xmrig | 7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xbox.exe
Size

19.0MB
MD5

30880523d777f4fe75ca515c0d6df32b
SHA1

73629571c0c7f6bfae8422ff44d79b48e2e13d1f
SHA256

7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c
SHA512

1276a39236434cb7fc4903f2b75f1f6dceb1522aba70ff2babf70bae7088caeb5463f6f405e8bac51f2b1378c12291828dfa0978aaf009821cf87385d9824f81
SSDEEP

196608:Yb61gbgwY5kuaC4FaXtBrlOMOpnLo213diio7eLi4iUK+cTwfnrUzhjzO5quL971:Yo487OsOcTwfOa5L93edRaF/

Score

10^/10

xmrig xworm discovery evasion execution miner persistence rat trojan upx

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2008-29-0x0000000004D10000-0x0000000004D28000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral2/memory/3864-260-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-265-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-264-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-263-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-262-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-259-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-266-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-270-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-271-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-278-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-279-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/3864-280-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4440	powershell.exe
3908	powershell.exe
2264	powershell.exe
1668	powershell.exe
2152	powershell.exe
1672	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation	flux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation	Xbox.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe

Executes dropped EXE 6 IoCs

pid	Process
3416	build.exe
2008	flux.exe
4548	XboxInstaller.exe
4336	gaexyjbdzroy.exe
4860	XClient.exe
1208	XClient.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3864-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-265-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-264-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-263-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-262-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-259-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-257-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-266-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-270-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-271-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-278-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-279-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/3864-280-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	flux.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	XboxInstaller.exe
File opened (read-only)	\??\Q:	XboxInstaller.exe
File opened (read-only)	\??\A:	XboxInstaller.exe
File opened (read-only)	\??\E:	XboxInstaller.exe
File opened (read-only)	\??\H:	XboxInstaller.exe
File opened (read-only)	\??\K:	XboxInstaller.exe
File opened (read-only)	\??\N:	XboxInstaller.exe
File opened (read-only)	\??\O:	XboxInstaller.exe
File opened (read-only)	\??\S:	XboxInstaller.exe
File opened (read-only)	\??\Y:	XboxInstaller.exe
File opened (read-only)	\??\B:	XboxInstaller.exe
File opened (read-only)	\??\I:	XboxInstaller.exe
File opened (read-only)	\??\U:	XboxInstaller.exe
File opened (read-only)	\??\V:	XboxInstaller.exe
File opened (read-only)	\??\W:	XboxInstaller.exe
File opened (read-only)	\??\Z:	XboxInstaller.exe
File opened (read-only)	\??\G:	XboxInstaller.exe
File opened (read-only)	\??\J:	XboxInstaller.exe
File opened (read-only)	\??\R:	XboxInstaller.exe
File opened (read-only)	\??\T:	XboxInstaller.exe
File opened (read-only)	\??\L:	XboxInstaller.exe
File opened (read-only)	\??\M:	XboxInstaller.exe
File opened (read-only)	\??\X:	XboxInstaller.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3788	powercfg.exe
1740	powercfg.exe
4852	powercfg.exe
4028	powercfg.exe
1100	powercfg.exe
2336	powercfg.exe
4868	powercfg.exe
448	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	gaexyjbdzroy.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4336 set thread context of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 set thread context of 3864	4336	gaexyjbdzroy.exe	156

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
444	sc.exe
4864	sc.exe
4360	sc.exe
4856	sc.exe
1464	sc.exe
208	sc.exe
976	sc.exe
4072	sc.exe
1432	sc.exe
2736	sc.exe
3568	sc.exe
5116	sc.exe
3152	sc.exe
4704	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XboxInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2152	powershell.exe
2152	powershell.exe
1672	powershell.exe
1672	powershell.exe
4440	powershell.exe
4440	powershell.exe
3908	powershell.exe
3908	powershell.exe
3416	build.exe
2008	flux.exe
2264	powershell.exe
2264	powershell.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
3416	build.exe
4336	gaexyjbdzroy.exe
1668	powershell.exe
1668	powershell.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
4336	gaexyjbdzroy.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe
3864	explorer.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	flux.exe
Token: SeShutdownPrivilege	4548	XboxInstaller.exe
Token: SeCreatePagefilePrivilege	4548	XboxInstaller.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	2008	flux.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeShutdownPrivilege	448	powercfg.exe
Token: SeCreatePagefilePrivilege	448	powercfg.exe
Token: SeShutdownPrivilege	4852	powercfg.exe
Token: SeCreatePagefilePrivilege	4852	powercfg.exe
Token: SeShutdownPrivilege	3788	powercfg.exe
Token: SeCreatePagefilePrivilege	3788	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeCreatePagefilePrivilege	1740	powercfg.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeLockMemoryPrivilege	3864	explorer.exe
Token: SeShutdownPrivilege	1100	powercfg.exe
Token: SeCreatePagefilePrivilege	1100	powercfg.exe
Token: SeShutdownPrivilege	4868	powercfg.exe
Token: SeCreatePagefilePrivilege	4868	powercfg.exe
Token: SeShutdownPrivilege	2336	powercfg.exe
Token: SeCreatePagefilePrivilege	2336	powercfg.exe
Token: SeShutdownPrivilege	4028	powercfg.exe
Token: SeCreatePagefilePrivilege	4028	powercfg.exe
Token: SeDebugPrivilege	4860	XClient.exe
Token: SeDebugPrivilege	1208	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2008	flux.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 3148 wrote to memory of 3416	3148	Xbox.exe	86
PID 3148 wrote to memory of 3416	3148	Xbox.exe	86
PID 3148 wrote to memory of 2008	3148	Xbox.exe	87
PID 3148 wrote to memory of 2008	3148	Xbox.exe	87
PID 3148 wrote to memory of 2008	3148	Xbox.exe	87
PID 3148 wrote to memory of 4548	3148	Xbox.exe	88
PID 3148 wrote to memory of 4548	3148	Xbox.exe	88
PID 3148 wrote to memory of 4548	3148	Xbox.exe	88
PID 2008 wrote to memory of 2152	2008	flux.exe	90
PID 2008 wrote to memory of 2152	2008	flux.exe	90
PID 2008 wrote to memory of 2152	2008	flux.exe	90
PID 2008 wrote to memory of 1672	2008	flux.exe	92
PID 2008 wrote to memory of 1672	2008	flux.exe	92
PID 2008 wrote to memory of 1672	2008	flux.exe	92
PID 2008 wrote to memory of 4440	2008	flux.exe	94
PID 2008 wrote to memory of 4440	2008	flux.exe	94
PID 2008 wrote to memory of 4440	2008	flux.exe	94
PID 2008 wrote to memory of 3908	2008	flux.exe	96
PID 2008 wrote to memory of 3908	2008	flux.exe	96
PID 2008 wrote to memory of 3908	2008	flux.exe	96
PID 2008 wrote to memory of 3940	2008	flux.exe	98
PID 2008 wrote to memory of 3940	2008	flux.exe	98
PID 2008 wrote to memory of 3940	2008	flux.exe	98
PID 3140 wrote to memory of 3780	3140	cmd.exe	107
PID 3140 wrote to memory of 3780	3140	cmd.exe	107
PID 2224 wrote to memory of 3544	2224	cmd.exe	138
PID 2224 wrote to memory of 3544	2224	cmd.exe	138
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 2320	4336	gaexyjbdzroy.exe	151
PID 4336 wrote to memory of 3864	4336	gaexyjbdzroy.exe	156
PID 4336 wrote to memory of 3864	4336	gaexyjbdzroy.exe	156
PID 4336 wrote to memory of 3864	4336	gaexyjbdzroy.exe	156
PID 4336 wrote to memory of 3864	4336	gaexyjbdzroy.exe	156
PID 4336 wrote to memory of 3864	4336	gaexyjbdzroy.exe	156

C:\Users\Admin\AppData\Local\Temp\Xbox.exe
"C:\Users\Admin\AppData\Local\Temp\Xbox.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3148
- C:\Users\Public\build.exe
  "C:\Users\Public\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5116
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:208
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:976
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4072
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3152
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4852
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:2736
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "LNETTCDY" binpath= "C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:444
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:4704
- C:\Users\Public\flux.exe
  "C:\Users\Public\flux.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3940
- C:\Users\Public\XboxInstaller.exe
  "C:\Users\Public\XboxInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4548

C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4336
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3544
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3568
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4856
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1432
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1464
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2320
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3864

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log

Filesize
611B

MD5
0ac178e97bb01bbc54e3e8e56557bb94

SHA1
c867e788182ed35a331b643d557c1fb0056db87e

SHA256
2bc4f3fb1aef5822fcf28fab63a766249870cddc64af10138bf1e33fe4315878

SHA512
07ef4a4cf9f553485c2c1e405e42d15f70040c1e552b75cddb8030a1a96bf929828097538664565aa1a04a48627753058e8fe00ba2f44bda26210f2573ebbeeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
31bf270dfb65dbde8f22850f36a68d65

SHA1
7540f99fd08eca37058f01189da24841be9ea227

SHA256
18a1de89312eecd5c007738bfc2f278502caf2556547730ab7b0eff503eb8e05

SHA512
d150837e5060f2dd5512d2ac7fbef86e77ad95a76a9867466bf908a72ba51a4788f5b79199c30f136718408ff30382b7d30a2db76be6c14868ff6ef52ad8b007

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6d00d1582364f6c6e2c39ad94548aae4

SHA1
91b694a7431a7a0b83db1bea5359f3170071ee2e

SHA256
d2a815d2e3b7e553852d797e8b1c652cb2e85b8ae52ec9bb5678542213ebef8c

SHA512
4e574d211b5c4d6c4520fe0b4510f880dec5d041798650bc15b17de469be41f6b6c89acd7abf95b7d688485c3a18a0d86eed1c45df60b0f4e20d489b07594a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e6ca0a730b60730b78244a340acb948a

SHA1
b352fe27fb5b900ba406586be1f6f878a56a7e6b

SHA256
b7b9db66a6383274b73ddbd6626136f7df900898a8cb8fbe4df18bae256a14e1

SHA512
5a567587198ba9b45ecef65fc51959784dd61785380ac05129e87b240f0b81c8493900a345351885430dff43962e647419d1eea20752fcbd866bb3672fe1f838

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0b64e1e1b6dae71b8c0eb70cdbc9b16e

SHA1
f5f85efa6ffe259bee5028baea94878e4ce79b16

SHA256
f556c2c2f827b1c13870a42e24b6a0104af66f3edfe551ae09c828ad41c1ec67

SHA512
b0f955676a2e1ed8beea8935d6f8ab7698da81a12d94d53699bff4fd0da4a129be1b004a3cbbcd1d1ba3fef79b07eb9ecc006771e2c4be76c4e054ad9cd7a22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
511a97956e0e80e6774e14e0147dbbf3

SHA1
bb1783b72d42654462aa0e117bb8003b5ecbefe4

SHA256
df587018ac7e3b71fe695477f906b0ed6ee6b82b73426ce60769cae3f80cb2c3

SHA512
ec0740f0cffa5195374b66eb0d15f0d71dc2141b49e49467b5110b9c59ddcf1fa5919f92a6472740addf23f73abaade29676cb3d0f5467df5252cb24916ddd2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ytgkut0m.po2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\XboxInstaller.exe

Filesize
13.4MB

MD5
33c9518c086d0cca4a636bc86728485e

SHA1
2420ad25e243ab8905b49f60fe7fb96590661f50

SHA256
ba30ea16cd8fbd9209d40ae193206ad00f042d100524cf310982c33369325ca2

SHA512
6c2c470607b88e7cd79411b7a645b395cee3306a23e6ba50b8ac57f7d5529a1b350c34e19da69aeb1ffade44d5187b4a1ef209a53d21a83e9e35add10fc7867d

Download Submit
C:\Users\Public\build.exe

Filesize
5.1MB

MD5
e99a422a6e87545ae15e8184ea697809

SHA1
18c04b90aa66b23e87460ff9c91d732d5147872b

SHA256
4095beaf2970d2f15ff23e49a4c7bb8969c0a9e0bd5b034f6a442066c8e1ab92

SHA512
7f56e7b56a01f65f5f8e17c1dd9743c76136dee004b9e94cf544343e43fab4b5233f8405ec3909b5f01612e7399696dd5b66fad9ba361319fccf6457816a39dd

Download Submit
C:\Users\Public\flux.exe

Filesize
554KB

MD5
153e795f536e7159e5a14ed836e31dc0

SHA1
6d1049b0f029e8c96fb612b048b71ee6f32c9398

SHA256
b3d902eb6101db0346fd033453d626b7c8e92be6264fd06609b486006d4f0310

SHA512
74567f0d8c02ab638c083e15806bfcfd38f219bb6c46c596f165ffbd1b05ef685d7ab3eff17c198dd4d42d4866f076e644aef282e10ec875db48dc35f6251a70

Download Submit
memory/1668-235-0x0000014BEB5E0000-0x0000014BEB5FC000-memory.dmp

Filesize
112KB

Download
memory/1668-243-0x0000014BEB860000-0x0000014BEB86A000-memory.dmp

Filesize
40KB

Download
memory/1668-242-0x0000014BEB850000-0x0000014BEB856000-memory.dmp

Filesize
24KB

Download
memory/1668-241-0x0000014BEB820000-0x0000014BEB828000-memory.dmp

Filesize
32KB

Download
memory/1668-236-0x0000014BEB600000-0x0000014BEB6B5000-memory.dmp

Filesize
724KB

Download
memory/1668-240-0x0000014BEB870000-0x0000014BEB88A000-memory.dmp

Filesize
104KB

Download
memory/1668-239-0x0000014BEB810000-0x0000014BEB81A000-memory.dmp

Filesize
40KB

Download
memory/1668-238-0x0000014BEB830000-0x0000014BEB84C000-memory.dmp

Filesize
112KB

Download
memory/1668-237-0x0000014BEB6C0000-0x0000014BEB6CA000-memory.dmp

Filesize
40KB

Download
memory/1672-140-0x00000000060C0000-0x0000000006414000-memory.dmp

Filesize
3.3MB

Download
memory/1672-142-0x0000000069710000-0x000000006975C000-memory.dmp

Filesize
304KB

Download
memory/2008-31-0x0000000004FC0000-0x000000000505C000-memory.dmp

Filesize
624KB

Download
memory/2008-50-0x0000000004E40000-0x0000000004EA6000-memory.dmp

Filesize
408KB

Download
memory/2008-267-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/2008-268-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2008-200-0x0000000006670000-0x000000000667A000-memory.dmp

Filesize
40KB

Download
memory/2008-199-0x00000000066C0000-0x0000000006C64000-memory.dmp

Filesize
5.6MB

Download
memory/2008-30-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2008-29-0x0000000004D10000-0x0000000004D28000-memory.dmp

Filesize
96KB

Download
memory/2008-28-0x0000000004AB0000-0x0000000004B42000-memory.dmp

Filesize
584KB

Download
memory/2008-27-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/2008-26-0x00000000001D0000-0x0000000000260000-memory.dmp

Filesize
576KB

Download
memory/2152-79-0x00000000053F0000-0x0000000005412000-memory.dmp

Filesize
136KB

Download
memory/2152-77-0x0000000002AA0000-0x0000000002AD6000-memory.dmp

Filesize
216KB

Download
memory/2152-120-0x00000000076F0000-0x000000000770A000-memory.dmp

Filesize
104KB

Download
memory/2152-121-0x0000000007760000-0x000000000776A000-memory.dmp

Filesize
40KB

Download
memory/2152-122-0x0000000007970000-0x0000000007A06000-memory.dmp

Filesize
600KB

Download
memory/2152-123-0x00000000078F0000-0x0000000007901000-memory.dmp

Filesize
68KB

Download
memory/2152-124-0x0000000007920000-0x000000000792E000-memory.dmp

Filesize
56KB

Download
memory/2152-125-0x0000000007930000-0x0000000007944000-memory.dmp

Filesize
80KB

Download
memory/2152-126-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/2152-127-0x0000000007A10000-0x0000000007A18000-memory.dmp

Filesize
32KB

Download
memory/2152-118-0x00000000075C0000-0x0000000007663000-memory.dmp

Filesize
652KB

Download
memory/2152-117-0x00000000069A0000-0x00000000069BE000-memory.dmp

Filesize
120KB

Download
memory/2152-107-0x0000000069710000-0x000000006975C000-memory.dmp

Filesize
304KB

Download
memory/2152-106-0x0000000007370000-0x00000000073A2000-memory.dmp

Filesize
200KB

Download
memory/2152-119-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/2152-78-0x0000000005560000-0x0000000005B88000-memory.dmp

Filesize
6.2MB

Download
memory/2152-80-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/2152-90-0x0000000005D90000-0x00000000060E4000-memory.dmp

Filesize
3.3MB

Download
memory/2152-92-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/2152-91-0x00000000063C0000-0x00000000063DE000-memory.dmp

Filesize
120KB

Download
memory/2264-201-0x00000203FACC0000-0x00000203FACE2000-memory.dmp

Filesize
136KB

Download
memory/2320-250-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2320-253-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2320-246-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2320-247-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2320-248-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2320-249-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3148-0-0x00007FFAAEC83000-0x00007FFAAEC85000-memory.dmp

Filesize
8KB

Download
memory/3148-1-0x00000000003B0000-0x00000000016C0000-memory.dmp

Filesize
19.1MB

Download
memory/3864-278-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-262-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-271-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-279-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-266-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-280-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-261-0x00000000013A0000-0x00000000013C0000-memory.dmp

Filesize
128KB

Download
memory/3864-260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-265-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-263-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-270-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-259-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-257-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3864-255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3908-184-0x0000000069710000-0x000000006975C000-memory.dmp

Filesize
304KB

Download
memory/4440-163-0x0000000069710000-0x000000006975C000-memory.dmp

Filesize
304KB

Download
memory/4548-94-0x000000000BFC0000-0x000000000BFC8000-memory.dmp

Filesize
32KB

Download
memory/4548-45-0x0000000000DF0000-0x0000000001B5A000-memory.dmp

Filesize
13.4MB

Download
memory/4548-44-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4548-269-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/4548-46-0x00000000068F0000-0x0000000006916000-memory.dmp

Filesize
152KB

Download
memory/4548-47-0x00000000067C0000-0x00000000067C8000-memory.dmp

Filesize
32KB

Download
memory/4548-48-0x00000000067D0000-0x00000000067DA000-memory.dmp

Filesize
40KB

Download
memory/4548-61-0x000000000C170000-0x000000000C1A8000-memory.dmp

Filesize
224KB

Download
memory/4548-62-0x000000000BEA0000-0x000000000BEAE000-memory.dmp

Filesize
56KB

Download
memory/4548-93-0x0000000015860000-0x0000000015882000-memory.dmp

Filesize
136KB

Download