29a1b2044662e0dd7f3059854ed7d49d2511eca878ecf4aad8664292e62dd2d5

Analysis

max time kernel
27s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Small Malwares/1000014001/services64.exe
Size

16.9MB
MD5

c8a50a6f1f73df72de866f6131346e69
SHA1

37d99d5a8254cead586931f8b0c9b4cf031e0b4d
SHA256

59e6a5009ce5e9547078db7f964bb8fc10ee999dd35b7e9243f119db8337aa8d
SHA512

9f9230c58ddb8f029421a494220023253d725105ac2575d4ecd818c139dfaf77c7d559c58b66d764d78f3ffa19296f05af6a5d02f795b22512e6979671f2d745
SSDEEP

393216:VqXwsD/P9ME9hCb4B6+SY34VAw+56VbaK5P5jH7s:VqX/DDb24xt4VF46V+Kp5T7

Score

8^/10

evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4904 powershell.exe
1040 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Drops file in Drivers directory 2 IoCs

Processes:

services64.exeWindowsAutHost

description ioc process

File created C:\Windows\system32\drivers\etc\hosts services64.exe
File created C:\Windows\system32\drivers\etc\hosts WindowsAutHost

pid	process
4904	powershell.exe
1040	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	services64.exe
File created	C:\Windows\system32\drivers\etc\hosts	WindowsAutHost

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WaaSMedicAgent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dosvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UsoSvc\ImagePath = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p"	WaaSMedicAgent.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 1 IoCs

Processes:

WindowsAutHost

pid process

1432 WindowsAutHost

pid	process
1432	WindowsAutHost

Drops file in System32 directory 8 IoCs

Processes:

svchost.exepowershell.exeWindowsAutHostsvchost.exeservices64.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	WindowsAutHost
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled Start	svchost.exe
File opened for modification	C:\Windows\system32\MRT.exe	services64.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

services64.exeWindowsAutHost

pid process

2988 services64.exe
2988 services64.exe
1432 WindowsAutHost
1432 WindowsAutHost

Suspicious use of SetThreadContext 4 IoCs

Processes:

services64.exeWindowsAutHost

description	pid	process	target process
PID 2988 set thread context of 448	2988	services64.exe	dialer.exe
PID 1432 set thread context of 3496	1432	WindowsAutHost	dialer.exe
PID 1432 set thread context of 3484	1432	WindowsAutHost	dialer.exe
PID 1432 set thread context of 768	1432	WindowsAutHost	dialer.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3136 sc.exe
4508 sc.exe
428 sc.exe
4812 sc.exe
1908 sc.exe
4900 sc.exe
364 sc.exe
3436 sc.exe
692 sc.exe
4608 sc.exe
2844 sc.exe
2788 sc.exe
4320 sc.exe
2524 sc.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

pid	process
3136	sc.exe
4508	sc.exe
428	sc.exe
4812	sc.exe
1908	sc.exe
4900	sc.exe
364	sc.exe
3436	sc.exe
692	sc.exe
4608	sc.exe
2844	sc.exe
2788	sc.exe
4320	sc.exe
2524	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

services64.exepowershell.exedialer.exeWindowsAutHostpowershell.exe

pid	process
2988	services64.exe
2988	services64.exe
2988	services64.exe
4904	powershell.exe
4904	powershell.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
2988	services64.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
2988	services64.exe
448	dialer.exe
448	dialer.exe
2988	services64.exe
2988	services64.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
1432	WindowsAutHost
1432	WindowsAutHost
448	dialer.exe
448	dialer.exe
1432	WindowsAutHost
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
448	dialer.exe
1040	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeservices64.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeWindowsAutHostdialer.exepowercfg.exepowercfg.exepowercfg.exedialer.exepowercfg.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2988	services64.exe
Token: SeDebugPrivilege	448	dialer.exe
Token: SeShutdownPrivilege	4440	powercfg.exe
Token: SeShutdownPrivilege	4104	powercfg.exe
Token: SeCreatePagefilePrivilege	4440	powercfg.exe
Token: SeCreatePagefilePrivilege	4104	powercfg.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeCreatePagefilePrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	2260	powercfg.exe
Token: SeCreatePagefilePrivilege	2260	powercfg.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1432	WindowsAutHost
Token: SeDebugPrivilege	3496	dialer.exe
Token: SeShutdownPrivilege	4968	powercfg.exe
Token: SeCreatePagefilePrivilege	4968	powercfg.exe
Token: SeShutdownPrivilege	2540	powercfg.exe
Token: SeCreatePagefilePrivilege	2540	powercfg.exe
Token: SeShutdownPrivilege	3128	powercfg.exe
Token: SeCreatePagefilePrivilege	3128	powercfg.exe
Token: SeLockMemoryPrivilege	768	dialer.exe
Token: SeShutdownPrivilege	2988	powercfg.exe
Token: SeCreatePagefilePrivilege	2988	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1936	svchost.exe
Token: SeIncreaseQuotaPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeTakeOwnershipPrivilege	1936	svchost.exe
Token: SeLoadDriverPrivilege	1936	svchost.exe
Token: SeSystemtimePrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeShutdownPrivilege	1936	svchost.exe
Token: SeSystemEnvironmentPrivilege	1936	svchost.exe
Token: SeUndockPrivilege	1936	svchost.exe
Token: SeManageVolumePrivilege	1936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1936	svchost.exe
Token: SeIncreaseQuotaPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeTakeOwnershipPrivilege	1936	svchost.exe
Token: SeLoadDriverPrivilege	1936	svchost.exe
Token: SeSystemtimePrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeShutdownPrivilege	1936	svchost.exe
Token: SeSystemEnvironmentPrivilege	1936	svchost.exe
Token: SeUndockPrivilege	1936	svchost.exe
Token: SeManageVolumePrivilege	1936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1936	svchost.exe
Token: SeIncreaseQuotaPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeTakeOwnershipPrivilege	1936	svchost.exe
Token: SeLoadDriverPrivilege	1936	svchost.exe
Token: SeSystemtimePrivilege	1936	svchost.exe
Token: SeBackupPrivilege	1936	svchost.exe
Token: SeRestorePrivilege	1936	svchost.exe
Token: SeShutdownPrivilege	1936	svchost.exe
Token: SeSystemEnvironmentPrivilege	1936	svchost.exe
Token: SeUndockPrivilege	1936	svchost.exe
Token: SeManageVolumePrivilege	1936	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1936	svchost.exe
Token: SeIncreaseQuotaPrivilege	1936	svchost.exe
Token: SeSecurityPrivilege	1936	svchost.exe
Token: SeTakeOwnershipPrivilege	1936	svchost.exe
Token: SeLoadDriverPrivilege	1936	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeservices64.exedialer.exe

description	pid	process	target process
PID 1540 wrote to memory of 1660	1540	cmd.exe	wusa.exe
PID 1540 wrote to memory of 1660	1540	cmd.exe	wusa.exe
PID 2988 wrote to memory of 448	2988	services64.exe	dialer.exe
PID 2988 wrote to memory of 448	2988	services64.exe	dialer.exe
PID 2988 wrote to memory of 448	2988	services64.exe	dialer.exe
PID 2988 wrote to memory of 448	2988	services64.exe	dialer.exe
PID 2988 wrote to memory of 448	2988	services64.exe	dialer.exe
PID 2988 wrote to memory of 448	2988	services64.exe	dialer.exe
PID 2988 wrote to memory of 448	2988	services64.exe	dialer.exe
PID 448 wrote to memory of 612	448	dialer.exe	winlogon.exe
PID 448 wrote to memory of 672	448	dialer.exe	lsass.exe
PID 448 wrote to memory of 956	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 336	448	dialer.exe	dwm.exe
PID 448 wrote to memory of 432	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1032	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1076	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1084	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1136	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1176	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1252	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1324	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1344	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1404	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1508	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1560	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1580	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1608	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1740	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1764	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1808	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1896	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1964	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1976	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1616	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1688	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1936	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2144	448	dialer.exe	spoolsv.exe
PID 448 wrote to memory of 2252	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2376	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2496	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2504	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2660	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2700	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2712	448	dialer.exe	sysmon.exe
PID 448 wrote to memory of 2724	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2732	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2808	448	dialer.exe	sihost.exe
PID 448 wrote to memory of 2884	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 3016	448	dialer.exe	unsecapp.exe
PID 448 wrote to memory of 3040	448	dialer.exe	taskhostw.exe
PID 448 wrote to memory of 668	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 3312	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 3424	448	dialer.exe	Explorer.EXE
PID 448 wrote to memory of 3560	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 3740	448	dialer.exe	DllHost.exe
PID 448 wrote to memory of 3952	448	dialer.exe	RuntimeBroker.exe
PID 448 wrote to memory of 4116	448	dialer.exe	RuntimeBroker.exe
PID 448 wrote to memory of 4944	448	dialer.exe	SppExtComObj.exe
PID 448 wrote to memory of 4324	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 4772	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1984	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 4624	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 2156	448	dialer.exe	svchost.exe
PID 448 wrote to memory of 1948	448	dialer.exe	OfficeClickToRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1176
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1508
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2700

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2732

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2884

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3312

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3424
- C:\Users\Admin\AppData\Local\Temp\Small Malwares\1000014001\services64.exe
  "C:\Users\Admin\AppData\Local\Temp\Small Malwares\1000014001\services64.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1660
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4320
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1908
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4900
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:692
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2524
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4440
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:448
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsAutHost"
    3⤵
    - Launches sc.exe
    PID:3136
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
    3⤵
    - Launches sc.exe
    PID:428
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsAutHost"
    3⤵
    - Launches sc.exe
    PID:4508
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3740

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4116

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2156

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3656

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1200

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4400

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 385f9a45d9b47aa6a5ee589427616404 64ICZHjuIkCO5XnnDwmKzQ.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:2352
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:3480

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:2016

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3104
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4752
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3436
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2844
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1028
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2788
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4968
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4572
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4888
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2020
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:3484
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:768

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsServices\WindowsAutHost

Filesize
16.9MB

MD5
c8a50a6f1f73df72de866f6131346e69

SHA1
37d99d5a8254cead586931f8b0c9b4cf031e0b4d

SHA256
59e6a5009ce5e9547078db7f964bb8fc10ee999dd35b7e9243f119db8337aa8d

SHA512
9f9230c58ddb8f029421a494220023253d725105ac2575d4ecd818c139dfaf77c7d559c58b66d764d78f3ffa19296f05af6a5d02f795b22512e6979671f2d745

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etv2shai.25h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
8ec9b858770ae71075f06a8ebc30210f

SHA1
e54f2d1bb0b25b5c59c2eb26a55ac9a1d09a1d08

SHA256
7c5a5eb9142e4cd3bbfbd9b9ed482c5a2471c3014f2449138783fe2b92f62339

SHA512
abef1fb612996bb1c5d59f55b6163cc481c3f0cdb260946762d6829ee3ab4b4ee8829b511e0462b168ebac039d055440547804e560aec8699820a85cdadff553

Download Submit
memory/336-43-0x000001EA87610000-0x000001EA8763B000-memory.dmp

Filesize
172KB

Download
memory/336-44-0x00007FFF627F0000-0x00007FFF62800000-memory.dmp

Filesize
64KB

Download
memory/448-33-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/448-26-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/448-25-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/448-24-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/448-30-0x00007FFFA2770000-0x00007FFFA2965000-memory.dmp

Filesize
2.0MB

Download
memory/448-31-0x00007FFFA25D0000-0x00007FFFA268E000-memory.dmp

Filesize
760KB

Download
memory/448-29-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/448-27-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/612-35-0x00000282C44D0000-0x00000282C44F4000-memory.dmp

Filesize
144KB

Download
memory/612-39-0x00000282C4500000-0x00000282C452B000-memory.dmp

Filesize
172KB

Download
memory/612-40-0x00007FFF627F0000-0x00007FFF62800000-memory.dmp

Filesize
64KB

Download
memory/672-47-0x00007FFF627F0000-0x00007FFF62800000-memory.dmp

Filesize
64KB

Download
memory/672-46-0x000001FA63CB0000-0x000001FA63CDB000-memory.dmp

Filesize
172KB

Download
memory/1040-357-0x00000259690D0000-0x00000259690D8000-memory.dmp

Filesize
32KB

Download
memory/1040-359-0x0000025969110000-0x000002596911A000-memory.dmp

Filesize
40KB

Download
memory/1040-358-0x0000025969100000-0x0000025969106000-memory.dmp

Filesize
24KB

Download
memory/1040-356-0x0000025969120000-0x000002596913A000-memory.dmp

Filesize
104KB

Download
memory/1040-355-0x00000259690C0000-0x00000259690CA000-memory.dmp

Filesize
40KB

Download
memory/1040-354-0x00000259690E0000-0x00000259690FC000-memory.dmp

Filesize
112KB

Download
memory/1040-349-0x0000025968F70000-0x0000025968F7A000-memory.dmp

Filesize
40KB

Download
memory/1040-347-0x0000025968E90000-0x0000025968EAC000-memory.dmp

Filesize
112KB

Download
memory/1040-348-0x0000025968EB0000-0x0000025968F65000-memory.dmp

Filesize
724KB

Download
memory/2988-2-0x00007FFFA2980000-0x00007FFFA2982000-memory.dmp

Filesize
8KB

Download
memory/2988-6-0x00007FF61AAD0000-0x00007FF61C864000-memory.dmp

Filesize
29.6MB

Download
memory/2988-304-0x00007FF61AAD0000-0x00007FF61C864000-memory.dmp

Filesize
29.6MB

Download
memory/2988-234-0x00007FF61B013000-0x00007FF61B782000-memory.dmp

Filesize
7.4MB

Download
memory/2988-0-0x00007FF61B013000-0x00007FF61B782000-memory.dmp

Filesize
7.4MB

Download
memory/2988-1-0x00007FFFA2970000-0x00007FFFA2972000-memory.dmp

Filesize
8KB

Download
memory/4904-7-0x00007FFF83A43000-0x00007FFF83A45000-memory.dmp

Filesize
8KB

Download
memory/4904-13-0x000001E0A84D0000-0x000001E0A84F2000-memory.dmp

Filesize
136KB

Download
memory/4904-18-0x00007FFF83A40000-0x00007FFF84501000-memory.dmp

Filesize
10.8MB

Download
memory/4904-19-0x00007FFF83A40000-0x00007FFF84501000-memory.dmp

Filesize
10.8MB

Download
memory/4904-22-0x00007FFF83A40000-0x00007FFF84501000-memory.dmp

Filesize
10.8MB

Download