Analysis
-
max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags
arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted
14-07-2023 23:51
Static task
static1
Behavioral task
behavioral1
Sample
a85fc38903152fcf020fb5ac1d90aa10.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
a85fc38903152fcf020fb5ac1d90aa10.exe
Resource
win10v2004-20230703-en
General
-
Target
a85fc38903152fcf020fb5ac1d90aa10.exe
-
Size
164KB
-
MD5
a85fc38903152fcf020fb5ac1d90aa10
-
SHA1
caab463070bc5b97431e19344541f01fb06a0883
-
SHA256
2f114f5d0e6063b5c3c3276bdbd20766a102b49dd48dce74d142eefa07c7cda5
-
SHA512
6f591a5f75fad096dff024b745a5ca0219a149a93f38e47ebeaebfaa70a2694f524611fbfbeb559ade7818a6fcf16151b5521c720dec3472e2127c3c6fba87a2
-
SSDEEP
3072:yCLITMy2+o6bVAR9PMfBMbsIFD9T3WUNztymtohPwM5AJY:HLIgy7refNPFRWUptJR9O
Malware Config
Extracted
smokeloader
summ
Extracted
smokeloader
2022
http://stalagmijesarl.com/
http://ukdantist-sarl.com/
http://cpcorprotationltd.com/
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Extracted
lumma
gstatic-node.io
Extracted
systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Signatures
-
Detect rhadamanthys stealer shellcode 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3524-203-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral2/memory/3524-204-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral2/memory/3524-205-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral2/memory/3524-207-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral2/memory/3524-220-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
behavioral2/memory/3524-223-0x0000000002640000-0x0000000002A40000-memory.dmp | family_rhadamanthys
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3524 created 3160 | 3524 | D472.exe | Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
4488 | bcdedit.exe
1628 | bcdedit.exe
-
Deletes backup catalog
Processes:
pid | process
2760 | wbadmin.exe
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] | [email protected]
Executes dropped EXE 7 IoCs
Processes:
pid | process
3524 | D472.exe
212 | DCB0.exe
4252 | nfCnEcb[.exe
3388 | [email protected]
3816 | vjvE57][email protected]
4236 | nfCnEcb[.exe
4900 | [email protected]
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Y_K5~@q4 = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Y_K5~@q4 = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" | [email protected]
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini | [email protected]
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini | [email protected]
File opened for modification | C:\Program Files\desktop.ini | [email protected]
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4252 set thread context of 4236 | 4252 | nfCnEcb[.exe | nfCnEcb[.exe
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\tpcps.dll | [email protected]
File created | C:\Program Files\7-Zip\Lang\vi.txt.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.hu-hu.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll | [email protected]
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\db\bin\stopNetworkServer.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\include\classfile_constants.h.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\7-Zip\Lang\ga.txt | [email protected]
File created | C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig-office.xrm-ms.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Internet Explorer\ExtExport.exe | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\ucrtbase.dll | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\7-Zip\Lang\he.txt | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\FindUnblock.vsx.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll | [email protected]
File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | [email protected]
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.uk-ua.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak | [email protected]
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\AccessBridgeCallbacks.h.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\7-Zip\Lang\gu.txt.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Common Files\System\ado\msador28.tlb | [email protected]
File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui | [email protected]
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\nacl_irt_x86_64.nexe.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\include\win32\jawt_md.h.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\7-Zip\Lang\an.txt.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\7-Zip\Lang\he.txt.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat | [email protected]
File opened for modification | C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui | [email protected]
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\bg.pak | [email protected]
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\fil.pak | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.et-ee.dll | [email protected]
File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\it-IT\ShapeCollector.exe.mui | [email protected]
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqlxmlx.dll | [email protected]
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ur.pak | [email protected]
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\manifest.json.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\bci.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\7-Zip\Lang\ru.txt.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.pl-pl.dll | [email protected]
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.VisualElementsManifest.xml | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll | [email protected]
File opened for modification | C:\Program Files\Common Files\System\Ole DB\sqloledb.dll | [email protected]
File created | C:\Program Files\ConvertAssert.jpg.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui | [email protected]
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derby.war | [email protected]
File created | C:\Program Files\7-Zip\7-zip.chm.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.cs-cz.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | [email protected]
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\uk.pak.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe.id[C14A9462-3483].[[email protected]].8base | [email protected]
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll.id[C14A9462-3483].[[email protected]].8base | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ipsdan.xml | [email protected]
File opened for modification | C:\Program Files\CloseDisable.jpg | [email protected]
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\es-ES\ShapeCollector.exe.mui | [email protected]
Program crash 2 IoCs
Processes:
pid | pid_target | process | target process
3724 | 3524 | WerFault.exe | D472.exe
2320 | 212 | WerFault.exe | DCB0.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a85fc38903152fcf020fb5ac1d90aa10.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a85fc38903152fcf020fb5ac1d90aa10.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | a85fc38903152fcf020fb5ac1d90aa10.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | nfCnEcb[.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | nfCnEcb[.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | nfCnEcb[.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
5088 | vssadmin.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3696 | a85fc38903152fcf020fb5ac1d90aa10.exe (2 entries)
3160 | Explorer.EXE (62 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3160 | Explorer.EXE
Suspicious behavior: MapViewOfSection 20 IoCs
Processes:
pid | process
3696 | a85fc38903152fcf020fb5ac1d90aa10.exe (1 entry)
3160 | Explorer.EXE (18 entries)
4236 | nfCnEcb[.exe (1 entry)
Suspicious use of AdjustPrivilegeToken 39 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 3160 | Explorer.EXE (4 entries, alternating with the next row)
Token: SeCreatePagefilePrivilege | 3160 | Explorer.EXE (4 entries)
Token: SeDebugPrivilege | 3388 | [email protected]
Token: SeBackupPrivilege | 1540 | vssvc.exe
Token: SeRestorePrivilege | 1540 | vssvc.exe
Token: SeAuditPrivilege | 1540 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 3488 | WMIC.exe
Token: SeSecurityPrivilege | 3488 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3488 | WMIC.exe
Token: SeLoadDriverPrivilege | 3488 | WMIC.exe
Token: SeSystemProfilePrivilege | 3488 | WMIC.exe
Token: SeSystemtimePrivilege | 3488 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 3488 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 3488 | WMIC.exe
Token: SeCreatePagefilePrivilege | 3488 | WMIC.exe
Token: SeBackupPrivilege | 3488 | WMIC.exe
Token: SeRestorePrivilege | 3488 | WMIC.exe
Token: SeShutdownPrivilege | 3488 | WMIC.exe
Token: SeDebugPrivilege | 3488 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 3488 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 3488 | WMIC.exe
Token: SeUndockPrivilege | 3488 | WMIC.exe
Token: SeManageVolumePrivilege | 3488 | WMIC.exe
Token: 33 | 3488 | WMIC.exe
Token: 34 | 3488 | WMIC.exe
Token: 35 | 3488 | WMIC.exe
Token: 36 | 3488 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 3488 | WMIC.exe
Token: SeSecurityPrivilege | 3488 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 3488 | WMIC.exe
Token: SeLoadDriverPrivilege | 3488 | WMIC.exe
Token: SeSystemProfilePrivilege | 3488 | WMIC.exe
Token: SeSystemtimePrivilege | 3488 | WMIC.exe
Suspicious use of WriteProcessMemory 61 IoCs
Processes:
description | pid | process | target process
PID 3160 wrote to memory of 3524 | 3160 | Explorer.EXE | D472.exe (3 entries)
PID 3160 wrote to memory of 212 | 3160 | Explorer.EXE | DCB0.exe (3 entries)
PID 3160 wrote to memory of 872 | 3160 | Explorer.EXE | explorer.exe (4 entries)
PID 3160 wrote to memory of 3680 | 3160 | Explorer.EXE | explorer.exe (3 entries)
PID 3160 wrote to memory of 1048 | 3160 | Explorer.EXE | explorer.exe (4 entries)
PID 3160 wrote to memory of 1528 | 3160 | Explorer.EXE | explorer.exe (3 entries)
PID 3160 wrote to memory of 1608 | 3160 | Explorer.EXE | explorer.exe (4 entries)
PID 3160 wrote to memory of 4208 | 3160 | Explorer.EXE | explorer.exe (4 entries)
PID 3160 wrote to memory of 4416 | 3160 | Explorer.EXE | explorer.exe (4 entries)
PID 3160 wrote to memory of 4280 | 3160 | Explorer.EXE | explorer.exe (3 entries)
PID 3160 wrote to memory of 2512 | 3160 | Explorer.EXE | explorer.exe (4 entries)
PID 3524 wrote to memory of 180 | 3524 | D472.exe | certreq.exe (4 entries)
PID 4252 wrote to memory of 4236 | 4252 | nfCnEcb[.exe | nfCnEcb[.exe (6 entries)
PID 3388 wrote to memory of 3616 | 3388 | [email protected] | cmd.exe (2 entries)
PID 3388 wrote to memory of 4760 | 3388 | [email protected] | cmd.exe (2 entries)
PID 3616 wrote to memory of 2372 | 3616 | cmd.exe | netsh.exe (2 entries)
PID 4760 wrote to memory of 5088 | 4760 | cmd.exe | vssadmin.exe (2 entries)
PID 3616 wrote to memory of 1112 | 3616 | cmd.exe | netsh.exe (2 entries)
PID 4760 wrote to memory of 3488 | 4760 | cmd.exe | WMIC.exe (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Processes
-
C:\Windows\Explorer.EXE (level 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a85fc38903152fcf020fb5ac1d90aa10.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\a85fc38903152fcf020fb5ac1d90aa10.exe"
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D472.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\D472.exe
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 968
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\DCB0.exe (level 2)
Command line: C:\Users\Admin\AppData\Local\Temp\DCB0.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 3400
- Program crash
-
C:\Windows\SysWOW64\explorer.exe (level 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2)
Command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2)
Command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\system32\certreq.exe (level 2)
Command line: "C:\Windows\system32\certreq.exe"
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3524 -ip 3524
-
C:\Windows\SysWOW64\WerFault.exe (level 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 212 -ip 212
-
C:\Users\Admin\AppData\Local\Microsoft\nfCnEcb[.exe (level 1)
Command line: "C:\Users\Admin\AppData\Local\Microsoft\nfCnEcb[.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\nfCnEcb[.exe (level 2)
Command line: "C:\Users\Admin\AppData\Local\Microsoft\nfCnEcb[.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Microsoft\[email protected] (level 1)
Command line: "C:\Users\Admin\AppData\Local\Microsoft\[email protected]"
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\[email protected]
-
C:\Windows\system32\cmd.exe (level 2)
Command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe (level 3)
Command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exe (level 3)
Command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exe (level 3)
Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe (level 3)
Command line: bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exe (level 3)
Command line: wbadmin delete catalog -quiet
- Deletes backup catalog
-
C:\Windows\system32\cmd.exe (level 2)
Command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (level 3)
Command line: netsh advfirewall set currentprofile state off
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exe (level 3)
Command line: netsh firewall set opmode mode=disable
- Modifies Windows Firewall
-
C:\Users\Admin\AppData\Local\Microsoft\vjvE57][email protected]
-
C:\Windows\system32\vssvc.exe (level 1)
Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (level 1)
Command line: "C:\Windows\system32\wbengine.exe"
-
C:\Windows\System32\vdsldr.exe (level 1)
Command line: C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe (level 1)
Command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[C14A9462-3483].[[email protected]].8base
Filesize 2.7MB
MD5 7078f7a0fde81d09c34f36515216069b
SHA1 8dff7f6b04e55e616ffe09ab31e0ea2031d5927d
SHA256 43fee4db44c70aeee45535be0e89844295879a1b6e5e02c0791fc4d58ca8b1a5
SHA512 1ba3793ab4fc696bf5d82add1e4b33170df727983ae8ccdfb8257b751d15f5332cb0d119d0a2867f4267af9bb740b4975628a06f9323302aec751a821d34d4ef
-
C:\Users\Admin\AppData\Local\Microsoft\[email protected]
Filesize 164KB
MD5 de348ef9eed7ccdaed5a70ae15796a86
SHA1 42914d94e8024ca94e58bb4bd9cfa4d0ae524975
SHA256 a2333bcbbdbf6846ea6945637f93ecc2500a32bbfa9032c4cc39021a4e41a855
SHA512 605bdb115b9fc95b1c0924f01b3b62b27737d94fe97825e81ebc5f1de107a317bd47fbe88be9d2ac4e6b3c9d0d537a8b38986b24480a54495442c6206e9eb163
-
C:\Users\Admin\AppData\Local\Microsoft\nfCnEcb[.exe
Filesize 164KB
MD5 09d7f30d2f8432be6087038562a029dd
SHA1 07fc20446a03a20c191e750ef21737ec948d9544
SHA256 8c7319e9b6bd1ec0fa5658aaf55096a7e549b21a380de406c705969f165cb3f8
SHA512 abc4670991a0a109a292d36f2b5116685374d0c85c157eefac3b44e240050b51c41839b8df4ffdad3ef6460dcd70c2b9457492c7d486fccd7a48e931cebacf7e
-
C:\Users\Admin\AppData\Local\Microsoft\vjvE57][email protected]
Filesize 164KB
MD5 6ac14216327dcfb60b33ebd914f62769
SHA1 d55eba9a523347f5ee65c9e27a3dc73a1eb4cf7b
SHA256 25f77a058ec8aff36602762a75066b3ba52652ce90fc823b51dc81e4b14bbeb9
SHA512 6af659cfee302b0faefd85a87bc0aa3e10c40aeb18c6246cf2b335a34b40c21279f1b76ae420217f2caa3913d66e96116860ce442fad5fe465d2273de79ff3ed
-
C:\Users\Admin\AppData\Local\Temp\D472.exe
Filesize 374KB
MD5 aaf3d68aeea347268ede50e621ca21ce
SHA1 0e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA256 09c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA512 61416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0
-
C:\Users\Admin\AppData\Local\Temp\DCB0.exe
Filesize 290KB
MD5 6d35d4cb11e99f8645441b0f1f96da3d
SHA1 3b6e12da0c1c37d38db867ab6330ace34461c56a
SHA256 9066d830ae21197499f19a044054b0ea96f5be17cbb246714e15f36f32312204
SHA512 01b5b75ce608f55f70c6471bb20f0a248116ef902f4bd602b5cf11fed747e0af9b811fbe74d393895672806f2b525900c6cef0ce889229d27032683a5e591aa4
-
memory/180-237-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-246-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-236-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-211-0x000001D97EFD0000-0x000001D97EFD3000-memory.dmp
Filesize: 12KB
-
memory/180-238-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-239-0x00007FFF08AD0000-0x00007FFF08CC5000-memory.dmp
Filesize: 2.0MB
-
memory/180-240-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-241-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-242-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-227-0x000001D97F270000-0x000001D97F277000-memory.dmp
Filesize: 28KB
-
memory/180-243-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-234-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-247-0x00007FFF08AD0000-0x00007FFF08CC5000-memory.dmp
Filesize: 2.0MB
-
memory/180-232-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-231-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-230-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-228-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-261-0x00007FFF08AD0000-0x00007FFF08CC5000-memory.dmp
Filesize: 2.0MB
-
memory/180-260-0x000001D97F270000-0x000001D97F275000-memory.dmp
Filesize: 20KB
-
memory/180-229-0x00007FF41A580000-0x00007FF41A6AD000-memory.dmp
Filesize: 1.2MB
-
memory/180-226-0x000001D97EFD0000-0x000001D97EFD3000-memory.dmp
Filesize: 12KB
-
memory/212-200-0x00000000006D0000-0x0000000000725000-memory.dmp
Filesize: 340KB
-
memory/212-244-0x0000000000400000-0x0000000000502000-memory.dmp
Filesize: 1.0MB
-
memory/212-218-0x00000000007A0000-0x00000000008A0000-memory.dmp
Filesize: 1024KB
-
memory/212-208-0x0000000000400000-0x0000000000502000-memory.dmp
Filesize: 1.0MB
-
memory/212-201-0x0000000000400000-0x0000000000502000-memory.dmp
Filesize: 1.0MB
-
memory/212-199-0x00000000007A0000-0x00000000008A0000-memory.dmp
Filesize: 1024KB
-
memory/872-176-0x0000000000370000-0x0000000000377000-memory.dmp
Filesize: 28KB
-
memory/872-162-0x0000000000360000-0x000000000036B000-memory.dmp
Filesize: 44KB
-
memory/872-179-0x0000000000360000-0x000000000036B000-memory.dmp
Filesize: 44KB
-
memory/872-160-0x0000000000370000-0x0000000000377000-memory.dmp
Filesize: 28KB
-
memory/1048-168-0x00000000009A0000-0x00000000009A9000-memory.dmp
Filesize: 36KB
-
memory/1048-166-0x00000000009A0000-0x00000000009A9000-memory.dmp
Filesize: 36KB
-
memory/1048-185-0x00000000009B0000-0x00000000009B5000-memory.dmp
Filesize: 20KB
-
memory/1048-167-0x00000000009B0000-0x00000000009B5000-memory.dmp
Filesize: 20KB
-
memory/1528-189-0x0000000001230000-0x0000000001236000-memory.dmp
Filesize: 24KB
-
memory/1528-171-0x0000000001220000-0x000000000122C000-memory.dmp
Filesize: 48KB
-
memory/1528-170-0x0000000001230000-0x0000000001236000-memory.dmp
Filesize: 24KB
-
memory/1528-169-0x0000000001220000-0x000000000122C000-memory.dmp
Filesize: 48KB
-
memory/1608-173-0x00000000008F0000-0x0000000000912000-memory.dmp
Filesize: 136KB
-
memory/1608-172-0x00000000008C0000-0x00000000008E7000-memory.dmp
Filesize: 156KB
-
memory/1608-174-0x00000000008C0000-0x00000000008E7000-memory.dmp
Filesize: 156KB
-
memory/1608-192-0x00000000008F0000-0x0000000000912000-memory.dmp
Filesize: 136KB
-
memory/2512-191-0x00000000013D0000-0x00000000013DB000-memory.dmp
Filesize: 44KB
-
memory/2512-198-0x00000000013E0000-0x00000000013E8000-memory.dmp
Filesize: 32KB
-
memory/2512-188-0x00000000013D0000-0x00000000013DB000-memory.dmp
Filesize: 44KB
-
memory/2512-190-0x00000000013E0000-0x00000000013E8000-memory.dmp
Filesize: 32KB
-
memory/3160-138-0x0000000002730000-0x0000000002746000-memory.dmp
Filesize: 88KB
-
memory/3160-278-0x00000000026C0000-0x00000000026D6000-memory.dmp
Filesize: 88KB
-
memory/3388-273-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3388-272-0x00000000020F0000-0x00000000020FF000-memory.dmp
Filesize: 60KB
-
memory/3388-557-0x0000000000850000-0x0000000000950000-memory.dmp
Filesize: 1024KB
-
memory/3388-271-0x0000000000850000-0x0000000000950000-memory.dmp
Filesize: 1024KB
-
memory/3388-613-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3388-657-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3388-1756-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3524-207-0x0000000002640000-0x0000000002A40000-memory.dmp
Filesize: 4.0MB
-
memory/3524-206-0x0000000000400000-0x0000000000517000-memory.dmp
Filesize: 1.1MB
-
memory/3524-222-0x0000000000400000-0x0000000000517000-memory.dmp
Filesize: 1.1MB
-
memory/3524-220-0x0000000002640000-0x0000000002A40000-memory.dmp
Filesize: 4.0MB
-
memory/3524-219-0x00000000025E0000-0x0000000002616000-memory.dmp
Filesize: 216KB
-
memory/3524-212-0x00000000025E0000-0x0000000002616000-memory.dmp
Filesize: 216KB
-
memory/3524-210-0x0000000000640000-0x0000000000740000-memory.dmp
Filesize: 1024KB
-
memory/3524-209-0x0000000002120000-0x0000000002191000-memory.dmp
Filesize: 452KB
-
memory/3524-223-0x0000000002640000-0x0000000002A40000-memory.dmp
Filesize: 4.0MB
-
memory/3524-195-0x0000000000640000-0x0000000000740000-memory.dmp
Filesize: 1024KB
-
memory/3524-205-0x0000000002640000-0x0000000002A40000-memory.dmp
Filesize: 4.0MB
-
memory/3524-204-0x0000000002640000-0x0000000002A40000-memory.dmp
Filesize: 4.0MB
-
memory/3524-203-0x0000000002640000-0x0000000002A40000-memory.dmp
Filesize: 4.0MB
-
memory/3524-202-0x00000000021C0000-0x00000000021C7000-memory.dmp
Filesize: 28KB
-
memory/3524-197-0x0000000000400000-0x0000000000517000-memory.dmp
Filesize: 1.1MB
-
memory/3524-196-0x0000000002120000-0x0000000002191000-memory.dmp
Filesize: 452KB
-
memory/3680-164-0x00000000004B0000-0x00000000004B9000-memory.dmp
Filesize: 36KB
-
memory/3680-165-0x00000000004A0000-0x00000000004AF000-memory.dmp
Filesize: 60KB
-
memory/3680-163-0x00000000004A0000-0x00000000004AF000-memory.dmp
Filesize: 60KB
-
memory/3680-181-0x00000000004B0000-0x00000000004B9000-memory.dmp
Filesize: 36KB
-
memory/3696-134-0x00000000008B0000-0x00000000009B0000-memory.dmp
Filesize: 1024KB
-
memory/3696-142-0x0000000000890000-0x0000000000899000-memory.dmp
Filesize: 36KB
-
memory/3696-139-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3696-137-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3696-136-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3696-135-0x0000000000890000-0x0000000000899000-memory.dmp
Filesize: 36KB
-
memory/3816-499-0x0000000000750000-0x0000000000850000-memory.dmp
Filesize: 1024KB
-
memory/3816-426-0x0000000000600000-0x0000000000605000-memory.dmp
Filesize: 20KB
-
memory/3816-267-0x0000000000750000-0x0000000000850000-memory.dmp
Filesize: 1024KB
-
memory/3816-269-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize: 908KB
-
memory/3816-268-0x0000000000600000-0x0000000000605000-memory.dmp
Filesize: 20KB
-
memory/4208-177-0x00000000004A0000-0x00000000004A5000-memory.dmp
Filesize: 20KB
-
memory/4208-178-0x0000000000490000-0x0000000000499000-memory.dmp
Filesize: 36KB
-
memory/4208-175-0x0000000000490000-0x0000000000499000-memory.dmp
Filesize: 36KB
-
memory/4236-264-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/4236-266-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/4236-279-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/4252-263-0x0000000001FF0000-0x0000000001FF9000-memory.dmp
Filesize: 36KB
-
memory/4252-262-0x0000000000510000-0x0000000000610000-memory.dmp
Filesize: 1024KB
-
memory/4280-187-0x0000000000170000-0x000000000017D000-memory.dmp
Filesize: 52KB
-
memory/4280-194-0x0000000000180000-0x0000000000187000-memory.dmp
Filesize: 28KB
-
memory/4280-186-0x0000000000180000-0x0000000000187000-memory.dmp
Filesize: 28KB
-
memory/4280-184-0x0000000000170000-0x000000000017D000-memory.dmp
Filesize: 52KB
-
memory/4416-180-0x0000000001390000-0x000000000139B000-memory.dmp
Filesize: 44KB
-
memory/4416-183-0x0000000001390000-0x000000000139B000-memory.dmp
Filesize: 44KB
-
memory/4416-193-0x00000000013A0000-0x00000000013A6000-memory.dmp
Filesize: 24KB
-
memory/4416-182-0x00000000013A0000-0x00000000013A6000-memory.dmp
Filesize: 24KB
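The dropped-file and memory-dump entries above are raw report data. The following Python is an added example, not part of the sandbox report or its tooling: it parses entries in this listing's layout (both the fused "pathFilesize" / "MD5hex" form the page text arrives in and a cleaned "Label: value" form), deduplicates the dropped files by SHA256 so they can be fed to a blocklist, and checks each memory dump's listed size against the address range encoded in its file name. The size-formatting rule (exactly 1 MiB printed as 1024KB, anything larger as X.YMB) is inferred from the listing and is an assumption; the sample text is constructed from a subset of the entries above, with D472.exe listed twice as the report lists it.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing (added example).
Handles the fused raw layout and a cleaned "Label: value" layout alike."""
import re
from dataclasses import dataclass, field

# Constructed sample: one dropped file listed twice and two dumps of PID 3524,
# copied from the listing above in its raw fused layout.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\D472.exeFilesize
374KB
MD5aaf3d68aeea347268ede50e621ca21ce
SHA10e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA25609c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA51261416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0
-
C:\Users\Admin\AppData\Local\Temp\D472.exeFilesize
374KB
MD5aaf3d68aeea347268ede50e621ca21ce
SHA10e7c0e38a200a9ea3af663dfd33941cc5e1657c9
SHA25609c9bc026f600cb19848ba96858b3dbfe13f03358dc0703818d3bfa3d632d416
SHA51261416225031cbb74114ee61e3f7ce697e73423c75a0f2e96f51557b3d289ad868034e2e07ead926cd12a95b524ed37cf1626dc75dc99c47fac9cb8f843002bd0
-
memory/3524-203-0x0000000002640000-0x0000000002A40000-memory.dmpFilesize
4.0MB
-
memory/3524-210-0x0000000000640000-0x0000000000740000-memory.dmpFilesize
1024KB
-
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512):?\s*([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
LABEL = "Filesize"


@dataclass
class Entry:
    path: str
    size: str = ""
    hashes: dict = field(default_factory=dict)


def parse_entries(text):
    """Split the listing into Entry records; "-" lines separate entries."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            cur = None
            continue
        if cur is None:
            # First line of an entry is the path; the raw text fuses "Filesize" onto it.
            path = line[:-len(LABEL)].rstrip() if line.endswith(LABEL) else line
            cur = Entry(path=path)
            entries.append(cur)
            continue
        if line.startswith(LABEL):            # cleaned layout: "Filesize: 374KB"
            cur.size = line[len(LABEL):].lstrip(": ")
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # reject truncated or mislabelled digests
                raise ValueError(f"{cur.path}: {algo} has {len(digest)} hex chars")
            cur.hashes[algo] = digest
        elif not cur.size:                    # raw layout: size value on its own line
            cur.size = line
    return entries


def fmt_size(nbytes):
    """Reproduce the report's size strings. Rule inferred from the listing
    (assumption): exactly 1 MiB prints as 1024KB, anything larger as X.YMB."""
    mib = 1024 * 1024
    return f"{nbytes / mib:.1f}MB" if nbytes > mib else f"{nbytes // 1024}KB"


def dump_region(path):
    """(pid, seq, start, end) decoded from a memory dump name, or None."""
    m = DUMP_RE.match(path)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)


def dedupe_by_sha256(entries):
    """Unique dropped files keyed on SHA256; first occurrence wins."""
    seen = {}
    for e in entries:
        key = e.hashes.get("SHA256")
        if key and key not in seen:
            seen[key] = e
    return list(seen.values())


def check_dumps(entries):
    """(path, listed, computed) for each dump whose listed size disagrees with
    its address range; an empty list means the listing is self-consistent."""
    bad = []
    for e in entries:
        region = dump_region(e.path)
        if region:
            computed = fmt_size(region[3] - region[2])
            if computed != e.size:
                bad.append((e.path, e.size, computed))
    return bad


def regions_for_pid(entries, pid):
    """Distinct (start, end) ranges dumped from one process, ascending."""
    return sorted({r[2:] for r in map(dump_region, (e.path for e in entries)) if r and r[0] == pid})


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for f in dedupe_by_sha256(ents):
        print(f.path, f.size, f.hashes["SHA256"])
    print("inconsistent dumps:", check_dumps(ents))
    print("PID 3524 regions:", [(hex(s), hex(e)) for s, e in regions_for_pid(ents, 3524)])
```

Run it over the whole listing to get one hash per dropped file instead of the duplicated records the report prints, and to confirm that every dump's size matches its range. `regions_for_pid(ents, 3524)` isolates the 4.0MB region at 0x2640000-0x2A40000, the one the rhadamanthys shellcode signature in the Signatures section fires on, from the process's other dumps.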