Analysis Overview
SHA256
01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
Threat Level: Known bad
The file 0kZvTYku.exe was found to be: Known bad.
Malicious Activity Summary
Deletes NTFS Change Journal
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Stops running service(s)
Server Software Component: Terminal Services DLL
Checks BIOS information in registry
Themida packer
Checks whether UAC is enabled
Enumerates connected drives
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
Boot or Logon Autostart Execution: Time Providers
Hide Artifacts: Ignore Process Interrupts
Launches sc.exe
Drops file in Windows directory
Command and Scripting Interpreter: PowerShell
Unsigned PE
System Time Discovery
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Suspicious use of WriteProcessMemory
Modifies registry class
Analysis: static1
Detonation Overview
Reported
2024-11-12 14:37
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 14:37
Reported
2024-11-12 14:40
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
Deletes NTFS Change Journal
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\SYSTEM32\fsutil.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\SYSTEM32\fsutil.exe | N/A |
Indicator Removal: File Deletion
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
Boot or Logon Autostart Execution: Time Providers
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\Enabled = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxHostEntries = "4" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainLoggingRate = "30" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "32768" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000 | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainEntryTimeout = "16" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxEntries = "128" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\Enabled = "0" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\InputProvider = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\InputProvider = "0" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainDisable = "0" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\EventLogFlags = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\RequireSecureTimeSyncRequests = "0" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660038006600660065006500000000000000000000000000000000000000000000000000 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\EventLogFlags = "0" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL" | C:\Windows\SYSTEM32\w32tm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\AgRobust.db | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-DB926CB0.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-FDF50724.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\DISM.EXE-DE199F71.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\PfPre_285df1c2.mkd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-18665B15.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ResPriHMStaticDb.ebd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98C67737.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-B2C296EF.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SEARCHAPP.EXE-0651CA85.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-8102A33C.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\PfSvPerfStats.bin | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\DISMHOST.EXE-1B661FD1.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ONEDRIVESETUP.EXE-ADFC0EFD.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\DLLHOST.EXE-504C779A.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-2C52326A.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-373C0EED.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-6F2A95AF.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SRTASKS.EXE-4F77756F.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\FILESYNCCONFIG.EXE-CB60E6FA.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-4DC9A20E.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-AED2006F.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\TEXTINPUTHOST.EXE-4AE33179.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-976DB280.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\FSQUIRT.EXE-BBD9646E.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98F22970.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\XQT5SK.EXE-E97A7100.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ReadyBoot\Trace1.fx | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\ReadyBoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\RUNDLL32.EXE-4EFE6110.pf | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\Prefetch\AgGlFaultHistory.db | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Hide Artifacts: Ignore Process Interrupts
Launches sc.exe
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Time Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\net.exe | N/A |
| N/A | N/A | C:\Windows\system32\net1.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe
"C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe.bak' -force
C:\Windows\SYSTEM32\net.exe
net stop w32time
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop w32time
C:\Windows\SYSTEM32\w32tm.exe
w32tm /unregister
C:\Windows\SYSTEM32\w32tm.exe
w32tm /register
C:\Windows\SYSTEM32\net.exe
net start w32time
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start w32time
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get VirtualizationFirmwareEnabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "$env:firmware_type"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "confirm-securebootuefi"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SYSTEM32\w32tm.exe
w32tm /resync /force
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\net.exe
net stop w32time
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop w32time
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\SYSTEM32\fsutil.exe
fsutil behavior set disablelastaccess 1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\sc.exe
sc stop "PcaSvc"
C:\Windows\SYSTEM32\sc.exe
sc config "PcaSvc" start=disabled
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d C:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d D:
C:\Windows\SYSTEM32\fsutil.exe
fsutil usn deletejournal /d F:
C:\Windows\SYSTEM32\sc.exe
sc stop "SysMain"
C:\Windows\SYSTEM32\sc.exe
sc config "SysMain" start=disabled
C:\Windows\SYSTEM32\sc.exe
sc stop "SuperFetch"
C:\Windows\SYSTEM32\sc.exe
sc config "SuperFetch" start=disabled
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C timeout /t 1 /nobreak > nul & del "C:\Users\Admin\AppData\Local\Temp\0kZvTYku.exe"
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ringcheats.com | udp |
| GB | 79.127.237.132:443 | ringcheats.com | tcp |
| US | 8.8.8.8:53 | 132.237.127.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.137.137.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:53933 | | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/2544-0-0x00007FF9C0270000-0x00007FF9C0272000-memory.dmp
memory/2544-1-0x0000000140000000-0x000000014325E000-memory.dmp
memory/2544-2-0x0000000140000000-0x000000014325E000-memory.dmp
memory/2544-3-0x0000000140000000-0x000000014325E000-memory.dmp
memory/2544-4-0x0000000140000000-0x000000014325E000-memory.dmp
memory/2544-5-0x0000000140000000-0x000000014325E000-memory.dmp
memory/4248-6-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mkwsclp.dby.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4248-12-0x0000026A1EA70000-0x0000026A1EA92000-memory.dmp
memory/4248-19-0x00007FF9C01D0000-0x00007FF9C03C5000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 88be3bc8a7f90e3953298c0fdbec4d72 |
| SHA1 | f4969784ad421cc80ef45608727aacd0f6bf2e4b |
| SHA256 | 533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a |
| SHA512 | 4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3327a28128022a8114478f792a363012 |
| SHA1 | b47d3313c8951f8b7fd26d5707740dcf5021ec18 |
| SHA256 | b51041d595ae09530d03304466e9927f740884ec0882257035cbce6181a701c8 |
| SHA512 | aa2f350bf180016b3dd9b54dd0d69547709bb20bc60adf3ff8ce85a2944c95b263dc01dff94ffc3da120e70cc7db396bbfbc408a5d6d270ae515bdea8fac4267 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3e2631323bdbc388d1fca634746db42f |
| SHA1 | 778174e49028290c1bf30ef4518019381e53706d |
| SHA256 | 48ba4fa73c48c539683eab69f82fe11b2d317b153c27ebd4e6ad4be14e4879d9 |
| SHA512 | 05d7ae92ee999f9697883a425fff3ddf10ce57ea88def7ea73d98261c9d0c0e6e5bb119c1e26feee4d4b08c42a1dc80e6dd732825d0d66704ad5a8fb3aedc912 |
memory/2544-64-0x0000000140000000-0x000000014325E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
memory/2544-122-0x0000000140000000-0x000000014325E000-memory.dmp
memory/2544-176-0x0000000140000000-0x000000014325E000-memory.dmp
memory/2544-322-0x0000000140000000-0x000000014325E000-memory.dmp