

9d172c5a08c68e8134eaad60063071662afd5057
SHA256

8716b0aec344d67da46449589ef1d169b42e0f038ba28392825b10a611a0fb3f
SHA512

8201c89ce2e7eab9b5bfe3f8da956c73604261e83a3bf5d267be6a9b44790ec714e22a0ddfbc9fd009395893ef68864e5fac54172aceb568aec2270de6700567
SSDEEP

24576:7/dTDkoRaidakIYibePZUM+TrxT1sS5GJ:7xDkoRaFYibE0TFJH5W

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

83.38.24.1:1603

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Signatures

Detect Xworm Payload 10 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b24-5.dat	family_xworm
behavioral2/files/0x000a000000023b81-24.dat	family_xworm
behavioral2/files/0x000a000000023b82-28.dat	family_xworm
behavioral2/files/0x000a000000023b84-58.dat	family_xworm
behavioral2/files/0x000a000000023b83-57.dat	family_xworm
behavioral2/memory/3620-63-0x00000000007A0000-0x00000000007C4000-memory.dmp	family_xworm
behavioral2/memory/4196-62-0x0000000000B20000-0x0000000000B62000-memory.dmp	family_xworm
behavioral2/memory/2672-61-0x0000000000720000-0x0000000000744000-memory.dmp	family_xworm
behavioral2/memory/5000-52-0x0000000000FC0000-0x0000000000FF0000-memory.dmp	family_xworm
behavioral2/memory/3144-32-0x0000000000390000-0x00000000003BA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
3776	powershell.exe
1560	powershell.exe
4184	powershell.exe
2740	powershell.exe
2764	powershell.exe
1912	powershell.exe
1212	powershell.exe
1108	powershell.exe
4432	powershell.exe
340	powershell.exe
2488	powershell.exe
2112	powershell.exe
3120	powershell.exe
2040	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SecurityHealthSystray.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WmiPrvSE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	regedit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	notepad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	SearchFilterHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	OneDrive.exe

Drops startup file 10 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk	SecurityHealthSystray.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk	WmiPrvSE.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk	SearchFilterHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk	regedit.exe

Executes dropped EXE 15 IoCs

pid	Process
5000	OneDrive.exe
3144	SearchFilterHost.exe
4196	SecurityHealthSystray.exe
3620	WmiPrvSE.exe
2672	regedit.exe
1212	OneDrive.exe
5056	SecurityHealthSystray.exe
4352	SearchFilterHost.exe
208	regedit.exe
3756	WmiPrvSE.exe
4360	WmiPrvSE.exe
2848	OneDrive.exe
2168	SecurityHealthSystray.exe
4244	SearchFilterHost.exe
4756	regedit.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\regedit = "C:\\Users\\Public\\regedit.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\ProgramData\\WmiPrvSE.exe"	WmiPrvSE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\ProgramData\\SecurityHealthSystray.exe"	SecurityHealthSystray.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchFilterHost = "C:\\Users\\Admin\\SearchFilterHost.exe"	SearchFilterHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Runs regedit.exe 3 IoCs

pid	Process
2672	regedit.exe
208	regedit.exe
4756	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2312	schtasks.exe
2292	schtasks.exe
4672	schtasks.exe
3004	schtasks.exe
3156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2740	powershell.exe
2740	powershell.exe
2040	powershell.exe
2040	powershell.exe
2740	powershell.exe
2040	powershell.exe
2316	powershell.exe
2316	powershell.exe
1912	powershell.exe
1912	powershell.exe
2764	powershell.exe
2764	powershell.exe
1912	powershell.exe
2764	powershell.exe
2172	taskmgr.exe
2172	taskmgr.exe
2316	powershell.exe
2172	taskmgr.exe
1560	powershell.exe
1560	powershell.exe
1212	powershell.exe
1212	powershell.exe
1108	powershell.exe
1108	powershell.exe
4432	powershell.exe
4432	powershell.exe
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
1212	powershell.exe
1560	powershell.exe
2172	taskmgr.exe
1108	powershell.exe
4432	powershell.exe
2488	powershell.exe
2488	powershell.exe
340	powershell.exe
340	powershell.exe
340	powershell.exe
4184	powershell.exe
4184	powershell.exe
2112	powershell.exe
2112	powershell.exe
4184	powershell.exe
3120	powershell.exe
3120	powershell.exe
2172	taskmgr.exe
2172	taskmgr.exe
2488	powershell.exe
2112	powershell.exe
3120	powershell.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	SearchFilterHost.exe
Token: SeDebugPrivilege	5000	OneDrive.exe
Token: SeDebugPrivilege	4196	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2672	regedit.exe
Token: SeDebugPrivilege	3620	WmiPrvSE.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2172	taskmgr.exe
Token: SeSystemProfilePrivilege	2172	taskmgr.exe
Token: SeCreateGlobalPrivilege	2172	taskmgr.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4196	SecurityHealthSystray.exe
Token: SeDebugPrivilege	2672	regedit.exe
Token: SeDebugPrivilege	3144	SearchFilterHost.exe
Token: SeDebugPrivilege	5000	OneDrive.exe
Token: SeDebugPrivilege	3620	WmiPrvSE.exe
Token: 33	2172	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2172	taskmgr.exe
Token: SeDebugPrivilege	1212	OneDrive.exe
Token: SeDebugPrivilege	5056	SecurityHealthSystray.exe
Token: SeDebugPrivilege	4352	SearchFilterHost.exe
Token: SeDebugPrivilege	208	regedit.exe
Token: SeDebugPrivilege	3756	WmiPrvSE.exe
Token: SeDebugPrivilege	4360	WmiPrvSE.exe
Token: SeDebugPrivilege	2848	OneDrive.exe
Token: SeDebugPrivilege	2168	SecurityHealthSystray.exe
Token: SeDebugPrivilege	4244	SearchFilterHost.exe
Token: SeDebugPrivilege	4756	regedit.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe
2172	taskmgr.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 5000	316	notepad.exe	84
PID 316 wrote to memory of 5000	316	notepad.exe	84
PID 316 wrote to memory of 3144	316	notepad.exe	85
PID 316 wrote to memory of 3144	316	notepad.exe	85
PID 316 wrote to memory of 4196	316	notepad.exe	86
PID 316 wrote to memory of 4196	316	notepad.exe	86
PID 316 wrote to memory of 3620	316	notepad.exe	87
PID 316 wrote to memory of 3620	316	notepad.exe	87
PID 316 wrote to memory of 2672	316	notepad.exe	88
PID 316 wrote to memory of 2672	316	notepad.exe	88
PID 3144 wrote to memory of 2740	3144	SearchFilterHost.exe	95
PID 3144 wrote to memory of 2740	3144	SearchFilterHost.exe	95
PID 5000 wrote to memory of 2040	5000	OneDrive.exe	97
PID 5000 wrote to memory of 2040	5000	OneDrive.exe	97
PID 4196 wrote to memory of 1912	4196	SecurityHealthSystray.exe	99
PID 4196 wrote to memory of 1912	4196	SecurityHealthSystray.exe	99
PID 3620 wrote to memory of 2764	3620	WmiPrvSE.exe	100
PID 3620 wrote to memory of 2764	3620	WmiPrvSE.exe	100
PID 2672 wrote to memory of 2316	2672	regedit.exe	101
PID 2672 wrote to memory of 2316	2672	regedit.exe	101
PID 3620 wrote to memory of 4432	3620	WmiPrvSE.exe	106
PID 3620 wrote to memory of 4432	3620	WmiPrvSE.exe	106
PID 3144 wrote to memory of 1560	3144	SearchFilterHost.exe	107
PID 3144 wrote to memory of 1560	3144	SearchFilterHost.exe	107
PID 5000 wrote to memory of 1212	5000	OneDrive.exe	108
PID 5000 wrote to memory of 1212	5000	OneDrive.exe	108
PID 2672 wrote to memory of 1108	2672	regedit.exe	109
PID 2672 wrote to memory of 1108	2672	regedit.exe	109
PID 4196 wrote to memory of 3776	4196	SecurityHealthSystray.exe	113
PID 4196 wrote to memory of 3776	4196	SecurityHealthSystray.exe	113
PID 5000 wrote to memory of 4184	5000	OneDrive.exe	116
PID 5000 wrote to memory of 4184	5000	OneDrive.exe	116
PID 4196 wrote to memory of 340	4196	SecurityHealthSystray.exe	118
PID 4196 wrote to memory of 340	4196	SecurityHealthSystray.exe	118
PID 3144 wrote to memory of 2488	3144	SearchFilterHost.exe	119
PID 3144 wrote to memory of 2488	3144	SearchFilterHost.exe	119
PID 2672 wrote to memory of 2112	2672	regedit.exe	123
PID 2672 wrote to memory of 2112	2672	regedit.exe	123
PID 3620 wrote to memory of 3120	3620	WmiPrvSE.exe	125
PID 3620 wrote to memory of 3120	3620	WmiPrvSE.exe	125
PID 5000 wrote to memory of 4672	5000	OneDrive.exe	129
PID 5000 wrote to memory of 4672	5000	OneDrive.exe	129
PID 4196 wrote to memory of 3004	4196	SecurityHealthSystray.exe	128
PID 4196 wrote to memory of 3004	4196	SecurityHealthSystray.exe	128
PID 3144 wrote to memory of 3156	3144	SearchFilterHost.exe	130
PID 3144 wrote to memory of 3156	3144	SearchFilterHost.exe	130
PID 2672 wrote to memory of 2312	2672	regedit.exe	133
PID 2672 wrote to memory of 2312	2672	regedit.exe	133
PID 3620 wrote to memory of 2292	3620	WmiPrvSE.exe	136
PID 3620 wrote to memory of 2292	3620	WmiPrvSE.exe	136

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\notepad.exe
"C:\Users\Admin\AppData\Local\Temp\notepad.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4184
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4672
- C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe
  "C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\SearchFilterHost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SearchFilterHost" /tr "C:\Users\Admin\SearchFilterHost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3156
- C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
  "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\SecurityHealthSystray.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SecurityHealthSystray" /tr "C:\ProgramData\SecurityHealthSystray.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3004
- C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe
  "C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WmiPrvSE" /tr "C:\ProgramData\WmiPrvSE.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\regedit.exe
  "C:\Users\Admin\AppData\Local\Temp\regedit.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Runs regedit.exe
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\regedit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "regedit" /tr "C:\Users\Public\regedit.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2172

C:\Users\Admin\OneDrive.exe
C:\Users\Admin\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\ProgramData\SecurityHealthSystray.exe
C:\ProgramData\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\SearchFilterHost.exe
C:\Users\Admin\SearchFilterHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Users\Public\regedit.exe
C:\Users\Public\regedit.exe
1⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\ProgramData\WmiPrvSE.exe
C:\ProgramData\WmiPrvSE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\ProgramData\WmiPrvSE.exe
C:\ProgramData\WmiPrvSE.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Users\Admin\OneDrive.exe
C:\Users\Admin\OneDrive.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\ProgramData\SecurityHealthSystray.exe
C:\ProgramData\SecurityHealthSystray.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Users\Admin\SearchFilterHost.exe
C:\Users\Admin\SearchFilterHost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Users\Public\regedit.exe
C:\Users\Public\regedit.exe
1⤵
- Executes dropped EXE
- Runs regedit.exe
- Suspicious use of AdjustPrivilegeToken
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e58749a7a1826f6ea62df1e2ef63a32b

SHA1
c0bca21658b8be4f37b71eec9578bfefa44f862d

SHA256
0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

SHA512
4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
163KB

MD5
abd4141118794cd94979dc12bcded7b7

SHA1
27b11caedb23ea8dab4f36f5865a96e6e7f55806

SHA256
be9f4292935c19f00dcf2a6e09bc63f50cf7caad0d8ea0a45ed7bf86fb14e904

SHA512
d4ddda6b8ac66683e78b78360326ee50edf5edc8278a2f82e414545d4dd2a3d5e4269fe1dd884926b2e6d7e52af030f0b66fcca50cad77b8a31837ff482c4809

Download Submit
C:\Users\Admin\AppData\Local\Temp\SearchFilterHost.exe

Filesize
145KB

MD5
40324e8a46ec891bcb5300f51ddfc335

SHA1
bc5c53d890371bd472c707da8e84c3925bf077d5

SHA256
cc7bcd68ad32d8490fd2d5217b5bace0068a7ebf96831f0373d88e27e6a3ff2c

SHA512
5b2c618234a6b14ea377604f08dd3c6f193be4f593f18b38ff9a3b88f939d61934c3ec4efca91ff98791051eeb79a53315168bfa0fe8466b60249f3bde9b86de

Download Submit
C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe

Filesize
243KB

MD5
f32ac010fcdbc8f8a5582c339ec9d9ea

SHA1
20c06c5a174504c4e28c9aa0b51a62ab8f5c70cb

SHA256
88835382ffaf3f7f0730a0a7edab3d3214cbbfdbc35e7269b80a6bd05b7edd18

SHA512
9798b196315a1e463105b811a0937f763ae21826fa9bd9f346059b5f0a573d48a6f4ed7174fb4551a4ae7ccd089c9cae90c30b38ef6e7c12e896138a0fcaa8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmiPrvSE.exe

Filesize
124KB

MD5
16caf66537fe87d8d9b6a4eb34d9dbff

SHA1
4a399f4229ea5b27963d467223fd4ceb89e545f5

SHA256
64cc787990be5cdc1c25f5cdbfd2a0e93d4c68a888fefa0b7e2b0d12cea4de26

SHA512
a034dba721d36b5396dbe08a581d06c692c84edb0946e45073a8e3eb78a685ad42011b8ffa970190e673e94350dc1feef8d8f51908b53bc23a80536f75bba9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_41owjl3u.h0b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\regedit.exe

Filesize
121KB

MD5
005b549e8fa8f966d1c0ce845cfaffce

SHA1
4dc69fa135bec170229863f4d7320b402698cef1

SHA256
8befb7faacdffeb7dd84b629ec7066ed1baf3947a6ed8c1ac8432335e3b2828b

SHA512
1169ec7a0628a03ecb8a924527fa03dd0d391f9d0bf2a537e9ee7022265bfeba57b85759507fbc4962f10a5f43f2ea86d8c18cbf00aa8f5b9a2323174a9663ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk

Filesize
783B

MD5
8e3c31325790c5418657fe50d936f4a8

SHA1
04e1063b04907c93269286a60ed198768491b108

SHA256
227c25883ffc28cf154fd92884fe7253b7769c64f282ce8c898fad20c67eebe8

SHA512
ec7bab50587de30661e6fa137c430ad2609c51e829a3ce5745c153e009bda867deff10e134e3c09ed2b923302bedf639e34ad7287cd2bb1c81d41628726bf66d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SearchFilterHost.lnk

Filesize
823B

MD5
5a86bfe96ef874d7a69974f8dde44a80

SHA1
dee6d8af0785c88dc481559db443914dff6a9b32

SHA256
f18900a290bfb96d79d554bddf006c304e0fa0de6d2850e19d0b2b181ee61861

SHA512
61c9c061612c2b86f83432cbbaa62aac75d5a0f3b438ff60df4ed4d939497d1cd6d7dac510cb425701f5e27a6177181d71a80de66a85a1f4c91c1f1621cc3b62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecurityHealthSystray.lnk

Filesize
742B

MD5
c5bc6d0e8e8d40407bf51dfefcd23036

SHA1
9198fd45be6e5420bce2b91cc94bf6251bf6addf

SHA256
bbec2291692df2ecfac54df006b793aa43274a44e45c6bc7eadcc536243f2238

SHA512
b70292115221ccd69743bb87d7d587dd379a64becd9088f57961bf9e94f666de3c59d815aece6fc6240d4da45c155c81f44e185957ac472e5448b41811da8c12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WmiPrvSE.lnk

Filesize
677B

MD5
26738a94136bf929ae077786c0a9b58d

SHA1
de3a001fb01d56a3b733bac8b94f9fd86073328b

SHA256
b7d24ef9dc78574083633f78a6163eb8c1d46114cc7a2cf82a4f1d98bfd24c0c

SHA512
ef76f9f27dc85bd8bd928c2831a0ca56ba686bf7de7698b74db4ecb5206a5f8cadaabb433484a06ffd6c9cc5700c7f5c2f6cae8b88379dd86b06ddd9c15fc633

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\regedit.lnk

Filesize
984B

MD5
0f3cff8ca58419f437b07d9a3a762dfb

SHA1
8db415d806d1fa4cd4ae08f2c3c2cb80a4fa9beb

SHA256
dc820e226e34a139662366a1881af3eabdc445db93a5a3ad577d496ea5c04b62

SHA512
e62e54109678cbc452eac0373a0c1ce849e0854ce165c173b3f945cde15f17901f32770d816810aa419e7455c5c8adcfcc1b0ea0c59d034211c5625c545e650d

Download Submit
memory/316-1-0x0000000000D40000-0x0000000000E28000-memory.dmp

Filesize
928KB

Download
memory/316-0-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/2172-124-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-134-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-133-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-132-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-131-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-130-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-128-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-129-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-122-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2172-123-0x00000239E4920000-0x00000239E4921000-memory.dmp

Filesize
4KB

Download
memory/2672-61-0x0000000000720000-0x0000000000744000-memory.dmp

Filesize
144KB

Download
memory/2740-74-0x000002090C040000-0x000002090C062000-memory.dmp

Filesize
136KB

Download
memory/3144-64-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/3144-32-0x0000000000390000-0x00000000003BA000-memory.dmp

Filesize
168KB

Download
memory/3144-294-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/3144-290-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/3144-295-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/3620-63-0x00000000007A0000-0x00000000007C4000-memory.dmp

Filesize
144KB

Download
memory/4196-62-0x0000000000B20000-0x0000000000B62000-memory.dmp

Filesize
264KB

Download
memory/5000-255-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download
memory/5000-52-0x0000000000FC0000-0x0000000000FF0000-memory.dmp

Filesize
192KB

Download
memory/5000-60-0x00007FFF703D0000-0x00007FFF70E91000-memory.dmp

Filesize
10.8MB

Download