Analysis
-
max time kernel
149s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230915-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
28-09-2023 01:58
Behavioral task
behavioral1
Sample
84196815c135e19db65295a1cea9a522.exe
Resource
win7-20230831-en
General
-
Target
84196815c135e19db65295a1cea9a522.exe
-
Size
3.1MB
-
MD5
84196815c135e19db65295a1cea9a522
-
SHA1
fc46f3972ad6280b17e27f3ff519c2b7d035370f
-
SHA256
e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
-
SHA512
3be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
-
SSDEEP
49152:7vWhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaYiRJ6TbR3LoGdjTHHB72eh2NT:7v4t2d5aKCuVPzlEmVQ0wvwfYiRJ6F
Malware Config
Extracted
quasar
1.4.1
slave
cherrywoods-29890.portmap.host:29890:16243
5d49d039-8bce-40c5-82b6-413e6ca1279a
-
encryption_key
2E34CBDFC0A612A970A99A781D3AB0C010E1A59C
-
install_name
cvvhost.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Security notification icon
-
subdirectory
SubDir
Signatures
-
Quasar payload 15 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1644-0-0x0000000000A10000-0x0000000000D34000-memory.dmp | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\system32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
C:\Windows\System32\SubDir\cvvhost.exe | family_quasar
-
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation | cvvhost.exe
-
Executes dropped EXE 13 IoCs
Processes:
pid | process
2968 | cvvhost.exe
2020 | cvvhost.exe
3680 | cvvhost.exe
4364 | cvvhost.exe
3704 | cvvhost.exe
4104 | cvvhost.exe
4328 | cvvhost.exe
1956 | cvvhost.exe
4628 | cvvhost.exe
2508 | cvvhost.exe
2084 | cvvhost.exe
4360 | cvvhost.exe
3924 | cvvhost.exe
-
Drops file in System32 directory 29 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | 84196815c135e19db65295a1cea9a522.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File created | C:\Windows\system32\SubDir\cvvhost.exe | 84196815c135e19db65295a1cea9a522.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir | 84196815c135e19db65295a1cea9a522.exe
File opened for modification | C:\Windows\system32\SubDir | cvvhost.exe
File opened for modification | C:\Windows\system32\SubDir\cvvhost.exe | cvvhost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 14 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
4364 | schtasks.exe
3504 | schtasks.exe
948 | schtasks.exe
4064 | schtasks.exe
4896 | schtasks.exe
4724 | schtasks.exe
1316 | schtasks.exe
2328 | schtasks.exe
2936 | schtasks.exe
3004 | schtasks.exe
4552 | schtasks.exe
2692 | schtasks.exe
4496 | schtasks.exe
1844 | schtasks.exe
-
Runs ping.exe 1 TTPs 13 IoCs
Processes:
pid | process
832 | PING.EXE
4760 | PING.EXE
5032 | PING.EXE
2444 | PING.EXE
4928 | PING.EXE
2952 | PING.EXE
1964 | PING.EXE
1128 | PING.EXE
4672 | PING.EXE
4428 | PING.EXE
4812 | PING.EXE
1908 | PING.EXE
2372 | PING.EXE
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1644 | 84196815c135e19db65295a1cea9a522.exe
Token: SeDebugPrivilege | 2968 | cvvhost.exe
Token: SeDebugPrivilege | 2020 | cvvhost.exe
Token: SeDebugPrivilege | 3680 | cvvhost.exe
Token: SeDebugPrivilege | 4364 | cvvhost.exe
Token: SeDebugPrivilege | 3704 | cvvhost.exe
Token: SeDebugPrivilege | 4104 | cvvhost.exe
Token: SeDebugPrivilege | 4328 | cvvhost.exe
Token: SeDebugPrivilege | 1956 | cvvhost.exe
Token: SeDebugPrivilege | 4628 | cvvhost.exe
Token: SeDebugPrivilege | 2508 | cvvhost.exe
Token: SeDebugPrivilege | 2084 | cvvhost.exe
Token: SeDebugPrivilege | 4360 | cvvhost.exe
Token: SeDebugPrivilege | 3924 | cvvhost.exe
-
Suspicious use of FindShellTrayWindow 13 IoCs
Processes:
pid | process
2968 | cvvhost.exe
2020 | cvvhost.exe
3680 | cvvhost.exe
4364 | cvvhost.exe
3704 | cvvhost.exe
4104 | cvvhost.exe
4328 | cvvhost.exe
1956 | cvvhost.exe
4628 | cvvhost.exe
2508 | cvvhost.exe
2084 | cvvhost.exe
4360 | cvvhost.exe
3924 | cvvhost.exe
-
Suspicious use of SendNotifyMessage 13 IoCs
Processes:
pid | process
2968 | cvvhost.exe
2020 | cvvhost.exe
3680 | cvvhost.exe
4364 | cvvhost.exe
3704 | cvvhost.exe
4104 | cvvhost.exe
4328 | cvvhost.exe
1956 | cvvhost.exe
4628 | cvvhost.exe
2508 | cvvhost.exe
2084 | cvvhost.exe
4360 | cvvhost.exe
3924 | cvvhost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1644 wrote to memory of 4364 | 1644 | 84196815c135e19db65295a1cea9a522.exe | schtasks.exe
PID 1644 wrote to memory of 4364 | 1644 | 84196815c135e19db65295a1cea9a522.exe | schtasks.exe
PID 1644 wrote to memory of 2968 | 1644 | 84196815c135e19db65295a1cea9a522.exe | cvvhost.exe
PID 1644 wrote to memory of 2968 | 1644 | 84196815c135e19db65295a1cea9a522.exe | cvvhost.exe
PID 2968 wrote to memory of 2328 | 2968 | cvvhost.exe | schtasks.exe
PID 2968 wrote to memory of 2328 | 2968 | cvvhost.exe | schtasks.exe
PID 2968 wrote to memory of 3568 | 2968 | cvvhost.exe | cmd.exe
PID 2968 wrote to memory of 3568 | 2968 | cvvhost.exe | cmd.exe
PID 3568 wrote to memory of 4404 | 3568 | cmd.exe | chcp.com
PID 3568 wrote to memory of 4404 | 3568 | cmd.exe | chcp.com
PID 3568 wrote to memory of 2444 | 3568 | cmd.exe | PING.EXE
PID 3568 wrote to memory of 2444 | 3568 | cmd.exe | PING.EXE
PID 3568 wrote to memory of 2020 | 3568 | cmd.exe | cvvhost.exe
PID 3568 wrote to memory of 2020 | 3568 | cmd.exe | cvvhost.exe
PID 2020 wrote to memory of 948 | 2020 | cvvhost.exe | schtasks.exe
PID 2020 wrote to memory of 948 | 2020 | cvvhost.exe | schtasks.exe
PID 2020 wrote to memory of 4900 | 2020 | cvvhost.exe | cmd.exe
PID 2020 wrote to memory of 4900 | 2020 | cvvhost.exe | cmd.exe
PID 4900 wrote to memory of 428 | 4900 | cmd.exe | chcp.com
PID 4900 wrote to memory of 428 | 4900 | cmd.exe | chcp.com
PID 4900 wrote to memory of 4928 | 4900 | cmd.exe | PING.EXE
PID 4900 wrote to memory of 4928 | 4900 | cmd.exe | PING.EXE
PID 4900 wrote to memory of 3680 | 4900 | cmd.exe | cvvhost.exe
PID 4900 wrote to memory of 3680 | 4900 | cmd.exe | cvvhost.exe
PID 3680 wrote to memory of 3504 | 3680 | cvvhost.exe | schtasks.exe
PID 3680 wrote to memory of 3504 | 3680 | cvvhost.exe | schtasks.exe
PID 3680 wrote to memory of 3424 | 3680 | cvvhost.exe | cmd.exe
PID 3680 wrote to memory of 3424 | 3680 | cvvhost.exe | cmd.exe
PID 3424 wrote to memory of 492 | 3424 | cmd.exe | chcp.com
PID 3424 wrote to memory of 492 | 3424 | cmd.exe | chcp.com
PID 3424 wrote to memory of 1908 | 3424 | cmd.exe | PING.EXE
PID 3424 wrote to memory of 1908 | 3424 | cmd.exe | PING.EXE
PID 3424 wrote to memory of 4364 | 3424 | cmd.exe | cvvhost.exe
PID 3424 wrote to memory of 4364 | 3424 | cmd.exe | cvvhost.exe
PID 4364 wrote to memory of 2692 | 4364 | cvvhost.exe | schtasks.exe
PID 4364 wrote to memory of 2692 | 4364 | cvvhost.exe | schtasks.exe
PID 4364 wrote to memory of 4340 | 4364 | cvvhost.exe | cmd.exe
PID 4364 wrote to memory of 4340 | 4364 | cvvhost.exe | cmd.exe
PID 4340 wrote to memory of 2684 | 4340 | cmd.exe | chcp.com
PID 4340 wrote to memory of 2684 | 4340 | cmd.exe | chcp.com
PID 4340 wrote to memory of 2372 | 4340 | cmd.exe | PING.EXE
PID 4340 wrote to memory of 2372 | 4340 | cmd.exe | PING.EXE
PID 4340 wrote to memory of 3704 | 4340 | cmd.exe | cvvhost.exe
PID 4340 wrote to memory of 3704 | 4340 | cmd.exe | cvvhost.exe
PID 3704 wrote to memory of 4064 | 3704 | cvvhost.exe | schtasks.exe
PID 3704 wrote to memory of 4064 | 3704 | cvvhost.exe | schtasks.exe
PID 3704 wrote to memory of 2616 | 3704 | cvvhost.exe | cmd.exe
PID 3704 wrote to memory of 2616 | 3704 | cvvhost.exe | cmd.exe
PID 2616 wrote to memory of 1932 | 2616 | cmd.exe | chcp.com
PID 2616 wrote to memory of 1932 | 2616 | cmd.exe | chcp.com
PID 2616 wrote to memory of 832 | 2616 | cmd.exe | PING.EXE
PID 2616 wrote to memory of 832 | 2616 | cmd.exe | PING.EXE
PID 2616 wrote to memory of 4104 | 2616 | cmd.exe | cvvhost.exe
PID 2616 wrote to memory of 4104 | 2616 | cmd.exe | cvvhost.exe
PID 4104 wrote to memory of 4496 | 4104 | cvvhost.exe | schtasks.exe
PID 4104 wrote to memory of 4496 | 4104 | cvvhost.exe | schtasks.exe
PID 4104 wrote to memory of 3348 | 4104 | cvvhost.exe | cmd.exe
PID 4104 wrote to memory of 3348 | 4104 | cvvhost.exe | cmd.exe
PID 3348 wrote to memory of 3696 | 3348 | cmd.exe | chcp.com
PID 3348 wrote to memory of 3696 | 3348 | cmd.exe | chcp.com
PID 3348 wrote to memory of 4760 | 3348 | cmd.exe | PING.EXE
PID 3348 wrote to memory of 4760 | 3348 | cmd.exe | PING.EXE
PID 3348 wrote to memory of 4328 | 3348 | cmd.exe | cvvhost.exe
PID 3348 wrote to memory of 4328 | 3348 | cmd.exe | cvvhost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\84196815c135e19db65295a1cea9a522.exe | "C:\Users\Admin\AppData\Local\Temp\84196815c135e19db65295a1cea9a522.exe" | 1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SdVrviSQPzEs.bat" " | 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com | chcp 65001 | 4⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 4⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 5⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\62od5cwELbsz.bat" " | 5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com | chcp 65001 | 6⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 6⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 7⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2khD4UktRCnZ.bat" " | 7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com | chcp 65001 | 8⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 8⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 9⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QNgmaWfbpZMs.bat" " | 9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com | chcp 65001 | 10⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 10⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 11⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUACFRJQdoqP.bat" " | 11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com | chcp 65001 | 12⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 12⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 13⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eHx521wYpkkg.bat" " | 13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.com | chcp 65001 | 14⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 14⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 15⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h1grVWCgk4n9.bat" " | 15⤵
-
C:\Windows\system32\chcp.com | chcp 65001 | 16⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 16⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 17⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gryEUnyXrHhJ.bat" " | 17⤵
-
C:\Windows\system32\chcp.com | chcp 65001 | 18⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 18⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 19⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6F5AFCwP4cAE.bat" " | 19⤵
-
C:\Windows\system32\chcp.com | chcp 65001 | 20⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 20⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 21⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAsxcd3aBgr2.bat" " | 21⤵
-
C:\Windows\system32\chcp.com | chcp 65001 | 22⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 22⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 23⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SX5AbjTAO6Eh.bat" " | 23⤵
-
C:\Windows\system32\chcp.com | chcp 65001 | 24⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 24⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 25⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VW2oqOn3RYPD.bat" " | 25⤵
-
C:\Windows\system32\chcp.com | chcp 65001 | 26⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 26⤵
- Runs ping.exe
-
C:\Windows\system32\SubDir\cvvhost.exe | "C:\Windows\system32\SubDir\cvvhost.exe" | 26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SYSTEM32\schtasks.exe | "schtasks" /create /tn "Windows Security notification icon" /sc ONLOGON /tr "C:\Windows\system32\SubDir\cvvhost.exe" /rl HIGHEST /f | 27⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iFq24nIpMKBv.bat" " | 27⤵
-
C:\Windows\system32\chcp.com | chcp 65001 | 28⤵
-
C:\Windows\system32\PING.EXE | ping -n 10 localhost | 28⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cvvhost.exe.logFilesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
C:\Users\Admin\AppData\Local\Temp\2khD4UktRCnZ.batFilesize
197B
MD5a6a7099f1b3620257f77e8d6c0be1d99
SHA1da19141122551af5a90a0b87cf8a5b6297cd52f1
SHA2568ee19dc4c7b30b305d2f8f1c8c43d72ab028b00aa1ef3896af97ff433509a301
SHA51235d23fb10c0dfc3b07509f2c2d6fd44f81f5bf6bcee58f2c602f129d107ec7f1d20d497c07ea9fc238bee6dfd7d0adc2f2e3d58e598fef423431469be5bd3f3f
-
C:\Users\Admin\AppData\Local\Temp\62od5cwELbsz.batFilesize
197B
MD513fd0db9828aead6370b0d2501b807bc
SHA199ba038517bfe6bf6b1c89b8ad9710c29c030a29
SHA2563587d7e7538a42c1021e2d8f8d38896260b8bf83b61564d476370e29b121cd2b
SHA5127d4499d170323726d4816fc834004dada2bdb283aca740bd77a151932f2d6547ffadef2eaba9f8b125333c949cccb29ffa4e38b2d4b1fda09204bd88c7d1a11b
-
C:\Users\Admin\AppData\Local\Temp\6F5AFCwP4cAE.batFilesize
197B
MD5a0aeae99dd8614a825ca074e52565724
SHA18a7c16bd8f8278f1857fb13170f11e53b936dea6
SHA256e34a3a5a0a98e8c9f36c77209e293a0df10c54e37ebac931d5a37b78a4a90f65
SHA512dc3f6f647b89a68d542d855d90897dacad1e91a5cadf51137eb404020ef7c1d815d715598fe8bb3182f3c583c7b15a8c4bd09acdaf3fe02e63080db279cbc9c7
-
C:\Users\Admin\AppData\Local\Temp\QNgmaWfbpZMs.batFilesize
197B
MD5e7ab408e154fa8dbe9eaa5ba2bb43950
SHA1050199ce07b2bd4d8fde6108ddacdf2e8c8cc40e
SHA256745d84efe0374470a69df2f0d91b9c3f6fc73f76e44aac7a7d254103005481e4
SHA512591d8bb11117a650f83fbc9b436aeb189d2e3f89186eb2f818d207f0a7c34337771e72c8c753726d552c02c7fb704090f96da6c8b7f7e2e2856ef38c8f407f1c
-
C:\Users\Admin\AppData\Local\Temp\SX5AbjTAO6Eh.batFilesize
197B
MD5f850cd98e1dc7a7e89773f12a843ea0f
SHA109056eac4b30107403781a25e99693c21e56603f
SHA25687e01442bbd550bd5e02ac8d528149b4833055e8a158c54d12335cc03fb2bac6
SHA51204331a44df95de27ec03040cc5c6f6e292d7c177ab9f6072ab1fab370f796a6c357d16d98b2669a302b2e9e0f9eb12337b465306ffdaa30542ab8724c1478e9e
-
C:\Users\Admin\AppData\Local\Temp\SdVrviSQPzEs.batFilesize
197B
MD5577cbd36eaa86eb59db6409448b392ed
SHA109f7d02e79818c4f2304484df284fec18e6e671b
SHA256ea7332e8dfac1c896e55ae3ead04ae572dd38095d5391fe7533527a319be7b0b
SHA512d8a3f0737e9616d086322c063d4576ced801ab2d6b82d2e1c9a18e964b1b32a30574f7f8745b269ca0eb26aeb317dd8af32764994d15b9192446315147f963dc
-
C:\Users\Admin\AppData\Local\Temp\VW2oqOn3RYPD.batFilesize
197B
MD59d866d4da1bb3f2e8fe1afd3887b08a5
SHA162b5fafa391ce64c363b393c179faa38b6b4a8c3
SHA2567381060ba6e5c2fe2df818147e1d8fd217f16d72ddf6aed285c7d54c36509d1d
SHA5129e8e4521b6f168edd681a1d62d6eae73b2593fdeee5d8df11106540ff19f72a094e671f38935697852658ce6e3f64f12af1c7307b3467bb4ec62c24658a1dfab
-
C:\Users\Admin\AppData\Local\Temp\bAsxcd3aBgr2.batFilesize
197B
MD5660c9d2650a1c1c93a256b87f572bd35
SHA1e522014a85d5fefa723907a5482f95e1b7d23de3
SHA256719eaee02b446899c02e1c62d34b2be6f98bf1532f24374687e99abf92025d35
SHA51206215754e830e83eeb6b55f1e88e61022fb1901a2512a3b6c5f3d692a4457c0fcd53c13a56a9762e5fa14beb363a1597dc3433ecea2e2f152bc0bf51e6ce7851
-
C:\Users\Admin\AppData\Local\Temp\eHx521wYpkkg.batFilesize
197B
MD5cc4aa3cc03851ed3be0b0230a7b7ab14
SHA162de723e78195390c898064a5568eaf572db42c8
SHA256518bd3b3a3c71ee5d1ae47641c4657c1606f61df1c8aab89c2d2d0e1aca27d0c
SHA5121eaac652de536bc3f03309989f8799a812e22539b755a2a31ff2364e578446f895ecfbe5bf97ac6cc226b60e4b0bc003b60ac98714d88faaaae93ba0494c4dc0
-
C:\Users\Admin\AppData\Local\Temp\gryEUnyXrHhJ.batFilesize
197B
MD5ab3c6eb35e54d75f6e50844f1d8f521a
SHA158b979248b9c777fee9e179a590d43577a521b9b
SHA2567b4743876c2bbd105eac1bf0e96f18d1408be2694c099c112771558e99407a94
SHA5129bb6e02ec731bc161bc4dfcf1bd2ff5d6a3b7b1f8fd05f12a634530e4ec2472fa144adede87f55049ebe7f13ba03be02bf601fe767b3f2f23108000d818bfd5b
-
C:\Users\Admin\AppData\Local\Temp\h1grVWCgk4n9.batFilesize
197B
MD56f0a4bd14a291d18c408124ce31b2733
SHA124187325f63b478faf819875f14e2f563ee18ff1
SHA256b7eddc471ce6e82ab20d556c386cd4f70f05622eea1519ab009f64f954ef3d47
SHA512bd68dad84c0a8403208c0146bc92ac1c2822ac4caf32810e5041f3a553e690bed5819ee2a852a43931804e294eccd724676066725cff534efbf351849ec96a77
-
C:\Users\Admin\AppData\Local\Temp\iFq24nIpMKBv.batFilesize
197B
MD57e8ddd4dca4658a7265d02c490f305d9
SHA1922677a63e8f706e0561c68a4553790a628518d8
SHA256217ce1d35d2a47039b369aca52488839897f48e3726ffda2089766b6891aa08a
SHA5125aa4253c6dcae79434269d1fb4e39e9d3aa4d33ed0fc159867a344c3699e6bc1bf9feb682a3446a7f808d293379408c26c729a6b03a00ef41dca7ce7fb9320bc
-
C:\Users\Admin\AppData\Local\Temp\oUACFRJQdoqP.batFilesize
197B
MD5e47db6f8fd7758d2a0795894e684bd02
SHA1fbba57a2a453940ffbae7fb43754fb3521f9492e
SHA25617c6e5a9a6ea4dd2997788d58a8a4fb9544f711ceda53334315ccb8426ebde01
SHA5128aef1dd1437258cfbe61416b98752cb4d0d3d8033031ff622bf14d5193624489e7e014c6878cc74170e5660747f2b2e1ddb3989ec8fc3dc32cc89403dd5c3638
-
C:\Windows\System32\SubDir\cvvhost.exeFilesize
3.1MB
MD584196815c135e19db65295a1cea9a522
SHA1fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA5123be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
-
C:\Windows\System32\SubDir\cvvhost.exeFilesize
3.1MB
MD584196815c135e19db65295a1cea9a522
SHA1fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA5123be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
-
C:\Windows\System32\SubDir\cvvhost.exeFilesize
3.1MB
MD584196815c135e19db65295a1cea9a522
SHA1fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA5123be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070
-
C:\Windows\system32\SubDir\cvvhost.exeFilesize
3.1MB
MD584196815c135e19db65295a1cea9a522
SHA1fc46f3972ad6280b17e27f3ff519c2b7d035370f
SHA256e9a6cd9f0b02d2718b18c784014ffe3ece170196ade1bfed7ecad721349784e8
SHA5123be5c58de337af4f9da7206316f29ab42ba6e43129bac71580f055ce37a84995d137f3e921caa535330a8b90941a574b1d23d57996373a74376426b0d07c3070