xworm | 2b60a21a6c9404364d5cdfac590df4c5a5d9b45b2a9f84ad895ae8c7cab74585

Analysis

max time kernel
150s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03-11-2024 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

40KB
MD5

ad4a9bc7b627772f8cda8d736eb359a9
SHA1

8d277f0b7ee2ec780fb90eddd0ef5c11f5346bc1
SHA256

2b60a21a6c9404364d5cdfac590df4c5a5d9b45b2a9f84ad895ae8c7cab74585
SHA512

eea576c5af88a860e436da57c39dd01d40d1e8d937aa7353e1ff131eeeff22731299898035c37abc2f72bdd407797340b994f84ce0e4c2110a982005cace5b78
SSDEEP

768:ztvDRWjEry5lLJKuuwhSYypufFWPa9bZvf6POwhHambK:hvNWjQ2VJKuuwhSjEFv9bZvf6POw1zm

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

performance-ha.gl.at.ply.gg:33365:2137

performance-ha.gl.at.ply.gg:2137

performance-ha.gl.at.ply.gg:2137:2137

127.0.0.1:2137:2137

147.185.221.19:2137

147.185.221.19:2137:2137

147.185.221.19:33365:2137

Mutex

pV2sMK72YBFm09Q1

Attributes

Install_directory
%AppData%
install_file
Wiindows Update.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4040-1-0x00000000008B0000-0x00000000008C0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2568	powershell.exe
2232	powershell.exe
520	powershell.exe
636	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wiindows Update.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wiindows Update.lnk	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wiindows Update = "C:\\Users\\Admin\\AppData\\Roaming\\Wiindows Update.exe"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141414"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A04802DE-9A19-11EF-913D-C6C8B2E6F645} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141414"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1984100068"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1958853149"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1958853149"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.4355\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141414"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437427009"	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2568	powershell.exe
2568	powershell.exe
2232	powershell.exe
2232	powershell.exe
520	powershell.exe
520	powershell.exe
636	powershell.exe
636	powershell.exe
4040	XClient.exe
4040	XClient.exe
4040	XClient.exe
4040	XClient.exe
4040	XClient.exe
4040	XClient.exe
4040	XClient.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4040	XClient.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeIncreaseQuotaPrivilege	2568	powershell.exe
Token: SeSecurityPrivilege	2568	powershell.exe
Token: SeTakeOwnershipPrivilege	2568	powershell.exe
Token: SeLoadDriverPrivilege	2568	powershell.exe
Token: SeSystemProfilePrivilege	2568	powershell.exe
Token: SeSystemtimePrivilege	2568	powershell.exe
Token: SeProfSingleProcessPrivilege	2568	powershell.exe
Token: SeIncBasePriorityPrivilege	2568	powershell.exe
Token: SeCreatePagefilePrivilege	2568	powershell.exe
Token: SeBackupPrivilege	2568	powershell.exe
Token: SeRestorePrivilege	2568	powershell.exe
Token: SeShutdownPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeSystemEnvironmentPrivilege	2568	powershell.exe
Token: SeRemoteShutdownPrivilege	2568	powershell.exe
Token: SeUndockPrivilege	2568	powershell.exe
Token: SeManageVolumePrivilege	2568	powershell.exe
Token: 33	2568	powershell.exe
Token: 34	2568	powershell.exe
Token: 35	2568	powershell.exe
Token: 36	2568	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeIncreaseQuotaPrivilege	2232	powershell.exe
Token: SeSecurityPrivilege	2232	powershell.exe
Token: SeTakeOwnershipPrivilege	2232	powershell.exe
Token: SeLoadDriverPrivilege	2232	powershell.exe
Token: SeSystemProfilePrivilege	2232	powershell.exe
Token: SeSystemtimePrivilege	2232	powershell.exe
Token: SeProfSingleProcessPrivilege	2232	powershell.exe
Token: SeIncBasePriorityPrivilege	2232	powershell.exe
Token: SeCreatePagefilePrivilege	2232	powershell.exe
Token: SeBackupPrivilege	2232	powershell.exe
Token: SeRestorePrivilege	2232	powershell.exe
Token: SeShutdownPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeSystemEnvironmentPrivilege	2232	powershell.exe
Token: SeRemoteShutdownPrivilege	2232	powershell.exe
Token: SeUndockPrivilege	2232	powershell.exe
Token: SeManageVolumePrivilege	2232	powershell.exe
Token: 33	2232	powershell.exe
Token: 34	2232	powershell.exe
Token: 35	2232	powershell.exe
Token: 36	2232	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeIncreaseQuotaPrivilege	520	powershell.exe
Token: SeSecurityPrivilege	520	powershell.exe
Token: SeTakeOwnershipPrivilege	520	powershell.exe
Token: SeLoadDriverPrivilege	520	powershell.exe
Token: SeSystemProfilePrivilege	520	powershell.exe
Token: SeSystemtimePrivilege	520	powershell.exe
Token: SeProfSingleProcessPrivilege	520	powershell.exe
Token: SeIncBasePriorityPrivilege	520	powershell.exe
Token: SeCreatePagefilePrivilege	520	powershell.exe
Token: SeBackupPrivilege	520	powershell.exe
Token: SeRestorePrivilege	520	powershell.exe
Token: SeShutdownPrivilege	520	powershell.exe
Token: SeDebugPrivilege	520	powershell.exe
Token: SeSystemEnvironmentPrivilege	520	powershell.exe
Token: SeRemoteShutdownPrivilege	520	powershell.exe
Token: SeUndockPrivilege	520	powershell.exe
Token: SeManageVolumePrivilege	520	powershell.exe
Token: 33	520	powershell.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
2980	iexplore.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe
4940	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4040	XClient.exe
4940	firefox.exe
2980	iexplore.exe
2980	iexplore.exe
4868	IEXPLORE.EXE
4868	IEXPLORE.EXE
4868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 2568	4040	XClient.exe	84
PID 4040 wrote to memory of 2568	4040	XClient.exe	84
PID 4040 wrote to memory of 2232	4040	XClient.exe	89
PID 4040 wrote to memory of 2232	4040	XClient.exe	89
PID 4040 wrote to memory of 520	4040	XClient.exe	91
PID 4040 wrote to memory of 520	4040	XClient.exe	91
PID 4040 wrote to memory of 636	4040	XClient.exe	93
PID 4040 wrote to memory of 636	4040	XClient.exe	93
PID 4040 wrote to memory of 3164	4040	XClient.exe	96
PID 4040 wrote to memory of 3164	4040	XClient.exe	96
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 1208 wrote to memory of 4940	1208	firefox.exe	106
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107
PID 4940 wrote to memory of 1808	4940	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wiindows Update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wiindows Update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:636
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Wiindows Update" /tr "C:\Users\Admin\AppData\Roaming\Wiindows Update.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1888 -prefsLen 23603 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {660a9e37-238c-4367-b03b-9e626f55c3cb} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" gpu
    3⤵
    PID:1808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2376 -prefsLen 23639 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f42ec9b-cb28-435b-8a87-4cba3b18ba9c} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" socket
    3⤵
    PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3044 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2892 -prefsLen 23780 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f882c081-ada0-42c1-8d2e-8b15d26dfc50} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3804 -childID 2 -isForBrowser -prefsHandle 3792 -prefMapHandle 3784 -prefsLen 29013 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3dd0b77-cde1-42bd-9e5e-4e3bb3637391} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:1736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4552 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4668 -prefMapHandle 4676 -prefsLen 29013 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a18cac1a-0631-4989-81bd-9ccfd4743b19} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" utility
    3⤵
    - Checks processor information in registry
    PID:4576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5248 -childID 3 -isForBrowser -prefsHandle 5240 -prefMapHandle 5236 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ce906dc-cede-4165-b33f-a2b7c5ca4150} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5496 -prefMapHandle 5424 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bad978e9-d2b7-4109-9c9f-354590da7914} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5700 -childID 5 -isForBrowser -prefsHandle 5620 -prefMapHandle 5628 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bda5508b-82aa-43b7-b3e0-2e0dd47d53d0} 4940 "\\.\pipe\gecko-crash-server-pipe.4940" tab
    3⤵
    PID:5884

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\68MRH6MC\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7881103cdd708794b778f794ad4fec02

SHA1
57ad4936e89341cf2bcc7af52f2cd1908084ebd0

SHA256
043dea147183bf3cdf1dfa9a2938661361e70b1b118631f91184122be37941b6

SHA512
c867d5017fe5e153f848bac6da1667411b6a80af50db657f72dbae1ea9dc20b3026ae53beadc2612ea070fe24ddb164a0295b26f808d2973d4cb1a515c90200c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5961a815c0bfd0a47ea76f6b96a9d016

SHA1
8b626a08f2b71ca64abf42790e976406193efc9a

SHA256
f1bfbb67b28e7d8d92b347e484524cf624593f283d3aaeffbac2c6e794c29e6f

SHA512
524280fff2a5ad9ec2a37282700da11e61011044dccd855e5da8c642eee7161ad922316a06da7ef0db02f7b0746aa7280a9b4dc3111b6468c90a35df4851fa73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\mfuo34j5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
4425273c4fdef2cf2984cfd184d373ce

SHA1
ced7dc035e9479814e2a9888d7989a18f7cf672a

SHA256
aea3906488627f865c56d22dc09582309848a672f2d9fe384f292b5776abacde

SHA512
21378b848a221d06ca8e8dfdd62322d9264a5267d1b63a29143de82812cf10f5415a688b29f33fe7e1d5a0e442ee8cc694cde5bed58da9f174e8af81390c5970

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5j1bpwek.2lj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wiindows Update.lnk

Filesize
813B

MD5
9cd2e2338ee5a97782f16b9e66c765c5

SHA1
77974620456609cb2fbcc8dc0e16b8b874ba4fde

SHA256
a7ee985de922bb103d406bc9fcfdaed9f97ac8a081664db44bee830ed6f909a3

SHA512
672ff1b83bd7e65fad8d6f3ca5cfeb89f3f0602f50881267e62a67d8c8d6cdd7d8fc799ef3faefebe17eb15f6dc9bf3eceacf941cd735a2d766302aec7d8ca31

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\AlternateServices.bin

Filesize
6KB

MD5
7c0f7299cc98fa27ce3fc655eb5c0640

SHA1
728aaea0b598e7e84fd360e11be9cd16af42248b

SHA256
3c23c460c23a6ea5f2b3dc625525afc259e8c768ae855d898b876b305c2531aa

SHA512
bff6ff345e2d45cec113c1faf96c99a38ccbb9c6327cb2c44b78a2f8f53eb15e6da152a23d83ca672f8b494351b01ffda7216796c738d974ac54604a6d39a264

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\AlternateServices.bin

Filesize
8KB

MD5
abf13373b0a935be55d739b5c5d4a6bb

SHA1
2aecd2db34b513bc05a6a4f8627e63c989e3b0e1

SHA256
a098ef1141645bf4878a185f4b010ba6d7592321a9b47ff41d4ec98243a6888c

SHA512
5150f6c983d5ac3db48c7cf1148e9686fd8b53a52c7a3ba55d32cf6fb0d9fe1504cef1195c6a86e28dd6294ccf5e545c3548ca31e7d41584654fe77c1d075fc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d63b2a356d183aad7bc8c4e6be50cb52

SHA1
6ffe10ccf0083d099a87d68e88c29f2e0b65a24c

SHA256
1b779a756ec05f5a5daa00b5b8ffd16b26890076c9bc50fe99aee00d68060646

SHA512
4112757288290a8b662b9774c3ec40e985f532d35dc6e1833327eb0d7265d3699a21c6977d3aad0fcc4b35450391d327102fa670b650b78d5692a164d6be62c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
3KB

MD5
0c600af62fc854c59aadf80d4c61c596

SHA1
c3e1a4cee084f4229e5e2bb03d0c58086914696f

SHA256
ec697739459928333076b0833cf88987d2ef35ea00c9ee99bb0c914ae4fa3ba9

SHA512
9e769d590908d97ab72ed141108af097b39563ae63158458b478e1e0bd2a19402e452c08454b72c3a082020f8680babb266c9d5ce3ae7d95442361e57a84af26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\pending_pings\2795f7fb-acac-4f81-814c-335b4a1a1638

Filesize
982B

MD5
6153bdb13ada5d4f8a87b458c9b0c4eb

SHA1
fdf9f1c1445f2a7467e89f49fa389c75ecb561c5

SHA256
a1a26fc47be388d0759d5f5518831310af39e200f2b2661a631b8d63dbee8164

SHA512
ff61d24d5723284aa85074b264a8ead0867552d0e86387142684e496ed6d85fd04b5acba4ad4a68d6374aaa73adc74e787f9a7790874c9d7f572db1a57524fbf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\pending_pings\a6aa653b-b2ed-4585-844c-6c047e4dd3f1

Filesize
27KB

MD5
11f17fb6c051188942550acbec516e43

SHA1
bf73eff813ad61e0f13d50a445e8fb0c97537e2f

SHA256
837a074dba483e0eb3b63a649612963f489063c9f9330136e058b291b1d8236c

SHA512
5429134e529dcd56b695ec97aadae20c36bf2b84ab0f201810234e948b9a045183391caab5d872a680de17ac1b09a392edfe85ffda0200b89b1ee514e25a864b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\datareporting\glean\pending_pings\ea894e81-bf92-4fd7-acfa-492d400d21c2

Filesize
671B

MD5
e5300de343c29b7adb47f62d4cedffad

SHA1
3a97b2293655630725ff858468c8badb9f03111d

SHA256
f8a735a8e90f789f647208c46a5874b4c85be2f5209a1dd66cf915b1efe6ed05

SHA512
22d387cc4ad7366cfd1fd4f0af3c4748ee8d53a5d1631beb30fc1292fc4de853e12f51e336f72b16c25f3632073f46fb6fbdd335b614d9554a5972b6668f7cec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\prefs-1.js

Filesize
10KB

MD5
c6c52444b661cefa10b69c36773254b7

SHA1
093b2b06a5e875411a60b11634478d7f4a7e682c

SHA256
6edb84493421fb630ad4d7169f5453bee9ed477587540736e1bee2bd08a57d14

SHA512
20cb889784bc60102b1e3b11a88baf27bd04a31b67e69da015068785e32145e047c787c8a22a0c0eb7dd108fb7013f1cbc86ae29525f2a1612df2fa56d08caa3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\prefs-1.js

Filesize
10KB

MD5
633da8d3ea648034d556a8bcc67a0698

SHA1
dd464ecc257f2487c324e53e2189a69cfbbfd12f

SHA256
f68b956903602657eb339733f9dc83341617cbb27be11e04753a0a9b81c4e218

SHA512
1a9966ca4e9d8b9748f60ead16c9ed4a020b3f40d6be0e97df849883a512312887930a673fc2489ebc41b17830cf74f881b31cea9a8a1a70ffe1c64444b08013

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\mfuo34j5.default-release\prefs.js

Filesize
10KB

MD5
a565a6bacedff6ab15ed048d1c42d0f4

SHA1
14937b4d5cd015f3d4680f0aeaebe7e3e0a61c15

SHA256
59d78a80ea4a9df81a8868b5ce6fa806d13041ee3884d628365a5ca16d3ca64f

SHA512
be21a1bb9df2ad75dae932cb00ca7735173a2e14747bcc2c0049c25ca1add856bd6f5f46e5f8ea810591a2bfddcd91c15c0e3797673dd95ce941f8872efa3141

Download Submit
C:\Users\Admin\Desktop\ResizePing.pps

Filesize
246KB

MD5
cbccbccb653d53f417d689dcc3b2fe41

SHA1
6be3346bcf9fece43f4addcb769d206d00b765d4

SHA256
47245c2e6d46a9819a7399d6dc97115eee8fac40def2f99a23ddca355a381dde

SHA512
78434aa1df7046cc515caff8c1cc3e225f663824a3cefae195c36d6bac9669eeaeb0d0d6fea227281810ded776dc9ec7ab3591b6018f2cf3c790c0594caa38f9

Download Submit
C:\Users\Admin\Desktop\ResolveStop.mpg

Filesize
297KB

MD5
dd20a50c9c1ed4c0bcca1e261fb6eb5b

SHA1
3eaede567e5ee793e81fa2cbbbb2dcead9d8a2fd

SHA256
a0052c6f70c583496f434f1d64bd09550c56b901d07e604a37ed91407f7d43a5

SHA512
a308f062f99a7db018d14c477fbc212e45789e036e7f17b6521bb2171de80a5c246aaf357206fe1cde83659605efabbf5bd02b9bc57e1127e7d9e58d5bd926e8

Download Submit
memory/2568-13-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-19-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-16-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-15-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-14-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-12-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/2568-7-0x00000209ADC50000-0x00000209ADC72000-memory.dmp

Filesize
136KB

Download
memory/4040-60-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/4040-59-0x00007FF8C1E20000-0x00007FF8C28E2000-memory.dmp

Filesize
10.8MB

Download
memory/4040-54-0x00007FF8C1E23000-0x00007FF8C1E25000-memory.dmp

Filesize
8KB

Download
memory/4040-0-0x00007FF8C1E23000-0x00007FF8C1E25000-memory.dmp

Filesize
8KB

Download
memory/4040-1-0x00000000008B0000-0x00000000008C0000-memory.dmp

Filesize
64KB

Download