xred | 0ead901357740bc3954c78cffff8d51611da7f9ddcc60fedc29cfc0a5611039d

Analysis

max time kernel
8s
max time network
32s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-11-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windxten.exe
Size

1.4MB
MD5

70487c862739b4c07713647d669c1a27
SHA1

82f8f407ed9444262baa6a914fbeec3a51f83652
SHA256

0ead901357740bc3954c78cffff8d51611da7f9ddcc60fedc29cfc0a5611039d
SHA512

a1f8a06391a1930312d4963773ab9c80b8fd40e8ede1469ce090fc56f8e71bf7cd1768762476f8f168986945b4d32614a2ee82fca5a748ba2873b7c22086b9da
SSDEEP

24576:vnsJ39LyjbJkQFMhmC+6GD9n3/g8cUWDyTGLAeNzMnF124VsODEwKZ6:vnsHyjtk2MYC5GDt3/qBNLAe9MF12zBM

Score

10^/10

xred xworm backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

45.141.27.213:7000

45.141.26.214:7000

Attributes

Install_directory
%ProgramData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x002900000004504b-135.dat	family_xworm
behavioral1/memory/2564-160-0x0000000000410000-0x0000000000426000-memory.dmp	family_xworm
behavioral1/files/0x002800000004504f-167.dat	family_xworm
behavioral1/memory/3180-176-0x0000000000A50000-0x0000000000A68000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3176	powershell.exe
1232	powershell.exe
2192	powershell.exe
2420	powershell.exe
2124	powershell.exe
4228	powershell.exe
4068	powershell.exe
1480	powershell.exe

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

windxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exe._cache_windxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	._cache_windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4152190078-1497776152-96910572-1000\Control Panel\International\Geo\Nation	windxten.exe

Executes dropped EXE 56 IoCs

Processes:

._cache_windxten.exeSynaptics.exeXClient.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exesvchost.exewindxten.exe

pid	Process
3696	._cache_windxten.exe
4612	Synaptics.exe
2564	XClient.exe
640	windxten.exe
3180	svchost.exe
2860	windxten.exe
2016	svchost.exe
3388	windxten.exe
3384	svchost.exe
2248	windxten.exe
4564	svchost.exe
4528	windxten.exe
4900	svchost.exe
3016	windxten.exe
3340	svchost.exe
3500	windxten.exe
2396	svchost.exe
324	windxten.exe
4936	svchost.exe
2420	windxten.exe
3052	svchost.exe
1252	windxten.exe
4076	svchost.exe
3740	windxten.exe
2892	svchost.exe
3292	windxten.exe
4088	svchost.exe
4068	windxten.exe
4560	svchost.exe
1180	windxten.exe
4596	svchost.exe
3168	windxten.exe
4448	svchost.exe
2696	windxten.exe
1204	svchost.exe
1168	windxten.exe
3780	svchost.exe
1056	windxten.exe
1848	svchost.exe
1764	windxten.exe
4092	svchost.exe
3588	windxten.exe
4632	svchost.exe
4924	windxten.exe
1404	svchost.exe
4136	windxten.exe
4276	svchost.exe
396	windxten.exe
4432	svchost.exe
228	windxten.exe
1468	svchost.exe
3384	windxten.exe
4024	svchost.exe
2088	windxten.exe
220	svchost.exe
4844	windxten.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

windxten.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	windxten.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

windxten.exeSynaptics.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windxten.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

windxten.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	windxten.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2148	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

XClient.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	2564	XClient.exe
Token: SeDebugPrivilege	3180	svchost.exe
Token: SeDebugPrivilege	2016	svchost.exe
Token: SeDebugPrivilege	3384	svchost.exe
Token: SeDebugPrivilege	4564	svchost.exe
Token: SeDebugPrivilege	4900	svchost.exe
Token: SeDebugPrivilege	3340	svchost.exe
Token: SeDebugPrivilege	2396	svchost.exe
Token: SeDebugPrivilege	4936	svchost.exe
Token: SeDebugPrivilege	3052	svchost.exe
Token: SeDebugPrivilege	4076	svchost.exe
Token: SeDebugPrivilege	2892	svchost.exe
Token: SeDebugPrivilege	4088	svchost.exe
Token: SeDebugPrivilege	4560	svchost.exe
Token: SeDebugPrivilege	4596	svchost.exe
Token: SeDebugPrivilege	4448	svchost.exe
Token: SeDebugPrivilege	1204	svchost.exe
Token: SeDebugPrivilege	3780	svchost.exe
Token: SeDebugPrivilege	1848	svchost.exe
Token: SeDebugPrivilege	4092	svchost.exe
Token: SeDebugPrivilege	4632	svchost.exe
Token: SeDebugPrivilege	1404	svchost.exe
Token: SeDebugPrivilege	4276	svchost.exe
Token: SeDebugPrivilege	4432	svchost.exe
Token: SeDebugPrivilege	1468	svchost.exe
Token: SeDebugPrivilege	4024	svchost.exe
Token: SeDebugPrivilege	220	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid	Process
2148	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE
2148	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

windxten.exe._cache_windxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exewindxten.exe

description	pid	Process	procid_target
PID 272 wrote to memory of 3696	272	windxten.exe	80
PID 272 wrote to memory of 3696	272	windxten.exe	80
PID 272 wrote to memory of 4612	272	windxten.exe	81
PID 272 wrote to memory of 4612	272	windxten.exe	81
PID 272 wrote to memory of 4612	272	windxten.exe	81
PID 3696 wrote to memory of 2564	3696	._cache_windxten.exe	82
PID 3696 wrote to memory of 2564	3696	._cache_windxten.exe	82
PID 3696 wrote to memory of 640	3696	._cache_windxten.exe	83
PID 3696 wrote to memory of 640	3696	._cache_windxten.exe	83
PID 640 wrote to memory of 3180	640	windxten.exe	84
PID 640 wrote to memory of 3180	640	windxten.exe	84
PID 640 wrote to memory of 2860	640	windxten.exe	85
PID 640 wrote to memory of 2860	640	windxten.exe	85
PID 2860 wrote to memory of 2016	2860	windxten.exe	86
PID 2860 wrote to memory of 2016	2860	windxten.exe	86
PID 2860 wrote to memory of 3388	2860	windxten.exe	87
PID 2860 wrote to memory of 3388	2860	windxten.exe	87
PID 3388 wrote to memory of 3384	3388	windxten.exe	88
PID 3388 wrote to memory of 3384	3388	windxten.exe	88
PID 3388 wrote to memory of 2248	3388	windxten.exe	89
PID 3388 wrote to memory of 2248	3388	windxten.exe	89
PID 2248 wrote to memory of 4564	2248	windxten.exe	92
PID 2248 wrote to memory of 4564	2248	windxten.exe	92
PID 2248 wrote to memory of 4528	2248	windxten.exe	93
PID 2248 wrote to memory of 4528	2248	windxten.exe	93
PID 4528 wrote to memory of 4900	4528	windxten.exe	94
PID 4528 wrote to memory of 4900	4528	windxten.exe	94
PID 4528 wrote to memory of 3016	4528	windxten.exe	95
PID 4528 wrote to memory of 3016	4528	windxten.exe	95
PID 3016 wrote to memory of 3340	3016	windxten.exe	96
PID 3016 wrote to memory of 3340	3016	windxten.exe	96
PID 3016 wrote to memory of 3500	3016	windxten.exe	97
PID 3016 wrote to memory of 3500	3016	windxten.exe	97
PID 3500 wrote to memory of 2396	3500	windxten.exe	98
PID 3500 wrote to memory of 2396	3500	windxten.exe	98
PID 3500 wrote to memory of 324	3500	windxten.exe	100
PID 3500 wrote to memory of 324	3500	windxten.exe	100
PID 324 wrote to memory of 4936	324	windxten.exe	101
PID 324 wrote to memory of 4936	324	windxten.exe	101
PID 324 wrote to memory of 2420	324	windxten.exe	228
PID 324 wrote to memory of 2420	324	windxten.exe	228
PID 2420 wrote to memory of 3052	2420	windxten.exe	104
PID 2420 wrote to memory of 3052	2420	windxten.exe	104
PID 2420 wrote to memory of 1252	2420	windxten.exe	105
PID 2420 wrote to memory of 1252	2420	windxten.exe	105
PID 1252 wrote to memory of 4076	1252	windxten.exe	106
PID 1252 wrote to memory of 4076	1252	windxten.exe	106
PID 1252 wrote to memory of 3740	1252	windxten.exe	107
PID 1252 wrote to memory of 3740	1252	windxten.exe	107
PID 3740 wrote to memory of 2892	3740	windxten.exe	108
PID 3740 wrote to memory of 2892	3740	windxten.exe	108
PID 3740 wrote to memory of 3292	3740	windxten.exe	109
PID 3740 wrote to memory of 3292	3740	windxten.exe	109
PID 3292 wrote to memory of 4088	3292	windxten.exe	248
PID 3292 wrote to memory of 4088	3292	windxten.exe	248
PID 3292 wrote to memory of 4068	3292	windxten.exe	180
PID 3292 wrote to memory of 4068	3292	windxten.exe	180
PID 4068 wrote to memory of 4560	4068	windxten.exe	232
PID 4068 wrote to memory of 4560	4068	windxten.exe	232
PID 4068 wrote to memory of 1180	4068	windxten.exe	113
PID 4068 wrote to memory of 1180	4068	windxten.exe	113
PID 1180 wrote to memory of 4596	1180	windxten.exe	114
PID 1180 wrote to memory of 4596	1180	windxten.exe	114
PID 1180 wrote to memory of 3168	1180	windxten.exe	115

C:\Users\Admin\AppData\Local\Temp\windxten.exe
"C:\Users\Admin\AppData\Local\Temp\windxten.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:272
- C:\Users\Admin\AppData\Local\Temp\._cache_windxten.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_windxten.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\ProgramData\XClient.exe
    "C:\ProgramData\XClient.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1232
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2420
- - C:\ProgramData\windxten.exe
    "C:\ProgramData\windxten.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\ProgramData\svchost.exe
      "C:\ProgramData\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3176
  - - C:\ProgramData\windxten.exe
      "C:\ProgramData\windxten.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3388
      - C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3384
      - C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3740
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3168
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2696
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1168
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1056
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1764
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3588
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4924
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4136
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:396
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:228
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3384
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2088
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        29⤵
        Executes dropped EXE
        
        PID:4844
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        30⤵
        
        PID:2904
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        30⤵
        
        PID:4176
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        31⤵
        
        PID:4676
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        31⤵
        
        PID:5076
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        32⤵
        
        PID:1232
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        32⤵
        
        PID:4984
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        33⤵
        
        PID:5000
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        33⤵
        
        PID:852
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        34⤵
        
        PID:4824
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        34⤵
        
        PID:1860
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        35⤵
        
        PID:4388
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        35⤵
        
        PID:4452
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        36⤵
        
        PID:448
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        36⤵
        
        PID:2948
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        37⤵
        
        PID:820
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        37⤵
        
        PID:2876
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        38⤵
        
        PID:5076
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        38⤵
        
        PID:4000
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        39⤵
        
        PID:252
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        39⤵
        
        PID:4420
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        40⤵
        
        PID:3852
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        40⤵
        
        PID:4608
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        41⤵
        
        PID:5096
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        41⤵
        
        PID:1904
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        42⤵
        
        PID:2624
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        42⤵
        
        PID:2168
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        43⤵
        
        PID:1036
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        43⤵
        
        PID:4796
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        44⤵
        
        PID:4016
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        44⤵
        
        PID:4088
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        45⤵
        
        PID:1152
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        45⤵
        
        PID:2948
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        46⤵
        
        PID:2996
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        46⤵
        
        PID:852
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        47⤵
        
        PID:892
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        47⤵
        
        PID:4668
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        48⤵
        
        PID:4088
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        48⤵
        
        PID:568
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        49⤵
        
        PID:5088
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        49⤵
        
        PID:4472
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        50⤵
        
        PID:3472
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        50⤵
        
        PID:4796
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        51⤵
        
        PID:1224
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        51⤵
        
        PID:4344
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        52⤵
        
        PID:3748
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        52⤵
        
        PID:1996
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        53⤵
        
        PID:4892
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        53⤵
        
        PID:4840
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        54⤵
        
        PID:1296
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        54⤵
        
        PID:1860
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        55⤵
        
        PID:4028
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        55⤵
        
        PID:1584
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        56⤵
        
        PID:1696
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        56⤵
        
        PID:4560
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        57⤵
        
        PID:4824
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        57⤵
        
        PID:1260
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        58⤵
        
        PID:1320
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        58⤵
        
        PID:380
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        59⤵
        
        PID:2628
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        59⤵
        
        PID:3780
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        60⤵
        
        PID:240
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        60⤵
        
        PID:4844
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        61⤵
        
        PID:320
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        61⤵
        
        PID:5012
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        62⤵
        
        PID:5096
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        62⤵
        
        PID:220
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        63⤵
        
        PID:656
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        63⤵
        
        PID:1972
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        64⤵
        
        PID:4560
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        64⤵
        
        PID:3580
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        65⤵
        
        PID:4252
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        65⤵
        
        PID:3136
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        66⤵
        
        PID:1504
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        66⤵
        
        PID:3004
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        67⤵
        
        PID:640
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        67⤵
        
        PID:2624
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        68⤵
        
        PID:3672
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        68⤵
        
        PID:1152
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        69⤵
        
        PID:1392
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        69⤵
        
        PID:884
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        70⤵
        
        PID:3128
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        70⤵
        
        PID:4336
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        71⤵
        
        PID:2228
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        71⤵
        
        PID:3780
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        72⤵
        
        PID:4088
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        72⤵
        
        PID:2952
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        73⤵
        
        PID:1580
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        73⤵
        
        PID:1756
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        74⤵
        
        PID:1040
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        74⤵
        
        PID:4564
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        75⤵
        
        PID:2980
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        75⤵
        
        PID:2356
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        76⤵
        
        PID:2432
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        76⤵
        
        PID:2412
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        77⤵
        
        PID:4520
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        77⤵
        
        PID:1304
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        78⤵
        
        PID:5088
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        78⤵
        
        PID:4924
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        79⤵
        
        PID:2504
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        79⤵
        
        PID:2796
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        80⤵
        
        PID:2964
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        80⤵
        
        PID:2356
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        81⤵
        
        PID:3640
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        81⤵
        
        PID:4824
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        82⤵
        
        PID:112
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        82⤵
        
        PID:4740
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        83⤵
        
        PID:2836
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        83⤵
        
        PID:3532
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        84⤵
        
        PID:1068
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        84⤵
        
        PID:4564
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        85⤵
        
        PID:4984
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        85⤵
        
        PID:4892
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        86⤵
        
        PID:2412
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        86⤵
        
        PID:1296
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        87⤵
        
        PID:2624
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        87⤵
        
        PID:776
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        88⤵
        
        PID:1224
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        88⤵
        
        PID:3756
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        89⤵
        
        PID:1644
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        89⤵
        
        PID:4016
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        90⤵
        
        PID:320
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        90⤵
        
        PID:2512
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        91⤵
        
        PID:1776
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        91⤵
        
        PID:2904
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        92⤵
        
        PID:568
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        92⤵
        
        PID:2380
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        93⤵
        
        PID:240
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        93⤵
        
        PID:448
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        94⤵
        
        PID:3752
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        94⤵
        
        PID:4016
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        95⤵
        
        PID:1504
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        95⤵
        
        PID:1468
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        96⤵
        
        PID:4136
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        96⤵
        
        PID:3756
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        97⤵
        
        PID:4476
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        97⤵
        
        PID:2696
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        98⤵
        
        PID:4716
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        98⤵
        
        PID:1580
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        99⤵
        
        PID:2892
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        99⤵
        
        PID:4632
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        100⤵
        
        PID:3816
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        100⤵
        
        PID:2168
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        101⤵
        
        PID:1672
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        101⤵
        
        PID:380
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        102⤵
        
        PID:3168
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        102⤵
        
        PID:5044
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        103⤵
        
        PID:4016
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        103⤵
        
        PID:4416
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        104⤵
        
        PID:2140
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        104⤵
        
        PID:112
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        105⤵
        
        PID:4236
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        105⤵
        
        PID:1840
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        106⤵
        
        PID:1740
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        106⤵
        
        PID:880
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        107⤵
        
        PID:2504
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        107⤵
        
        PID:2056
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        108⤵
        
        PID:1696
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        108⤵
        
        PID:1392
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        109⤵
        
        PID:1224
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        109⤵
        
        PID:3860
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        110⤵
        
        PID:4008
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        110⤵
        
        PID:4892
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        111⤵
        
        PID:3532
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        111⤵
        
        PID:4472
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        112⤵
        
        PID:3696
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        112⤵
        
        PID:1840
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        113⤵
        
        PID:1700
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        113⤵
        
        PID:2412
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        114⤵
        
        PID:1936
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        114⤵
        
        PID:1540
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        115⤵
        
        PID:1128
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        115⤵
        
        PID:4136
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        116⤵
        
        PID:4340
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        116⤵
        
        PID:4476
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        117⤵
        
        PID:252
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        117⤵
        
        PID:2836
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        118⤵
        
        PID:884
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        118⤵
        
        PID:1040
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        119⤵
        
        PID:4564
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        119⤵
        
        PID:1620
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        120⤵
        
        PID:1580
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        120⤵
        
        PID:2904
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        121⤵
        
        PID:3472
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        121⤵
        
        PID:2420
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        122⤵
        
        PID:1036
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        122⤵
        
        PID:5044
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        123⤵
        
        PID:1916
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        123⤵
        
        PID:4068
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        124⤵
        
        PID:824
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        124⤵
        
        PID:1296
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        125⤵
        
        PID:3440
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        125⤵
        
        PID:4004
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        126⤵
        
        PID:880
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        126⤵
        
        PID:5088
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        127⤵
        
        PID:2412
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        127⤵
        
        PID:720
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        128⤵
        
        PID:4336
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        128⤵
        
        PID:3748
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        129⤵
        
        PID:4416
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        129⤵
        
        PID:1992
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        130⤵
        
        PID:4528
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        130⤵
        
        PID:3292
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        131⤵
        
        PID:4148
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        131⤵
        
        PID:4132
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        132⤵
        
        PID:3128
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        132⤵
        
        PID:4008
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        133⤵
        
        PID:1428
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        133⤵
        
        PID:3168
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        134⤵
        
        PID:1304
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        134⤵
        
        PID:5012
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        135⤵
        
        PID:4136
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        135⤵
        
        PID:1072
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        136⤵
        
        PID:2088
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        136⤵
        
        PID:444
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        137⤵
        
        PID:4844
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        137⤵
        
        PID:4520
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        138⤵
        
        PID:2964
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        138⤵
        
        PID:4680
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        139⤵
        
        PID:2628
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        139⤵
        
        PID:4936
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        140⤵
        
        PID:4432
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        140⤵
        
        PID:3752
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        141⤵
        
        PID:1980
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        141⤵
        
        PID:4756
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        142⤵
        
        PID:4824
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        142⤵
        
        PID:1936
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        143⤵
        
        PID:4068
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        143⤵
        
        PID:4124
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        144⤵
        
        PID:2876
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        144⤵
        
        PID:4004
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        145⤵
        
        PID:3780
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        145⤵
        
        PID:3016
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        146⤵
        
        PID:3048
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        146⤵
        
        PID:4936
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        147⤵
        
        PID:4480
        
        C:\ProgramData\windxten.exe
        
        "C:\ProgramData\windxten.exe"
        147⤵
        
        PID:448
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4612

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:1168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
f8968f581b22448d4bf1c181b230b6fc

SHA1
f0a7f89035549cc001464d93f26c3e401e5450a4

SHA256
9719bb1d71927325e0735ad50ce8716baa80d29cdcc0b9fcccf77545d4af230e

SHA512
a48b2ed4f9acbc9bfe43940ff710fac1b96b0ad78fa1d7c576bd3eec641832c91359e551e7d62e28f56b51fa85ea741ae08bf0d6d1f9624a216cd7ffebfaf1db

Download Submit
C:\ProgramData\XClient.exe

Filesize
64KB

MD5
f0defb0eb794197b56b43bd6b4c9e7a7

SHA1
13e9c2f74bae8f5e12006024cad8267c400ab3ee

SHA256
991107af1bef63c78b2d6c9b966dca05cb9b6d6286dde9ec083bb80780ab35d6

SHA512
4a566fdb6c3aad170bf5745b73f391f2a9c87b4aa3fcdd2b741a32127db46381692d29402f7e09e5684bfb5dd75253b967918672c88f4309bf1799b8e2d8587e

Download Submit
C:\ProgramData\svchost.exe

Filesize
73KB

MD5
a6e3543ed1eeb525e84cc28e97713491

SHA1
442ab143ae0ca371e495cefc87c893d1642a98df

SHA256
3cc4913315247d3d179e8bfdd5778caf030926f68bcb12aacff481dca5d7857b

SHA512
01e079a5ae6e3d3f860e0c91b61d2dbbf4c02e4f52f1ccce3f7f628c9882b4e704dfe78a4389bec70459df898acab1bc6cdb18f15e7287a8d276117bf6f7453d

Download Submit
C:\ProgramData\windxten.exe

Filesize
625KB

MD5
d9ff762918a1712d34b6ba8dc685ebf0

SHA1
f3b718bed8f066f6215a7f231123730f4dca0883

SHA256
cfb20a2e571fbd5f76d6f511304ad84d4fbd5b54bd5a3a6652e986b0ffedf3b0

SHA512
c23e74fbd29c3e29c10b5720a60807d02fa8476a4a05d194621ba310bc746ddca15674fb97c5735a7d9fda5d416b1eeae97d6014413d0b1f8f856e489723b96b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\windxten.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_windxten.exe

Filesize
702KB

MD5
87815ff1c64162bf983272c78d16aaab

SHA1
464f6ab82c591c4c91549eb7b3f386b3e6c0bc4e

SHA256
a1a446fc41abf26d6963dcaa44d206098f7c9c47ed597c2089f3b1261c914fa8

SHA512
95e5155b1ea0d2d3051d71786b13f7d3f03222444f5d562648cbad804c48c3f678bb2ed47f5898959299fad74a3e76b6456cad616ea3e66647134f690cbfc2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sa5wx5p1.rg0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQ7eXZQU.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/272-131-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/272-0-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/640-161-0x0000000000930000-0x00000000009D2000-memory.dmp

Filesize
648KB

Download
memory/2124-250-0x0000018477DD0000-0x0000018477DF2000-memory.dmp

Filesize
136KB

Download
memory/2148-221-0x00007FFC26CB0000-0x00007FFC26CC0000-memory.dmp

Filesize
64KB

Download
memory/2148-220-0x00007FFC26CB0000-0x00007FFC26CC0000-memory.dmp

Filesize
64KB

Download
memory/2148-222-0x00007FFC26CB0000-0x00007FFC26CC0000-memory.dmp

Filesize
64KB

Download
memory/2148-225-0x00007FFC24510000-0x00007FFC24520000-memory.dmp

Filesize
64KB

Download
memory/2148-224-0x00007FFC26CB0000-0x00007FFC26CC0000-memory.dmp

Filesize
64KB

Download
memory/2148-228-0x00007FFC24510000-0x00007FFC24520000-memory.dmp

Filesize
64KB

Download
memory/2148-223-0x00007FFC26CB0000-0x00007FFC26CC0000-memory.dmp

Filesize
64KB

Download
memory/2564-160-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/3180-176-0x0000000000A50000-0x0000000000A68000-memory.dmp

Filesize
96KB

Download
memory/3696-68-0x00007FFC48293000-0x00007FFC48295000-memory.dmp

Filesize
8KB

Download
memory/3696-116-0x0000000000B60000-0x0000000000C16000-memory.dmp

Filesize
728KB

Download
memory/4612-308-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4612-335-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download