Analysis
- max time kernel: 121s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-07-2023 21:27
Static task: static1
Behavioral task: behavioral1
- Sample: b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
- Resource: win10v2004-20230703-en
General
- Target: b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
- Size: 451KB
- MD5: 4d18c07abced7f8fc570c83dd825bb0b
- SHA1: 4e1d179697ab7536ee475494b158b969963e0bf6
- SHA256: b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
- SHA512: daf48720ed402be15b532a32d10dd8823b564516d5f6d6628ca646c20347f7180bf911c7b8dfd75c03826badf719534bd45e1c26c5bd4857680ec77e63f4c5a4
- SSDEEP: 6144:ekN8IaM0bFfBmtjlfXKG/PhjPO6odPgQ4PJsL0cVeMmhi9MdNeerB+0Vsw:V8DM0blqjl/h/97MV0cGLNZxV
Malware Config
Extracted: smokeloader, version 2022
C2 URLs:
- http://serverxlogs21.xyz/statweb255/
- http://servxblog79.xyz/statweb255/
- http://demblog289.xyz/statweb255/
- http://admlogs77x.online/statweb255/
- http://blogxstat38.xyz/statweb255/
- http://blogxstat25.xyz/statweb255/
Extracted: systembc
C2 hosts:
- adstat477d.xyz:4044
- demstat577d.xyz:4044
Extracted: C:\info.hta (ransom note; see the Phobos signature below)
Strings recovered from the note in this copy: a contact e-mail address, obfuscated to [email protected] by the page's e-mail protection so the real address is not available here, and the DOCTYPE reference http://www.w3.org/TR/html4/strict.dtd. The surrounding HTML tag fragments have been dropped.
Extracted: C:\Users\Admin\Desktop\info.hta (same note name, dropped on the desktop)
Signatures
-
Detect rhadamanthys stealer shellcode (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2708-138-0x0000000004B00000-0x0000000004F00000-memory.dmp | family_rhadamanthys
behavioral1/memory/2708-140-0x0000000004B00000-0x0000000004F00000-memory.dmp | family_rhadamanthys
behavioral1/memory/2708-139-0x0000000004B00000-0x0000000004F00000-memory.dmp | family_rhadamanthys
behavioral1/memory/2708-141-0x0000000004B00000-0x0000000004F00000-memory.dmp | family_rhadamanthys
behavioral1/memory/2708-153-0x0000000004B00000-0x0000000004F00000-memory.dmp | family_rhadamanthys
behavioral1/memory/2708-156-0x0000000004B00000-0x0000000004F00000-memory.dmp | family_rhadamanthys
All six hits are the same 4 MiB region (0x04B00000-0x04F00000) of the sample process (PID 2708) captured in successive memory dumps: one unpacked Rhadamanthys payload matched repeatedly, not six separate injections.
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes:
description | pid | process | target process
PID 2708 created 3140 | 2708 | b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe | Explorer.EXE
This signature fires when a process is created with a parent other than the caller (the parent handle is passed through PROC_THREAD_ATTRIBUTE_PARENT_PROCESS), here with Explorer.EXE (PID 3140) as the claimed parent. Process-tree views built from the recorded parent PID therefore place the child under Explorer.EXE rather than under the sample: certreq.exe (PID 3056), which the sample writes to four times in the WriteProcessMemory table below, appears as a sibling of the sample in the process tree at the end of this report.
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit (1 TTP, 4 IoCs)
Processes:
pid | process
4308 | bcdedit.exe
3424 | bcdedit.exe
4072 | bcdedit.exe
2424 | bcdedit.exe
Command-line arguments are not preserved in this copy of the report. PIDs 4308 and 3424 are visible being launched by cmd.exe (PID 4344) in the WriteProcessMemory table below; the other two do not appear in that capped table.
-
Renames multiple (460) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
The appended suffix visible in the Program Files listing below is .id[324C6089-3483].[<contact address>].8base, where 324C6089-3483 is a per-victim identifier.
-
(signature title missing from this copy)
Processes:
pid | process
728 | wbadmin.exe
3944 | wbadmin.exe
Downloads MZ/PE file
-
Modifies Windows Firewall (1 TTP, 2 IoCs)
The two IoCs are not itemised in this copy; the WriteProcessMemory table below shows cmd.exe (PID 4112), spawned by Sdy%]L57db.exe, launching netsh.exe twice (PIDs 4964 and 836).
-
Drops startup file (1 IoC)
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\Sdy%]L57db.exe | Sdy%]L57db.exe
-
Executes dropped EXE (6 IoCs)
Processes:
pid | process
1104 | LBak(x3).exe
1524 | Sdy%]L57db.exe
2260 | uT`[email protected] (the file name contains an @ and was mangled by the page's e-mail obfuscation; the real name is not recoverable from this copy)
1244 | LBak(x3).exe
2652 | Sdy%]L57db.exe
3448 | D1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 9 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
certreq.exe (PID 3056) is a legitimate Windows certificate-request tool with no reason to read Outlook profiles or, as in the processor-information signature below, the CPU name. The sample (PID 2708) wrote to its memory four times (WriteProcessMemory table below), so this is injected code running inside a trusted host binary.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdy%]L57db = "C:\\Users\\Admin\\AppData\\Local\\Sdy%]L57db.exe" | Sdy%]L57db.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sdy%]L57db = "C:\\Users\\Admin\\AppData\\Local\\Sdy%]L57db.exe" | Sdy%]L57db.exe
Together with the Startup-folder copy above, the same binary has three persistence points: the per-user Run key, the machine-wide Run key (possible because the sandbox user is an administrator) and the per-user Startup folder.
Drops desktop.ini file(s) (24 IoCs)
Processes: Sdy%]L57db.exe
description: File opened for modification (all entries)
ioc:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
- C:\Users\Admin\3D Objects\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Program Files\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
- C:\$Recycle.Bin\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini
- F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1104 set thread context of 1244 | 1104 | LBak(x3).exe | LBak(x3).exe
A parent writing into a suspended child of its own image (six WriteProcessMemory entries from 1104 to 1244 below) and then resetting the child's thread context is the process-hollowing pattern: the child 1244 runs a payload the on-disk LBak(x3).exe does not contain, so memory of 1244, not the file, is what to examine.
Drops file in Program Files directory (64 IoCs; 64 is the report's display cap, the rename signature above counted 460 files)
Processes: Sdy%]L57db.exe
description: ioc
- opened for modification: C:\Program Files\7-Zip\Lang\cy.txt
- opened for modification: C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyoptionaltools.jar
- opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\jp2iexp.dll
- opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms
- opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-72_altform-unplated.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-48_altform-unplated_contrast-black_devicefamily-colorfulunplated.png
- opened for modification: C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-white_scale-200.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedSplash.scale-100.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalMedTile.scale-125_contrast-white.png
- opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js
- created: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][324C6089-3483].[[email protected]].8base (file name contains an @ and was mangled by the page's e-mail obfuscation)
- opened for modification: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Coverage.ps1
- opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp
- opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugin.js
- opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_MAK_AE-ul-phn.xrm-ms
- created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Trial-pl.xrm-ms.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.dll.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png
- opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\Microsoft.PowerShell.PackageManagement.resources.dll
- opened for modification: C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-200.png
- created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak
- created: C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat
- opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_replace_signer_18.svg
- created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_nothumbnail_34.svg.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\kok.pak
- opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ms_get.svg
- opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.OData.Edm.NetFX35.V7.dll
- opened for modification: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-200.png
- opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\bg3_thumb.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
- created: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-40_altform-unplated_contrast-black.png
- opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\commerce\sms_failure_illustration.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-black_targetsize-16.png
- created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner_process.svg.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-400_contrast-black.png
- opened for modification: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Generic-Dark.scale-250.png
- created: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-dialogs_zh_CN.jar.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Grace-ul-oob.xrm-ms.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms
- opened for modification: C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll
- opened for modification: C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\animations\OneNoteAudio_RecordingPlayback.gif
- created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogo.png.DATA.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.util_1.0.500.v20130404-1337.jar
- opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-ul-oob.xrm-ms
- created: C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Trial-ul-oob.xrm-ms.id[324C6089-3483].[[email protected]].8base
- created: C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected][324C6089-3483].[[email protected]].8base (file name contains an @ and was mangled by the page's e-mail obfuscation)
- opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
- opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\OrientationSensorCalibrationFigure.png
- created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg.id[324C6089-3483].[[email protected]].8base
- opened for modification: C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-100.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-100_contrast-black.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-white_targetsize-48.png
- opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png
- opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\arrow-down.png
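The rename pattern in the listing above (original name, then .id[324C6089-3483].[<contact address>].8base) is regular enough to parse. The Python below is an added example, not part of the sandbox report or of any tool it names: it parses that pattern, groups renamed files by identifier and appended extension, collects ransom notes named info.hta, and flags a listing once the number of renames crosses a threshold. The contact address is a placeholder because the real one is obfuscated in this copy of the report, and the sample listing is constructed from a few of the paths in the table above.

```python
"""Parse the Phobos/8base rename pattern and score a file listing.

Added example, not code from the sandbox report.  Renamed files in the
report look like
    <original name>.id[324C6089-3483].[<contact address>].8base
"""
import re
from collections import Counter, defaultdict

# <original>.id[<8 hex>-<4 digits>].[<contact>].<extension>
PHOBOS_NAME = re.compile(
    r"^(?P<orig>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>.+?)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
RANSOM_NOTE = "info.hta"  # note name seen in the report

# Placeholder: the real address is not recoverable from this copy.
CONTACT = "attacker@example.invalid"

# Constructed listing: paths taken from the report's Program Files table
# plus the two ransom-note locations it lists.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\Lang\cy.txt",
    r"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ar.pak",
    rf"C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS.id[324C6089-3483].[{CONTACT}].8base",
    rf"C:\Program Files\VideoLAN\VLC\plugins\video_filter\libposterize_plugin.dll.id[324C6089-3483].[{CONTACT}].8base",
    rf"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif.id[324C6089-3483].[{CONTACT}].8base",
    r"C:\info.hta",
    r"C:\Users\Admin\Desktop\info.hta",
]


def parse_phobos_name(name):
    """Split a renamed file name into original name, victim id, contact
    and appended extension; return None for names that do not match."""
    m = PHOBOS_NAME.match(name)
    return m.groupdict() if m else None


def basename(path):
    """Last path component, accepting both backslash and slash separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def summarize(paths, min_renamed=50):
    """Count renamed files per victim id and extension, collect ransom
    notes, and flag the listing once renames reach `min_renamed`.
    The report counted 460 renames; tune the threshold to the host."""
    by_victim = defaultdict(Counter)
    notes = []
    renamed = 0
    for path in paths:
        name = basename(path)
        if name.lower() == RANSOM_NOTE:
            notes.append(path)
            continue
        parsed = parse_phobos_name(name)
        if parsed is None:
            continue
        renamed += 1
        by_victim[parsed["victim_id"]][parsed["ext"]] += 1
    return {
        "total": len(paths),
        "renamed": renamed,
        "by_victim": {vid: dict(c) for vid, c in by_victim.items()},
        "ransom_notes": notes,
        "mass_rename": renamed >= min_renamed,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_PATHS, min_renamed=3), indent=2))
```

On a live host, feed the output of os.walk() instead of SAMPLE_PATHS; the contact field is kept lazy so that the obfuscated form in this report ([email protected], with its extra brackets) still parses.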
Program crash (3 IoCs)
Processes:
pid | pid_target | process | target process
3200 | 2708 | WerFault.exe | b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe
3952 | 2652 | WerFault.exe | Sdy%]L57db.exe
1104 | 3448 | WerFault.exe | D1.exe
PID 1104 is reused within the run: it appears earlier as the first LBak(x3).exe instance and here as a WerFault.exe instance, so any correlation keyed on PID alone will merge the two.
Checks SCSI registry key(s) (3 TTPs, 7 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | LBak(x3).exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | LBak(x3).exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | LBak(x3).exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
The vds.exe entries are the Virtual Disk Service reading device names, which is ordinary Windows activity; the enumeration by LBak(x3).exe is the behaviour this signature is about.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Interacts with shadow copies (2 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
316 | vssadmin.exe
4400 | vssadmin.exe
Modifies registry class (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (consecutive repeats collapsed, in report order):
pid | process | occurrences
2708 | b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe | x4
3056 | certreq.exe | x4
1244 | LBak(x3).exe | x2
3140 | Explorer.EXE | x6
1524 | Sdy%]L57db.exe | x2
3140 | Explorer.EXE | x10
1524 | Sdy%]L57db.exe | x2
3140 | Explorer.EXE | x12
1524 | Sdy%]L57db.exe | x2
3140 | Explorer.EXE | x10
1524 | Sdy%]L57db.exe | x2
3140 | Explorer.EXE | x8
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
3140 | Explorer.EXE
Suspicious behavior: MapViewOfSection (31 IoCs)
Processes (consecutive repeats collapsed, in report order):
pid | process | occurrences
1244 | LBak(x3).exe | x1
3140 | Explorer.EXE | x30
Suspicious use of AdjustPrivilegeToken (59 IoCs)
Processes (in report order):
pid | process | privileges enabled
1524 | Sdy%]L57db.exe | SeDebugPrivilege
4832 | vssvc.exe | SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
3140 | Explorer.EXE | SeShutdownPrivilege, SeCreatePagefilePrivilege
3080 | WMIC.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-entry sequence appears twice, 42 entries in total)
3140 | Explorer.EXE | SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
2056 | wbengine.exe | SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
3140 | Explorer.EXE | SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege, SeCreatePagefilePrivilege
The bare numbers 33 to 36 are privilege LUIDs the report did not resolve to names (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege). WMIC.exe enabling every privilege its token holds is its normal start-up behaviour, and the vssvc.exe and wbengine.exe entries are the service-side effect of the vssadmin.exe and wbadmin.exe invocations; what points at the malware directly is SeDebugPrivilege on Sdy%]L57db.exe and the fact that WMIC.exe was launched by cmd.exe (PID 4344) under that process (see the WriteProcessMemory table below).
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (consecutive repeats collapsed, in report order):
description | process | target process | occurrences
PID 2708 wrote to memory of 3056 | b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe | certreq.exe | x4
PID 1104 wrote to memory of 1244 | LBak(x3).exe | LBak(x3).exe | x6
PID 1524 wrote to memory of 4344 | Sdy%]L57db.exe | cmd.exe | x2
PID 1524 wrote to memory of 4112 | Sdy%]L57db.exe | cmd.exe | x2
PID 4112 wrote to memory of 4964 | cmd.exe | netsh.exe | x2
PID 4344 wrote to memory of 316 | cmd.exe | vssadmin.exe | x2
PID 4112 wrote to memory of 836 | cmd.exe | netsh.exe | x2
PID 4344 wrote to memory of 3080 | cmd.exe | WMIC.exe | x2
PID 4344 wrote to memory of 4308 | cmd.exe | bcdedit.exe | x2
PID 4344 wrote to memory of 3424 | cmd.exe | bcdedit.exe | x2
PID 4344 wrote to memory of 728 | cmd.exe | wbadmin.exe | x2
PID 3140 wrote to memory of 3448 | Explorer.EXE | D1.exe | x3
PID 3140 wrote to memory of 2788 | Explorer.EXE | explorer.exe | x4
PID 3140 wrote to memory of 5112 | Explorer.EXE | explorer.exe | x3
PID 3140 wrote to memory of 1740 | Explorer.EXE | explorer.exe | x4
PID 3140 wrote to memory of 4988 | Explorer.EXE | explorer.exe | x4
PID 3140 wrote to memory of 4164 | Explorer.EXE | explorer.exe | x4
PID 3140 wrote to memory of 5000 | Explorer.EXE | explorer.exe | x3
PID 3140 wrote to memory of 4404 | Explorer.EXE | explorer.exe | x4
PID 3140 wrote to memory of 3516 | Explorer.EXE | explorer.exe | x3
PID 3140 wrote to memory of 1652 | Explorer.EXE | explorer.exe | x4
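The parent/child pairs in the table above are enough to rebuild the recovery-inhibition chain: Sdy%]L57db.exe to cmd.exe (PID 4344) to vssadmin.exe, WMIC.exe, bcdedit.exe and wbadmin.exe, and a second cmd.exe (PID 4112) to netsh.exe. The Python below is an added example, not code from the report or from the sandbox: it builds a process tree from (pid, ppid, image) records constructed from those pairs, flags any process whose subtree runs several distinct recovery-tampering binaries, and renders the ancestry of a hit. Parents the report does not preserve are recorded as 0, and matching is on image names only because command lines are absent from this copy; a production rule should also require the tampering arguments.

```python
"""Rebuild a process tree from creation records and flag the
recovery-inhibition chain (vssadmin / wmic / bcdedit / wbadmin / netsh).

Added example, not code from the sandbox report.
"""
from collections import defaultdict

# Binaries ransomware chains to delete shadow copies, disable recovery
# and open the firewall.  Image names only: this report keeps no command
# lines, so a real rule should also inspect arguments.
RECOVERY_TAMPERING = {
    "vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe", "netsh.exe",
}

# (pid, ppid, image) records constructed from the report's parent/child
# pairs.  ppid 0 marks a parent the report does not preserve.  PID reuse
# (1104 is both LBak(x3).exe and, later, WerFault.exe) is not modelled.
SAMPLE_RECORDS = [
    (3140, 0, "Explorer.EXE"),
    (2708, 3140, "b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe"),
    (3056, 3140, "certreq.exe"),      # shown under Explorer.EXE in the tree
    (3448, 3140, "D1.exe"),
    (2788, 3140, "explorer.exe"),
    (1104, 0, "LBak(x3).exe"),
    (1244, 1104, "LBak(x3).exe"),
    (1524, 0, "Sdy%]L57db.exe"),
    (4344, 1524, "cmd.exe"),
    (4112, 1524, "cmd.exe"),
    (316, 4344, "vssadmin.exe"),
    (3080, 4344, "WMIC.exe"),
    (4308, 4344, "bcdedit.exe"),
    (3424, 4344, "bcdedit.exe"),
    (728, 4344, "wbadmin.exe"),
    (4964, 4112, "netsh.exe"),
    (836, 4112, "netsh.exe"),
]


def build_tree(records):
    """Return (image by pid, children by ppid) maps from the records."""
    image = {}
    children = defaultdict(list)
    for pid, ppid, img in records:
        image[pid] = img
        children[ppid].append(pid)
    return image, children


def descendants(pid, children):
    """Every pid below `pid`, breadth-first (iterative, so deep trees
    cannot hit the recursion limit)."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        p = queue.pop(0)
        out.append(p)
        queue.extend(children.get(p, []))
    return out


def find_recovery_inhibitors(records, min_distinct=3):
    """Map each pid whose subtree runs at least `min_distinct` different
    recovery-tampering binaries to the sorted list of those binaries."""
    image, children = build_tree(records)
    hits = {}
    for pid in image:
        tools = {image[d].lower() for d in descendants(pid, children)}
        tools &= RECOVERY_TAMPERING
        if len(tools) >= min_distinct:
            hits[pid] = sorted(tools)
    return hits


def chain(pid, records):
    """Render the ancestry of `pid` as 'image(pid) > image(pid) > ...',
    stopping at a parent the records do not contain."""
    image = {p: img for p, _, img in records}
    parent = {p: pp for p, pp, _ in records}
    parts = []
    while pid in image:
        parts.append(f"{image[pid]}({pid})")
        pid = parent[pid]
    return " > ".join(reversed(parts))


if __name__ == "__main__":
    for pid, tools in sorted(find_recovery_inhibitors(SAMPLE_RECORDS).items()):
        print(f"{chain(pid, SAMPLE_RECORDS)}: {', '.join(tools)}")
```

With the default threshold both Sdy%]L57db.exe (five distinct tools across its subtree) and its cmd.exe child 4344 (four) are reported, while cmd.exe 4112 (netsh.exe only) and Explorer.EXE are not; lowering min_distinct to 1 turns the rule into a plain inventory of which processes ran any of the tools.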
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3140
-
  C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe | "C:\Users\Admin\AppData\Local\Temp\b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2708
-
    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 964
    - Program crash
    PID: 3200
-
  C:\Windows\system32\certreq.exe | "C:\Windows\system32\certreq.exe"
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID: 3056
-
  C:\Users\Admin\AppData\Local\Temp\D1.exe | C:\Users\Admin\AppData\Local\Temp\D1.exe
  - Executes dropped EXE
  PID: 3448
-
    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 492
    - Program crash
    PID: 1104
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID: 2788
-
  C:\Windows\explorer.exe | C:\Windows\explorer.exe
  PID: 5112
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 1740
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 4988
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 4164
-
  C:\Windows\explorer.exe | C:\Windows\explorer.exe
  PID: 5000
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 4404
-
  C:\Windows\explorer.exe | C:\Windows\explorer.exe
  PID: 3516
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 1652
-
  C:\Windows\explorer.exe | C:\Windows\explorer.exe
  PID: 3076
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 1416
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 2920
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 1432
-
  C:\Windows\explorer.exe | C:\Windows\explorer.exe
  PID: 5112
-
  C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe
  PID: 316
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2708 -ip 2708
PID: 3736
-
C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe | "C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1104
-
  C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe | "C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe"
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 1244
-
C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe | "C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1524
-
  C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe | "C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe"
  - Executes dropped EXE
  PID: 2652
-
    C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2652 -s 468
    - Program crash
    PID: 3952
-
  C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4112
-
    C:\Windows\system32\netsh.exe | netsh advfirewall set currentprofile state off
    - Modifies Windows Firewall
    PID: 4964
-
    C:\Windows\system32\netsh.exe | netsh firewall set opmode mode=disable
    - Modifies Windows Firewall
    PID: 836
-
  C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4344
-
    C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
    PID: 316
-
    C:\Windows\System32\Wbem\WMIC.exe | wmic shadowcopy delete
    - Suspicious use of AdjustPrivilegeToken
    PID: 3080
-
    C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
    PID: 4308
-
    C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit
    PID: 3424
-
    C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet
    - Deletes backup catalog
    PID: 728
-
  C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 300
-
  C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 4988
-
  C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 4392
-
  C:\Windows\SysWOW64\mshta.exe | "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  PID: 4336
-
  C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe"
  PID: 3428
-
    C:\Windows\system32\vssadmin.exe | vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
    PID: 4400
-
    C:\Windows\System32\Wbem\WMIC.exe | wmic shadowcopy delete
    PID: 276
-
    C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures
    - Modifies boot configuration data using bcdedit
    PID: 4072
-
    C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no
    - Modifies boot configuration data using bcdedit
    PID: 2424
-
    C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet
    - Deletes backup catalog
    PID: 3944
-
C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]
PID: 2260
-
C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 4832
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2652 -ip 2652
PID: 1944
-
C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
PID: 2056
-
C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding
PID: 3800
-
C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
PID: 1920
-
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3448 -ip 3448
PID: 3244
-
C:\Users\Admin\AppData\Roaming\vtdcetg | C:\Users\Admin\AppData\Roaming\vtdcetg
PID: 3808
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id[324C6089-3483].[[email protected]].8base
Filesize 3.2MB
MD5 7176bbf11837b6acf2f8830894012a16
SHA1 c2eac7dda754ca518d4405d7a2410b905ba7f661
SHA256 20496ba30a617b7e68da143d26123ca46d02ec6e15b325389d63e89433547a5f
SHA512 cd8914e54e2996780fa4e514b78aa59926805ba443d16e9a6073e0f894b01eaa3a88929db03c1a6bfcd3c8448b92180db8db62717e0bb2e33b9d1438364a0e87
-
C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
Filesize 233KB
MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258
-
C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
Filesize 233KB
MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258
-
C:\Users\Admin\AppData\Local\Microsoft\LBak(x3).exe
Filesize 233KB
MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258
-
C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
Filesize 232KB
MD5 e2c05722293b07319cfd5bb1fef74f44
SHA1 d3f4f66861f8bf6aae657e475bcb8222c77a2770
SHA256 f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4
SHA512 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037
-
C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
Filesize 232KB
MD5 e2c05722293b07319cfd5bb1fef74f44
SHA1 d3f4f66861f8bf6aae657e475bcb8222c77a2770
SHA256 f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4
SHA512 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037
-
C:\Users\Admin\AppData\Local\Microsoft\Sdy%]L57db.exe
Filesize 232KB
MD5 e2c05722293b07319cfd5bb1fef74f44
SHA1 d3f4f66861f8bf6aae657e475bcb8222c77a2770
SHA256 f909efbae3c83ae64dcd8f57e18be891df6386ca89f3a2f4c40d12ebc1913ef4
SHA512 92c0a3d6bf1708c82f17c8236c3e23ba66f0c3788fcf5c66553353765f3ba657c1a69a092493a71c4dbeac01e235da2c91f93ce19718f1728ffc1c29e3e64037
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000027.db.id[324C6089-3483].[[email protected]].8base
Filesize 92KB
MD5 0fbc1a578ebf73f69e8e0f1b2c742207
SHA1 053eab511c8d7fa53d06a168fe05c606c49edae2
SHA256 fd108957a6a64a37a4241846ea910c54e65d6a4610dc4b9190012d1f009f0212
SHA512 2e103382b81a2b92b97bc8340940ae0c8e3861e84d3608553f3a5d8e044f9f759da9512b3eb5379502266e0b7879145a932a288bb4d985aebbf7f8bb578f9ca5
-
C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]
Filesize 231KB
MD5 e411054bf19f624a88719981c5eb22d6
SHA1 943df640e6c34757e60dbcb98129f3550bec7f38
SHA256 046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0
SHA512 39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a
-
C:\Users\Admin\AppData\Local\Microsoft\uT`[email protected]
Filesize 231KB
MD5 e411054bf19f624a88719981c5eb22d6
SHA1 943df640e6c34757e60dbcb98129f3550bec7f38
SHA256 046b6de02d3af494896a540bd5189faf6f2f9f75d00c59657071ff0aa5ed94a0
SHA512 39d647fa6158ae5453a6a448881e5f86ab9d1ea54047997eb358e40a1dd2d44a7b5665e7ff206013512e071cc4ce616accdad661bd2d1aafad8f8d224577700a
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
Filesize 5.5MB
MD5 43ad1dd044c719f378d171baecf3a91c
SHA1 a55fcb4e09d4b0f73669187f47a5229e831659a9
SHA256 b88f4c053e4323b49f839298fc44244d91927045de807634308a850bb409b4ab
SHA512 1944977ae24c3ef47aef9cc2e51735e7d9e7cbe47c277f85bc3a822cf8b55d40de520710c4d81678a0361a1c1effaf30c5ef795e1d2f32abc898087fc0e2d7d8
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
Filesize 18KB
MD5 cfe72ed40a076ae4f4157940ce0c5d44
SHA1 8010f7c746a7ba4864785f798f46ec05caae7ece
SHA256 6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
SHA512 f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize 1KB
MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize 7KB
MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
Filesize 1KB
MD5 94f90fcd2b8f7f1df69224f845d9e9b7
SHA1 a09e3072cc581cf89adaf1aa20aa89b3af7bf987
SHA256 a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
SHA512 51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
Filesize 7KB
MD5 108f130067a9df1719c590316a5245f7
SHA1 79bb9a86e7a50c85214cd7e21719f0cb4155f58a
SHA256 c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
SHA512 d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Filesize 10KB
MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\WalletProxy.dll
Filesize 36KB
MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Filesize 402KB
MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\WalletBackgroundServiceProxy.dll
Filesize 10KB
MD5 1097d1e58872f3cf58f78730a697ce4b
SHA1 96db4e4763a957b28dd80ec1e43eb27367869b86
SHA256 83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
SHA512 b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\WalletProxy.dll
Filesize 36KB
MD5 d09724c29a8f321f2f9c552de6ef6afa
SHA1 d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
SHA256 23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
SHA512 cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed
-
C:\Users\Admin\AppData\Local\Temp\2C94\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Filesize 402KB
MD5 02557c141c9e153c2b7987b79a3a2dd7
SHA1 a054761382ee68608b6a3b62b68138dc205f576b
SHA256 207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
SHA512 a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3
-
C:\Users\Admin\AppData\Local\Temp\D1.exe
Filesize 232KB
MD5 b2243260d077693972cc92b7302cb372
SHA1 1699650e3e6b1ab94de7d7d6630aa73ace143422
SHA256 281481eb8f1579206e55232754f47587a61bbe1460fc1f3b06157f31d214a290
SHA512 39f60638f5306205132e32f1e179598036cdb688c976cc7e169f304c180fceaeeb9b612862c57957241b4f3d6588bd4faf6c2ab36b9d76ac3d57a93f6649eed3
-
C:\Users\Admin\AppData\Local\Temp\D1.exe
Filesize 232KB
MD5 b2243260d077693972cc92b7302cb372
SHA1 1699650e3e6b1ab94de7d7d6630aa73ace143422
SHA256 281481eb8f1579206e55232754f47587a61bbe1460fc1f3b06157f31d214a290
SHA512 39f60638f5306205132e32f1e179598036cdb688c976cc7e169f304c180fceaeeb9b612862c57957241b4f3d6588bd4faf6c2ab36b9d76ac3d57a93f6649eed3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.id[324C6089-3483].[[email protected]].8base
Filesize 52KB
MD5 fefaab7fa27d143a61af7e58f5a1887f
SHA1 fea646ffe33034100aa106421e09df9f3af228bb
SHA256 e9d5debca8b4d0634d586ae69fe93024600cf15d5f397918313d0d8484f2ab7b
SHA512 c0e6d9d60682e2a4436c4cb3a1f5d6c6e2fd2e3126fbfc29d8020da62f069ac3f82501b9c4b059c70c78e14afd6594200c438d56e46e455a6a54d97af4786924
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\05ypapi5.default-release\cookies.sqlite.id[324C6089-3483].[[email protected]].8base
Filesize 96KB
MD5 18571f0c2e6aa37a196cd84285087def
SHA1 4723efc495fd5ed0192530144f30bb72b1dfa9d5
SHA256 dac43dfcea84311a498a36c28108f8111470ba237bf8369f24e98ace331d7f71
SHA512 80872c621eedd4b187f94eb6cf5472f45742e4081e9b785f7305d8c84e3a857abb11e5af3dd0c4987645cacb44be929b6a53d5d7a2dc5b6b41698b0166d6dfb0
-
C:\Users\Admin\AppData\Roaming\agieddb
Filesize 438KB
MD5 0d076a7af7087f966f922c4049681e43
SHA1 583bb93f7954c5c54b1da9318902c4ddc1c50182
SHA256 13e7e6b74ef3146b9cca697ad8c101a0d18849edabc78e10dadf6f74a1218ccd
SHA512 7ec362d3d6c8384e2c195eaedcf754a609e7a34fa74b2df4f3cc0425207e3e1ce9ee9d96221343beb06c11bc07f2aee1eadcf5074c651b3d565cfcf5597e5497
-
C:\Users\Admin\AppData\Roaming\vtdcetg
Filesize 233KB
MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258
-
C:\Users\Admin\AppData\Roaming\vtdcetg
Filesize 233KB
MD5 f56ab31379d92b546875eff976ec9148
SHA1 79ba7f22410a64adf18e36005cfa98179f128053
SHA256 d509b4fc5c6dd7c8c9b2bec568f39ad1b0a9724a8046b342e207d5c5c260b4d0
SHA512 650ddd099dfa9de50c6e5493c4d33c7dcaeb9827069becfb5756b802789926e1520c9672685ed6afb2b4c4e960ab860aa6a35e1fa6dc4b5de1b023efacc09258
-
C:\Users\Admin\Desktop\info.hta
Filesize 5KB
MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f
-
C:\info.hta
Filesize 5KB
MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f
-
C:\info.hta
Filesize 5KB
MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f
-
C:\users\public\desktop\info.hta
Filesize 5KB
MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f
-
F:\info.hta
Filesize 5KB
MD5 bf040e72e2259324c298ce34a0364807
SHA1 404be060ee0767791669ac511b6afbf0f72ef340
SHA256 046df92c8e84e224ab0e4bd176943d44e4392ee35fb60162185779cec3e90417
SHA512 0549aa0e1c47c0a95b5d6872553394fa886ec092d0e6bc2e4874e20a6c5f623e51fc98431c6225d5a4acb3a1a9c0ba46e6adbe913f93ba75df94d44083f5f47f
-
memory/316-6122-0x0000000000C20000-0x0000000000C2B000-memory.dmp | Filesize 44KB
memory/316-6121-0x0000000000C30000-0x0000000000C38000-memory.dmp | Filesize 32KB
memory/1104-186-0x0000000002EB0000-0x0000000002FB0000-memory.dmp | Filesize 1024KB
memory/1104-188-0x0000000002CA0000-0x0000000002CA9000-memory.dmp | Filesize 36KB
memory/1244-201-0x0000000000400000-0x0000000000409000-memory.dmp | Filesize 36KB
memory/1244-194-0x0000000000400000-0x0000000000409000-memory.dmp | Filesize 36KB
memory/1244-191-0x0000000000400000-0x0000000000409000-memory.dmp | Filesize 36KB
memory/1416-5641-0x0000000000570000-0x0000000000591000-memory.dmp | Filesize 132KB
memory/1416-5506-0x0000000000540000-0x0000000000567000-memory.dmp | Filesize 156KB
memory/1416-5517-0x0000000000540000-0x0000000000567000-memory.dmp | Filesize 156KB
memory/1432-5855-0x0000000001140000-0x0000000001146000-memory.dmp | Filesize 24KB
memory/1432-5778-0x0000000001130000-0x000000000113B000-memory.dmp | Filesize 44KB
memory/1432-5876-0x0000000001130000-0x000000000113B000-memory.dmp | Filesize 44KB
memory/1524-577-0x0000000002C60000-0x0000000002C6F000-memory.dmp | Filesize 60KB
memory/1524-4240-0x0000000000400000-0x0000000002B46000-memory.dmp | Filesize 39.3MB
memory/1524-5521-0x0000000000400000-0x0000000002B46000-memory.dmp | Filesize 39.3MB
memory/1524-189-0x0000000002C60000-0x0000000002C6F000-memory.dmp | Filesize 60KB
memory/1524-193-0x0000000000400000-0x0000000002B46000-memory.dmp | Filesize 39.3MB
memory/1524-190-0x0000000002CE0000-0x0000000002DE0000-memory.dmp | Filesize 1024KB
memory/1524-1217-0x0000000000400000-0x0000000002B46000-memory.dmp | Filesize 39.3MB
memory/1524-609-0x0000000002CE0000-0x0000000002DE0000-memory.dmp | Filesize 1024KB
memory/1524-2611-0x0000000000400000-0x0000000002B46000-memory.dmp | Filesize 39.3MB
memory/1524-1431-0x0000000000400000-0x0000000002B46000-memory.dmp | Filesize 39.3MB
memory/1652-5430-0x00000000011F0000-0x00000000011F9000-memory.dmp | Filesize 36KB
memory/1652-5158-0x00000000011F0000-0x00000000011F9000-memory.dmp | Filesize 36KB
memory/1740-5439-0x0000000000740000-0x0000000000744000-memory.dmp | Filesize 16KB
memory/1740-4386-0x0000000000740000-0x0000000000744000-memory.dmp | Filesize 16KB
memory/1740-4337-0x0000000000730000-0x0000000000739000-memory.dmp | Filesize 36KB
memory/1740-4355-0x0000000000730000-0x0000000000739000-memory.dmp | Filesize 36KB
memory/2260-700-0x0000000000400000-0x0000000002B45000-memory.dmp | Filesize 39.3MB
memory/2652-802-0x0000000000400000-0x0000000002B46000-memory.dmp | Filesize 39.3MB
memory/2652-735-0x0000000002CA0000-0x0000000002DA0000-memory.dmp | Filesize 1024KB
memory/2708-138-0x0000000004B00000-0x0000000004F00000-memory.dmp | Filesize 4.0MB
memory/2708-135-0x00000000047E0000-0x0000000004851000-memory.dmp | Filesize 452KB
memory/2708-155-0x0000000000400000-0x0000000002B7C000-memory.dmp | Filesize 39.5MB
memory/2708-136-0x0000000000400000-0x0000000002B7C000-memory.dmp | Filesize 39.5MB
memory/2708-141-0x0000000004B00000-0x0000000004F00000-memory.dmp | Filesize 4.0MB
memory/2708-137-0x0000000002D00000-0x0000000002D07000-memory.dmp | Filesize 28KB
memory/2708-145-0x00000000047E0000-0x0000000004851000-memory.dmp | Filesize 452KB
memory/2708-143-0x0000000002D40000-0x0000000002E40000-memory.dmp | Filesize 1024KB
memory/2708-152-0x0000000004A30000-0x0000000004A66000-memory.dmp | Filesize 216KB
memory/2708-156-0x0000000004B00000-0x0000000004F00000-memory.dmp | Filesize 4.0MB
memory/2708-146-0x0000000004A30000-0x0000000004A66000-memory.dmp | Filesize 216KB
memory/2708-142-0x0000000000400000-0x0000000002B7C000-memory.dmp | Filesize 39.5MB
memory/2708-153-0x0000000004B00000-0x0000000004F00000-memory.dmp | Filesize 4.0MB
memory/2708-139-0x0000000004B00000-0x0000000004F00000-memory.dmp | Filesize 4.0MB
memory/2708-140-0x0000000004B00000-0x0000000004F00000-memory.dmp | Filesize 4.0MB
memory/2708-134-0x0000000002D40000-0x0000000002E40000-memory.dmp | Filesize 1024KB
memory/2788-4332-0x00000000004B0000-0x0000000000525000-memory.dmp | Filesize 468KB
memory/2788-4309-0x0000000000440000-0x00000000004AB000-memory.dmp | Filesize 428KB
memory/2788-4344-0x0000000000440000-0x00000000004AB000-memory.dmp | Filesize 428KB
memory/2788-4480-0x0000000000440000-0x00000000004AB000-memory.dmp | Filesize 428KB
memory/2920-5663-0x0000000001180000-0x0000000001189000-memory.dmp | Filesize 36KB
memory/2920-5675-0x0000000001180000-0x0000000001189000-memory.dmp | Filesize 36KB
memory/2920-5664-0x0000000001190000-0x0000000001195000-memory.dmp | Filesize 20KB
memory/3056-165-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-161-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-167-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-157-0x000001CA7FDB0000-0x000001CA7FDB3000-memory.dmp | Filesize 12KB
memory/3056-144-0x000001CA7FDB0000-0x000001CA7FDB3000-memory.dmp | Filesize 12KB
memory/3056-172-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-158-0x000001CA01E80000-0x000001CA01E87000-memory.dmp | Filesize 28KB
memory/3056-170-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp | Filesize 2.0MB
memory/3056-169-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-182-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp | Filesize 2.0MB
memory/3056-160-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-168-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-159-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-173-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-197-0x000001CA01E80000-0x000001CA01E85000-memory.dmp | Filesize 20KB
memory/3056-198-0x00007FFB71A70000-0x00007FFB71C65000-memory.dmp | Filesize 2.0MB
memory/3056-162-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-171-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-175-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-163-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3056-174-0x00007FF4F7530000-0x00007FF4F765D000-memory.dmp | Filesize 1.2MB
memory/3076-6124-0x0000000000720000-0x0000000000725000-memory.dmp | Filesize 20KB
memory/3076-5432-0x0000000000710000-0x0000000000719000-memory.dmp | Filesize 36KB
memory/3076-5431-0x0000000000720000-0x0000000000725000-memory.dmp | Filesize 20KB
memory/3076-5356-0x0000000000710000-0x0000000000719000-memory.dmp | Filesize 36KB
memory/3140-199-0x00000000007B0000-0x00000000007C6000-memory.dmp | Filesize 88KB
memory/3448-5237-0x0000000000400000-0x0000000002B45000-memory.dmp | Filesize 39.3MB
memory/3448-5133-0x0000000002E20000-0x0000000002F20000-memory.dmp | Filesize 1024KB
memory/3516-6123-0x0000000000B60000-0x0000000000B66000-memory.dmp | Filesize 24KB
memory/3516-5094-0x0000000000B50000-0x0000000000B5C000-memory.dmp | Filesize 48KB
memory/3516-5131-0x0000000000B60000-0x0000000000B66000-memory.dmp | Filesize 24KB
memory/3516-5132-0x0000000000B50000-0x0000000000B5C000-memory.dmp | Filesize 48KB
memory/4164-4563-0x00000000005E0000-0x00000000005EB000-memory.dmp | Filesize 44KB
memory/4164-5888-0x00000000005E0000-0x00000000005EB000-memory.dmp | Filesize 44KB
memory/4164-5829-0x00000000005F0000-0x00000000005F7000-memory.dmp | Filesize 28KB
memory/4164-4553-0x00000000005F0000-0x00000000005F7000-memory.dmp | Filesize 28KB
memory/4404-4914-0x00000000011F0000-0x00000000011F9000-memory.dmp | Filesize 36KB
memory/4404-6085-0x0000000001400000-0x0000000001405000-memory.dmp | Filesize 20KB
memory/4404-4892-0x00000000011F0000-0x00000000011F9000-memory.dmp | Filesize 36KB
memory/4404-4896-0x0000000001400000-0x0000000001405000-memory.dmp | Filesize 20KB
memory/4988-4511-0x0000000000600000-0x000000000060B000-memory.dmp | Filesize 44KB
memory/4988-4477-0x0000000000600000-0x000000000060B000-memory.dmp | Filesize 44KB
memory/4988-4479-0x0000000000610000-0x000000000061A000-memory.dmp | Filesize 40KB
memory/4988-5512-0x0000000000600000-0x000000000060B000-memory.dmp | Filesize 44KB
memory/5000-4727-0x0000000000AA0000-0x0000000000AAF000-memory.dmp | Filesize 60KB
memory/5000-5916-0x0000000000AA0000-0x0000000000AAF000-memory.dmp | Filesize 60KB
memory/5000-4713-0x0000000000AB0000-0x0000000000AB9000-memory.dmp | Filesize 36KB
memory/5112-4284-0x00000000003F0000-0x00000000003FC000-memory.dmp | Filesize 48KB
memory/5112-5942-0x00000000001D0000-0x00000000001D7000-memory.dmp | Filesize 28KB
memory/5112-5929-0x00000000001C0000-0x00000000001CD000-memory.dmp | Filesize 52KB
memory/5112-4239-0x00000000003F0000-0x00000000003FC000-memory.dmp | Filesize 48KB