Analysis
-
max time kernel
150s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230703-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
-
submitted
14-07-2023 07:21
Static task
static1
Behavioral task
behavioral1
Sample
dc80d05184fe7f0757caefa3d0c96682.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
dc80d05184fe7f0757caefa3d0c96682.exe
Resource
win10v2004-20230703-en
General
-
Target
dc80d05184fe7f0757caefa3d0c96682.exe
-
Size
374KB
-
MD5
dc80d05184fe7f0757caefa3d0c96682
-
SHA1
ad89006d5c3938c544d3c6ee648f2fc25eeac556
-
SHA256
ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
-
SHA512
ba9903e233f9ce70181597b741eeb16fcae0f318b67aff225b4ae37e67df73e30bc7dd8707081c9f6154ea9b05f7b8f840daec6d72efad4d780f6be94eba8071
-
SSDEEP
6144:eLw4/9ZyRhBb1Z4HAp+KcvsWxTrwc/ysETGdpxLt4cCt:es+yLBKAp+rnwcEAD54j
Malware Config
Extracted
systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Extracted
smokeloader
2022
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Extracted
C:\info.hta
Extracted
C:\Users\Admin\Desktop\info.hta
Signatures
-
Detect rhadamanthys stealer shellcode 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3640-139-0x00000000023D0000-0x00000000027D0000-memory.dmp | family_rhadamanthys
behavioral2/memory/3640-140-0x00000000023D0000-0x00000000027D0000-memory.dmp | family_rhadamanthys
behavioral2/memory/3640-141-0x00000000023D0000-0x00000000027D0000-memory.dmp | family_rhadamanthys
behavioral2/memory/3640-142-0x00000000023D0000-0x00000000027D0000-memory.dmp | family_rhadamanthys
behavioral2/memory/3640-154-0x00000000023D0000-0x00000000027D0000-memory.dmp | family_rhadamanthys
behavioral2/memory/3640-157-0x00000000023D0000-0x00000000027D0000-memory.dmp | family_rhadamanthys
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 3640 created 3116 | 3640 | dc80d05184fe7f0757caefa3d0c96682.exe | Explorer.EXE
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
pid | process
540 | bcdedit.exe
2436 | bcdedit.exe
1056 | bcdedit.exe
5084 | bcdedit.exe
-
Renames multiple (482) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Processes:
pid | process
4608 | wbadmin.exe
4376 | wbadmin.exe
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | ZLfFF.exe
-
Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\ZLfFF.exe | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | ZLfFF.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
4976 | 88r.exe
1620 | ZLfFF.exe
3716 | V[x12S.exe
4136 | 88r.exe
4488 | ZLfFF.exe
2400 | CEF3.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLfFF = "C:\\Users\\Admin\\AppData\\Local\\ZLfFF.exe" | ZLfFF.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZLfFF = "C:\\Users\\Admin\\AppData\\Local\\ZLfFF.exe" | ZLfFF.exe
-
Drops desktop.ini file(s) 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | ZLfFF.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1722984668-1829624581-3022101259-1000\desktop.ini | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | ZLfFF.exe
File opened for modification | C:\Program Files\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | ZLfFF.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | ZLfFF.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | ZLfFF.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 4976 set thread context of 4136 | 4976 | 88r.exe | 88r.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleAppList.targetsize-256.png | ZLfFF.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.ar-sa.dll.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.sl-si.dll | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageAppList.scale-125.png | ZLfFF.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d4.png | ZLfFF.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\ui-strings.js | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ui-strings.js | ZLfFF.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe | ZLfFF.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PEOPLEDATAHANDLER.DLL | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\EDGE.ELM | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ppd.xrm-ms | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ppd.xrm-ms | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\SplashWideTile.scale-200_contrast-white.png | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xe7d9.png | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\AppxSignature.p7x | ZLfFF.exe
File opened for modification | C:\Program Files\7-Zip\Lang\ku-ckb.txt | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml | ZLfFF.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_imem_plugin.dll | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\Weather_LogoSmall.targetsize-24.png | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\skchui.dll | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\fr.pak | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ca-Es-VALENCIA.pak.DATA | ZLfFF.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\kn.pak.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar | ZLfFF.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\axvlc.dll | ZLfFF.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_filter\libgradfun_plugin.dll | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-40_altform-unplated.png | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\6445_48x48x32.png | ZLfFF.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\MANIFEST.MF.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\WidescreenPresentation.potx | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\ARCTIC.ELM | ZLfFF.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-80.png | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\CaptureUI.xaml | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\faf_field_grabber.png | ZLfFF.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\ui-strings.js.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll | ZLfFF.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_filter\liberase_plugin.dll.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\154.png | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\OSFPROXY.DLL | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\CONCRETE.ELM | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Microsoft.BigPark.Utilities.winmd | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-125.png | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\selector.js | ZLfFF.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvmstat_zh_CN.jar.id[15276114-3483].[[email protected]].8base | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\SETUP.CHM | ZLfFF.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Velocity\FeatureStaging-SnipAndSketch.xml | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-125.png | ZLfFF.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\NIRMALAB.TTF | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\SmallTile.scale-200.png | ZLfFF.exe
File opened for modification | C:\Program Files (x86)\Common Files\Services\verisign.bmp | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png | ZLfFF.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-black\WideTile.scale-150_contrast-black.png | ZLfFF.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
5000 | 3640 | WerFault.exe | dc80d05184fe7f0757caefa3d0c96682.exe
3644 | 4488 | WerFault.exe | ZLfFF.exe
4544 | 2400 | WerFault.exe | CEF3.exe
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 88r.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 88r.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 88r.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
1108 | vssadmin.exe
3376 | vssadmin.exe
-
Modifies registry class 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings | ZLfFF.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
3640 | dc80d05184fe7f0757caefa3d0c96682.exe
3640 | dc80d05184fe7f0757caefa3d0c96682.exe
3640 | dc80d05184fe7f0757caefa3d0c96682.exe
3640 | dc80d05184fe7f0757caefa3d0c96682.exe
3944 | certreq.exe
3944 | certreq.exe
3944 | certreq.exe
3944 | certreq.exe
4136 | 88r.exe
4136 | 88r.exe
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
1620 | ZLfFF.exe
1620 | ZLfFF.exe
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
1620 | ZLfFF.exe
1620 | ZLfFF.exe
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
1620 | ZLfFF.exe
1620 | ZLfFF.exe
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
1620 | ZLfFF.exe
1620 | ZLfFF.exe
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
1620 | ZLfFF.exe
1620 | ZLfFF.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3116 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 31 IoCs
Processes:
pid | process
4136 | 88r.exe
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
3116 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1620 | ZLfFF.exe
Token: SeBackupPrivilege | 3304 | vssvc.exe
Token: SeRestorePrivilege | 3304 | vssvc.exe
Token: SeAuditPrivilege | 3304 | vssvc.exe
Token: SeIncreaseQuotaPrivilege | 4416 | WMIC.exe
Token: SeSecurityPrivilege | 4416 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4416 | WMIC.exe
Token: SeLoadDriverPrivilege | 4416 | WMIC.exe
Token: SeSystemProfilePrivilege | 4416 | WMIC.exe
Token: SeSystemtimePrivilege | 4416 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4416 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4416 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4416 | WMIC.exe
Token: SeBackupPrivilege | 4416 | WMIC.exe
Token: SeRestorePrivilege | 4416 | WMIC.exe
Token: SeShutdownPrivilege | 4416 | WMIC.exe
Token: SeDebugPrivilege | 4416 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4416 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4416 | WMIC.exe
Token: SeUndockPrivilege | 4416 | WMIC.exe
Token: SeManageVolumePrivilege | 4416 | WMIC.exe
Token: 33 | 4416 | WMIC.exe
Token: 34 | 4416 | WMIC.exe
Token: 35 | 4416 | WMIC.exe
Token: 36 | 4416 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 4416 | WMIC.exe
Token: SeSecurityPrivilege | 4416 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4416 | WMIC.exe
Token: SeLoadDriverPrivilege | 4416 | WMIC.exe
Token: SeSystemProfilePrivilege | 4416 | WMIC.exe
Token: SeSystemtimePrivilege | 4416 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4416 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4416 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4416 | WMIC.exe
Token: SeBackupPrivilege | 4416 | WMIC.exe
Token: SeRestorePrivilege | 4416 | WMIC.exe
Token: SeShutdownPrivilege | 4416 | WMIC.exe
Token: SeDebugPrivilege | 4416 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4416 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4416 | WMIC.exe
Token: SeUndockPrivilege | 4416 | WMIC.exe
Token: SeManageVolumePrivilege | 4416 | WMIC.exe
Token: 33 | 4416 | WMIC.exe
Token: 34 | 4416 | WMIC.exe
Token: 35 | 4416 | WMIC.exe
Token: 36 | 4416 | WMIC.exe
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
Token: SeBackupPrivilege | 3104 | wbengine.exe
Token: SeRestorePrivilege | 3104 | wbengine.exe
Token: SeSecurityPrivilege | 3104 | wbengine.exe
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3116 | Explorer.EXE
Token: SeShutdownPrivilege | 3116 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3640 wrote to memory of 3944 | 3640 | dc80d05184fe7f0757caefa3d0c96682.exe | certreq.exe
PID 3640 wrote to memory of 3944 | 3640 | dc80d05184fe7f0757caefa3d0c96682.exe | certreq.exe
PID 3640 wrote to memory of 3944 | 3640 | dc80d05184fe7f0757caefa3d0c96682.exe | certreq.exe
PID 3640 wrote to memory of 3944 | 3640 | dc80d05184fe7f0757caefa3d0c96682.exe | certreq.exe
PID 4976 wrote to memory of 4136 | 4976 | 88r.exe | 88r.exe
PID 4976 wrote to memory of 4136 | 4976 | 88r.exe | 88r.exe
PID 4976 wrote to memory of 4136 | 4976 | 88r.exe | 88r.exe
PID 4976 wrote to memory of 4136 | 4976 | 88r.exe | 88r.exe
PID 4976 wrote to memory of 4136 | 4976 | 88r.exe | 88r.exe
PID 4976 wrote to memory of 4136 | 4976 | 88r.exe | 88r.exe
PID 1620 wrote to memory of 4736 | 1620 | ZLfFF.exe | cmd.exe
PID 1620 wrote to memory of 4736 | 1620 | ZLfFF.exe | cmd.exe
PID 1620 wrote to memory of 2276 | 1620 | ZLfFF.exe | cmd.exe
PID 1620 wrote to memory of 2276 | 1620 | ZLfFF.exe | cmd.exe
PID 2276 wrote to memory of 1748 | 2276 | cmd.exe | netsh.exe
PID 2276 wrote to memory of 1748 | 2276 | cmd.exe | netsh.exe
PID 4736 wrote to memory of 1108 | 4736 | cmd.exe | vssadmin.exe
PID 4736 wrote to memory of 1108 | 4736 | cmd.exe | vssadmin.exe
PID 2276 wrote to memory of 1052 | 2276 | cmd.exe | netsh.exe
PID 2276 wrote to memory of 1052 | 2276 | cmd.exe | netsh.exe
PID 4736 wrote to memory of 4416 | 4736 | cmd.exe | WMIC.exe
PID 4736 wrote to memory of 4416 | 4736 | cmd.exe | WMIC.exe
PID 4736 wrote to memory of 540 | 4736 | cmd.exe | bcdedit.exe
PID 4736 wrote to memory of 540 | 4736 | cmd.exe | bcdedit.exe
PID 4736 wrote to memory of 2436 | 4736 | cmd.exe | bcdedit.exe
PID 4736 wrote to memory of 2436 | 4736 | cmd.exe | bcdedit.exe
PID 4736 wrote to memory of 4608 | 4736 | cmd.exe | wbadmin.exe
PID 4736 wrote to memory of 4608 | 4736 | cmd.exe | wbadmin.exe
PID 3116 wrote to memory of 2400 | 3116 | Explorer.EXE | CEF3.exe
PID 3116 wrote to memory of 2400 | 3116 | Explorer.EXE | CEF3.exe
PID 3116 wrote to memory of 2400 | 3116 | Explorer.EXE | CEF3.exe
PID 3116 wrote to memory of 2320 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2320 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2320 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2320 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4132 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4132 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4132 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2624 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2624 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2624 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2624 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4900 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4900 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4900 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4900 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 112 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 112 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 112 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 112 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4060 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4060 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 4060 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 3068 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 3068 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 3068 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 3068 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 1128 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 1128 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 1128 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2248 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2248 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2248 | 3116 | Explorer.EXE | explorer.exe
PID 3116 wrote to memory of 2248 | 3116 | Explorer.EXE | explorer.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes: explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: explorer.exe)
-
outlook_win_path 1 IoCs
Processes: explorer.exe
Key opened \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: explorer.exe)
Processes
-
C:\Windows\Explorer.EXE (level 1), command line: C:\Windows\Explorer.EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe (level 2), command line: "C:\Users\Admin\AppData\Local\Temp\dc80d05184fe7f0757caefa3d0c96682.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe (level 3), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 944
- Program crash
-
C:\Windows\system32\certreq.exe (level 2), command line: "C:\Windows\system32\certreq.exe"
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\CEF3.exe (level 2), command line: C:\Users\Admin\AppData\Local\Temp\CEF3.exe
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 292
- Program crash
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
-
C:\Windows\explorer.exe (level 2), command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2), command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2), command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2), command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (level 2), command line: C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (level 2), command line: C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\WerFault.exe (level 1), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3640 -ip 3640
-
C:\Users\Admin\AppData\Local\Microsoft\88r.exe (level 1), command line: "C:\Users\Admin\AppData\Local\Microsoft\88r.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\88r.exe (level 2), command line: "C:\Users\Admin\AppData\Local\Microsoft\88r.exe"
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe (level 1), command line: "C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe"
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe (level 2), command line: "C:\Users\Admin\AppData\Local\Microsoft\ZLfFF.exe"
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exe (level 3), command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 340
- Program crash
-
C:\Windows\system32\cmd.exe (level 2), command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exe (level 3), command line: netsh advfirewall set currentprofile state off
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exe (level 3), command line: netsh firewall set opmode mode=disable
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exe (level 2), command line: "C:\Windows\system32\cmd.exe"
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exe (level 3), command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exe (level 3), command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exe (level 3), command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe (level 3), command line: bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exe (level 3), command line: wbadmin delete catalog -quiet
- Deletes backup catalog
-
C:\Windows\SysWOW64\mshta.exe (level 2), command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (level 2), command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (level 2), command line: "C:\Windows\SysWOW64\mshta.exe" "C:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\SysWOW64\mshta.exe (level 2), command line: "C:\Windows\SysWOW64\mshta.exe" "F:\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
-
C:\Windows\system32\cmd.exe (level 2), command line: "C:\Windows\system32\cmd.exe"
-
C:\Windows\system32\vssadmin.exe (level 3), command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\System32\Wbem\WMIC.exe (level 3), command line: wmic shadowcopy delete
-
C:\Windows\system32\bcdedit.exe (level 3), command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exe (level 3), command line: bcdedit /set {default} recoveryenabled no
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exe (level 3), command line: wbadmin delete catalog -quiet
- Deletes backup catalog
-
C:\Users\Admin\AppData\Local\Microsoft\V[x12S.exe (level 1), command line: "C:\Users\Admin\AppData\Local\Microsoft\V[x12S.exe"
- Executes dropped EXE
-
C:\Windows\system32\vssvc.exe (level 1), command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (level 1), command line: "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exe (level 1), command line: C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe (level 1), command line: C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
-
C:\Windows\SysWOW64\WerFault.exe (level 1), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4488 -ip 4488
-
C:\Windows\SysWOW64\WerFault.exe (level 1), command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2400 -ip 2400
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads