Malware Analysis Report

2024-11-16 12:18

Sample ID 230626-q1s33shh92
Target b5237a3f0b1db945c1fe3f9ba71e3ff2.exe
SHA256 239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2
Tags
phobos redline smokeloader systembc 1 backdoor collection evasion infostealer persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

239c93b0a44ce8723f181a2ec6d17e9fd9516c17241d8f5b2b0212c6d56a9eb2

Threat Level: Known bad

The file b5237a3f0b1db945c1fe3f9ba71e3ff2.exe was found to be: Known bad.

Malicious Activity Summary

phobos redline smokeloader systembc 1 backdoor collection evasion infostealer persistence ransomware spyware stealer trojan

SystemBC

SmokeLoader

RedLine

Phobos

Renames multiple (371) files with added filename extension

Deletes shadow copies

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Blocklisted process makes network request

Modifies Windows Firewall

Deletes backup catalog

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Program crash

outlook_office_path

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Interacts with shadow copies

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-26 13:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-26 13:44

Reported

2023-06-26 13:46

Platform

win7-20230621-en

Max time kernel

31s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe

"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

Network

N/A

Files

memory/2040-54-0x0000000001040000-0x0000000001098000-memory.dmp

memory/2040-55-0x0000000004E10000-0x0000000004E50000-memory.dmp

memory/1992-58-0x00000000021B0000-0x00000000021F0000-memory.dmp

memory/2040-59-0x0000000004E10000-0x0000000004E50000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-26 13:44

Reported

2023-06-26 13:46

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

Signatures

Phobos

ransomware phobos

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (371) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes backup catalog

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\809A.exe C:\Users\Admin\AppData\Local\Temp\809A.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\809A = "C:\\Users\\Admin\\AppData\\Local\\809A.exe" C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\809A = "C:\\Users\\Admin\\AppData\\Local\\809A.exe" C:\Users\Admin\AppData\Local\Temp\809A.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-2177513644-1903222820-241662473-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-2177513644-1903222820-241662473-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\809A.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3968 set thread context of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 920 set thread context of 3904 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Core.NetFX35.V7.dll C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-runtime-l1-1-0.dll C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ChakraBridge.dll C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-48_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notetagsUI\main.js C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\APASixthEditionOfficeOnline.xsl.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\contrast-white\WideTile.scale-200.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\ui-strings.js C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome.exe.sig.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderSplashScreen.contrast-black_scale-200.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-400.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\offline\offlineUtilities.js C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-100_contrast-white.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ul-oob.xrm-ms.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.AnalysisServices.AdomdClientUI.dll C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\FPLACE.DLL.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SyncFusion.Grid.Grouping.Windows.dll C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_cs.json C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarBadge.scale-100.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\as90.xsl C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-150.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationControlOuterCircle.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\CERTINTL.DLL C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\resources.pri C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSplashLogo.scale-100.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSmallTile.scale-400_contrast-black.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageMedTile.scale-125_contrast-white.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\search_emptystate.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\data\en-us\RetailDemoData.json C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-focus_32.svg C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNB.TTF.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\api-ms-win-core-synch-l1-2-0.dll C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\69.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\ImportRequest.potx C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\GameBar_AppList.targetsize-24_altform-unplated.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\ui-strings.js C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Layout.dll.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\mso.acl C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-oob.xrm-ms.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Infragistics2.Win.UltraWinStatusBar.v11.1.dll.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubMedTile.scale-100.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_retina.png C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiling_ja.jar.id[EC1FEA35-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Temp\809A.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A

Interacts with shadow copies

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\809A.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 3968 wrote to memory of 1140 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
PID 1140 wrote to memory of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1140 wrote to memory of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1140 wrote to memory of 920 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 1140 wrote to memory of 3052 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe
PID 1140 wrote to memory of 3052 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe
PID 1140 wrote to memory of 3052 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Users\Admin\AppData\Local\Temp\s777mx.exe
PID 920 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 920 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 920 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 920 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 920 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 920 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe
PID 3116 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\809A.exe
PID 3116 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\809A.exe
PID 3116 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\809A.exe
PID 3116 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\Temp\8231.exe
PID 3116 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\Temp\8231.exe
PID 3116 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\Temp\8231.exe
PID 3116 wrote to memory of 2264 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2264 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2264 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2264 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2660 N/A N/A C:\Windows\explorer.exe
PID 3116 wrote to memory of 2660 N/A N/A C:\Windows\explorer.exe
PID 3116 wrote to memory of 2660 N/A N/A C:\Windows\explorer.exe
PID 3116 wrote to memory of 3260 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3260 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3260 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3260 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3208 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3208 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3208 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 3208 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4936 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4936 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4936 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4936 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 2168 N/A N/A C:\Windows\explorer.exe
PID 3116 wrote to memory of 2168 N/A N/A C:\Windows\explorer.exe
PID 3116 wrote to memory of 2168 N/A N/A C:\Windows\explorer.exe
PID 2540 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\809A.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\809A.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\809A.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 1892 N/A C:\Users\Admin\AppData\Local\Temp\809A.exe C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4284 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4284 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4284 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3116 wrote to memory of 4284 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 2988 wrote to memory of 3828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2988 wrote to memory of 3828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1892 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1892 wrote to memory of 1076 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3116 wrote to memory of 4308 N/A N/A C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe

"C:\Users\Admin\AppData\Local\Temp\b5237a3f0b1db945c1fe3f9ba71e3ff2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

"C:\Users\Admin\AppData\Local\Temp\s777mx.exe"

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

"C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe"

C:\Users\Admin\AppData\Local\Temp\809A.exe

C:\Users\Admin\AppData\Local\Temp\809A.exe

C:\Users\Admin\AppData\Local\Temp\8231.exe

C:\Users\Admin\AppData\Local\Temp\8231.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\809A.exe

"C:\Users\Admin\AppData\Local\Temp\809A.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 468

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1364 -ip 1364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 724

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.111.238.8.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
RU 91.215.85.210:49189 91.215.85.210 tcp
US 8.8.8.8:53 210.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 dexstat255.xyz udp
DE 185.234.72.142:46578 dexstat255.xyz tcp
US 8.8.8.8:53 142.72.234.185.in-addr.arpa udp
US 8.8.8.8:53 sentrex37.xyz udp
DE 5.182.207.8:80 sentrex37.xyz tcp
US 8.8.8.8:53 8.207.182.5.in-addr.arpa udp
US 52.168.117.170:443 tcp
US 192.229.221.95:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
GB 96.16.110.41:443 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 serverlogs37.xyz udp
US 8.8.8.8:53 servblog757.xyz udp
DE 45.89.127.159:80 servblog757.xyz tcp
US 8.8.8.8:53 admhexlogs25.xyz udp
EE 159.253.18.136:80 admhexlogs25.xyz tcp
US 8.8.8.8:53 159.127.89.45.in-addr.arpa udp
US 8.8.8.8:53 136.18.253.159.in-addr.arpa udp
DE 45.89.127.159:80 servblog757.xyz tcp

Files

memory/3396-133-0x0000000000190000-0x00000000001E8000-memory.dmp

memory/3396-134-0x0000000005140000-0x00000000056E4000-memory.dmp

memory/3396-135-0x0000000004C30000-0x0000000004CC2000-memory.dmp

memory/3396-136-0x0000000004B50000-0x0000000004B72000-memory.dmp

memory/3396-137-0x0000000004BF0000-0x0000000004BFA000-memory.dmp

memory/3968-138-0x0000000000BF0000-0x0000000000C26000-memory.dmp

memory/3396-139-0x0000000004E70000-0x0000000004E80000-memory.dmp

memory/3968-140-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/3968-141-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/3968-142-0x00000000050C0000-0x00000000056E8000-memory.dmp

memory/3968-143-0x0000000004D50000-0x0000000004DB6000-memory.dmp

memory/3968-144-0x0000000004DC0000-0x0000000004E26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ngbubqwh.bsv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3968-154-0x0000000005C50000-0x0000000005C6E000-memory.dmp

memory/3968-155-0x0000000006040000-0x0000000006084000-memory.dmp

memory/3968-156-0x0000000007070000-0x00000000070E6000-memory.dmp

memory/3968-157-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/3968-158-0x0000000007770000-0x0000000007DEA000-memory.dmp

memory/3968-159-0x0000000006290000-0x00000000062AA000-memory.dmp

memory/3968-160-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/3968-161-0x00000000076C0000-0x00000000076E2000-memory.dmp

memory/3968-162-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/3968-163-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1140-164-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1140-165-0x000000001D630000-0x000000001DC48000-memory.dmp

memory/1140-166-0x000000001D160000-0x000000001D26A000-memory.dmp

memory/1140-167-0x000000001D090000-0x000000001D0A2000-memory.dmp

memory/1140-168-0x000000001D0F0000-0x000000001D12C000-memory.dmp

memory/3968-169-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1140-170-0x0000000015810000-0x0000000015820000-memory.dmp

memory/3968-171-0x0000000004A80000-0x0000000004A90000-memory.dmp

memory/1140-173-0x000000001E110000-0x000000001E160000-memory.dmp

memory/1140-174-0x000000001F730000-0x000000001F8F2000-memory.dmp

memory/1140-175-0x000000001FE30000-0x000000002035C000-memory.dmp

memory/1140-176-0x0000000015810000-0x0000000015820000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

MD5 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1 0e5741c323e7c35671333863492743ae0c64f64b
SHA256 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

MD5 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1 0e5741c323e7c35671333863492743ae0c64f64b
SHA256 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

MD5 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1 0e5741c323e7c35671333863492743ae0c64f64b
SHA256 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\s777mx.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

memory/3904-203-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ldx999sx.exe

MD5 9d8a3dd432e255ebb2e890d2a0653ddb
SHA1 0e5741c323e7c35671333863492743ae0c64f64b
SHA256 6fe7ba44d70927fd40d24aeb610d01888609122c75d35be1f4a0dbadbc6c0c27
SHA512 758efb868176e8179256920f3663a77f8cb47ddfe3ad99a59038392cae0f5daea5fbbb3da85cf65559f6b4c6834db647b43b9544494d1085c49070da62e7da96

memory/920-205-0x0000000001BC0000-0x0000000001BC9000-memory.dmp

memory/3052-207-0x0000000001CB0000-0x0000000001CB5000-memory.dmp

memory/3904-208-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3904-211-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3116-210-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

memory/3052-215-0x0000000000400000-0x0000000001B38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\809A.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

C:\Users\Admin\AppData\Local\Temp\809A.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

C:\Users\Admin\AppData\Local\Temp\8231.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\8231.exe

MD5 8d7ebe871589d79f195f240dcef43a57
SHA1 f5315edc9bfeb6f37c9df6ad1f10cb3363412d96
SHA256 19397c6dce459330095edc72759d1e79e26f1e12f013cdaee6dbdb90d65aaae8
SHA512 244be66bb480d320ef6d5cbfcd21e526a53726397c1fc4b512935bc50039b0bb773e3f12fd53910d3da9e69ebb8e3fd1a56d22d2fcb2e090c93c9759cdc497cd

C:\Users\Admin\AppData\Local\Temp\809A.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

memory/2540-236-0x0000000000720000-0x000000000072F000-memory.dmp

memory/2264-235-0x0000000000D90000-0x0000000000DFB000-memory.dmp

memory/2264-237-0x0000000000E00000-0x0000000000E75000-memory.dmp

memory/2264-238-0x0000000000D90000-0x0000000000DFB000-memory.dmp

memory/2660-240-0x0000000000330000-0x000000000033C000-memory.dmp

memory/2660-244-0x0000000000330000-0x000000000033C000-memory.dmp

memory/2264-260-0x0000000000D90000-0x0000000000DFB000-memory.dmp

memory/3260-261-0x0000000000170000-0x0000000000179000-memory.dmp

memory/3260-262-0x0000000000180000-0x0000000000184000-memory.dmp

memory/3260-263-0x0000000000170000-0x0000000000179000-memory.dmp

memory/4412-264-0x0000000000400000-0x0000000000695000-memory.dmp

memory/3208-265-0x0000000000930000-0x000000000093B000-memory.dmp

memory/3208-266-0x0000000000930000-0x000000000093B000-memory.dmp

memory/4936-267-0x0000000000370000-0x000000000037B000-memory.dmp

memory/4936-268-0x0000000000380000-0x0000000000387000-memory.dmp

memory/4936-269-0x0000000000370000-0x000000000037B000-memory.dmp

memory/2168-270-0x0000000000310000-0x000000000031F000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\809A.exe

MD5 0f281d2506515a64082d6e774573afb7
SHA1 8949f27465913bf475fceb5796b205429083df58
SHA256 2288a0c896757647538a7dab5e0c980b70b173ed36c9e6206f6701dfd4112cfb
SHA512 f4ddb22c7dec04ca862d3df88e285025e02c185dbb2c061e9d0092ba3e8e8e083ca55612aae6b2d5792038729c55c0eaf193048991c0b06c8639a52017102622

memory/2168-307-0x0000000000310000-0x000000000031F000-memory.dmp

memory/2168-293-0x0000000000320000-0x0000000000329000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[EC1FEA35-3483].[[email protected]].8base

MD5 02f3ba42ef35ccaacb201eb0eac399d5
SHA1 89123a0480d270c558dcafdf8bcb237b91f4cff5
SHA256 b7817f4af379fa1dc543da21f96c069bd17008e045e193ceedab157d29e586b5
SHA512 e1a2935b6aaf00cf4bd640f9ee470bf42624c1c6c6f678ba2bb38be64040f6b2c5bd85a84e2aff06db4d6d1a350ab88f141ab4ee9c95f21d46366ccab53d050e

memory/4284-421-0x0000000000D80000-0x0000000000D89000-memory.dmp

memory/4308-480-0x00000000005F0000-0x00000000005FC000-memory.dmp

memory/4284-494-0x0000000000D90000-0x0000000000D95000-memory.dmp

memory/4284-497-0x0000000000D80000-0x0000000000D89000-memory.dmp

memory/4308-498-0x0000000000800000-0x0000000000806000-memory.dmp

memory/4308-511-0x00000000005F0000-0x00000000005FC000-memory.dmp

memory/1808-529-0x0000000000680000-0x0000000000689000-memory.dmp

memory/2540-584-0x0000000000400000-0x0000000000695000-memory.dmp

memory/1808-604-0x0000000000680000-0x0000000000689000-memory.dmp

memory/1808-595-0x0000000000690000-0x0000000000694000-memory.dmp

memory/1424-650-0x0000000000140000-0x0000000000149000-memory.dmp

memory/1364-607-0x0000000000400000-0x0000000001B38000-memory.dmp

memory/1424-652-0x0000000000150000-0x0000000000155000-memory.dmp

memory/1424-655-0x0000000000140000-0x0000000000149000-memory.dmp

memory/1852-743-0x00000000008D0000-0x00000000008F7000-memory.dmp

memory/1852-749-0x00000000008D0000-0x00000000008F7000-memory.dmp

memory/1852-800-0x0000000000900000-0x0000000000921000-memory.dmp

memory/1680-818-0x0000000000B80000-0x0000000000B89000-memory.dmp

memory/1680-820-0x0000000000B90000-0x0000000000B95000-memory.dmp

memory/1680-821-0x0000000000B80000-0x0000000000B89000-memory.dmp

memory/1816-827-0x0000000000E70000-0x0000000000E7B000-memory.dmp

memory/1816-836-0x0000000000E80000-0x0000000000E86000-memory.dmp

memory/1816-837-0x0000000000E70000-0x0000000000E7B000-memory.dmp

memory/2932-858-0x0000000000590000-0x000000000059D000-memory.dmp

memory/2932-878-0x00000000005A0000-0x00000000005A7000-memory.dmp

memory/2932-880-0x0000000000590000-0x000000000059D000-memory.dmp

memory/3364-897-0x0000000000520000-0x000000000052B000-memory.dmp

memory/3260-1013-0x0000000000180000-0x0000000000184000-memory.dmp

memory/2540-1575-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2540-2438-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2540-3923-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2540-4496-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2540-5188-0x0000000000400000-0x0000000000695000-memory.dmp

memory/1364-5454-0x0000000000400000-0x0000000001B38000-memory.dmp

memory/2540-5924-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2540-6518-0x0000000000400000-0x0000000000695000-memory.dmp

memory/2540-7987-0x0000000000400000-0x0000000000695000-memory.dmp