Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2023 06:33
Static task: static1
Behavioral task: behavioral1 (sample 7041b5e6716fbc3d51516bfc782b1adf.exe, resource win7-20230712-en)
Behavioral task: behavioral2 (sample 7041b5e6716fbc3d51516bfc782b1adf.exe, resource win10v2004-20230703-en)
General
Target: 7041b5e6716fbc3d51516bfc782b1adf.exe
Size: 451KB
MD5: 7041b5e6716fbc3d51516bfc782b1adf
SHA1: 8a7188931e6d548c1c717be4386df5a19e04b51f
SHA256: caf660d5a464070e4a488bb3d2153c90204f739e75684f4d8ed56de1062b2f87
SHA512: 75800515735a33a6479791bf628951cafc8d6b09119ebbc80e5570731ee3d343d7386c8e2ac07c14ae7fa34ee5b5bf16264b804ab7e2ad7f667335d918e95709
SSDEEP: 6144:dJ9FSjroYqIslQS49PJPGTsqgU4yct3kgDNx5DKUfiyk6EeRqD6u:dbFSXzslQ34eU4yct3BBx5DKfwEeRC
Malware Config

Extracted: systembc
C2: adstat477d.xyz:4044
C2: demstat577d.xyz:4044

Extracted: smokeloader 2022
C2: http://serverxlogs21.xyz/statweb255/
C2: http://servxblog79.xyz/statweb255/
C2: http://demblog289.xyz/statweb255/
C2: http://admlogs77x.online/statweb255/
C2: http://blogxstat38.xyz/statweb255/
C2: http://blogxstat25.xyz/statweb255/
Signatures

Detect rhadamanthys stealer shellcode 6 IoCs
resource | yara_rule
behavioral2/memory/2216-138-0x0000000004E00000-0x0000000005200000-memory.dmp | family_rhadamanthys
behavioral2/memory/2216-139-0x0000000004E00000-0x0000000005200000-memory.dmp | family_rhadamanthys
behavioral2/memory/2216-140-0x0000000004E00000-0x0000000005200000-memory.dmp | family_rhadamanthys
behavioral2/memory/2216-141-0x0000000004E00000-0x0000000005200000-memory.dmp | family_rhadamanthys
behavioral2/memory/2216-153-0x0000000004E00000-0x0000000005200000-memory.dmp | family_rhadamanthys
behavioral2/memory/2216-156-0x0000000004E00000-0x0000000005200000-memory.dmp | family_rhadamanthys

Phobos
Phobos ransomware appeared at the beginning of 2019.

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.

SmokeLoader
Modular backdoor trojan in use since 2014.

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 2216 created 772 | 2216 | 7041b5e6716fbc3d51516bfc782b1adf.exe | Explorer.EXE
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
pid | process
3992 | bcdedit.exe
4584 | bcdedit.exe

Renames multiple (476) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Processes:
pid | process
1600 | wbadmin.exe

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 2 IoCs

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | [email protected]

Drops startup file 3 IoCs
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\[email protected] | [email protected]
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | [email protected]
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id[AE7CADA3-3483].[[email protected]].8base | [email protected]

Executes dropped EXE 6 IoCs
Processes:
pid | process
1948 | p9D[8W).exe
3008 | {xE.exe
1068 | [email protected]
1192 | {xE.exe
1128 | [email protected]
320 | EC3F.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F9W8Tds@Y = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" | [email protected]
Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\F9W8Tds@Y = "C:\\Users\\Admin\\AppData\\Local\\[email protected]" | [email protected]
Drops desktop.ini file(s) 64 IoCs
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3008 set thread context of 1192 | 3008 | {xE.exe | {xE.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 3 IoCs
Processes:
pid | pid_target | process | target process
3596 | 2216 | WerFault.exe | 7041b5e6716fbc3d51516bfc782b1adf.exe
5072 | 1128 | WerFault.exe | [email protected]
1660 | 320 | WerFault.exe | EC3F.exe

Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | {xE.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | {xE.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | {xE.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2872 | vssadmin.exe

Modifies registry class 3 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings | [email protected]
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
772 | Explorer.EXE
Suspicious behavior: MapViewOfSection 31 IoCs
Suspicious use of AdjustPrivilegeToken 57 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description                        pid   process                                target process
PID 2216 wrote to memory of 2592   2216  7041b5e6716fbc3d51516bfc782b1adf.exe   certreq.exe
PID 2216 wrote to memory of 2592   2216  7041b5e6716fbc3d51516bfc782b1adf.exe   certreq.exe
PID 2216 wrote to memory of 2592   2216  7041b5e6716fbc3d51516bfc782b1adf.exe   certreq.exe
PID 2216 wrote to memory of 2592   2216  7041b5e6716fbc3d51516bfc782b1adf.exe   certreq.exe
PID 3008 wrote to memory of 1192   3008  {xE.exe                                {xE.exe
PID 3008 wrote to memory of 1192   3008  {xE.exe                                {xE.exe
PID 3008 wrote to memory of 1192   3008  {xE.exe                                {xE.exe
PID 3008 wrote to memory of 1192   3008  {xE.exe                                {xE.exe
PID 3008 wrote to memory of 1192   3008  {xE.exe                                {xE.exe
PID 3008 wrote to memory of 1192   3008  {xE.exe                                {xE.exe
PID 1068 wrote to memory of 3412   1068  [email protected]                      cmd.exe
PID 1068 wrote to memory of 4820   1068  [email protected]                      cmd.exe
PID 1068 wrote to memory of 3412   1068  [email protected]                      cmd.exe
PID 1068 wrote to memory of 4820   1068  [email protected]                      cmd.exe
PID 4820 wrote to memory of 2872   4820  cmd.exe                                vssadmin.exe
PID 4820 wrote to memory of 2872   4820  cmd.exe                                vssadmin.exe
PID 3412 wrote to memory of 3800   3412  cmd.exe                                netsh.exe
PID 3412 wrote to memory of 3800   3412  cmd.exe                                netsh.exe
PID 3412 wrote to memory of 1760   3412  cmd.exe                                netsh.exe
PID 3412 wrote to memory of 1760   3412  cmd.exe                                netsh.exe
PID 4820 wrote to memory of 980    4820  cmd.exe                                WMIC.exe
PID 4820 wrote to memory of 980    4820  cmd.exe                                WMIC.exe
PID 4820 wrote to memory of 3992   4820  cmd.exe                                bcdedit.exe
PID 4820 wrote to memory of 3992   4820  cmd.exe                                bcdedit.exe
PID 4820 wrote to memory of 4584   4820  cmd.exe                                bcdedit.exe
PID 4820 wrote to memory of 4584   4820  cmd.exe                                bcdedit.exe
PID 4820 wrote to memory of 1600   4820  cmd.exe                                wbadmin.exe
PID 4820 wrote to memory of 1600   4820  cmd.exe                                wbadmin.exe
PID 772 wrote to memory of 320     772   Explorer.EXE                           EC3F.exe
PID 772 wrote to memory of 320     772   Explorer.EXE                           EC3F.exe
PID 772 wrote to memory of 320     772   Explorer.EXE                           EC3F.exe
PID 772 wrote to memory of 4748    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 4748    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 4748    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 4748    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 5064    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 5064    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 5064    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2968    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2968    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2968    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2968    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2828    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2828    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2828    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 2828    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1352    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1352    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1352    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1352    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 4156    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 4156    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 4156    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 452     772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 452     772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 452     772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 452     772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 3084    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 3084    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 3084    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1124    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1124    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1124    772   Explorer.EXE                           explorer.exe
PID 772 wrote to memory of 1124    772   Explorer.EXE                           explorer.exe
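The table above lists one row per WriteProcessMemory call, so the same writer/target pair repeats several times. Two pairs deserve attention when triaging such a table: the dropped sample (2216) writing into certreq.exe (2592), a signed Windows binary that the tree below shows as a sibling under Explorer.EXE rather than as the sample's child (the NtCreateUserProcessOtherParentProcess signature), and a process writing into a freshly spawned child of its own image ({xE.exe into {xE.exe, Explorer.EXE into explorer.exe), the pattern behind process hollowing. The Python below is an added example, not part of the sandbox report: it parses rows in that format, collapses the repeats into counts and flags those two patterns. The SYSTEM_IMAGES allow-list is an assumption made for the example, and SAMPLE_ROWS is a subset of the rows above.

```python
import re
from collections import Counter

# Rows copied from the report's "wrote to memory" table (one row per
# WriteProcessMemory event); a subset, to keep the sample short.
SAMPLE_ROWS = """
PID 2216 wrote to memory of 2592 2216 7041b5e6716fbc3d51516bfc782b1adf.exe certreq.exe
PID 2216 wrote to memory of 2592 2216 7041b5e6716fbc3d51516bfc782b1adf.exe certreq.exe
PID 2216 wrote to memory of 2592 2216 7041b5e6716fbc3d51516bfc782b1adf.exe certreq.exe
PID 2216 wrote to memory of 2592 2216 7041b5e6716fbc3d51516bfc782b1adf.exe certreq.exe
PID 3008 wrote to memory of 1192 3008 {xE.exe {xE.exe
PID 3008 wrote to memory of 1192 3008 {xE.exe {xE.exe
PID 3008 wrote to memory of 1192 3008 {xE.exe {xE.exe
PID 3008 wrote to memory of 1192 3008 {xE.exe {xE.exe
PID 3008 wrote to memory of 1192 3008 {xE.exe {xE.exe
PID 3008 wrote to memory of 1192 3008 {xE.exe {xE.exe
PID 1068 wrote to memory of 3412 1068 [email protected] cmd.exe
PID 1068 wrote to memory of 4820 1068 [email protected] cmd.exe
PID 772 wrote to memory of 320 772 Explorer.EXE EC3F.exe
PID 772 wrote to memory of 320 772 Explorer.EXE EC3F.exe
PID 772 wrote to memory of 320 772 Explorer.EXE EC3F.exe
PID 772 wrote to memory of 4748 772 Explorer.EXE explorer.exe
PID 772 wrote to memory of 4748 772 Explorer.EXE explorer.exe
PID 772 wrote to memory of 4748 772 Explorer.EXE explorer.exe
PID 772 wrote to memory of 4748 772 Explorer.EXE explorer.exe
"""

# One table row: "PID <pid> wrote to memory of <target_pid> <pid> <process> <target process>"
ROW_RE = re.compile(
    r"PID (?P<pid>\d+) wrote to memory of (?P<target_pid>\d+) "
    r"(?P=pid) (?P<process>\S+) (?P<target>\S+)"
)

# Signed Windows images that are common injection hosts. Hypothetical
# allow-list for this example; build yours from your own baseline.
SYSTEM_IMAGES = {"certreq.exe", "explorer.exe", "svchost.exe", "rundll32.exe"}


def parse_write_events(text):
    """Return one (pid, process, target_pid, target) tuple per table row."""
    return [
        (int(m["pid"]), m["process"], int(m["target_pid"]), m["target"])
        for m in ROW_RE.finditer(text)
    ]


def count_writes(events):
    """Collapse repeated rows into a per-(writer, target) event count."""
    return Counter(events)


def flag_injection(events):
    """Two cheap heuristics over the collapsed counts:
    - a non-system image writing into a system image (the dropped sample
      writing into certreq.exe);
    - a process writing into a child that runs the same image (self-spawn
      and overwrite, as seen for {xE.exe -> {xE.exe and Explorer.EXE ->
      explorer.exe)."""
    findings = []
    for (pid, proc, tpid, target), n in count_writes(events).items():
        p, t = proc.lower(), target.lower()
        if t in SYSTEM_IMAGES and p not in SYSTEM_IMAGES:
            kind = "write_into_system_image"
        elif p == t and pid != tpid:
            kind = "write_into_same_image_child"
        else:
            continue
        findings.append({"pid": pid, "process": proc, "target_pid": tpid,
                         "target": target, "writes": n, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in flag_injection(parse_write_events(SAMPLE_ROWS)):
        print(finding)
```

Explorer.EXE writing into EC3F.exe (its dropped child) is deliberately not flagged by these two rules; catching that case needs the image path (a parent writing into a child that runs from Temp or AppData), which this table does not carry but Sysmon Event ID 1 plus Event ID 8/10 does.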
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
description  ioc                                                                                                                                           process
Key opened   \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
outlook_win_path 1 IoCs
Processes:
description  ioc                                                                                                                                                                      process
Key opened   \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Processes
(indentation shows the parent/child depth reported by the sandbox; the command line is listed where it differs from the image path)

C:\Windows\Explorer.EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7041b5e6716fbc3d51516bfc782b1adf.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 948
            - Program crash

    C:\Windows\system32\certreq.exe
        command line: "C:\Windows\system32\certreq.exe"
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\EC3F.exe
        - Executes dropped EXE

        C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 500
            - Program crash

    C:\Windows\SysWOW64\explorer.exe
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path

    C:\Windows\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    C:\Windows\explorer.exe
    C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2216 -ip 2216

C:\Users\Admin\AppData\Local\Microsoft\p9D[8W).exe
    command line: "C:\Users\Admin\AppData\Local\Microsoft\p9D[8W).exe"
    - Executes dropped EXE

C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
    command line: "C:\Users\Admin\AppData\Local\Microsoft\{xE.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
        command line: "C:\Users\Admin\AppData\Local\Microsoft\{xE.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Microsoft\[email protected]
    command line: "C:\Users\Admin\AppData\Local\Microsoft\[email protected]"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Microsoft\[email protected]

        C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 484
            - Program crash

    C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\netsh.exe
            command line: netsh advfirewall set currentprofile state off
            - Modifies Windows Firewall

        C:\Windows\system32\netsh.exe
            command line: netsh firewall set opmode mode=disable
            - Modifies Windows Firewall

    C:\Windows\system32\cmd.exe
        command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\vssadmin.exe
            command line: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies

        C:\Windows\System32\Wbem\WMIC.exe
            command line: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\bcdedit.exe
            command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit

        C:\Windows\system32\bcdedit.exe
            command line: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit

        C:\Windows\system32\wbadmin.exe
            command line: wbadmin delete catalog -quiet
            - Deletes backup catalog

    C:\Windows\SysWOW64\mshta.exe
        command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

    C:\Windows\SysWOW64\mshta.exe
        command line: "C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1128 -ip 1128

C:\Windows\system32\wbengine.exe
    command line: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
    command line: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)

C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 320 -ip 320
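The children of the two cmd.exe instances above are the standard pre-encryption sequence of a ransomware payload: delete shadow copies (vssadmin, wmic), disable Windows Recovery and boot-status reporting (bcdedit), delete the backup catalog (wbadmin) and switch off the firewall (netsh), followed by mshta displaying the ransom note from the desktop. The "Uses Volume Shadow Copy service COM API" signature listed earlier is the in-process route to the same goal, which a command-line rule will not see. The Python below is an added example, not part of the report: it matches process-creation records in the shape of Sysmon Event ID 1 / Security 4688 against those command lines, tags them with ATT&CK IDs (T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall, T1218.005 Mshta) and escalates when one parent issues several distinct T1490 commands, since a single bcdedit or vssadmin call is also common in imaging and backup tooling. The records are constructed from the tree; the PIDs 7000 to 7004 and the two benign control commands are made up for the example.

```python
import re
from collections import defaultdict

# Command-line signatures for the steps seen in the process tree, mapped to
# ATT&CK technique IDs. Case-insensitive; tolerant of extra flags.
RULES = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I), "T1490"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "T1490"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "T1490"),
    (re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I), "T1490"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I), "T1490"),
    (re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b", re.I), "T1562.004"),
    (re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\s+set\s+opmode\b.*\bdisable\b", re.I), "T1562.004"),
    # mshta loading an .hta from a user-profile path (ransom note display)
    (re.compile(r"\bmshta(\.exe)?\b.*\\users\\.*\.hta\b", re.I), "T1218.005"),
]

# Constructed process-creation records (pid, ppid, image, cmdline). PIDs and
# command lines of the first seven follow the tree above; PIDs 7000-7004 and
# the two benign control commands are made up for this example.
SAMPLE_RECORDS = [
    {"pid": 2872, "ppid": 4820, "image": "vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 980, "ppid": 4820, "image": "WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"pid": 3992, "ppid": 4820, "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"pid": 4584, "ppid": 4820, "image": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 1600, "ppid": 4820, "image": "wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 3800, "ppid": 3412, "image": "netsh.exe", "cmdline": "netsh advfirewall set currentprofile state off"},
    {"pid": 1760, "ppid": 3412, "image": "netsh.exe", "cmdline": "netsh firewall set opmode mode=disable"},
    {"pid": 7001, "ppid": 1068, "image": "mshta.exe", "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta"'},
    {"pid": 7002, "ppid": 1068, "image": "mshta.exe", "cmdline": r'"C:\Windows\SysWOW64\mshta.exe" "C:\users\public\desktop\info.hta"'},
    # benign administrative activity that must not fire
    {"pid": 7003, "ppid": 7000, "image": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 7004, "ppid": 7000, "image": "netsh.exe", "cmdline": "netsh advfirewall show currentprofile"},
]


def classify(cmdline):
    """Return the set of ATT&CK technique IDs whose pattern matches cmdline."""
    return {tid for rx, tid in RULES if rx.search(cmdline)}


def scan(records, chain_threshold=2):
    """Return (hits, chains).

    hits:   records that matched at least one rule, with their technique IDs.
    chains: parents that issued at least chain_threshold distinct T1490
            commands, i.e. the multi-step recovery-inhibition sequence rather
            than a lone shadow-copy or bcdedit call."""
    hits, per_parent = [], defaultdict(set)
    for rec in records:
        techniques = classify(rec["cmdline"])
        if not techniques:
            continue
        hits.append({**rec, "techniques": sorted(techniques)})
        if "T1490" in techniques:
            per_parent[rec["ppid"]].add(rec["cmdline"])
    chains = {ppid: sorted(cmds) for ppid, cmds in per_parent.items()
              if len(cmds) >= chain_threshold}
    return hits, chains


if __name__ == "__main__":
    hits, chains = scan(SAMPLE_RECORDS)
    for h in hits:
        print(h["ppid"], "->", h["pid"], h["techniques"], h["cmdline"])
    for ppid, cmds in chains.items():
        print(f"parent {ppid} issued {len(cmds)} distinct recovery-inhibition commands")
```

On the tree above this yields nine hits and one chain (the cmd.exe with PID 4820, five distinct T1490 commands). The firewall-disable hits come from the other cmd.exe (3412), so a production rule should group by the grandparent as well, which here is the ransomware executable itself.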
Downloads
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id[AE7CADA3-3483].[[email protected]].8base
    Filesize  2.7MB
    MD5       c43477bcde64bb882b22141efffbf781
    SHA1      1c2bbf29f780aa9247da1b016a8ab74b84b10454
    SHA256    76b5100924b53b8a59818626b17730359b36dfa32e9a00ad23a72f9751846f25
    SHA512    d2c2b24ed8823dee86951082629cb295a3ce7e0e954a7396ed0b8253de353fa77fc63e4b71fe8cff5f893924ab1a21a7149645efe626ca8868b54efdacc5c909

C:\Users\Admin\AppData\Local\Microsoft\[email protected]
    Filesize  165KB
    MD5       65ba8303fabfb2652158af69f7124772
    SHA1      e7a679c504b8f00c995da10f1fa66fb6458832a2
    SHA256    3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
    SHA512    cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000026.db.id[AE7CADA3-3483].[[email protected]].8base
    Filesize  92KB
    MD5       f0223e0376b21682999771c3502f82b7
    SHA1      de0bb7b2955035e28f86ba5f7c9be1abd2482658
    SHA256    622c10568c5dbe01288d39d12176866890e17f5583d3d13d5e75f7dcf7b75976
    SHA512    78516d85a32fc89fab9cec39bc238b26423eb997120b1954c6a2f69e17f3ae2f591a38fa8efe44bc92b86b48e9d70eeb2b6b0e4fcb402415cf8a5557a8a40a6d

C:\Users\Admin\AppData\Local\Microsoft\p9D[8W).exe
    Filesize  164KB
    MD5       3524139d7687147f53dc7df4f4867093
    SHA1      77a6308dc4981ac164a887ed54a0e01c63c17c63
    SHA256    954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
    SHA512    48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3
C:\Users\Admin\AppData\Local\Microsoft\{xE.exe
    Filesize  166KB
    MD5       1b2b02b4b524fe02b8b96bd781c8eceb
    SHA1      36e2eb7e1ae58b103b2d1cca5991786b0118534b
    SHA256    e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
    SHA512    80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8
C:\Users\Admin\AppData\Local\Temp\16BA\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.dll
    Filesize  5.5MB
    MD5       4bf88985778e74145bdd37f5c5f8f0d1
    SHA1      6f292dedaa2f97b93e707b024ef178f75fc26771
    SHA256    f16eac39a2be258e1abc9a5207680fbc34190c8e5b56a6cfe28c365166b9d2e9
    SHA512    c5eecbeb3e8080ba333e5099156b97c1e990e9f16190e395a4a2f354b64eeac3f924d230a522cadba4bf547765d4be2f7a8ef55738fecf702623eeba8604b724

C:\Users\Admin\AppData\Local\Temp\16BA\C\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
    Filesize  18KB
    MD5       cfe72ed40a076ae4f4157940ce0c5d44
    SHA1      8010f7c746a7ba4864785f798f46ec05caae7ece
    SHA256    6868894ab04d08956388a94a81016f03d5b7a7b1646c8a6235057a7e1e45de32
    SHA512    f002afa2131d250dd6148d8372ce45f84283b8e1209e91720cee7aff497503d0e566bae3a83cd326701458230ae5c0e200eec617889393dd46ac00ff357ff1b0

C:\Users\Admin\AppData\Local\Temp\16BA\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
    Filesize  1KB
    MD5       94f90fcd2b8f7f1df69224f845d9e9b7
    SHA1      a09e3072cc581cf89adaf1aa20aa89b3af7bf987
    SHA256    a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
    SHA512    51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\16BA\C\ProgramData\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
    Filesize  7KB
    MD5       108f130067a9df1719c590316a5245f7
    SHA1      79bb9a86e7a50c85214cd7e21719f0cb4155f58a
    SHA256    c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
    SHA512    d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\16BA\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe.xml
    Filesize  1KB
    MD5       94f90fcd2b8f7f1df69224f845d9e9b7
    SHA1      a09e3072cc581cf89adaf1aa20aa89b3af7bf987
    SHA256    a16113a66b1c36f919b5f7eaa3fb7aa8e0ba9e057823861aabea703cc06a04c0
    SHA512    51f4ee06a8d8bf1121083bf4383433160f16c68d1fe4c44e5d0e0529910d27ba8446c7a4bef359b990574d1d61563da30139c6d09ad0ad1a5b5c7748b8da08f3

C:\Users\Admin\AppData\Local\Temp\16BA\C\Users\All Users\Microsoft\Windows\AppRepository\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe.xml
    Filesize  7KB
    MD5       108f130067a9df1719c590316a5245f7
    SHA1      79bb9a86e7a50c85214cd7e21719f0cb4155f58a
    SHA256    c91debd34057ca5c280ca15ac542733930e1c94c7d887448eac6e3385b5a0874
    SHA512    d43b3861d5153c7ca54edd078c900d31599fc9f04d6883a449d62c7e86a105a3c5dfb2d232255c41505b210b063caf6325921dc074fcdf93407c9e2c985a5301

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
    Filesize  10KB
    MD5       1097d1e58872f3cf58f78730a697ce4b
    SHA1      96db4e4763a957b28dd80ec1e43eb27367869b86
    SHA256    83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
    SHA512    b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\SysWOW64\WalletProxy.dll
    Filesize  36KB
    MD5       d09724c29a8f321f2f9c552de6ef6afa
    SHA1      d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
    SHA256    23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
    SHA512    cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
    Filesize  402KB
    MD5       02557c141c9e153c2b7987b79a3a2dd7
    SHA1      a054761382ee68608b6a3b62b68138dc205f576b
    SHA256    207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
    SHA512    a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\System32\WalletBackgroundServiceProxy.dll
    Filesize  10KB
    MD5       1097d1e58872f3cf58f78730a697ce4b
    SHA1      96db4e4763a957b28dd80ec1e43eb27367869b86
    SHA256    83ec0be293b19d00eca4ae51f16621753e1d2b11248786b25a1abaae6230bdef
    SHA512    b933eac4eaabacc51069a72b24b649b980aea251b1b87270ff4ffea12de9368d5447cdbe748ac7faf2805548b896c8499f9eceeed2f5efd0c684f94360940351

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\System32\WalletProxy.dll
    Filesize  36KB
    MD5       d09724c29a8f321f2f9c552de6ef6afa
    SHA1      d6ce3d3a973695f4f770e7fb3fcb5e2f3df592a3
    SHA256    23cc82878957683184fbd0e3098e9e6858978bf78d7812c6d7470ebdc79d1c5c
    SHA512    cc8db1b0c4bbd94dfc8a669cd6accf6fa29dc1034ce03d9dae53d6ce117bb86b432bf040fb53230b612c6e9a325e58acc8ebb600f760a8d9d6a383ce751fd6ed

C:\Users\Admin\AppData\Local\Temp\16BA\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
    Filesize  402KB
    MD5       02557c141c9e153c2b7987b79a3a2dd7
    SHA1      a054761382ee68608b6a3b62b68138dc205f576b
    SHA256    207c587e769e2655669bd3ce1d28a00bcac08f023013735f026f65c0e3baa6f4
    SHA512    a37e29c115bcb9956b1f8fd2022f2e3966c1fa2a0efa5c2ee2d14bc5c41bfddae0deea4d481a681d13ec58e9dec41e7565f8b4eb1c10f2c44c03e58bdd2792b3

C:\Users\Admin\AppData\Local\Temp\EC3F.exe
    Filesize  165KB
    MD5       65ba8303fabfb2652158af69f7124772
    SHA1      e7a679c504b8f00c995da10f1fa66fb6458832a2
    SHA256    3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
    SHA512    cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ezoxz0hs.default-release\cookies.sqlite.id[AE7CADA3-3483].[[email protected]].8base
    Filesize  96KB
    MD5       3776fb4868bab628f0f15dcd7fbd5b7c
    SHA1      e809d03605cb96a423e5053af79f101864aa2c15
    SHA256    7ac365d8d38d5591dc00d6aabce69720a011b5fc93a63e0cb34c6ccd9eb52daa
    SHA512    020090ee1df92c7e793868f9c21f7eb98b2bb6d5e78e9b8622653d5da6a74384f4c1e4460092316355efa7ed669c6ba2852df7e258866e07c9418323987ba6af

C:\Users\Admin\AppData\Roaming\gijdgdd
    Filesize  438KB
    MD5       5195665bdb7d1ce4541862318278e108
    SHA1      630b8dc305e77948023c37eca3b0488ecd51fd0a
    SHA256    0b8377d45bfc376df15d76addcce3c72366bba696e1ad77f88f86614770326aa
    SHA512    653498e121b97f672ca2f35e9e029e2634b1cf3456293d0342fd93f5bdfe2fbacc7e61b2532f23fef350712abc55fdb0b43cb19c6e0ff76d98293aa0c11d8154

C:\Users\Admin\AppData\Roaming\ugrvhtr
    Filesize  166KB
    MD5       1b2b02b4b524fe02b8b96bd781c8eceb
    SHA1      36e2eb7e1ae58b103b2d1cca5991786b0118534b
    SHA256    e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
    SHA512    80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8
Memory dumps (name and filesize):

memory/400-5896-0x0000000000190000-0x000000000019D000-memory.dmp  52KB
memory/400-5897-0x0000000000FC0000-0x0000000000FCB000-memory.dmp  44KB
memory/400-5898-0x0000000000190000-0x000000000019D000-memory.dmp  52KB
memory/452-5086-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  36KB
memory/452-5708-0x0000000000FD0000-0x0000000000FD5000-memory.dmp  20KB
memory/452-5062-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  36KB
memory/452-5078-0x0000000000FD0000-0x0000000000FD5000-memory.dmp  20KB
memory/772-208-0x00000000008E0000-0x00000000008F6000-memory.dmp  88KB
memory/1068-7540-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1068-197-0x00000000004F0000-0x00000000004FF000-memory.dmp  60KB
memory/1068-5928-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1068-4599-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1068-423-0x00000000004F0000-0x00000000004FF000-memory.dmp  60KB
memory/1068-200-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1068-199-0x0000000000530000-0x0000000000630000-memory.dmp  1024KB
memory/1068-543-0x0000000000530000-0x0000000000630000-memory.dmp  1024KB
memory/1068-2675-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1068-546-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1068-545-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1124-5278-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  36KB
memory/1124-5276-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  36KB
memory/1124-5895-0x00000000005C0000-0x00000000005CC000-memory.dmp  48KB
memory/1128-744-0x0000000000640000-0x0000000000740000-memory.dmp  1024KB
memory/1128-752-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1192-203-0x0000000000400000-0x0000000000409000-memory.dmp  36KB
memory/1192-201-0x0000000000400000-0x0000000000409000-memory.dmp  36KB
memory/1192-209-0x0000000000400000-0x0000000000409000-memory.dmp  36KB
memory/1192-204-0x0000000000400000-0x0000000000409000-memory.dmp  36KB
memory/1244-5537-0x0000000000660000-0x0000000000687000-memory.dmp  156KB
memory/1244-5591-0x0000000000660000-0x0000000000687000-memory.dmp  156KB
memory/1352-4604-0x0000000000440000-0x0000000000447000-memory.dmp  28KB
memory/1352-4603-0x0000000000430000-0x000000000043B000-memory.dmp  44KB
memory/1352-5280-0x0000000000440000-0x0000000000447000-memory.dmp  28KB
memory/1352-4609-0x0000000000430000-0x000000000043B000-memory.dmp  44KB
memory/1652-5917-0x0000000000FC0000-0x0000000000FCB000-memory.dmp  44KB
memory/1948-198-0x0000000000570000-0x0000000000670000-memory.dmp  1024KB
memory/1948-194-0x0000000000400000-0x000000000049A000-memory.dmp  616KB
memory/1948-192-0x0000000000570000-0x0000000000670000-memory.dmp  1024KB
memory/1948-193-0x0000000000530000-0x0000000000535000-memory.dmp  20KB
memory/2216-152-0x0000000004DA0000-0x0000000004DD6000-memory.dmp  216KB
memory/2216-153-0x0000000004E00000-0x0000000005200000-memory.dmp  4.0MB
memory/2216-134-0x0000000002CE0000-0x0000000002DE0000-memory.dmp  1024KB
memory/2216-155-0x0000000000400000-0x0000000002B7C000-memory.dmp  39.5MB
memory/2216-135-0x00000000048F0000-0x0000000004961000-memory.dmp  452KB
memory/2216-136-0x0000000000400000-0x0000000002B7C000-memory.dmp  39.5MB
memory/2216-137-0x0000000004970000-0x0000000004977000-memory.dmp  28KB
memory/2216-156-0x0000000004E00000-0x0000000005200000-memory.dmp  4.0MB
memory/2216-138-0x0000000004E00000-0x0000000005200000-memory.dmp  4.0MB
memory/2216-139-0x0000000004E00000-0x0000000005200000-memory.dmp  4.0MB
memory/2216-140-0x0000000004E00000-0x0000000005200000-memory.dmp  4.0MB
memory/2216-141-0x0000000004E00000-0x0000000005200000-memory.dmp  4.0MB
memory/2216-142-0x0000000002CE0000-0x0000000002DE0000-memory.dmp  1024KB
memory/2216-146-0x0000000004DA0000-0x0000000004DD6000-memory.dmp  216KB
memory/2216-145-0x0000000000400000-0x0000000002B7C000-memory.dmp  39.5MB
memory/2216-144-0x00000000048F0000-0x0000000004961000-memory.dmp  452KB
memory/2592-190-0x000001699EFF0000-0x000001699EFF5000-memory.dmp  20KB
memory/2592-163-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-160-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-191-0x00007FFCA8230000-0x00007FFCA8425000-memory.dmp  2.0MB
memory/2592-161-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-167-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-168-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-143-0x000001699EF60000-0x000001699EF63000-memory.dmp  12KB
memory/2592-165-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-181-0x00007FFCA8230000-0x00007FFCA8425000-memory.dmp  2.0MB
memory/2592-180-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-162-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-159-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-169-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-175-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-157-0x000001699EF60000-0x000001699EF63000-memory.dmp  12KB
memory/2592-174-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-173-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-172-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-158-0x000001699EFF0000-0x000001699EFF7000-memory.dmp  28KB
memory/2592-171-0x00007FF460200000-0x00007FF46032D000-memory.dmp  1.2MB
memory/2592-170-0x00007FFCA8230000-0x00007FFCA8425000-memory.dmp  2.0MB
memory/2828-4598-0x00000000006F0000-0x00000000006FB000-memory.dmp  44KB
memory/2828-4596-0x00000000006F0000-0x00000000006FB000-memory.dmp  44KB
memory/2828-4597-0x0000000000700000-0x000000000070A000-memory.dmp  40KB
memory/2968-4415-0x0000000001200000-0x0000000001204000-memory.dmp  16KB
memory/2968-4416-0x0000000000FF0000-0x0000000000FF9000-memory.dmp  36KB
memory/2968-5092-0x0000000001200000-0x0000000001204000-memory.dmp  16KB
memory/2968-4411-0x0000000000FF0000-0x0000000000FF9000-memory.dmp  36KB
memory/3008-195-0x0000000000740000-0x0000000000840000-memory.dmp  1024KB
memory/3008-196-0x0000000000700000-0x0000000000709000-memory.dmp  36KB
memory/3084-5893-0x00000000005D0000-0x00000000005D6000-memory.dmp  24KB
memory/3084-5124-0x00000000005C0000-0x00000000005CC000-memory.dmp  48KB
memory/3084-5120-0x00000000005D0000-0x00000000005D6000-memory.dmp  24KB
memory/3084-5119-0x00000000005C0000-0x00000000005CC000-memory.dmp  48KB
memory/4124-5744-0x0000000000360000-0x0000000000369000-memory.dmp  36KB
memory/4124-5731-0x0000000000660000-0x0000000000687000-memory.dmp  156KB
memory/4124-5698-0x0000000000360000-0x0000000000369000-memory.dmp  36KB
memory/4132-5282-0x0000000000960000-0x0000000000969000-memory.dmp  36KB
memory/4132-5281-0x0000000000FC0000-0x0000000000FC9000-memory.dmp  36KB
memory/4132-5279-0x0000000000960000-0x0000000000969000-memory.dmp  36KB
memory/4156-4735-0x0000000000BD0000-0x0000000000BDF000-memory.dmp  60KB
memory/4156-4691-0x0000000000BD0000-0x0000000000BDF000-memory.dmp  60KB
memory/4156-4705-0x0000000000BE0000-0x0000000000BE9000-memory.dmp  36KB
memory/4156-5574-0x0000000000BE0000-0x0000000000BE9000-memory.dmp  36KB
memory/4748-4368-0x0000000000500000-0x000000000056B000-memory.dmp  428KB
memory/4748-4093-0x0000000000500000-0x000000000056B000-memory.dmp  428KB
memory/4748-4060-0x0000000000570000-0x00000000005E5000-memory.dmp  468KB
memory/4748-4058-0x0000000000500000-0x000000000056B000-memory.dmp  428KB
memory/4964-5894-0x0000000000FC0000-0x0000000000FCB000-memory.dmp  44KB
memory/4964-5890-0x0000000000FC0000-0x0000000000FCB000-memory.dmp  44KB
memory/5064-4378-0x00000000010F0000-0x00000000010FC000-memory.dmp  48KB
memory/5064-4376-0x00000000010F0000-0x00000000010FC000-memory.dmp  48KB
memory/5064-4375-0x0000000001100000-0x0000000001107000-memory.dmp  28KB