3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

Analysis

max time kernel
1808s
max time network
1590s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
29/03/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

miner100.exe
Size

2.7MB
MD5

eae2347aaed97da4f802c0b32689f4eb
SHA1

a7a83d1ff7ec22d74d8415b95b3d57f1323699ce
SHA256

3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4
SHA512

65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd
SSDEEP

49152:+Ev7yMxM0ZzUjqhWBkZFOj3nscD6gLRZdjM0PcuzQ3zAlkVKd:+EvWMxHUjqPPOjXsngLjdjBPz+3

Score

8^/10

evasion persistence

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
1224	tiucgvijebnv.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	miner100.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4964 set thread context of 4740	4964	miner100.exe	92

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2968	sc.exe
488	sc.exe
1364	sc.exe
680	sc.exe
3612	sc.exe
4020	sc.exe
4148	sc.exe
96	sc.exe
3780	sc.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 29 Mar 2024 02:04:19 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1711677854"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={4352F2CF-7EF6-4246-8776-43F031BC8769}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4964	miner100.exe
4016	powershell.exe
4016	powershell.exe
4016	powershell.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
4740	dialer.exe
4740	dialer.exe
4964	miner100.exe
4964	miner100.exe
4964	miner100.exe
1224	tiucgvijebnv.exe
4740	dialer.exe
4740	dialer.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
4740	dialer.exe
4740	dialer.exe
2140	svchost.exe
2140	svchost.exe
1852	powershell.exe
1852	powershell.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
1852	powershell.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
1852	powershell.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
1852	powershell.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe
4740	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeIncreaseQuotaPrivilege	4016	powershell.exe
Token: SeSecurityPrivilege	4016	powershell.exe
Token: SeTakeOwnershipPrivilege	4016	powershell.exe
Token: SeLoadDriverPrivilege	4016	powershell.exe
Token: SeSystemProfilePrivilege	4016	powershell.exe
Token: SeSystemtimePrivilege	4016	powershell.exe
Token: SeProfSingleProcessPrivilege	4016	powershell.exe
Token: SeIncBasePriorityPrivilege	4016	powershell.exe
Token: SeCreatePagefilePrivilege	4016	powershell.exe
Token: SeBackupPrivilege	4016	powershell.exe
Token: SeRestorePrivilege	4016	powershell.exe
Token: SeShutdownPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeSystemEnvironmentPrivilege	4016	powershell.exe
Token: SeRemoteShutdownPrivilege	4016	powershell.exe
Token: SeUndockPrivilege	4016	powershell.exe
Token: SeManageVolumePrivilege	4016	powershell.exe
Token: 33	4016	powershell.exe
Token: 34	4016	powershell.exe
Token: 35	4016	powershell.exe
Token: 36	4016	powershell.exe
Token: SeShutdownPrivilege	3292	powercfg.exe
Token: SeCreatePagefilePrivilege	3292	powercfg.exe
Token: SeShutdownPrivilege	1432	powercfg.exe
Token: SeCreatePagefilePrivilege	1432	powercfg.exe
Token: SeDebugPrivilege	4964	miner100.exe
Token: SeShutdownPrivilege	1316	powercfg.exe
Token: SeCreatePagefilePrivilege	1316	powercfg.exe
Token: SeDebugPrivilege	4740	dialer.exe
Token: SeShutdownPrivilege	4936	powercfg.exe
Token: SeCreatePagefilePrivilege	4936	powercfg.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeCreateGlobalPrivilege	3572	dwm.exe
Token: SeChangeNotifyPrivilege	3572	dwm.exe
Token: 33	3572	dwm.exe
Token: SeIncBasePriorityPrivilege	3572	dwm.exe
Token: SeAssignPrimaryTokenPrivilege	1852	powershell.exe
Token: SeIncreaseQuotaPrivilege	1852	powershell.exe
Token: SeSecurityPrivilege	1852	powershell.exe
Token: SeTakeOwnershipPrivilege	1852	powershell.exe
Token: SeLoadDriverPrivilege	1852	powershell.exe
Token: SeSystemtimePrivilege	1852	powershell.exe
Token: SeBackupPrivilege	1852	powershell.exe
Token: SeRestorePrivilege	1852	powershell.exe
Token: SeShutdownPrivilege	1852	powershell.exe
Token: SeSystemEnvironmentPrivilege	1852	powershell.exe
Token: SeUndockPrivilege	1852	powershell.exe
Token: SeManageVolumePrivilege	1852	powershell.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeAuditPrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeAuditPrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeAuditPrivilege	2296	svchost.exe
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE
Token: SeShutdownPrivilege	3384	Explorer.EXE
Token: SeCreatePagefilePrivilege	3384	Explorer.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3572	dwm.exe
3572	dwm.exe
3572	dwm.exe
3572	dwm.exe
3572	dwm.exe
3572	dwm.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 4260	2328	cmd.exe	79
PID 2328 wrote to memory of 4260	2328	cmd.exe	79
PID 4964 wrote to memory of 4740	4964	miner100.exe	92
PID 4964 wrote to memory of 4740	4964	miner100.exe	92
PID 4964 wrote to memory of 4740	4964	miner100.exe	92
PID 4964 wrote to memory of 4740	4964	miner100.exe	92
PID 4964 wrote to memory of 4740	4964	miner100.exe	92
PID 4964 wrote to memory of 4740	4964	miner100.exe	92
PID 4964 wrote to memory of 4740	4964	miner100.exe	92
PID 4740 wrote to memory of 580	4740	dialer.exe	5
PID 4740 wrote to memory of 636	4740	dialer.exe	7
PID 636 wrote to memory of 2420	636	lsass.exe	44
PID 4740 wrote to memory of 724	4740	dialer.exe	8
PID 4740 wrote to memory of 908	4740	dialer.exe	13
PID 4740 wrote to memory of 988	4740	dialer.exe	14
PID 4740 wrote to memory of 1008	4740	dialer.exe	15
PID 4740 wrote to memory of 396	4740	dialer.exe	16
PID 636 wrote to memory of 2420	636	lsass.exe	44
PID 4740 wrote to memory of 588	4740	dialer.exe	17
PID 4740 wrote to memory of 1052	4740	dialer.exe	18
PID 4740 wrote to memory of 1104	4740	dialer.exe	19
PID 4740 wrote to memory of 1168	4740	dialer.exe	21
PID 4740 wrote to memory of 1216	4740	dialer.exe	22
PID 636 wrote to memory of 2420	636	lsass.exe	44
PID 4740 wrote to memory of 1284	4740	dialer.exe	23
PID 4740 wrote to memory of 1292	4740	dialer.exe	24
PID 4740 wrote to memory of 1344	4740	dialer.exe	25
PID 4740 wrote to memory of 1452	4740	dialer.exe	26
PID 4740 wrote to memory of 1488	4740	dialer.exe	27
PID 4740 wrote to memory of 1540	4740	dialer.exe	28
PID 4740 wrote to memory of 1560	4740	dialer.exe	29
PID 4740 wrote to memory of 1616	4740	dialer.exe	30
PID 4740 wrote to memory of 1660	4740	dialer.exe	31
PID 4740 wrote to memory of 1764	4740	dialer.exe	32
PID 4740 wrote to memory of 1772	4740	dialer.exe	33
PID 4740 wrote to memory of 1804	4740	dialer.exe	34
PID 636 wrote to memory of 2420	636	lsass.exe	44
PID 580 wrote to memory of 3572	580	winlogon.exe	110
PID 580 wrote to memory of 3572	580	winlogon.exe	110
PID 4740 wrote to memory of 3572	4740	dialer.exe	110
PID 4740 wrote to memory of 1828	4740	dialer.exe	35
PID 4740 wrote to memory of 1880	4740	dialer.exe	36
PID 4740 wrote to memory of 2004	4740	dialer.exe	37
PID 4740 wrote to memory of 1536	4740	dialer.exe	38
PID 4740 wrote to memory of 2120	4740	dialer.exe	39
PID 4740 wrote to memory of 2252	4740	dialer.exe	40
PID 4740 wrote to memory of 2260	4740	dialer.exe	41
PID 4740 wrote to memory of 2296	4740	dialer.exe	42
PID 4740 wrote to memory of 2340	4740	dialer.exe	43
PID 4740 wrote to memory of 2420	4740	dialer.exe	44
PID 4740 wrote to memory of 2488	4740	dialer.exe	45
PID 4740 wrote to memory of 2508	4740	dialer.exe	46
PID 4740 wrote to memory of 2520	4740	dialer.exe	47
PID 4740 wrote to memory of 2672	4740	dialer.exe	48
PID 4740 wrote to memory of 2936	4740	dialer.exe	49
PID 4740 wrote to memory of 3028	4740	dialer.exe	50
PID 4740 wrote to memory of 3036	4740	dialer.exe	51
PID 4740 wrote to memory of 3156	4740	dialer.exe	52
PID 4740 wrote to memory of 3240	4740	dialer.exe	53
PID 4740 wrote to memory of 3384	4740	dialer.exe	54
PID 4740 wrote to memory of 3976	4740	dialer.exe	57
PID 4740 wrote to memory of 2180	4740	dialer.exe	59
PID 4740 wrote to memory of 4756	4740	dialer.exe	60
PID 4740 wrote to memory of 3556	4740	dialer.exe	62

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:988
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3572

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1008

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1104
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3156

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1284

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1344

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1452
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1804

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1880

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2004

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2120

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2296

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2340

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2420

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2488

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2672

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2936

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3036

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3384
- C:\Users\Admin\AppData\Local\Temp\miner100.exe
  "C:\Users\Admin\AppData\Local\Temp\miner100.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4260
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2968
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4020
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:488
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1364
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4148
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4740
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:96
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "OPAGMGUY" binpath= "C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3612
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "OPAGMGUY"
    3⤵
    - Launches sc.exe
    PID:3780

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2180
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2180 -s 848
  2⤵
  PID:196

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:3556

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:2400

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3716

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:1900

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:1152

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2864 -s 908
  2⤵
  PID:5032

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4544

C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1224
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7233.tmp.csv

Filesize
33KB

MD5
d1d96435035f6b1f0b1ddb3f0cd2e7e4

SHA1
145c1dd91d2f7e0e7638f7e68ee2fc19ca846f54

SHA256
8912dcdeb956990ec9b2925e0db705b032867f288b69be9a56ed71b754fbcb7d

SHA512
f60189a6151c4acf217c478b4efcb6a40b57cc25f8b709a37caec408e0b63db90ca1a70c4aabbcc872d4a74998d7bf8de6c24aa002fe585a516a28086400d3d8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7300.tmp.txt

Filesize
12KB

MD5
44b70788518b5c87e31b9161fde2a2c2

SHA1
4762cceac9eebc537edf1d0e7e12beec34259fbf

SHA256
4e93611007ca2495af41c260be9fd51df2df5763ba76d1b927fcb3b8f6d7bf99

SHA512
56d52d8a38a665564cefebdc3b7eb4d2bb25c6ad7c148db46ad0bd7bc3ee8880f960c9872b84aa83c33d938588bb60df55b70044eb0975a5d347f1d708257d5e

Download Submit
C:\ProgramData\axadwxtjeetz\tiucgvijebnv.exe

Filesize
2.7MB

MD5
eae2347aaed97da4f802c0b32689f4eb

SHA1
a7a83d1ff7ec22d74d8415b95b3d57f1323699ce

SHA256
3d403e5661dd33a3e3e33585ce28384fde2f9d0d3e128ad5b46da1bec36ba0f4

SHA512
65f3411a7e80ec6d1dfea40d644ca621f4de929d17e58a54e43030b58662fedba11f000928049b4d3d7ae6ec38003d62dd8109c330ceba588be96f598b35d7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5u5vul3.ptv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
716f97bddeb21ec78b18d6bb27f97f74

SHA1
40fedc772eaa3deaa4ad4a9ecd52cb024a4d10ad

SHA256
8469da05a4b3ee37051169656a15018108f54328845699774e8e0da5da329685

SHA512
147961b428021cb6d32137443cbcc81c08d272dcabc662ca0d30e206f1d78b643cb8f283321c408b3371efe940419501ff5b0ddee8db4d3b7f27b1ca03c00404

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
c5db9f9175b69df29034c27878d9bb6d

SHA1
6da2bb652a6ab24d049ddad909374e0358b61563

SHA256
9ea35e9379b13350b5070770ebc0c5980b9e5c55dd4804862197f6859d770640

SHA512
bf6b5b53ba00aa96ebaab61187b08f72eb445a683b7cda106e2527c66f9d5c9748a2a49f9d9acf0d745fb49ed5332313ee6887d8668d7488b9d57481a4986674

Download Submit
memory/396-97-0x00000242449B0000-0x00000242449DB000-memory.dmp

Filesize
172KB

Download
memory/396-101-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/580-69-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/580-71-0x00007FFF99EA5000-0x00007FFF99EA6000-memory.dmp

Filesize
4KB

Download
memory/580-68-0x000002C806FE0000-0x000002C80700B000-memory.dmp

Filesize
172KB

Download
memory/580-65-0x000002C806FB0000-0x000002C806FD4000-memory.dmp

Filesize
144KB

Download
memory/588-99-0x0000020F737B0000-0x0000020F737DB000-memory.dmp

Filesize
172KB

Download
memory/588-104-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/588-185-0x0000020F737B0000-0x0000020F737DB000-memory.dmp

Filesize
172KB

Download
memory/636-70-0x000001EFE8710000-0x000001EFE873B000-memory.dmp

Filesize
172KB

Download
memory/636-74-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/636-75-0x000001EFE8710000-0x000001EFE873B000-memory.dmp

Filesize
172KB

Download
memory/724-80-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/724-78-0x0000024848190000-0x00000248481BB000-memory.dmp

Filesize
172KB

Download
memory/908-88-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/908-84-0x000001F7E1300000-0x000001F7E132B000-memory.dmp

Filesize
172KB

Download
memory/988-82-0x000001AC08100000-0x000001AC0812B000-memory.dmp

Filesize
172KB

Download
memory/988-87-0x000001AC08100000-0x000001AC0812B000-memory.dmp

Filesize
172KB

Download
memory/988-175-0x000001AC08100000-0x000001AC0812B000-memory.dmp

Filesize
172KB

Download
memory/1008-91-0x000001EF9F0A0000-0x000001EF9F0CB000-memory.dmp

Filesize
172KB

Download
memory/1008-93-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/1052-112-0x000002130B070000-0x000002130B09B000-memory.dmp

Filesize
172KB

Download
memory/1052-102-0x000002130B070000-0x000002130B09B000-memory.dmp

Filesize
172KB

Download
memory/1052-107-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/1104-189-0x000002B694680000-0x000002B6946AB000-memory.dmp

Filesize
172KB

Download
memory/1104-117-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/1104-113-0x000002B694680000-0x000002B6946AB000-memory.dmp

Filesize
172KB

Download
memory/1168-118-0x0000025282A80000-0x0000025282AAB000-memory.dmp

Filesize
172KB

Download
memory/1168-120-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/1216-124-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/1216-122-0x000001846B590000-0x000001846B5BB000-memory.dmp

Filesize
172KB

Download
memory/1284-134-0x0000028FDF150000-0x0000028FDF17B000-memory.dmp

Filesize
172KB

Download
memory/1284-131-0x00007FFF59E90000-0x00007FFF59EA0000-memory.dmp

Filesize
64KB

Download
memory/1284-126-0x0000028FDF150000-0x0000028FDF17B000-memory.dmp

Filesize
172KB

Download
memory/1292-132-0x000001ED5D1D0000-0x000001ED5D1FB000-memory.dmp

Filesize
172KB

Download
memory/1292-144-0x000001ED5D1D0000-0x000001ED5D1FB000-memory.dmp

Filesize
172KB

Download
memory/1344-149-0x000001494A1A0000-0x000001494A1CB000-memory.dmp

Filesize
172KB

Download
memory/1452-153-0x0000023699590000-0x00000236995BB000-memory.dmp

Filesize
172KB

Download
memory/1488-157-0x000002542EC10000-0x000002542EC3B000-memory.dmp

Filesize
172KB

Download
memory/1536-256-0x00000148472A0000-0x00000148472CB000-memory.dmp

Filesize
172KB

Download
memory/1540-161-0x0000014140F80000-0x0000014140FAB000-memory.dmp

Filesize
172KB

Download
memory/1560-196-0x00000294770B0000-0x00000294770DB000-memory.dmp

Filesize
172KB

Download
memory/1616-165-0x00000209EFFA0000-0x00000209EFFCB000-memory.dmp

Filesize
172KB

Download
memory/1660-173-0x000001F4A2B00000-0x000001F4A2B2B000-memory.dmp

Filesize
172KB

Download
memory/1684-350-0x0000021911770000-0x000002191179B000-memory.dmp

Filesize
172KB

Download
memory/1764-180-0x000001E187050000-0x000001E18707B000-memory.dmp

Filesize
172KB

Download
memory/1772-201-0x000001B73FAD0000-0x000001B73FAFB000-memory.dmp

Filesize
172KB

Download
memory/1804-213-0x0000027D026C0000-0x0000027D026EB000-memory.dmp

Filesize
172KB

Download
memory/1828-242-0x00000220DFB90000-0x00000220DFBBB000-memory.dmp

Filesize
172KB

Download
memory/1852-128-0x000002286D160000-0x000002286D170000-memory.dmp

Filesize
64KB

Download
memory/1852-108-0x00007FFF8D510000-0x00007FFF8DEFC000-memory.dmp

Filesize
9.9MB

Download
memory/1852-139-0x000002286D160000-0x000002286D170000-memory.dmp

Filesize
64KB

Download
memory/1880-246-0x0000013F3F6A0000-0x0000013F3F6CB000-memory.dmp

Filesize
172KB

Download
memory/2004-251-0x0000000001D80000-0x0000000001DAB000-memory.dmp

Filesize
172KB

Download
memory/2120-261-0x000001815FD60000-0x000001815FD8B000-memory.dmp

Filesize
172KB

Download
memory/2252-264-0x0000026451670000-0x000002645169B000-memory.dmp

Filesize
172KB

Download
memory/2260-266-0x00000177A09D0000-0x00000177A09FB000-memory.dmp

Filesize
172KB

Download
memory/2340-270-0x0000011D4FF50000-0x0000011D4FF7B000-memory.dmp

Filesize
172KB

Download
memory/2420-273-0x0000016FD2680000-0x0000016FD26AB000-memory.dmp

Filesize
172KB

Download
memory/2488-279-0x000002C757DB0000-0x000002C757DDB000-memory.dmp

Filesize
172KB

Download
memory/2508-284-0x000001A8C7910000-0x000001A8C793B000-memory.dmp

Filesize
172KB

Download
memory/2520-291-0x000001B5DDB00000-0x000001B5DDB2B000-memory.dmp

Filesize
172KB

Download
memory/2672-297-0x000002153EEA0000-0x000002153EECB000-memory.dmp

Filesize
172KB

Download
memory/2936-306-0x0000025FC3D50000-0x0000025FC3D7B000-memory.dmp

Filesize
172KB

Download
memory/3028-301-0x000001F578360000-0x000001F57838B000-memory.dmp

Filesize
172KB

Download
memory/3036-310-0x0000025134E40000-0x0000025134E6B000-memory.dmp

Filesize
172KB

Download
memory/3156-314-0x000002C528950000-0x000002C52897B000-memory.dmp

Filesize
172KB

Download
memory/3240-326-0x0000017FEC500000-0x0000017FEC52B000-memory.dmp

Filesize
172KB

Download
memory/3384-332-0x00000000024F0000-0x000000000251B000-memory.dmp

Filesize
172KB

Download
memory/3556-346-0x0000019207990000-0x00000192079BB000-memory.dmp

Filesize
172KB

Download
memory/3572-226-0x00007FFF99E00000-0x00007FFF99FDB000-memory.dmp

Filesize
1.9MB

Download
memory/3572-232-0x00007FFF99E00000-0x00007FFF99FDB000-memory.dmp

Filesize
1.9MB

Download
memory/3572-220-0x00007FFF99E00000-0x00007FFF99FDB000-memory.dmp

Filesize
1.9MB

Download
memory/3572-207-0x0000012DA3040000-0x0000012DA306B000-memory.dmp

Filesize
172KB

Download
memory/3572-236-0x00007FFF99E00000-0x00007FFF99FDB000-memory.dmp

Filesize
1.9MB

Download
memory/3976-337-0x0000024B62B80000-0x0000024B62BAB000-memory.dmp

Filesize
172KB

Download
memory/4016-50-0x00007FFF8D510000-0x00007FFF8DEFC000-memory.dmp

Filesize
9.9MB

Download
memory/4016-46-0x000001D451B00000-0x000001D451B10000-memory.dmp

Filesize
64KB

Download
memory/4016-7-0x00007FFF8D510000-0x00007FFF8DEFC000-memory.dmp

Filesize
9.9MB

Download
memory/4016-8-0x000001D451B00000-0x000001D451B10000-memory.dmp

Filesize
64KB

Download
memory/4016-9-0x000001D451B00000-0x000001D451B10000-memory.dmp

Filesize
64KB

Download
memory/4016-23-0x000001D451B00000-0x000001D451B10000-memory.dmp

Filesize
64KB

Download
memory/4016-4-0x000001D451AB0000-0x000001D451AD2000-memory.dmp

Filesize
136KB

Download
memory/4016-10-0x000001D46A210000-0x000001D46A286000-memory.dmp

Filesize
472KB

Download
memory/4740-54-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4740-58-0x00007FFF98CF0000-0x00007FFF98D9E000-memory.dmp

Filesize
696KB

Download
memory/4740-57-0x00007FFF99E00000-0x00007FFF99FDB000-memory.dmp

Filesize
1.9MB

Download
memory/4740-60-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4740-56-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4740-53-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4740-52-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4740-51-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/4756-342-0x000002AA29EA0000-0x000002AA29ECB000-memory.dmp

Filesize
172KB

Download