xworm | a23fdeddb683f716be744ef3fe9a8ce2c87b02f5e5c1f6c8bdb70881de528304

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf79ab31cc7f483d3b8572ef14b47804.exe
Size

4.3MB
MD5

cf79ab31cc7f483d3b8572ef14b47804
SHA1

aea4389610858f29651d64e803966aa2c73fd066
SHA256

1ee95a58aee1db0ccfc2b2e9b101709f900424fc09dfb7546a05e10af585e94e
SHA512

298bb3423ebc4c36f9e995c6c19062e7f690c2a25cf5ff863c1763168408cd9e79f3c8ca903be807d923e2c0f3be3adafb5ea448e96ab0799be658bb6d71d4b1
SSDEEP

98304:QPisBEKH5f3TsmgXBoRapwAY5hB+MgTFDraS:QPisBEKH53TsmlRapwAY/B+xBZ

Score

10^/10

xworm defense_evasion execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/kwXPsDF3

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral25/files/0x0003000000005665-671.dat	family_xworm
behavioral25/memory/844-672-0x0000000000B80000-0x0000000000B94000-memory.dmp	family_xworm
behavioral25/memory/844-680-0x0000000000B80000-0x0000000000B94000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1592	powershell.exe
3044	powershell.exe
2984	powershell.exe
1596	powershell.exe
1800	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Executes dropped EXE 7 IoCs

pid	Process
2640	zrlhyk1m.l40.exe
2840	taskhostw.exe
2532	vysnfsf1.vuy.exe
844	WizClient.exe
2808	XBinder v2.exe
2124	WizClient.exe
1884	WizClient.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
1764	cf79ab31cc7f483d3b8572ef14b47804.exe
1764	cf79ab31cc7f483d3b8572ef14b47804.exe
2840	taskhostw.exe
2840	taskhostw.exe
2840	taskhostw.exe
1152	Explorer.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\ProgramData\\WizClient.exe"	WizClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 40 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
10	pastebin.com
20	pastebin.com
44	pastebin.com
45	pastebin.com
12	pastebin.com
14	pastebin.com
15	pastebin.com
37	pastebin.com
41	pastebin.com
7	discord.com
16	pastebin.com
17	pastebin.com
18	pastebin.com
19	pastebin.com
21	pastebin.com
24	pastebin.com
29	pastebin.com
36	pastebin.com
46	pastebin.com
6	discord.com
13	pastebin.com
23	pastebin.com
27	pastebin.com
30	pastebin.com
38	pastebin.com
43	pastebin.com
32	pastebin.com
33	pastebin.com
39	pastebin.com
11	pastebin.com
26	pastebin.com
34	pastebin.com
40	pastebin.com
42	pastebin.com
22	pastebin.com
25	pastebin.com
28	pastebin.com
31	pastebin.com
35	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\Tasks\WizClient	svchost.exe
File created	C:\Windows\System32\Tasks\Masoncf79ab31cc7f483d3b8572ef14b47804.exe	svchost.exe
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineCoreUAC{78F388DB-0303-409E-A80B-51537E33362A}	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\WizClient	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Masoncf79ab31cc7f483d3b8572ef14b47804.exe	svchost.exe
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE
File created	C:\Windows\System32\Tasks\Masontaskhostw.exe	svchost.exe
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineCoreUAC{78F388DB-0303-409E-A80B-51537E33362A}	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\Tasks\Masontaskhostw.exe	svchost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
228	schtasks.exe
2656	SCHTASKS.exe
1524	SCHTASKS.exe
840	SCHTASKS.exe
1256	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe
2640	zrlhyk1m.l40.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	XBinder v2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	cf79ab31cc7f483d3b8572ef14b47804.exe
Token: SeDebugPrivilege	2640	zrlhyk1m.l40.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe
Token: SeSecurityPrivilege	864	svchost.exe
Token: SeTakeOwnershipPrivilege	864	svchost.exe
Token: SeLoadDriverPrivilege	864	svchost.exe
Token: SeSystemtimePrivilege	864	svchost.exe
Token: SeBackupPrivilege	864	svchost.exe
Token: SeRestorePrivilege	864	svchost.exe
Token: SeShutdownPrivilege	864	svchost.exe
Token: SeSystemEnvironmentPrivilege	864	svchost.exe
Token: SeUndockPrivilege	864	svchost.exe
Token: SeManageVolumePrivilege	864	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	864	svchost.exe
Token: SeIncreaseQuotaPrivilege	864	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1152	Explorer.EXE
1152	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1152	Explorer.EXE
1152	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
652	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2640	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	31
PID 1764 wrote to memory of 2640	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	31
PID 1764 wrote to memory of 2640	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	31
PID 2640 wrote to memory of 432	2640	zrlhyk1m.l40.exe	5
PID 2640 wrote to memory of 476	2640	zrlhyk1m.l40.exe	6
PID 2640 wrote to memory of 492	2640	zrlhyk1m.l40.exe	7
PID 2640 wrote to memory of 500	2640	zrlhyk1m.l40.exe	8
PID 2640 wrote to memory of 616	2640	zrlhyk1m.l40.exe	9
PID 2640 wrote to memory of 692	2640	zrlhyk1m.l40.exe	10
PID 2640 wrote to memory of 776	2640	zrlhyk1m.l40.exe	11
PID 2640 wrote to memory of 824	2640	zrlhyk1m.l40.exe	12
PID 2640 wrote to memory of 864	2640	zrlhyk1m.l40.exe	13
PID 2640 wrote to memory of 980	2640	zrlhyk1m.l40.exe	15
PID 2640 wrote to memory of 292	2640	zrlhyk1m.l40.exe	16
PID 2640 wrote to memory of 1068	2640	zrlhyk1m.l40.exe	17
PID 2640 wrote to memory of 1080	2640	zrlhyk1m.l40.exe	18
PID 2640 wrote to memory of 1100	2640	zrlhyk1m.l40.exe	19
PID 2640 wrote to memory of 1152	2640	zrlhyk1m.l40.exe	20
PID 2640 wrote to memory of 1180	2640	zrlhyk1m.l40.exe	21
PID 2640 wrote to memory of 1380	2640	zrlhyk1m.l40.exe	23
PID 2640 wrote to memory of 1572	2640	zrlhyk1m.l40.exe	24
PID 2640 wrote to memory of 268	2640	zrlhyk1m.l40.exe	25
PID 2640 wrote to memory of 2972	2640	zrlhyk1m.l40.exe	26
PID 2640 wrote to memory of 1796	2640	zrlhyk1m.l40.exe	27
PID 2640 wrote to memory of 1920	2640	zrlhyk1m.l40.exe	28
PID 2640 wrote to memory of 1764	2640	zrlhyk1m.l40.exe	30
PID 1764 wrote to memory of 2656	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	32
PID 1764 wrote to memory of 2656	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	32
PID 1764 wrote to memory of 2656	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	32
PID 2640 wrote to memory of 2656	2640	zrlhyk1m.l40.exe	32
PID 2640 wrote to memory of 2656	2640	zrlhyk1m.l40.exe	32
PID 2640 wrote to memory of 1460	2640	zrlhyk1m.l40.exe	33
PID 1764 wrote to memory of 1524	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	34
PID 1764 wrote to memory of 1524	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	34
PID 1764 wrote to memory of 1524	1764	cf79ab31cc7f483d3b8572ef14b47804.exe	34
PID 2640 wrote to memory of 1524	2640	zrlhyk1m.l40.exe	34
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 492 wrote to memory of 1764	492	lsass.exe	30
PID 616 wrote to memory of 1716	616	svchost.exe	36
PID 616 wrote to memory of 1716	616	svchost.exe	36
PID 616 wrote to memory of 1716	616	svchost.exe	36
PID 2640 wrote to memory of 1716	2640	zrlhyk1m.l40.exe	36
PID 2640 wrote to memory of 1716	2640	zrlhyk1m.l40.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 1716	492	lsass.exe	36
PID 492 wrote to memory of 292	492	lsass.exe	16
PID 616 wrote to memory of 1060	616	svchost.exe	37
PID 616 wrote to memory of 1060	616	svchost.exe	37
PID 616 wrote to memory of 1060	616	svchost.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:616
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1572
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:268
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks BIOS information in registry
    - Checks processor information in registry
    PID:1716
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
    3⤵
    PID:1060
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2592
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:692
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:776
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1068
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1920
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {105DBA47-4484-40E3-AB05-19BB93B8F0A7} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
    3⤵
    PID:2848
  - - C:\ProgramData\taskhostw.exe
      C:\ProgramData\taskhostw.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\vysnfsf1.vuy.exe
        
        "C:\Users\Admin\AppData\Local\Temp\vysnfsf1.vuy.exe"
        5⤵
        Executes dropped EXE
        
        PID:2532
    - - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "Masontaskhostw.exe" /tr "'C:\ProgramData\taskhostw.exe'" /sc onlogon /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:840
    - - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "Masontaskhostw.exe" /tr "'C:\ProgramData\taskhostw.exe'" /sc onlogon /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1256
    - - C:\ProgramData\WizClient.exe
        
        "C:\ProgramData\WizClient.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:844
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:1800
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WizClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:1592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WizClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3044
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\ProgramData\WizClient.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:228
    - - C:\ProgramData\XBinder v2.exe
        
        "C:\ProgramData\XBinder v2.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2808
  - - C:\ProgramData\WizClient.exe
      C:\ProgramData\WizClient.exe
      4⤵
      Executes dropped EXE
      PID:2124
  - - C:\ProgramData\WizClient.exe
      C:\ProgramData\WizClient.exe
      4⤵
      Executes dropped EXE
      PID:1884
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:980
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:292
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1080
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1100
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1180
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1380
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2972
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1796
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  2⤵
  PID:2452
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k swprv
  2⤵
  PID:1008

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1152
- C:\Users\Admin\AppData\Local\Temp\cf79ab31cc7f483d3b8572ef14b47804.exe
  "C:\Users\Admin\AppData\Local\Temp\cf79ab31cc7f483d3b8572ef14b47804.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\AppData\Local\Temp\zrlhyk1m.l40.exe
    "C:\Users\Admin\AppData\Local\Temp\zrlhyk1m.l40.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2640
- - C:\Windows\system32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Masoncf79ab31cc7f483d3b8572ef14b47804.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\cf79ab31cc7f483d3b8572ef14b47804.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2656
- - C:\Windows\system32\SCHTASKS.exe
    "SCHTASKS.exe" /create /tn "Masoncf79ab31cc7f483d3b8572ef14b47804.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\cf79ab31cc7f483d3b8572ef14b47804.exe'" /sc onlogon /rl HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhostw.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-376979921141788414037372593-879023096-19883582738348890879891974474122805"
1⤵
PID:1460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1356075736717389398-279930062-1074618531964489565355103017963605953-425261703"
1⤵
PID:1476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "390582776362986088565694129-1749465114-322017365-13828612219811758521173884204"
1⤵
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-18030465535523293921750510251-1881919537-57881166112350743292057826247-153683307"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2041584937-12031401351883950376-1430240218-11026792667332684411687244841-1099460644"
1⤵
- Suspicious use of SetWindowsHookEx
PID:652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1829980250-1111455329-336087534601543478-852301069422417321-2070995814-248310171"
1⤵
PID:1320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "49283423778197884420871730-754814827-1456966064-214837976-1114992310-248419641"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2089309351748378127-1757366091771726916-675236906-1628506302-181763921846950468"
1⤵
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WizClient.exe

Filesize
55KB

MD5
ee90f24ed0ce3c6ff15634b21e76e461

SHA1
8cb336bf0a41544dba7752732b777b9bd1d88d93

SHA256
82936465db9f948961dc516588207ee4ab5766f6db0604e29cbd318e8a5edc98

SHA512
c3223c9803943bd00689ec4234d1f0ac6cde1c64b4e4b5957529a44a0abd98cc663c5204ca4c688e2fd536c5d8e63042d7bf65f81b5e4ea85d8e557e8c554320

Download Submit
C:\ProgramData\taskhostw.exe

Filesize
4.3MB

MD5
cf79ab31cc7f483d3b8572ef14b47804

SHA1
aea4389610858f29651d64e803966aa2c73fd066

SHA256
1ee95a58aee1db0ccfc2b2e9b101709f900424fc09dfb7546a05e10af585e94e

SHA512
298bb3423ebc4c36f9e995c6c19062e7f690c2a25cf5ff863c1763168408cd9e79f3c8ca903be807d923e2c0f3be3adafb5ea448e96ab0799be658bb6d71d4b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
db8af451bd2a24d3e63ea0f02f3ce11c

SHA1
de04a1eeb013140ddc34d9944db827607aa04736

SHA256
e572a7f724e600237e9f57dcb4dc42bd819d3d92356e30b2a65717b36edd132e

SHA512
eb0d3c5a7aa1e899d152bfe50dca74f2f903ce34c947bfaa832c32488383e84d965b121d44b5f7778b44d7f883618fcef8ab0a813a40dec76b91eb5dd28cceb2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7811f8bd8a60bc5dac09933f46e50fd7

SHA1
d1599fbc85887caf24cf50bbe9bc754ac483596a

SHA256
5db061980a545b1be8c2e46f7b4caa6a36a3d4f27334c3bae30c43704a6d1a8a

SHA512
d702666d8d5797debefeeb87896ce37a8e5e98a9308cd33a234eee1e2b98d8744b596f0a374f4dd71f727e264a4d4f4b776200540c32cccd64a8a8f2c58dcaa0

Download Submit
C:\Windows\System32\Tasks\MicrosoftEdgeUpdateTaskMachineCoreUAC{78F388DB-0303-409E-A80B-51537E33362A}

Filesize
3KB

MD5
d636b3530b0c62e3da30fd128fb21396

SHA1
7e0c353f612130e02a38a22fed8e4281dc00bdcb

SHA256
b29533c7688b90b5cb745e894e122ba0534cdc022971e54dd81741a67df26f4e

SHA512
aafa41e82d2efbb218809e5dd9ba77cf382da93d45ba2fab3349626debe3b7d2ec19a3c6cfd82bdc5596ff297b329940756292465171dddb02e42cae6d5e5260

Download Submit
C:\Windows\System32\Tasks\WizClient

Filesize
3KB

MD5
1b6fe69ce70229c1d16b3e51995e0467

SHA1
fb66925d5ff13fb7cc16f76ba8c09295e591c64f

SHA256
3967477d4d280f991f1c0cc1d39091b2e395ed2931e9558182399108cc020d23

SHA512
37935a2b0ed8b71e9e6280a1b974fae4620c6cafca81b3ad07f257199179ecce660a9abd38630a697f5147f24e3bf4c29afbed96d8e781428cbb25878e6799f3

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
145KB

MD5
19c7052de3b7281b4c1c6bfbb543c5dc

SHA1
d2e12081a14c1069c89f2cee7357a559c27786e7

SHA256
14ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a

SHA512
289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
154KB

MD5
f0ecfbfa3e3e59fd02197018f7e9cb84

SHA1
961e9367a4ef3a189466c0a0a186faf8958bdbc4

SHA256
cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324

SHA512
116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
145KB

MD5
ce233fa5dc5adcb87a5185617a0ff6ac

SHA1
2e2747284b1204d3ab08733a29fdbabdf8dc55b9

SHA256
68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31

SHA512
1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
142KB

MD5
d73172c6cb697755f87cd047c474cf91

SHA1
abc5c7194abe32885a170ca666b7cce8251ac1d6

SHA256
9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57

SHA512
7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
114KB

MD5
1f998386566e5f9b7f11cc79254d1820

SHA1
e1da5fe1f305099b94de565d06bc6f36c6794481

SHA256
1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea

SHA512
a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
680KB

MD5
b69ab3aeddb720d6ef8c05ff88c23b38

SHA1
d830c2155159656ed1806c7c66cae2a54a2441fa

SHA256
24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625

SHA512
4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
646KB

MD5
aecab86cc5c705d7a036cba758c1d7b0

SHA1
e88cf81fd282d91c7fc0efae13c13c55f4857b5e

SHA256
9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066

SHA512
e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
727KB

MD5
7d0bac4e796872daa3f6dc82c57f4ca8

SHA1
b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a

SHA256
ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879

SHA512
145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
5f684ce126de17a7d4433ed2494c5ca9

SHA1
ce1a30a477daa1bac2ec358ce58731429eafe911

SHA256
2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c

SHA512
4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
4623482c106cf6cc1bac198f31787b65

SHA1
5abb0decf7b42ef5daf7db012a742311932f6dad

SHA256
eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

SHA512
afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
406KB

MD5
54c674d19c0ff72816402f66f6c3d37c

SHA1
2dcc0269545a213648d59dc84916d9ec2d62a138

SHA256
646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5

SHA512
4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
118KB

MD5
b6a40d83e0fd90f0c9ba062102a8eb99

SHA1
d5b564584ea2b5eab4ddda1a225594d790cc585b

SHA256
0efde37b0dfcd63a634f9448fdfdfb9c689e7f28accaa063e7abfe5747c7a054

SHA512
7b4d6e842ce0433e965eb923f3359634494a735368a04832d85e5778c3a9590144e1c7cc0f336ac9a1208215838433dfb6ff5837c8494231989e3164c10d3f2c

Download Submit
\ProgramData\XBinder v2.exe

Filesize
3.5MB

MD5
a98358eb7f4953aa6d60015ccd8506ce

SHA1
d9be0c9d6d968c1baef11027a7ace6a0e869e75a

SHA256
21e0cc9ef715cc2147b9ec481b3fb876dbae8a4491367b478513128d7f7b8555

SHA512
62389e840c375a15d317d024d2e07b861b5b66447abb0423f603b73d2ec0853e3f947f78498a40dd835b48ca50562af9364c65c448a60172fa9011b6e564fac4

Download Submit
\Users\Admin\AppData\Local\Temp\zrlhyk1m.l40.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
memory/432-50-0x0000000077091000-0x0000000077092000-memory.dmp

Filesize
4KB

Download
memory/432-16-0x0000000000CE0000-0x0000000000D05000-memory.dmp

Filesize
148KB

Download
memory/432-19-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/432-15-0x0000000000CE0000-0x0000000000D05000-memory.dmp

Filesize
148KB

Download
memory/432-17-0x0000000000D10000-0x0000000000D3B000-memory.dmp

Filesize
172KB

Download
memory/432-18-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/432-49-0x0000000000D10000-0x0000000000D3B000-memory.dmp

Filesize
172KB

Download
memory/476-46-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/476-45-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/476-52-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/476-320-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/476-47-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/492-56-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/492-216-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/500-72-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/500-73-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/500-74-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/616-78-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/616-76-0x0000000000380000-0x00000000003AB000-memory.dmp

Filesize
172KB

Download
memory/616-77-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/692-69-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/692-58-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/692-321-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/692-59-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/692-57-0x0000000000480000-0x00000000004AB000-memory.dmp

Filesize
172KB

Download
memory/776-206-0x000007FF404C0000-0x000007FF40580000-memory.dmp

Filesize
768KB

Download
memory/776-322-0x0000000000CC0000-0x0000000000CEB000-memory.dmp

Filesize
172KB

Download
memory/776-406-0x000007FF404C0000-0x000007FF40580000-memory.dmp

Filesize
768KB

Download
memory/776-61-0x0000000000CC0000-0x0000000000CEB000-memory.dmp

Filesize
172KB

Download
memory/776-63-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/776-64-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/776-70-0x0000000000CC0000-0x0000000000CEB000-memory.dmp

Filesize
172KB

Download
memory/824-67-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/824-62-0x0000000000CA0000-0x0000000000CCB000-memory.dmp

Filesize
172KB

Download
memory/824-66-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/824-71-0x0000000000CA0000-0x0000000000CCB000-memory.dmp

Filesize
172KB

Download
memory/824-323-0x0000000000CA0000-0x0000000000CCB000-memory.dmp

Filesize
172KB

Download
memory/844-672-0x0000000000B80000-0x0000000000B94000-memory.dmp

Filesize
80KB

Download
memory/844-680-0x0000000000B80000-0x0000000000B94000-memory.dmp

Filesize
80KB

Download
memory/864-80-0x0000000000C50000-0x0000000000C7B000-memory.dmp

Filesize
172KB

Download
memory/864-81-0x000007FEBEF40000-0x000007FEBEF50000-memory.dmp

Filesize
64KB

Download
memory/864-82-0x0000000037080000-0x0000000037090000-memory.dmp

Filesize
64KB

Download
memory/1592-741-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1592-739-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1596-459-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/1596-458-0x000000001B910000-0x000000001BBF2000-memory.dmp

Filesize
2.9MB

Download
memory/1764-1-0x0000000001330000-0x0000000001780000-memory.dmp

Filesize
4.3MB

Download
memory/1764-154-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1764-0-0x000007FEF5B73000-0x000007FEF5B74000-memory.dmp

Filesize
4KB

Download
memory/1764-2-0x0000000000350000-0x000000000037C000-memory.dmp

Filesize
176KB

Download
memory/1764-255-0x000000001C2E0000-0x000000001C6E4000-memory.dmp

Filesize
4.0MB

Download
memory/1764-325-0x000000001B870000-0x000000001B8F0000-memory.dmp

Filesize
512KB

Download
memory/1800-719-0x000000001B960000-0x000000001BC42000-memory.dmp

Filesize
2.9MB

Download
memory/2640-530-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download
memory/2640-12-0x0000000076F20000-0x000000007703F000-memory.dmp

Filesize
1.1MB

Download
memory/2640-14-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download
memory/2640-13-0x0000000077041000-0x0000000077142000-memory.dmp

Filesize
1.0MB

Download
memory/2640-11-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download
memory/2640-205-0x0000000077040000-0x00000000771E9000-memory.dmp

Filesize
1.7MB

Download
memory/2808-695-0x0000064477B60000-0x0000064477EEE000-memory.dmp

Filesize
3.6MB

Download
memory/2808-696-0x0000000002990000-0x0000000002A2C000-memory.dmp

Filesize
624KB

Download
memory/2840-666-0x000000001C5F0000-0x000000001C9AA000-memory.dmp

Filesize
3.7MB

Download
memory/2840-504-0x00000000013D0000-0x0000000001820000-memory.dmp

Filesize
4.3MB

Download
memory/2984-430-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/2984-429-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download