xmrig | 30d76e09797fbe92ce2ed452177f3ae3cf67ce0173bfbbe7fa46f540e8e43ef8

Analysis

max time kernel
1800s
max time network
1561s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

allminer.exe
Size

5.2MB
MD5

4450c620c5d1dd08eea7c3ad5270f6df
SHA1

91389a8503852ac27662ecd6631dcee0eedeeef2
SHA256

30d76e09797fbe92ce2ed452177f3ae3cf67ce0173bfbbe7fa46f540e8e43ef8
SHA512

9792fbbe7e7192f431443ab53b4f8c04ada9b7647934c9385923d023fc030e23a8e56b50438e161409fa5b70f63ad346e9619d2b1bf50384fe4a982c0942697e
SSDEEP

98304:GvtPA6xB+3IFNaFE/1ZT6Pvn2F9rpV5BJmTlOlJBscGF4n0OC0IO+o6266ivSXXU:GvtPA61l/b0vnutfBqeQFT0ic4J

Score

10^/10

xmrig evasion miner persistence upx

Malware Config

Signatures

Modifies security service 2 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection = 22020100	svchost.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/1752-98-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
1408	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe

Loads dropped DLL 2 IoCs

pid	Process
480	services.exe
480	services.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1752-90-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1752-91-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1752-92-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1752-93-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1752-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1752-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00C.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc011.dat	WMIADAP.EXE
File created	C:\Windows\system32\PerfStringBackup.TMP	WMIADAP.EXE
File opened for modification	C:\Windows\system32\MRT.exe	allminer.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\perfc007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh009.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\MRT.exe	gmstcccpdzbb.exe
File created	C:\Windows\system32\perfh010.dat	WMIADAP.EXE
File created	C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini	WMIADAP.EXE
File created	C:\Windows\system32\perfc00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh007.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc009.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfh00A.dat	WMIADAP.EXE
File created	C:\Windows\system32\perfc010.dat	WMIADAP.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	gmstcccpdzbb.exe
File created	C:\Windows\system32\perfh011.dat	WMIADAP.EXE
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	WMIADAP.EXE

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 2492	2004	allminer.exe	51
PID 1408 set thread context of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 set thread context of 900	1408	gmstcccpdzbb.exe	87
PID 1408 set thread context of 1752	1408	gmstcccpdzbb.exe	88
PID 2496 set thread context of 2128	2496	gmstcccpdzbb.exe	110

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File opened for modification	C:\Windows\inf\WmiApRpl\WmiApRpl.h	WMIADAP.EXE
File created	C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini	WMIADAP.EXE
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat	sppsvc.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2592	sc.exe
540	sc.exe
2276	sc.exe
1852	sc.exe
2388	sc.exe
1204	sc.exe
1172	sc.exe
2764	sc.exe
2560	sc.exe
2844	sc.exe
2896	sc.exe
684	sc.exe
2768	sc.exe
2948	sc.exe
2324	sc.exe
1888	sc.exe
608	sc.exe
1136	sc.exe
1384	sc.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0960a193b6ada01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	allminer.exe
2632	powershell.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2004	allminer.exe
2492	dialer.exe
2492	dialer.exe
2492	dialer.exe
2492	dialer.exe
2004	allminer.exe
2004	allminer.exe
1408	gmstcccpdzbb.exe
756	powershell.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
1408	gmstcccpdzbb.exe
2328	dialer.exe
2328	dialer.exe
2328	dialer.exe
2328	dialer.exe
1408	gmstcccpdzbb.exe
900	dialer.exe
1584	powershell.exe
900	dialer.exe
2496	gmstcccpdzbb.exe
2748	powershell.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2328	dialer.exe
2328	dialer.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2496	gmstcccpdzbb.exe
2328	dialer.exe
2328	dialer.exe
2328	dialer.exe
2328	dialer.exe
2128	dialer.exe
2128	dialer.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeShutdownPrivilege	2480	powercfg.exe
Token: SeShutdownPrivilege	2464	powercfg.exe
Token: SeShutdownPrivilege	2512	powercfg.exe
Token: SeDebugPrivilege	2004	allminer.exe
Token: SeShutdownPrivilege	2524	powercfg.exe
Token: SeDebugPrivilege	2492	dialer.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeShutdownPrivilege	1540	powercfg.exe
Token: SeShutdownPrivilege	1052	powercfg.exe
Token: SeShutdownPrivilege	1696	powercfg.exe
Token: SeShutdownPrivilege	1692	powercfg.exe
Token: SeDebugPrivilege	1408	gmstcccpdzbb.exe
Token: SeDebugPrivilege	2328	dialer.exe
Token: SeLockMemoryPrivilege	1752	dialer.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeAuditPrivilege	860	svchost.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeShutdownPrivilege	2044	powercfg.exe
Token: SeShutdownPrivilege	656	powercfg.exe
Token: SeShutdownPrivilege	2340	powercfg.exe
Token: SeShutdownPrivilege	1392	powercfg.exe
Token: SeDebugPrivilege	2496	gmstcccpdzbb.exe
Token: SeDebugPrivilege	2128	dialer.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeAuditPrivilege	860	svchost.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeAuditPrivilege	860	svchost.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeAuditPrivilege	860	svchost.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2712	2600	cmd.exe	36
PID 2600 wrote to memory of 2712	2600	cmd.exe	36
PID 2600 wrote to memory of 2712	2600	cmd.exe	36
PID 2004 wrote to memory of 2492	2004	allminer.exe	51
PID 2004 wrote to memory of 2492	2004	allminer.exe	51
PID 2004 wrote to memory of 2492	2004	allminer.exe	51
PID 2004 wrote to memory of 2492	2004	allminer.exe	51
PID 2004 wrote to memory of 2492	2004	allminer.exe	51
PID 2004 wrote to memory of 2492	2004	allminer.exe	51
PID 2004 wrote to memory of 2492	2004	allminer.exe	51
PID 2492 wrote to memory of 436	2492	dialer.exe	3
PID 2492 wrote to memory of 480	2492	dialer.exe	2
PID 2492 wrote to memory of 496	2492	dialer.exe	1
PID 2492 wrote to memory of 504	2492	dialer.exe	26
PID 480 wrote to memory of 1408	480	services.exe	61
PID 480 wrote to memory of 1408	480	services.exe	61
PID 480 wrote to memory of 1408	480	services.exe	61
PID 2492 wrote to memory of 1408	2492	dialer.exe	61
PID 584 wrote to memory of 1248	584	cmd.exe	69
PID 584 wrote to memory of 1248	584	cmd.exe	69
PID 584 wrote to memory of 1248	584	cmd.exe	69
PID 1408 wrote to memory of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 wrote to memory of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 wrote to memory of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 wrote to memory of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 wrote to memory of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 wrote to memory of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 wrote to memory of 2328	1408	gmstcccpdzbb.exe	82
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 900	1408	gmstcccpdzbb.exe	87
PID 1408 wrote to memory of 1752	1408	gmstcccpdzbb.exe	88
PID 1408 wrote to memory of 1752	1408	gmstcccpdzbb.exe	88
PID 1408 wrote to memory of 1752	1408	gmstcccpdzbb.exe	88
PID 1408 wrote to memory of 1752	1408	gmstcccpdzbb.exe	88
PID 1408 wrote to memory of 1752	1408	gmstcccpdzbb.exe	88
PID 2328 wrote to memory of 436	2328	dialer.exe	3
PID 2328 wrote to memory of 480	2328	dialer.exe	2
PID 2328 wrote to memory of 496	2328	dialer.exe	1
PID 2328 wrote to memory of 504	2328	dialer.exe	26
PID 2328 wrote to memory of 596	2328	dialer.exe	25
PID 2328 wrote to memory of 672	2328	dialer.exe	8
PID 2328 wrote to memory of 764	2328	dialer.exe	24
PID 2328 wrote to memory of 808	2328	dialer.exe	23
PID 596 wrote to memory of 3020	596	svchost.exe	94
PID 596 wrote to memory of 3020	596	svchost.exe	94
PID 596 wrote to memory of 3020	596	svchost.exe	94
PID 2328 wrote to memory of 860	2328	dialer.exe	22
PID 2328 wrote to memory of 972	2328	dialer.exe	20
PID 2328 wrote to memory of 280	2328	dialer.exe	19
PID 2328 wrote to memory of 300	2328	dialer.exe	9
PID 2328 wrote to memory of 1072	2328	dialer.exe	18
PID 1972 wrote to memory of 988	1972	cmd.exe	98
PID 1972 wrote to memory of 988	1972	cmd.exe	98
PID 1972 wrote to memory of 988	1972	cmd.exe	98
PID 2328 wrote to memory of 1116	2328	dialer.exe	17
PID 2328 wrote to memory of 1176	2328	dialer.exe	16
PID 2328 wrote to memory of 1208	2328	dialer.exe	15

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:496

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:672
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:300
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  - Drops file in Windows directory
  PID:2336
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1620
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1116
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1072
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:280
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- - C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2804
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2256
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:3020
- C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
  C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:584
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1248
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2948
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1136
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1540
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2328
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe
      "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2496
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:988
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1852
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1384
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:2324
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1172
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:436

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1208
- C:\Users\Admin\AppData\Local\Temp\allminer.exe
  "C:\Users\Admin\AppData\Local\Temp\allminer.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2712
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2764
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1888
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2768
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2560
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2480
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2492
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:2844
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "XLZQHCLS" binpath= "C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2896
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "XLZQHCLS"
    3⤵
    - Launches sc.exe
    PID:540
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1460809643-1791063528204275386994390008-1831265778-443848367-1143670822-1595870627"
1⤵
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

Filesize
64KB

MD5
ede141a7f35963a22842ec7727316cd2

SHA1
d0adb4fc3e28be04462d863287893b7075eee02b

SHA256
f6a09d7ceeee7eb79f823df66130d8a8e2d29c40960414c140b670d5d0db9fd7

SHA512
d4addeccc2ce0942fe9ed083124bb81cd9f37f03fa8a82a4cdf1b3ed26bcbb08bc7e5b627799ff0962f4eade3e8d592d0997252bf6a173ea0e123a08b7014735

Download Submit
C:\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

Filesize
576KB

MD5
98201b171419d3c30cd6f812a96898fc

SHA1
74d60ca8bd0add1da08ccbad6d8a5aad8e40a509

SHA256
b20e105503bd0c363e043e5fbff3cc35911f944d33de663ce722de9fc01e5347

SHA512
32b3b7f7ba5bfe5ac373063bd85ed9c0b3b1df68456a09413835644aeb0fa3d759a66fc7d6e62a16eca821a18318b6458b20e68ae18f091f8573cf51fc532c7e

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
145KB

MD5
19c7052de3b7281b4c1c6bfbb543c5dc

SHA1
d2e12081a14c1069c89f2cee7357a559c27786e7

SHA256
14ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a

SHA512
289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
154KB

MD5
f0ecfbfa3e3e59fd02197018f7e9cb84

SHA1
961e9367a4ef3a189466c0a0a186faf8958bdbc4

SHA256
cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324

SHA512
116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
145KB

MD5
ce233fa5dc5adcb87a5185617a0ff6ac

SHA1
2e2747284b1204d3ab08733a29fdbabdf8dc55b9

SHA256
68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31

SHA512
1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
142KB

MD5
d73172c6cb697755f87cd047c474cf91

SHA1
abc5c7194abe32885a170ca666b7cce8251ac1d6

SHA256
9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57

SHA512
7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
118KB

MD5
045b3a28859ed815f97e17fcebadf523

SHA1
a3cfaf297b3ef6d2e7ae0e33b9e7a3f212c7c5bd

SHA256
690ebf33940e7d22aeef120d30cc8b1731b2b18ce0cb4b2db89679735809312c

SHA512
d1836a85871c5c11efc407827bb87af4356297a8c498310de45cb322827082622c56cccee7d22c2e2a2f6894a33589534b9f516736005107571d7efade1e9de5

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
680KB

MD5
b69ab3aeddb720d6ef8c05ff88c23b38

SHA1
d830c2155159656ed1806c7c66cae2a54a2441fa

SHA256
24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625

SHA512
4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
646KB

MD5
aecab86cc5c705d7a036cba758c1d7b0

SHA1
e88cf81fd282d91c7fc0efae13c13c55f4857b5e

SHA256
9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066

SHA512
e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
727KB

MD5
7d0bac4e796872daa3f6dc82c57f4ca8

SHA1
b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a

SHA256
ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879

SHA512
145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
727KB

MD5
5f684ce126de17a7d4433ed2494c5ca9

SHA1
ce1a30a477daa1bac2ec358ce58731429eafe911

SHA256
2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c

SHA512
4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
722KB

MD5
4623482c106cf6cc1bac198f31787b65

SHA1
5abb0decf7b42ef5daf7db012a742311932f6dad

SHA256
eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349

SHA512
afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
64KB

MD5
26e4953631f7b9901398b30f902d3407

SHA1
08955b33a4ae549d5ef9f21f403be02f688947ab

SHA256
327aae30c66dbcba4c634ceed665436808b2acbd4f557e2c5650c2e28b36b497

SHA512
90ab63dc9c181aed35eb3269cb84eb49442b7964910753a256d06b5df946b6cc938f6f5ce8843328234dc6f69e3898b46d7c61e769f8a972077715789a857bc9

Download Submit
C:\Windows\System32\wbem\Performance\WmiApRpl.ini

Filesize
27KB

MD5
46d08e3a55f007c523ac64dce6dcf478

SHA1
62edf88697e98d43f32090a2197bead7e7244245

SHA256
5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614

SHA512
b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

Download Submit
C:\Windows\TEMP\klmlodoaqrxs.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
\ProgramData\oaocofwmfjha\gmstcccpdzbb.exe

Filesize
320KB

MD5
2e48234f67fdfe16f795a8e33420e80c

SHA1
e8a723a6fc8a9a932d19ae5df880bf87ae1db117

SHA256
fed7e71a4f76caa78833af321d63288b9819c212ebe7751a7795a510df4682fd

SHA512
c809d79ea7a5bd4cf0608bdfed994d2d7eb44a13ba161de91c30e05cf627efeb1508f99186d6874e47be8c964fc9af59a1febc0008551bd0ab3b04edc0a3d5e7

Download Submit
memory/280-221-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/280-193-0x0000000000E50000-0x0000000000E7B000-memory.dmp

Filesize
172KB

Download
memory/300-219-0x0000000002000000-0x000000000202B000-memory.dmp

Filesize
172KB

Download
memory/300-226-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/436-25-0x0000000000B90000-0x0000000000BB4000-memory.dmp

Filesize
144KB

Download
memory/436-29-0x0000000000BC0000-0x0000000000BEB000-memory.dmp

Filesize
172KB

Download
memory/436-26-0x0000000000B90000-0x0000000000BB4000-memory.dmp

Filesize
144KB

Download
memory/436-163-0x0000000000BC0000-0x0000000000BEB000-memory.dmp

Filesize
172KB

Download
memory/436-100-0x0000000000CB0000-0x0000000000CDB000-memory.dmp

Filesize
172KB

Download
memory/436-36-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/436-30-0x000007FEBF490000-0x000007FEBF4A0000-memory.dmp

Filesize
64KB

Download
memory/436-32-0x00000000773F1000-0x00000000773F2000-memory.dmp

Filesize
4KB

Download
memory/480-108-0x0000000000D70000-0x0000000000D9B000-memory.dmp

Filesize
172KB

Download
memory/480-34-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/480-41-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/480-40-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/480-38-0x000007FEBF490000-0x000007FEBF4A0000-memory.dmp

Filesize
64KB

Download
memory/480-166-0x0000000000240000-0x000000000026B000-memory.dmp

Filesize
172KB

Download
memory/496-113-0x0000000000A30000-0x0000000000A5B000-memory.dmp

Filesize
172KB

Download
memory/496-50-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/496-195-0x0000000000210000-0x000000000023B000-memory.dmp

Filesize
172KB

Download
memory/496-42-0x0000000000210000-0x000000000023B000-memory.dmp

Filesize
172KB

Download
memory/496-45-0x000007FEBF490000-0x000007FEBF4A0000-memory.dmp

Filesize
64KB

Download
memory/496-46-0x0000000000210000-0x000000000023B000-memory.dmp

Filesize
172KB

Download
memory/504-159-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/504-133-0x0000000000500000-0x000000000052B000-memory.dmp

Filesize
172KB

Download
memory/596-136-0x00000000001D0000-0x00000000001FB000-memory.dmp

Filesize
172KB

Download
memory/596-142-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/672-150-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/672-146-0x0000000000150000-0x000000000017B000-memory.dmp

Filesize
172KB

Download
memory/756-65-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/756-68-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/756-62-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/756-63-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/756-61-0x000000001A010000-0x000000001A2F2000-memory.dmp

Filesize
2.9MB

Download
memory/756-64-0x0000000001460000-0x00000000014E0000-memory.dmp

Filesize
512KB

Download
memory/756-66-0x0000000001460000-0x00000000014E0000-memory.dmp

Filesize
512KB

Download
memory/756-67-0x0000000001460000-0x00000000014E0000-memory.dmp

Filesize
512KB

Download
memory/764-156-0x0000000000D10000-0x0000000000D3B000-memory.dmp

Filesize
172KB

Download
memory/808-181-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/808-170-0x0000000000D30000-0x0000000000D5B000-memory.dmp

Filesize
172KB

Download
memory/860-201-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/860-185-0x0000000000F00000-0x0000000000F2B000-memory.dmp

Filesize
172KB

Download
memory/900-79-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/900-76-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/900-81-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/900-80-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/900-88-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/900-75-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/972-209-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/972-188-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/1072-215-0x0000000000BC0000-0x0000000000BEB000-memory.dmp

Filesize
172KB

Download
memory/1116-231-0x00000000020C0000-0x00000000020EB000-memory.dmp

Filesize
172KB

Download
memory/1116-237-0x00000000373E0000-0x00000000373F0000-memory.dmp

Filesize
64KB

Download
memory/1208-240-0x00000000024D0000-0x00000000024FB000-memory.dmp

Filesize
172KB

Download
memory/1408-60-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/1584-129-0x000000000102B000-0x0000000001092000-memory.dmp

Filesize
412KB

Download
memory/1584-125-0x0000000001024000-0x0000000001027000-memory.dmp

Filesize
12KB

Download
memory/1584-124-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/1584-120-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/1584-119-0x0000000001020000-0x00000000010A0000-memory.dmp

Filesize
512KB

Download
memory/1584-116-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/1752-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1752-93-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1752-90-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1752-91-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1752-92-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1752-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2328-77-0x00000000773A0000-0x0000000077549000-memory.dmp

Filesize
1.7MB

Download
memory/2328-78-0x0000000077280000-0x000000007739F000-memory.dmp

Filesize
1.1MB

Download
memory/2492-14-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2492-21-0x0000000077280000-0x000000007739F000-memory.dmp

Filesize
1.1MB

Download
memory/2492-130-0x00000000773A0000-0x0000000077549000-memory.dmp

Filesize
1.7MB

Download
memory/2492-13-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2492-12-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2492-15-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2492-17-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2492-22-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2492-19-0x00000000773A0000-0x0000000077549000-memory.dmp

Filesize
1.7MB

Download
memory/2632-10-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2632-11-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-5-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-9-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2632-8-0x000007FEF5740000-0x000007FEF60DD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-6-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2632-7-0x0000000002B10000-0x0000000002B90000-memory.dmp

Filesize
512KB

Download
memory/2632-4-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2748-183-0x00000000014DB000-0x0000000001542000-memory.dmp

Filesize
412KB

Download
memory/2748-179-0x00000000014D4000-0x00000000014D7000-memory.dmp

Filesize
12KB

Download
memory/2748-172-0x00000000014D0000-0x0000000001550000-memory.dmp

Filesize
512KB

Download
memory/2748-175-0x000007FEF4DA0000-0x000007FEF573D000-memory.dmp

Filesize
9.6MB

Download
memory/2748-177-0x00000000014D0000-0x0000000001550000-memory.dmp

Filesize
512KB

Download