xworm | ee28f54f43c0bf06067ae14fd538a95de55eb811bab582291fa7688b2c50b46e

Analysis

max time kernel
1796s
max time network
1798s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

74KB
MD5

d3ebbab144d54b4759acdf633ecbee16
SHA1

fa2b167957e2aa8905d3af4f07f80967c819bdab
SHA256

ee28f54f43c0bf06067ae14fd538a95de55eb811bab582291fa7688b2c50b46e
SHA512

9095630280b3140edccf566346b5eb9b72026c772aa64c945d3cf136f51ccac097bd60e58694b41dc00961dfcb1be442f078eebc9d66f934e3436f72b5f5f9d3
SSDEEP

1536:aAaGPPDda5jxH7iqWO3O9pdNb55zO6pyOdT2F6eWr9On6Cn9lAOk:kUbdmjxH7iA3IpDb5VpyK2rIO6S9l+

Score

10^/10

xworm persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

0.tcp.eu.ngrok.io:12979

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3000-0-0x0000000000C50000-0x0000000000C68000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\XClient.exe	family_xworm
behavioral1/memory/2300-55-0x0000000000DB0000-0x0000000000DC8000-memory.dmp	family_xworm
behavioral1/memory/2764-64-0x0000000000E80000-0x0000000000E98000-memory.dmp	family_xworm
behavioral1/memory/288-1210-0x0000000001020000-0x0000000001038000-memory.dmp	family_xworm
behavioral1/memory/2548-1218-0x0000000000280000-0x0000000000298000-memory.dmp	family_xworm
behavioral1/memory/1864-1225-0x0000000000ED0000-0x0000000000EE8000-memory.dmp	family_xworm
behavioral1/memory/2316-1229-0x00000000002B0000-0x00000000002C8000-memory.dmp	family_xworm
behavioral1/memory/320-1233-0x0000000000DE0000-0x0000000000DF8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 30 IoCs

Processes:

XClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exe

pid	process
2300	XClient.exe
272	XClient.exe
2764	XClient.exe
2832	XClient.exe
1364	XClient.exe
288	XClient.exe
2056	XClient.exe
2408	XClient.exe
2548	XClient.exe
600	XClient.exe
1864	XClient.exe
2316	XClient.exe
320	XClient.exe
1580	XClient.exe
2300	XClient.exe
2544	XClient.exe
1852	XClient.exe
2352	XClient.exe
920	XClient.exe
640	XClient.exe
1016	XClient.exe
2692	XClient.exe
544	XClient.exe
480	XClient.exe
2860	XClient.exe
1532	XClient.exe
2096	XClient.exe
2072	XClient.exe
2372	XClient.exe
2152	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs

Web Service

T1102

Processes:

flow	ioc
6	0.tcp.eu.ngrok.io
86	0.tcp.eu.ngrok.io
65	0.tcp.eu.ngrok.io
129	0.tcp.eu.ngrok.io
228	0.tcp.eu.ngrok.io
27	0.tcp.eu.ngrok.io
120	0.tcp.eu.ngrok.io
231	0.tcp.eu.ngrok.io
37	0.tcp.eu.ngrok.io
67	0.tcp.eu.ngrok.io
177	0.tcp.eu.ngrok.io
195	0.tcp.eu.ngrok.io
10	0.tcp.eu.ngrok.io
45	0.tcp.eu.ngrok.io
112	0.tcp.eu.ngrok.io
159	0.tcp.eu.ngrok.io
76	0.tcp.eu.ngrok.io
94	0.tcp.eu.ngrok.io
102	0.tcp.eu.ngrok.io
148	0.tcp.eu.ngrok.io
168	0.tcp.eu.ngrok.io
206	0.tcp.eu.ngrok.io
9	0.tcp.eu.ngrok.io
55	0.tcp.eu.ngrok.io
138	0.tcp.eu.ngrok.io
157	0.tcp.eu.ngrok.io
186	0.tcp.eu.ngrok.io
217	0.tcp.eu.ngrok.io

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

flow	ioc
4	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

XClient.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2736 schtasks.exe

pid	process
2736	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000074b75c011b137bc612ecdedf85543a6adc9480aefb9e75b9d5cf8b60b8703880000000000e800000000200002000000024dbd6d57e5227157a61e43fa0a75b269b1eb89293ec3b5eba1c7b08b8ba197320000000ea75555a72cce7cd5fc1402d91ea6ecf8b6a13b41a068f65e816da387cee188c40000000b55b250b0ed561dfb5637533b9ff4a85354d4fae316eac39aa7f4a7c2e4893d91452a19d17df81c348fb8ddb14e76e777678c80a67eae1a4b1ffd6bcaabf7704	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d2315d1a93da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419776277"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{88BA6231-FF0D-11EE-A40F-5A791E92BC44} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000000121045c08b201191414e1944982354265d334e31b0cfedba77c4564d27410000000000e8000000002000020000000e6509b32de464d0fd1861c58c117d0b85cd5994e5fb25928176fb3acde3e48b5900000005a78aecc330dc63465d8c4d86d8d50accfab4f356ed02b2b536828f57573a8e58a0798c8c3b93063b6d65b8206a52f06cdaee00e8007a1fe9170acf5ffafff89c0f6c318d29add2ada98e5ea6e7c7aad34cb83b3de47fe224271e045fb13f71205dc1c5494b88b9832bcd8274d0cafddcda362a1bfaa4f41a74b3f5083429795d71a1dc52f50be56c7df5b47e60d9038400000004426e832ea89d3cae971ae48d218f6cca92171c7a8646b417fcc40272a0cd383ae0c2c2e97252ce59f6474a927376dd375f90051487e21e9e1fd74f98c076743	iexplore.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeXClient.exe

pid process

2800 powershell.exe
2432 powershell.exe
1792 powershell.exe
3000 XClient.exe

pid	process
2800	powershell.exe
2432	powershell.exe
1792	powershell.exe
3000	XClient.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exeXClient.exe

description	pid	process
Token: SeDebugPrivilege	3000	XClient.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2300	XClient.exe
Token: SeDebugPrivilege	272	XClient.exe
Token: SeDebugPrivilege	2764	XClient.exe
Token: SeDebugPrivilege	2832	XClient.exe
Token: SeDebugPrivilege	1364	XClient.exe
Token: SeDebugPrivilege	288	XClient.exe
Token: SeDebugPrivilege	2408	XClient.exe
Token: SeDebugPrivilege	2548	XClient.exe
Token: SeDebugPrivilege	600	XClient.exe
Token: SeDebugPrivilege	1864	XClient.exe
Token: SeDebugPrivilege	2316	XClient.exe
Token: SeDebugPrivilege	320	XClient.exe
Token: SeDebugPrivilege	1580	XClient.exe
Token: SeDebugPrivilege	2300	XClient.exe
Token: SeDebugPrivilege	2544	XClient.exe
Token: SeDebugPrivilege	1852	XClient.exe
Token: SeDebugPrivilege	2352	XClient.exe
Token: SeDebugPrivilege	920	XClient.exe
Token: SeDebugPrivilege	640	XClient.exe
Token: SeDebugPrivilege	1016	XClient.exe
Token: SeDebugPrivilege	2692	XClient.exe
Token: SeDebugPrivilege	544	XClient.exe
Token: SeDebugPrivilege	480	XClient.exe
Token: SeDebugPrivilege	2860	XClient.exe
Token: SeDebugPrivilege	1532	XClient.exe
Token: SeDebugPrivilege	2096	XClient.exe
Token: SeDebugPrivilege	2072	XClient.exe
Token: SeDebugPrivilege	2372	XClient.exe
Token: SeDebugPrivilege	2152	XClient.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2432 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

XClient.exeiexplore.exeIEXPLORE.EXE

pid process

3000 XClient.exe
2432 iexplore.exe
2432 iexplore.exe
240 IEXPLORE.EXE
240 IEXPLORE.EXE
240 IEXPLORE.EXE
240 IEXPLORE.EXE

pid	process
2432	iexplore.exe

pid	process
3000	XClient.exe
2432	iexplore.exe
2432	iexplore.exe
240	IEXPLORE.EXE
240	IEXPLORE.EXE
240	IEXPLORE.EXE
240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XClient.exetaskeng.exeiexplore.exe

description	pid	process	target process
PID 3000 wrote to memory of 2800	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 2800	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 2800	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 2432	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 2432	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 2432	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 1792	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 1792	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 1792	3000	XClient.exe	powershell.exe
PID 3000 wrote to memory of 2736	3000	XClient.exe	schtasks.exe
PID 3000 wrote to memory of 2736	3000	XClient.exe	schtasks.exe
PID 3000 wrote to memory of 2736	3000	XClient.exe	schtasks.exe
PID 2184 wrote to memory of 2300	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2300	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2300	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 272	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 272	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 272	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2764	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2764	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2764	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2832	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2832	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2832	2184	taskeng.exe	XClient.exe
PID 3000 wrote to memory of 2432	3000	XClient.exe	iexplore.exe
PID 3000 wrote to memory of 2432	3000	XClient.exe	iexplore.exe
PID 3000 wrote to memory of 2432	3000	XClient.exe	iexplore.exe
PID 2432 wrote to memory of 240	2432	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 240	2432	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 240	2432	iexplore.exe	IEXPLORE.EXE
PID 2432 wrote to memory of 240	2432	iexplore.exe	IEXPLORE.EXE
PID 2184 wrote to memory of 1364	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1364	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1364	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 288	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 288	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 288	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2056	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2056	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2056	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2408	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2408	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2408	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2548	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2548	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2548	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 600	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 600	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 600	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1864	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1864	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1864	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2316	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2316	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2316	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 320	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 320	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 320	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1580	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1580	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 1580	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2300	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2300	2184	taskeng.exe	XClient.exe
PID 2184 wrote to memory of 2300	2184	taskeng.exe	XClient.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Creates scheduled task(s)
  PID:2736
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:240

C:\Windows\system32\taskeng.exe
taskeng.exe {CB1FEBA1-8CB5-4FF0-A8FC-ECD5109920B3} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:272
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1864
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:320
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2300
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1406dfbb03c6f8dd5449497e8586f494

SHA1
cf16e142ffe67732a1a9a18fd196d3493c9e3ecb

SHA256
ee2d37a1d60374d6d923e6247ace94836a3bf0dce32e8897c61605ffc24716a1

SHA512
0a0a63350d3327dc27bcf3e1c228e5bc9d437fe16efb6e6fe418d443fa125330b86ac1302bc6253d87fe8080287a4625f8c0e02d00b0a69b1b5e37f608e71583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04783395ea4e885b1b3140658fccf3f3

SHA1
20bed61d6a44b1f23e661202e0b655452620e86f

SHA256
25e4b64d5bddf11448a94d109ea980f53f27c9d9755b22b4dc1e07f20dfe4151

SHA512
d0bcf5716f7eef01cc5fb08872cf34df17011d2791bc7702fca46c68ea34917e02f00cd72b1da529f01cc089c6ed11549cd7e56a4656098040d6308bd4d63347

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b8cd55f465bdc27ae4b3454207b340a

SHA1
cbe5bb394b35fed38079ef46556369aeae578d66

SHA256
7784bce99968bde652f4ffa34abf969669f99511c8c564ea9fc1ab5bc122e2a1

SHA512
a4462d8b4e6a4d01419b5f14781a030055ed1c11ec414578089ba52c3b140dcebbcddbddfb6270c8ab8ff83df2c27deaf8bdd5a532310a395c10da0badfb0418

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14c91d8cf3be6f80fe7f515bc6066fb5

SHA1
f720dc5c840731cf5e9b7f296ae3f843ca77579e

SHA256
89dc6effb51bf04d24b5ccb1ef120dc4ac99a3c91a6d9df1d21818b0a2a42af0

SHA512
ddea68249b11876c163a674566b17661eccf0bbcfc1f69cf3e0fd90746883f6629c4829ec95a17ee9e61242477771ba7f18326a5bf8a746f1ea35b5babbc124d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b3c54557570f4d11be8acf70ec7cf63

SHA1
a1b5db4ab6b8ccf700081222bf93925ca7d3d9b6

SHA256
b2c45e8128324b29c004335428c934f53590892c4452aec3eea42c982eedf847

SHA512
34fafe19b62e1270cfddc4e81a32122836c476f8beb7b8975ae200af6ae599b715ee2a3d76e09944d69f357bc0b91341dc0174830e35f18aabbccf4772cc1da8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66700c5a57e5061b9a69dafdbd8f7373

SHA1
7b7c1bf58a92b631943c1c4b196b804f7c23d372

SHA256
bb6881a3c81c9b49df59ed0851be8df7bb49a79b3978ef72a2a3532963549f73

SHA512
ecdd0879beb5c383d486b6b9b01ae89334aceeb487600b8d71fc1437d915aed52e53628f95df6bc557230f9bf69e201f266d419ec539b324b068587d8a8cc4f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd13513bf34ded069e5498af1fa54af4

SHA1
2f4bcbaeab6cfd6226eed460c61b171feed3388d

SHA256
89eff33d04a6b4d47c611a80e0e127c0afff65b129fe46f010d76761e4ae9a3b

SHA512
7f134e4937990db28dbe6091fb13ca331fdeed89e68bfc242c6bfd2206a25eaed8be7a4154fa3ce4008bc78c775096f3c0d6209a00683ece6de9687ad7fc35c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4e8bf5224802c5c34013e74beaeceee

SHA1
2978d2a2facd514cc1d71c591a005285bedc0dc7

SHA256
7245f2e716eafa04e606df893c1e7f86b0e19b78bd719f711a569283234cde71

SHA512
87ab809840f06a5a7e8fa56a4c4340af77815a63d206850b5b33aae57071b10e160e776812f3ba8c28f2d6c3c5e8bc077cef3d1a0a0878fa644c9f26fbb9edda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39d9bb9bb6b5af61b5e4538f032820d5

SHA1
dc65514dbedab5a538a411afda727a854a214268

SHA256
0d75392a2f59ef2658b7ff76a5c8b85c5c32a94aa3ad7f63a7d07748aacc9f4a

SHA512
bc7e6ec029ab3bed78362d4756ba91e26514bf94ba3f22327e57da15812c92f04906dd9c3bdce5b0a57b6aa663a1882c26e97faeb30a338dd1257b2dc6e36918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74f84fa3749cd0982bc1a04dc2b60cc8

SHA1
22488fb858ea8295cf4622626b8db1e9202935a8

SHA256
b76f46842d47337fa1c403a9a55dc78a1f765554c8df80daf7840dc95c40c3f5

SHA512
65703ccd4cd5fbcd115e6348c61a0c9a26d32425427750c14b00412027fd860e937a1ee22a753a9cc2a567d386a17226f286f7fb4a0e5ae76f50d5479aba101c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
248fea3ccb565dbe23348a61031609e8

SHA1
2aefe666424f59458b6cfe921a0b9186e7bf4a5d

SHA256
cbf4908666407a0060890c51b493c32b830c47d2f93e758ee06fec1de9b7cf0a

SHA512
e724eb5a733570e0a732dcedfef10f38cfbc6dbb4b05327e30312b9a69a4026559c8a963faaff2ef91112a49210621ce8338c22754d316e39d5d901e33c17dae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7d12374039ba90e60489df03a9c405a

SHA1
c902216bbe7374368c0664da7daad59ba6c68d68

SHA256
af3d5871469598ec0d34605e83a6c677cea611a8a4a87511b6461b9c5ecf88e0

SHA512
c6a43ec0538b435eb9803ba5c892f157f7f29a32627265a365a25c02f6481f3f1955d6506ef3f5346b97ac143cb343672112065fd3efce44fe57de340098d0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabACB5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE05.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
18b4ac27c8622ca2863997760a3fc7ee

SHA1
fffe6cfd43d8b1b65534f3ae7353e4a1e8975a14

SHA256
cc16a2f038199c973a067a58ec73fa5b13081992f2be313f34604de47d9c4b53

SHA512
9629733d6853d31f76ed083b5bd0c4044693ef685c577c751cd5ac989b702b80b307c323198e154cea6f63909f01425e7b67e87f45551c7c2e7c0bbaf2cafdbb

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
74KB

MD5
d3ebbab144d54b4759acdf633ecbee16

SHA1
fa2b167957e2aa8905d3af4f07f80967c819bdab

SHA256
ee28f54f43c0bf06067ae14fd538a95de55eb811bab582291fa7688b2c50b46e

SHA512
9095630280b3140edccf566346b5eb9b72026c772aa64c945d3cf136f51ccac097bd60e58694b41dc00961dfcb1be442f078eebc9d66f934e3436f72b5f5f9d3

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
723B

MD5
553cf6c7e10d1c701098d7e1d0a01839

SHA1
3cbdf41c6d02de51754a2696a382485be5175771

SHA256
bfbb59fa451071b37088b6286c3e5941f2536c4d9a1b77c1c6e987da9545b6ae

SHA512
591ace58027c743e663598f29857e3fa52e47e5a015dfb5e46570fcc563b623306b6e9de5df0aed2f5242c7ae88178aced6c909ec3b8c075b5d7239922d3183c

Download Submit
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
3da7dfbd6c9e11b4d8dd5adb76c9a987

SHA1
cdd4cf0d8e5d5656d1e47308835268c1c27f5567

SHA256
4c00b7f2eac4df1134d965618429bf66e981bca09974e14e6447bdc269f51f40

SHA512
107e23de41fd6863fc639cdd2157c9b7df51f2daa38bfb9e28c45e00366b1904121192b1a5f0a73eaed1941fc5c96beb5b81d9c94af71f3983933e6f89928d31

Download Submit
memory/272-61-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/272-62-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/288-1210-0x0000000001020000-0x0000000001038000-memory.dmp

Filesize
96KB

Download
memory/288-1211-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/288-1212-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/320-1233-0x0000000000DE0000-0x0000000000DF8000-memory.dmp

Filesize
96KB

Download
memory/320-1234-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/600-1223-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/600-1222-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/1364-728-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/1364-727-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/1792-40-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1792-42-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1792-43-0x000007FEEE9C0000-0x000007FEEF35D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-39-0x000007FEEE9C0000-0x000007FEEF35D000-memory.dmp

Filesize
9.6MB

Download
memory/1792-38-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/1792-37-0x000007FEEE9C0000-0x000007FEEF35D000-memory.dmp

Filesize
9.6MB

Download
memory/1864-1225-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

Filesize
96KB

Download
memory/1864-1226-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-1227-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-56-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-57-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-55-0x0000000000DB0000-0x0000000000DC8000-memory.dmp

Filesize
96KB

Download
memory/2316-1229-0x00000000002B0000-0x00000000002C8000-memory.dmp

Filesize
96KB

Download
memory/2316-1230-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-1231-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-1215-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-1216-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2432-26-0x000007FEEE020000-0x000007FEEE9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-31-0x000007FEEE020000-0x000007FEEE9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-22-0x000007FEEE020000-0x000007FEEE9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-23-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2432-24-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/2432-21-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2432-25-0x000007FEEE020000-0x000007FEEE9BD000-memory.dmp

Filesize
9.6MB

Download
memory/2432-28-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2432-27-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2432-30-0x0000000002C80000-0x0000000002D00000-memory.dmp

Filesize
512KB

Download
memory/2548-1220-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2548-1218-0x0000000000280000-0x0000000000298000-memory.dmp

Filesize
96KB

Download
memory/2548-1219-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-65-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-64-0x0000000000E80000-0x0000000000E98000-memory.dmp

Filesize
96KB

Download
memory/2764-66-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-15-0x000007FEEE9C0000-0x000007FEEF35D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-7-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2800-9-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2800-8-0x000007FEEE9C0000-0x000007FEEF35D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-11-0x000007FEEE9C0000-0x000007FEEF35D000-memory.dmp

Filesize
9.6MB

Download
memory/2800-10-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2800-12-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2800-13-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2800-14-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2832-68-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2832-69-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-1-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-725-0x000000001B340000-0x000000001B3C0000-memory.dmp

Filesize
512KB

Download
memory/3000-246-0x000000001B340000-0x000000001B3C0000-memory.dmp

Filesize
512KB

Download
memory/3000-70-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/3000-0-0x0000000000C50000-0x0000000000C68000-memory.dmp

Filesize
96KB

Download
memory/3000-41-0x000000001B340000-0x000000001B3C0000-memory.dmp

Filesize
512KB

Download
memory/3000-58-0x00000000022C0000-0x00000000022CA000-memory.dmp

Filesize
40KB

Download
memory/3000-2-0x000000001B340000-0x000000001B3C0000-memory.dmp

Filesize
512KB

Download
memory/3000-29-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download