xmrig | 7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c

Analysis

max time kernel
149s
max time network
147s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05/08/2024, 15:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Xbox.exe
Size

19.0MB
MD5

30880523d777f4fe75ca515c0d6df32b
SHA1

73629571c0c7f6bfae8422ff44d79b48e2e13d1f
SHA256

7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c
SHA512

1276a39236434cb7fc4903f2b75f1f6dceb1522aba70ff2babf70bae7088caeb5463f6f405e8bac51f2b1378c12291828dfa0978aaf009821cf87385d9824f81
SSDEEP

196608:Yb61gbgwY5kuaC4FaXtBrlOMOpnLo213diio7eLi4iUK+cTwfnrUzhjzO5quL971:Yo487OsOcTwfOa5L93edRaF/

Score

10^/10

xmrig xworm discovery evasion execution miner persistence rat trojan upx

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2216-17-0x0000000005330000-0x0000000005348000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral1/memory/2896-1247-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1246-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1244-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1243-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1241-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1245-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1240-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1254-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1255-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1259-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1261-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2896-1260-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4088	powershell.exe
4512	powershell.exe
2756	powershell.exe
4116	powershell.exe
3316	powershell.exe
4704	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe

Executes dropped EXE 6 IoCs

pid	Process
1288	build.exe
2216	flux.exe
752	XboxInstaller.exe
2264	gaexyjbdzroy.exe
4560	XClient.exe
2140	XClient.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2896-1234-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1243-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1241-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1237-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1233-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1240-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1236-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1254-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1255-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1259-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2896-1260-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	flux.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	XboxInstaller.exe
File opened (read-only)	\??\X:	XboxInstaller.exe
File opened (read-only)	\??\Z:	XboxInstaller.exe
File opened (read-only)	\??\R:	XboxInstaller.exe
File opened (read-only)	\??\S:	XboxInstaller.exe
File opened (read-only)	\??\T:	XboxInstaller.exe
File opened (read-only)	\??\U:	XboxInstaller.exe
File opened (read-only)	\??\V:	XboxInstaller.exe
File opened (read-only)	\??\E:	XboxInstaller.exe
File opened (read-only)	\??\L:	XboxInstaller.exe
File opened (read-only)	\??\M:	XboxInstaller.exe
File opened (read-only)	\??\K:	XboxInstaller.exe
File opened (read-only)	\??\O:	XboxInstaller.exe
File opened (read-only)	\??\Y:	XboxInstaller.exe
File opened (read-only)	\??\H:	XboxInstaller.exe
File opened (read-only)	\??\I:	XboxInstaller.exe
File opened (read-only)	\??\J:	XboxInstaller.exe
File opened (read-only)	\??\N:	XboxInstaller.exe
File opened (read-only)	\??\P:	XboxInstaller.exe
File opened (read-only)	\??\W:	XboxInstaller.exe
File opened (read-only)	\??\A:	XboxInstaller.exe
File opened (read-only)	\??\B:	XboxInstaller.exe
File opened (read-only)	\??\G:	XboxInstaller.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2668	powercfg.exe
2996	powercfg.exe
2292	powercfg.exe
5100	powercfg.exe
4072	powercfg.exe
344	powercfg.exe
3024	powercfg.exe
2896	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	gaexyjbdzroy.exe
File opened for modification	C:\Windows\system32\MRT.exe	build.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 set thread context of 2896	2264	gaexyjbdzroy.exe	142

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
504	sc.exe
1568	sc.exe
4692	sc.exe
2420	sc.exe
2160	sc.exe
3076	sc.exe
4488	sc.exe
4868	sc.exe
212	sc.exe
4984	sc.exe
4204	sc.exe
1880	sc.exe
1988	sc.exe
3044	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XboxInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1988	timeout.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
4088	powershell.exe
4088	powershell.exe
4088	powershell.exe
4512	powershell.exe
4512	powershell.exe
4512	powershell.exe
1288	build.exe
2756	powershell.exe
2756	powershell.exe
2756	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
1288	build.exe
2264	gaexyjbdzroy.exe
3316	powershell.exe
3316	powershell.exe
3316	powershell.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2264	gaexyjbdzroy.exe
2216	flux.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe
2896	explorer.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	flux.exe
Token: SeShutdownPrivilege	752	XboxInstaller.exe
Token: SeCreatePagefilePrivilege	752	XboxInstaller.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	4512	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4116	powershell.exe
Token: SeIncreaseQuotaPrivilege	2756	powershell.exe
Token: SeSecurityPrivilege	2756	powershell.exe
Token: SeTakeOwnershipPrivilege	2756	powershell.exe
Token: SeLoadDriverPrivilege	2756	powershell.exe
Token: SeSystemProfilePrivilege	2756	powershell.exe
Token: SeSystemtimePrivilege	2756	powershell.exe
Token: SeProfSingleProcessPrivilege	2756	powershell.exe
Token: SeIncBasePriorityPrivilege	2756	powershell.exe
Token: SeCreatePagefilePrivilege	2756	powershell.exe
Token: SeBackupPrivilege	2756	powershell.exe
Token: SeRestorePrivilege	2756	powershell.exe
Token: SeShutdownPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeSystemEnvironmentPrivilege	2756	powershell.exe
Token: SeRemoteShutdownPrivilege	2756	powershell.exe
Token: SeUndockPrivilege	2756	powershell.exe
Token: SeManageVolumePrivilege	2756	powershell.exe
Token: 33	2756	powershell.exe
Token: 34	2756	powershell.exe
Token: 35	2756	powershell.exe
Token: 36	2756	powershell.exe
Token: SeShutdownPrivilege	3024	powercfg.exe
Token: SeCreatePagefilePrivilege	3024	powercfg.exe
Token: SeShutdownPrivilege	4072	powercfg.exe
Token: SeCreatePagefilePrivilege	4072	powercfg.exe
Token: SeShutdownPrivilege	344	powercfg.exe
Token: SeCreatePagefilePrivilege	344	powercfg.exe
Token: SeShutdownPrivilege	2896	powercfg.exe
Token: SeCreatePagefilePrivilege	2896	powercfg.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3316	powershell.exe
Token: SeIncreaseQuotaPrivilege	3316	powershell.exe
Token: SeSecurityPrivilege	3316	powershell.exe
Token: SeTakeOwnershipPrivilege	3316	powershell.exe
Token: SeLoadDriverPrivilege	3316	powershell.exe
Token: SeSystemtimePrivilege	3316	powershell.exe
Token: SeBackupPrivilege	3316	powershell.exe
Token: SeRestorePrivilege	3316	powershell.exe
Token: SeShutdownPrivilege	3316	powershell.exe
Token: SeSystemEnvironmentPrivilege	3316	powershell.exe
Token: SeUndockPrivilege	3316	powershell.exe
Token: SeManageVolumePrivilege	3316	powershell.exe
Token: SeDebugPrivilege	2216	flux.exe
Token: SeLockMemoryPrivilege	2896	explorer.exe
Token: SeShutdownPrivilege	2292	powercfg.exe
Token: SeCreatePagefilePrivilege	2292	powercfg.exe
Token: SeShutdownPrivilege	2996	powercfg.exe
Token: SeCreatePagefilePrivilege	2996	powercfg.exe
Token: SeShutdownPrivilege	5100	powercfg.exe
Token: SeCreatePagefilePrivilege	5100	powercfg.exe
Token: SeShutdownPrivilege	2668	powercfg.exe
Token: SeCreatePagefilePrivilege	2668	powercfg.exe
Token: SeDebugPrivilege	4560	XClient.exe
Token: SeDebugPrivilege	2140	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2216	flux.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1288	4900	Xbox.exe	73
PID 4900 wrote to memory of 1288	4900	Xbox.exe	73
PID 4900 wrote to memory of 2216	4900	Xbox.exe	74
PID 4900 wrote to memory of 2216	4900	Xbox.exe	74
PID 4900 wrote to memory of 2216	4900	Xbox.exe	74
PID 4900 wrote to memory of 752	4900	Xbox.exe	75
PID 4900 wrote to memory of 752	4900	Xbox.exe	75
PID 4900 wrote to memory of 752	4900	Xbox.exe	75
PID 2216 wrote to memory of 4704	2216	flux.exe	77
PID 2216 wrote to memory of 4704	2216	flux.exe	77
PID 2216 wrote to memory of 4704	2216	flux.exe	77
PID 2216 wrote to memory of 4088	2216	flux.exe	79
PID 2216 wrote to memory of 4088	2216	flux.exe	79
PID 2216 wrote to memory of 4088	2216	flux.exe	79
PID 2216 wrote to memory of 4512	2216	flux.exe	81
PID 2216 wrote to memory of 4512	2216	flux.exe	81
PID 2216 wrote to memory of 4512	2216	flux.exe	81
PID 2216 wrote to memory of 4116	2216	flux.exe	85
PID 2216 wrote to memory of 4116	2216	flux.exe	85
PID 2216 wrote to memory of 4116	2216	flux.exe	85
PID 2816 wrote to memory of 1048	2816	cmd.exe	94
PID 2816 wrote to memory of 1048	2816	cmd.exe	94
PID 2216 wrote to memory of 3288	2216	flux.exe	120
PID 2216 wrote to memory of 3288	2216	flux.exe	120
PID 2216 wrote to memory of 3288	2216	flux.exe	120
PID 212 wrote to memory of 1152	212	cmd.exe	128
PID 212 wrote to memory of 1152	212	cmd.exe	128
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2416	2264	gaexyjbdzroy.exe	139
PID 2264 wrote to memory of 2896	2264	gaexyjbdzroy.exe	142
PID 2264 wrote to memory of 2896	2264	gaexyjbdzroy.exe	142
PID 2264 wrote to memory of 2896	2264	gaexyjbdzroy.exe	142
PID 2264 wrote to memory of 2896	2264	gaexyjbdzroy.exe	142
PID 2264 wrote to memory of 2896	2264	gaexyjbdzroy.exe	142
PID 2216 wrote to memory of 2988	2216	flux.exe	149
PID 2216 wrote to memory of 2988	2216	flux.exe	149
PID 2216 wrote to memory of 2988	2216	flux.exe	149
PID 2216 wrote to memory of 3660	2216	flux.exe	151
PID 2216 wrote to memory of 3660	2216	flux.exe	151
PID 2216 wrote to memory of 3660	2216	flux.exe	151
PID 3660 wrote to memory of 1988	3660	cmd.exe	153
PID 3660 wrote to memory of 1988	3660	cmd.exe	153
PID 3660 wrote to memory of 1988	3660	cmd.exe	153

C:\Users\Admin\AppData\Local\Temp\Xbox.exe
"C:\Users\Admin\AppData\Local\Temp\Xbox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Public\build.exe
  "C:\Users\Public\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1288
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4488
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:504
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4868
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:212
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1880
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:4984
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "LNETTCDY" binpath= "C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2160
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3076
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:1568
- C:\Users\Public\flux.exe
  "C:\Users\Public\flux.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4512
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3288
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A25.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1988
- C:\Users\Public\XboxInstaller.exe
  "C:\Users\Public\XboxInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:752

C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1988
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4204
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3044
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2420
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2416
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2896

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log

Filesize
611B

MD5
8e8d72bcd3888ab78462df25bc356c74

SHA1
6bd8168734b86ecdef5e06b5ad28d76e0b568477

SHA256
a641f7edee0edd71d18c1d697f05ea965699c7860eb6717852d1ab4334f03383

SHA512
831985a9bc252cf1761721e8ef2ea80d3fa0555f568eafc626c2e92908487e652b799d8c006b1ddc05069207f48fbecfe619385dd8b778f71ff45204448f456a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
211c23e6d6ee2bd0da51c5bd5b9a3110

SHA1
94245b4e776ae61927d5cd85d963f34722af9541

SHA256
a04e1bae390de5357093f55ac5cc755bfdf5b083827fa6bdc8a0778667bfcd3c

SHA512
c5e816134e637a4ef04f32681865840e9765dd9b04979f72f2c38a8ebd8ac971e5519296f814c22b3cdc213e3b934cc2ab226394d2a7bbbd15b7c5bedbed0b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
72333ca1161a1056c6d95beda0e16dbb

SHA1
df720e456fb2ffe7b04ccd658a3c60bd169b3a18

SHA256
2b1512cbfd6e1e96fcad6b5312d9eee807be9bf09cbb93a26976145d0817e18a

SHA512
38a472cf6c3b912cdcc1593431fd4ac708cdf4b4da1bf7d33dc9eb3530ed263047ac4f09944b5d847e53410a57234b298c61d121f8af3b69274b8bb5b7b92c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fb6b8f08ab40c923dca95e6a8738df9b

SHA1
1b62316748c8e0a00ee3c704fd90dda5650bf178

SHA256
51070bf9d7a276991051e7d51d9c7ff2371e2e55b83d5af8ea1bee0f2859ed2d

SHA512
b33beaad56832a301ff9869d078b7741d590d3950045b1a8ae37b05fed988b5d70e86d2d8cd556baf1a6fee41625cfa12a7fd4e83c097a3bf0616f0888b41663

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b0ce1970d7c75461a40d5d675e2ed628

SHA1
aeb91edcb1b9b2fa57d2835b45d738e7c468e7a4

SHA256
c5dc66c1df42792462ecafde613dd677585fa1f30ade003af96109cbdcfbc452

SHA512
efb56360c07bdd50964f97dcc53709fd01b286acb7f1a7246dc87ec605c03e3189ecaa47a5b174c69d3ddc5c16af7e2e71e2183727bccadde5ade878f06804e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fe0c340eeb201ca6eac724da82af469a

SHA1
bdc27baeb03ab89a2f6edd5b06fae55f17899ba9

SHA256
1450cfc58deac02cc9868cc091b431659b08d4e1b4fa3a8f5b0dfb4acae37a88

SHA512
8c1aea3f7cfa8571cce2bfcbae2de61e4a6cea0a9610fb2298fa82ceac8d31d5b63b1662821f83fb4212cefc1270f8fb3372f4d1436edb610d86046043c092c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvl4y44a.g2j.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8A25.tmp.bat

Filesize
138B

MD5
7db3c21f33d142bd39a37ca9f6831888

SHA1
259c870df3f6c7f611b43d84669278c5b285da51

SHA256
bf0e9e67368ec2e92f30d61177ea7c67051d005f7b726a906ed9a4e5ced281e4

SHA512
79800f4c68d280dcfe6ea3635bcb59093f3e389c1e86e5aa673aa28197ff597bbb6366b661548e6b5119f0e795305b98cb81f1299584c9e257d93039607f6cea

Download Submit
C:\Users\Public\XboxInstaller.exe

Filesize
13.4MB

MD5
33c9518c086d0cca4a636bc86728485e

SHA1
2420ad25e243ab8905b49f60fe7fb96590661f50

SHA256
ba30ea16cd8fbd9209d40ae193206ad00f042d100524cf310982c33369325ca2

SHA512
6c2c470607b88e7cd79411b7a645b395cee3306a23e6ba50b8ac57f7d5529a1b350c34e19da69aeb1ffade44d5187b4a1ef209a53d21a83e9e35add10fc7867d

Download Submit
C:\Users\Public\build.exe

Filesize
5.1MB

MD5
e99a422a6e87545ae15e8184ea697809

SHA1
18c04b90aa66b23e87460ff9c91d732d5147872b

SHA256
4095beaf2970d2f15ff23e49a4c7bb8969c0a9e0bd5b034f6a442066c8e1ab92

SHA512
7f56e7b56a01f65f5f8e17c1dd9743c76136dee004b9e94cf544343e43fab4b5233f8405ec3909b5f01612e7399696dd5b66fad9ba361319fccf6457816a39dd

Download Submit
C:\Users\Public\flux.exe

Filesize
554KB

MD5
153e795f536e7159e5a14ed836e31dc0

SHA1
6d1049b0f029e8c96fb612b048b71ee6f32c9398

SHA256
b3d902eb6101db0346fd033453d626b7c8e92be6264fd06609b486006d4f0310

SHA512
74567f0d8c02ab638c083e15806bfcfd38f219bb6c46c596f165ffbd1b05ef685d7ab3eff17c198dd4d42d4866f076e644aef282e10ec875db48dc35f6251a70

Download Submit
memory/752-24-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/752-27-0x00000000060A0000-0x00000000060A8000-memory.dmp

Filesize
32KB

Download
memory/752-26-0x0000000006180000-0x00000000061A6000-memory.dmp

Filesize
152KB

Download
memory/752-28-0x00000000060D0000-0x00000000060DA000-memory.dmp

Filesize
40KB

Download
memory/752-40-0x000000000A830000-0x000000000A868000-memory.dmp

Filesize
224KB

Download
memory/752-25-0x0000000000660000-0x00000000013CA000-memory.dmp

Filesize
13.4MB

Download
memory/752-1250-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/752-56-0x0000000009B70000-0x0000000009B78000-memory.dmp

Filesize
32KB

Download
memory/2216-55-0x00000000053E0000-0x0000000005446000-memory.dmp

Filesize
408KB

Download
memory/2216-1235-0x0000000006B10000-0x000000000700E000-memory.dmp

Filesize
5.0MB

Download
memory/2216-1268-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-1239-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/2216-1088-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-1087-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download
memory/2216-12-0x000000007401E000-0x000000007401F000-memory.dmp

Filesize
4KB

Download
memory/2216-16-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/2216-20-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/2216-13-0x00000000008A0000-0x0000000000930000-memory.dmp

Filesize
576KB

Download
memory/2216-22-0x0000000074010000-0x00000000746FE000-memory.dmp

Filesize
6.9MB

Download
memory/2216-17-0x0000000005330000-0x0000000005348000-memory.dmp

Filesize
96KB

Download
memory/2416-1225-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2416-1227-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2416-1232-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2416-1229-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2416-1228-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2416-1226-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2756-784-0x0000022D8D350000-0x0000022D8D372000-memory.dmp

Filesize
136KB

Download
memory/2756-793-0x0000022DA5960000-0x0000022DA59D6000-memory.dmp

Filesize
472KB

Download
memory/2896-1245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1237-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1242-0x0000000000DE0000-0x0000000000E00000-memory.dmp

Filesize
128KB

Download
memory/2896-1240-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1254-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1255-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1259-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1233-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1241-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1236-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1234-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2896-1243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3316-1099-0x0000029073AD0000-0x0000029073B89000-memory.dmp

Filesize
740KB

Download
memory/3316-1132-0x0000029073460000-0x000002907346A000-memory.dmp

Filesize
40KB

Download
memory/3316-1093-0x0000029073440000-0x000002907345C000-memory.dmp

Filesize
112KB

Download
memory/4088-319-0x0000000007B10000-0x0000000007E60000-memory.dmp

Filesize
3.3MB

Download
memory/4088-337-0x0000000069A70000-0x0000000069ABB000-memory.dmp

Filesize
300KB

Download
memory/4116-845-0x0000000069A70000-0x0000000069ABB000-memory.dmp

Filesize
300KB

Download
memory/4512-571-0x0000000069A70000-0x0000000069ABB000-memory.dmp

Filesize
300KB

Download
memory/4704-102-0x0000000009640000-0x00000000096D4000-memory.dmp

Filesize
592KB

Download
memory/4704-70-0x0000000004700000-0x0000000004736000-memory.dmp

Filesize
216KB

Download
memory/4704-300-0x0000000009580000-0x0000000009588000-memory.dmp

Filesize
32KB

Download
memory/4704-295-0x00000000095A0000-0x00000000095BA000-memory.dmp

Filesize
104KB

Download
memory/4704-71-0x00000000072F0000-0x0000000007918000-memory.dmp

Filesize
6.2MB

Download
memory/4704-101-0x0000000009410000-0x00000000094B5000-memory.dmp

Filesize
660KB

Download
memory/4704-96-0x00000000092C0000-0x00000000092DE000-memory.dmp

Filesize
120KB

Download
memory/4704-95-0x0000000069A70000-0x0000000069ABB000-memory.dmp

Filesize
300KB

Download
memory/4704-94-0x00000000092E0000-0x0000000009313000-memory.dmp

Filesize
204KB

Download
memory/4704-72-0x0000000007160000-0x0000000007182000-memory.dmp

Filesize
136KB

Download
memory/4704-77-0x00000000081E0000-0x0000000008256000-memory.dmp

Filesize
472KB

Download
memory/4704-76-0x0000000008000000-0x000000000804B000-memory.dmp

Filesize
300KB

Download
memory/4704-75-0x0000000007F10000-0x0000000007F2C000-memory.dmp

Filesize
112KB

Download
memory/4704-74-0x0000000007B00000-0x0000000007E50000-memory.dmp

Filesize
3.3MB

Download
memory/4704-73-0x0000000007200000-0x0000000007266000-memory.dmp

Filesize
408KB

Download
memory/4900-0-0x00007FFC73053000-0x00007FFC73054000-memory.dmp

Filesize
4KB

Download
memory/4900-1-0x00000000003A0000-0x00000000016B0000-memory.dmp

Filesize
19.1MB

Download