xworm | aff3e08b50336ce6a1cfe39c45d32d918dc6f190662aef666addb193f44d47a8

Analysis

max time kernel
153s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
Size

37.3MB
MD5

7c75210de2c558c9050f082e5373ee37
SHA1

a683e20da1195e0e3eacabd19c760ebf9b60768d
SHA256

76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb
SHA512

874201ba98ebb687f05df0e508ff967b61a6b3d28274a986ee31c8e5d7371e1c6fa24f462125ab7c375d6bd96fed18d5640cba962107d546cfca3c6d147dbf20
SSDEEP

786432:5gB5EOyGOlEaoPvuMMXU2o3SIkDhSdKqlH7R32AsKpDW800m70T+eUNH39:8lyHIPvuMwUp3SVMpHldxM80n7Q+xHN

Score

10^/10

xworm defense_evasion execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

aboltustimoha-43339.portmap.host:43339

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000400000001d790-708.dat	family_xworm
behavioral3/memory/3032-710-0x0000000001110000-0x000000000112A000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe
3012	powershell.exe
2780	powershell.exe
948	powershell.exe
324	powershell.exe
2052	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VLKIAJCI\ImagePath = "C:\\ProgramData\\sqqlezmfstqp\\ixoqduepyxci.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Windows\\TEMP\\oktvyrloxnhg.sys"	services.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 7 IoCs

pid	Process
2836	ExLoader_Installer.exe
1948	Built.exe
2028	Built.exe
3032	checker-cheats (1).exe
2872	system.exe
1192	Explorer.EXE
2420	ixoqduepyxci.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
1948	Built.exe
2028	Built.exe
2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
464	services.exe
464	services.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExLoader_Installer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExLoader_Installer.exe"	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Built.exe"	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\checker-cheats (1) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\checker-cheats (1).exe"	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe"	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
8	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2932	powercfg.exe
2044	powercfg.exe
2072	powercfg.exe
2140	powercfg.exe
764	powercfg.exe
3044	powercfg.exe
1792	powercfg.exe
2004	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	system.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ixoqduepyxci.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 2460	2872	system.exe	65
PID 2420 set thread context of 2436	2420	ixoqduepyxci.exe	95
PID 2420 set thread context of 2996	2420	ixoqduepyxci.exe	97
PID 2420 set thread context of 2992	2420	ixoqduepyxci.exe	101

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000400000001cc71-451.dat	upx
behavioral3/memory/2028-596-0x000007FEF7010000-0x000007FEF75F8000-memory.dmp	upx

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2504	sc.exe
1576	sc.exe
2676	sc.exe
584	sc.exe
1292	sc.exe
1724	sc.exe
1232	sc.exe
1308	sc.exe
2720	sc.exe
1880	sc.exe
2604	sc.exe
2944	sc.exe
2128	sc.exe
2016	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0f600fff29adb01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	powershell.exe
2688	powershell.exe
3012	powershell.exe
2780	powershell.exe
2872	system.exe
948	powershell.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2872	system.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2872	system.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2872	system.exe
2872	system.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2420	ixoqduepyxci.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
324	powershell.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe
2460	dialer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3032	checker-cheats (1).exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2872	system.exe
Token: SeDebugPrivilege	2460	dialer.exe
Token: SeShutdownPrivilege	1792	powercfg.exe
Token: SeShutdownPrivilege	2140	powercfg.exe
Token: SeShutdownPrivilege	3044	powercfg.exe
Token: SeShutdownPrivilege	764	powercfg.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2420	ixoqduepyxci.exe
Token: SeDebugPrivilege	2436	dialer.exe
Token: SeShutdownPrivilege	2932	powercfg.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	2072	powercfg.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeLockMemoryPrivilege	2992	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
848	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2052	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	29
PID 2604 wrote to memory of 2052	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	29
PID 2604 wrote to memory of 2052	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	29
PID 2604 wrote to memory of 2836	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	31
PID 2604 wrote to memory of 2836	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	31
PID 2604 wrote to memory of 2836	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	31
PID 2604 wrote to memory of 2688	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	32
PID 2604 wrote to memory of 2688	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	32
PID 2604 wrote to memory of 2688	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	32
PID 2604 wrote to memory of 1948	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	34
PID 2604 wrote to memory of 1948	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	34
PID 2604 wrote to memory of 1948	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	34
PID 2604 wrote to memory of 3012	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	35
PID 2604 wrote to memory of 3012	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	35
PID 2604 wrote to memory of 3012	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	35
PID 1948 wrote to memory of 2028	1948	Built.exe	37
PID 1948 wrote to memory of 2028	1948	Built.exe	37
PID 1948 wrote to memory of 2028	1948	Built.exe	37
PID 2604 wrote to memory of 3032	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	38
PID 2604 wrote to memory of 3032	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	38
PID 2604 wrote to memory of 3032	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	38
PID 2604 wrote to memory of 2780	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	39
PID 2604 wrote to memory of 2780	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	39
PID 2604 wrote to memory of 2780	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	39
PID 2604 wrote to memory of 2872	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	41
PID 2604 wrote to memory of 2872	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	41
PID 2604 wrote to memory of 2872	2604	76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe	41
PID 1708 wrote to memory of 2928	1708	cmd.exe	55
PID 1708 wrote to memory of 2928	1708	cmd.exe	55
PID 1708 wrote to memory of 2928	1708	cmd.exe	55
PID 2872 wrote to memory of 2460	2872	system.exe	65
PID 2872 wrote to memory of 2460	2872	system.exe	65
PID 2872 wrote to memory of 2460	2872	system.exe	65
PID 2872 wrote to memory of 2460	2872	system.exe	65
PID 2872 wrote to memory of 2460	2872	system.exe	65
PID 2872 wrote to memory of 2460	2872	system.exe	65
PID 2872 wrote to memory of 2460	2872	system.exe	65
PID 2460 wrote to memory of 420	2460	dialer.exe	5
PID 2460 wrote to memory of 464	2460	dialer.exe	6
PID 2460 wrote to memory of 480	2460	dialer.exe	7
PID 2460 wrote to memory of 488	2460	dialer.exe	8
PID 2460 wrote to memory of 600	2460	dialer.exe	9
PID 2460 wrote to memory of 676	2460	dialer.exe	10
PID 2460 wrote to memory of 752	2460	dialer.exe	11
PID 2460 wrote to memory of 812	2460	dialer.exe	12
PID 2460 wrote to memory of 848	2460	dialer.exe	13
PID 2460 wrote to memory of 992	2460	dialer.exe	14
PID 2460 wrote to memory of 296	2460	dialer.exe	15
PID 2460 wrote to memory of 108	2460	dialer.exe	16
PID 2460 wrote to memory of 1088	2460	dialer.exe	17
PID 2460 wrote to memory of 1108	2460	dialer.exe	18
PID 2460 wrote to memory of 1160	2460	dialer.exe	19
PID 2460 wrote to memory of 1192	2460	dialer.exe	20
PID 2460 wrote to memory of 1440	2460	dialer.exe	22
PID 2460 wrote to memory of 796	2460	dialer.exe	23
PID 2460 wrote to memory of 1032	2460	dialer.exe	24
PID 2460 wrote to memory of 588	2460	dialer.exe	25
PID 2460 wrote to memory of 364	2460	dialer.exe	26
PID 2460 wrote to memory of 1948	2460	dialer.exe	34
PID 2460 wrote to memory of 2028	2460	dialer.exe	37
PID 2460 wrote to memory of 2872	2460	dialer.exe	41
PID 2460 wrote to memory of 2164	2460	dialer.exe	42
PID 2460 wrote to memory of 1708	2460	dialer.exe	45
PID 2460 wrote to memory of 1228	2460	dialer.exe	48

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious behavior: LoadsDriver
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:600
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1440
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1032
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1160
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:992
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:296
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:108
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1088
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1108
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:796
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:588
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:364
- C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
  C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:856
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2912
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1880
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2604
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2676
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2944
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:584
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2996
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2992

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Executes dropped EXE
PID:1192
- C:\Users\Admin\AppData\Local\Temp\76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe
  "C:\Users\Admin\AppData\Local\Temp\76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe
    "C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\system.exe
    "C:\Users\Admin\AppData\Local\Temp\system.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2928
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:1292
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:2128
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1724
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1232
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2016
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3044
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2140
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "VLKIAJCI"
      4⤵
      Launches sc.exe
      PID:2504
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "VLKIAJCI" binpath= "C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1308
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2720
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "VLKIAJCI"
      4⤵
      Launches sc.exe
      PID:1576

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-355615725271604194-1285705443191891058820598572301786902623906404244-1983108248"
1⤵
PID:1228

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-730439975623031519489461736-227167934-1786323928-33591679379301229-1990444003"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1502247422176474605119806477731543770026805104866-529084875651757386436869327"
1⤵
PID:2512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "683102116-326982983-1718451386-17802368801489649011-1528962964-12381455822043156782"
1⤵
PID:704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-31131544194999271992295945986105486-81346647928321740-374012136-238407052"
1⤵
PID:3048

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60941435823180433-1902099570-269937039-1656571835-189151717019425313301120164173"
1⤵
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "60139767476362356608725505-15905536190489922-1885113324-786936913297697227"
1⤵
PID:776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1533294647148206240-2102906683457987687-551716629656484658-1286405231008465415"
1⤵
PID:688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19206118451248640274-1706324059111287703284332899815345336119846988081736619305"
1⤵
PID:692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "190866559-20278248771790685882166301306100200889618532324551708798654-524458686"
1⤵
PID:3060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4677604-246453869-14239702117634782903372623021285305547575541182056026183"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1385700870-1726457667-1493325510-103803732117422436231590934401868461267652379488"
1⤵
PID:1560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "233845497-686336301729090014-411144720483243881-16410379518676952452136310231"
1⤵
PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "255680924-453738179-393134803-715588035-16318743-615028156-6815126311905391813"
1⤵
PID:2248

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12145289091172830503-1176723244-11277020782038249053-491768680-195916356901160433"
1⤵
PID:1292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "834928570-276622064-871954321-583235768-1939210671-2221237689589198491402826140"
1⤵
PID:1012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1901065403336463633719666470-498905063379944032571452443-1211996850-1361975970"
1⤵
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19482\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe

Filesize
75KB

MD5
04e6de63f885854bc352dcaedf70f687

SHA1
2ab12179885dc57bbf255564012fa8e2b82a3330

SHA256
e7e69559f54ae11b078702201d788c1825a79b8e88a77b1b2fde01c1da1f8b06

SHA512
fe8d496253ceb225c29ed5c3e6074a7d4736fb51b77bee1ee6a118e21f05e461e27462604ff167bc6b468b62a3b6716ebd6cbb1201c9337aac31814661ce0c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
5.2MB

MD5
332a796dafffbfba2d0655e2f5d72b79

SHA1
41540d6e81ef9afff85b7623115655c245d286e4

SHA256
c26fb59378ead10e14125f1c86c54fb5db72c08eb268d0d01dce864353829769

SHA512
63b91400d5675da0cc290205d845e6fc584c1ed99c2df97fc33f63ddc17e915b605640241e201c8cf1c089213b36dcb0d389ca8aa78db925b46a301503efe9a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2bb3a4ad77f2cd69b6b488dc016764c1

SHA1
8c2404551c083083390bc64df4cdacac99721bad

SHA256
eb2a7319c331de30b56df6604d8e4e47e544df09c6ef10b9a739b2e11322103a

SHA512
9ac596831190e98d152a9afb9e5546807085cfc6cb084c1b0734d84dd8bc9ec8f1806a4824deac5c7a1f16857c8674816e68c2022182938d4eed31fd2a26f075

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.9MB

MD5
6b915cd816ef2570b3c203ff6f4668c4

SHA1
4a96ed7b4e3ee8f553a4e7581bc42df3356856f3

SHA256
12dcc7a7ae7e83049ade18d3699ad8d0fe8b34a5a1f33ad31d825008f2460715

SHA512
06db8f913e06625d8bca3464bd4951d30b0ffd53c60bbbed80216f9e21342cc5fb8d8aaee12e06f6478c976c318eab164f31c7440d8bf0ed40418584544f4a9d

Download Submit
\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

Filesize
26.5MB

MD5
dcd3344e5bdca9492706ed74cbf8b233

SHA1
ed0ad8d0e65d27d34644b75fbd73b7ee8a825bc6

SHA256
75243dbdd7668c07417eb463d1b4f24d8ff4781b6d5aa0522afb2509b920cf9c

SHA512
9d31001b90e2610a74aa66b7d9a383094b3d904ad105b50c55be3aa46ef8be2f2a45a082e990a905b8673e4bcf320b4f078a53fe1435bd96e08df0bc9e09bca4

Download Submit
memory/324-1047-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/420-746-0x0000000000760000-0x000000000078B000-memory.dmp

Filesize
172KB

Download
memory/420-748-0x0000000037C60000-0x0000000037C70000-memory.dmp

Filesize
64KB

Download
memory/420-747-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

Filesize
64KB

Download
memory/420-745-0x0000000000730000-0x0000000000754000-memory.dmp

Filesize
144KB

Download
memory/420-743-0x0000000000730000-0x0000000000754000-memory.dmp

Filesize
144KB

Download
memory/464-791-0x0000000037C60000-0x0000000037C70000-memory.dmp

Filesize
64KB

Download
memory/464-790-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

Filesize
64KB

Download
memory/464-753-0x0000000000120000-0x000000000014B000-memory.dmp

Filesize
172KB

Download
memory/488-794-0x000007FEBE920000-0x000007FEBE930000-memory.dmp

Filesize
64KB

Download
memory/488-795-0x0000000037C60000-0x0000000037C70000-memory.dmp

Filesize
64KB

Download
memory/488-793-0x00000000003B0000-0x00000000003DB000-memory.dmp

Filesize
172KB

Download
memory/948-731-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/2028-596-0x000007FEF7010000-0x000007FEF75F8000-memory.dmp

Filesize
5.9MB

Download
memory/2052-8-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2052-7-0x000000001B240000-0x000000001B522000-memory.dmp

Filesize
2.9MB

Download
memory/2052-6-0x00000000026B0000-0x0000000002730000-memory.dmp

Filesize
512KB

Download
memory/2460-736-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2460-734-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2460-739-0x0000000077A00000-0x0000000077B1F000-memory.dmp

Filesize
1.1MB

Download
memory/2460-738-0x0000000077C20000-0x0000000077DC9000-memory.dmp

Filesize
1.7MB

Download
memory/2460-732-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2460-733-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2460-737-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2460-740-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2604-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2604-43-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

Filesize
4KB

Download
memory/2604-1-0x0000000000E90000-0x00000000033E2000-memory.dmp

Filesize
37.3MB

Download
memory/2688-30-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2688-23-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/3032-710-0x0000000001110000-0x000000000112A000-memory.dmp

Filesize
104KB

Download