Analysis
-
max time kernel
88s -
max time network
142s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system -
submitted
14-07-2023 06:44
Static task
static1
Behavioral task
behavioral1
Sample
4d18c07abced7f8fc570c83dd825bb0b.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
4d18c07abced7f8fc570c83dd825bb0b.exe
Resource
win10v2004-20230703-en
General
-
Target
4d18c07abced7f8fc570c83dd825bb0b.exe
-
Size
451KB
-
MD5
4d18c07abced7f8fc570c83dd825bb0b
-
SHA1
4e1d179697ab7536ee475494b158b969963e0bf6
-
SHA256
b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
-
SHA512
daf48720ed402be15b532a32d10dd8823b564516d5f6d6628ca646c20347f7180bf911c7b8dfd75c03826badf719534bd45e1c26c5bd4857680ec77e63f4c5a4
-
SSDEEP
6144:ekN8IaM0bFfBmtjlfXKG/PhjPO6odPgQ4PJsL0cVeMmhi9MdNeerB+0Vsw:V8DM0blqjl/h/97MV0cGLNZxV
Malware Config
Extracted
smokeloader
2022
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/
Extracted
systembc
adstat477d.xyz:4044
demstat577d.xyz:4044
Signatures
-
Detect rhadamanthys stealer shellcode 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1044-59-0x00000000046E0000-0x0000000004AE0000-memory.dmp | family_rhadamanthys
behavioral1/memory/1044-60-0x00000000046E0000-0x0000000004AE0000-memory.dmp | family_rhadamanthys
behavioral1/memory/1044-61-0x00000000046E0000-0x0000000004AE0000-memory.dmp | family_rhadamanthys
behavioral1/memory/1044-62-0x00000000046E0000-0x0000000004AE0000-memory.dmp | family_rhadamanthys
behavioral1/memory/1044-74-0x00000000046E0000-0x0000000004AE0000-memory.dmp | family_rhadamanthys
behavioral1/memory/1044-77-0x00000000046E0000-0x0000000004AE0000-memory.dmp | family_rhadamanthys
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 1044 created 1212 | 1044 | 4d18c07abced7f8fc570c83dd825bb0b.exe | Explorer.EXE
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (83) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Deletes itself 1 IoCs
Processes:
pid | process
2072 | certreq.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xi28sr.exe | xi28sr.exe
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
112 | tcIbvM8%{6.exe
524 | xi28sr.exe
472 | PN4[8$.exe
1100 | xi28sr.exe
2672 | tcIbvM8%{6.exe
1040 | 9BA3.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xi28sr = "C:\\Users\\Admin\\AppData\\Local\\xi28sr.exe" | xi28sr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\xi28sr = "C:\\Users\\Admin\\AppData\\Local\\xi28sr.exe" | xi28sr.exe
-
Drops desktop.ini file(s) 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini | xi28sr.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini | xi28sr.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | xi28sr.exe
File opened for modification | C:\Program Files\desktop.ini | xi28sr.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 112 set thread context of 2672 | 112 | tcIbvM8%{6.exe | tcIbvM8%{6.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml | xi28sr.exe
File opened for modification | C:\Program Files\7-Zip\Lang\it.txt | xi28sr.exe
File created | C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\ant-javafx.jar | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar | xi28sr.exe
File opened for modification | C:\Program Files\7-Zip\Lang\bg.txt | xi28sr.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jre7\bin\libxslt.dll.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uk.txt | xi28sr.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar | xi28sr.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll | xi28sr.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui | xi28sr.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png | xi28sr.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.id[A1D1CB13-3483].[[email protected]].8base | xi28sr.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml | xi28sr.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tcIbvM8%{6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tcIbvM8%{6.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | tcIbvM8%{6.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
2156 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (consecutive identical rows collapsed with a count; 64 rows in total)
1044 | 4d18c07abced7f8fc570c83dd825bb0b.exe (x4)
2072 | certreq.exe (x4)
2672 | tcIbvM8%{6.exe (x2)
524 | xi28sr.exe (x3)
1212 | Explorer.EXE (x2)
524 | xi28sr.exe
1212 | Explorer.EXE (x8)
524 | xi28sr.exe
1212 | Explorer.EXE (x5)
524 | xi28sr.exe
1212 | Explorer.EXE (x6)
524 | xi28sr.exe
1212 | Explorer.EXE (x6)
524 | xi28sr.exe
1212 | Explorer.EXE (x5)
524 | xi28sr.exe
1212 | Explorer.EXE (x5)
524 | xi28sr.exe
1212 | Explorer.EXE (x5)
524 | xi28sr.exe
1212 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 23 IoCs
Processes:
pid | process (consecutive identical rows collapsed with a count; 23 rows in total)
2672 | tcIbvM8%{6.exe
1212 | Explorer.EXE (x22)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 524 | xi28sr.exe
Token: SeBackupPrivilege | 2396 | vssvc.exe
Token: SeRestorePrivilege | 2396 | vssvc.exe
Token: SeAuditPrivilege | 2396 | vssvc.exe
Token: SeShutdownPrivilege | 1212 | Explorer.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (consecutive identical rows collapsed with a count; 64 rows in total)
PID 1044 wrote to memory of 2072 | 1044 | 4d18c07abced7f8fc570c83dd825bb0b.exe | certreq.exe (x6)
PID 112 wrote to memory of 2672 | 112 | tcIbvM8%{6.exe | tcIbvM8%{6.exe (x7)
PID 524 wrote to memory of 856 | 524 | xi28sr.exe | cmd.exe (x4)
PID 524 wrote to memory of 1996 | 524 | xi28sr.exe | cmd.exe (x4)
PID 1996 wrote to memory of 2156 | 1996 | cmd.exe | vssadmin.exe (x3)
PID 856 wrote to memory of 1604 | 856 | cmd.exe | netsh.exe (x3)
PID 856 wrote to memory of 2848 | 856 | cmd.exe | netsh.exe (x3)
PID 1212 wrote to memory of 1040 | 1212 | Explorer.EXE | 9BA3.exe (x4)
PID 1212 wrote to memory of 2088 | 1212 | Explorer.EXE | explorer.exe (x5)
PID 1212 wrote to memory of 1728 | 1212 | Explorer.EXE | explorer.exe (x4)
PID 1212 wrote to memory of 2608 | 1212 | Explorer.EXE | explorer.exe (x5)
PID 1212 wrote to memory of 1764 | 1212 | Explorer.EXE | explorer.exe (x5)
PID 1212 wrote to memory of 2612 | 1212 | Explorer.EXE | explorer.exe (x5)
PID 1212 wrote to memory of 2700 | 1212 | Explorer.EXE | explorer.exe (x4)
PID 1212 wrote to memory of 2000 | 1212 | Explorer.EXE | explorer.exe (x2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
Process tree (number in brackets is the nesting depth; each entry lists the image path, then its command line, then the signatures that matched):

[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\certreq.exe
        cmdline: "C:\Windows\system32\certreq.exe"
        - Deletes itself
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Users\Admin\AppData\Local\Temp\9BA3.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\9BA3.exe
        - Executes dropped EXE
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path
    [2] C:\Windows\explorer.exe
        cmdline: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmdline: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmdline: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmdline: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmdline: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmdline: C:\Windows\SysWOW64\explorer.exe

[1] C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
    cmdline: "C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
        cmdline: "C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
    cmdline: "C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
        cmdline: "C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe"
        - Executes dropped EXE
    [2] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe
            cmdline: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
    [2] C:\Windows\system32\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\netsh.exe
            cmdline: netsh advfirewall set currentprofile state off
            - Modifies Windows Firewall
        [3] C:\Windows\system32\netsh.exe
            cmdline: netsh firewall set opmode mode=disable
            - Modifies Windows Firewall

[1] C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe
    cmdline: "C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe"
    - Executes dropped EXE

[1] C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A1D1CB13-3483].[[email protected]].8base
Filesize: 99.8MB
MD5: c12828c173760cad7a789173f74e0f27
SHA1: 41fc0e6d77aa009282cb0926eba7b8c08fe08eb0
SHA256: 76e62ab74d71af12b0a8c9790dadfde3889732426ca1375c6585a44fbc69c662
SHA512: bcf917784bc6f2a654b0c52fc7ef1d00cf4ae50bae8eb57c172b1ce3e9cb3a51e19f4e731fc8ab87858915cccafa2d317570c12aa2edc6493282ecb290299252
-
C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe
Filesize: 164KB
MD5: 3524139d7687147f53dc7df4f4867093
SHA1: 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256: 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512: 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3
-
C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
Filesize: 166KB
MD5: 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1: 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256: e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512: 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8
-
C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
Filesize: 166KB
MD5: 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1: 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256: e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512: 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8
-
C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
Filesize: 166KB
MD5: 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1: 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256: e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512: 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8
-
C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
Filesize: 165KB
MD5: 65ba8303fabfb2652158af69f7124772
SHA1: e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256: 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512: cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
Filesize: 165KB
MD5: 65ba8303fabfb2652158af69f7124772
SHA1: e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256: 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512: cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe
Filesize: 165KB
MD5: 65ba8303fabfb2652158af69f7124772
SHA1: e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256: 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512: cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Temp\9BA3.exe
Filesize: 165KB
MD5: 65ba8303fabfb2652158af69f7124772
SHA1: e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256: 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512: cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Temp\9BA3.exe
Filesize: 165KB
MD5: 65ba8303fabfb2652158af69f7124772
SHA1: e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256: 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512: cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tf9bvg1t.default-release\cookies.sqlite.id[A1D1CB13-3483].[[email protected]].8base
Filesize: 96KB
MD5: d3c361f7db413c3ee876d794da33e374
SHA1: 92fc50208cce7280e5940692e7c2eb5ce95562c6
SHA256: a48ae5a0686ed581bcab4e76ce9a61abdc0ebaf1f26b129639f72d21b76a4ad8
SHA512: 3d6cd3bed2f0933aeffcb557c1df58e3f7963c02cf6f22311e163ccbf9fbb68a8d3d038d19f649ebeb8b7941132d06946bef87aa1dedfd04ed3ba5af56af488f
-
Memory dumps (dump file | Filesize):
memory/112-116-0x0000000000630000-0x0000000000730000-memory.dmp | 1024KB
memory/112-118-0x0000000000240000-0x0000000000249000-memory.dmp | 36KB
memory/472-377-0x00000000005C0000-0x00000000006C0000-memory.dmp | 1024KB
memory/472-392-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/472-383-0x0000000000220000-0x0000000000225000-memory.dmp | 20KB
memory/472-666-0x00000000005C0000-0x00000000006C0000-memory.dmp | 1024KB
memory/472-667-0x0000000000220000-0x0000000000225000-memory.dmp | 20KB
memory/524-644-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/524-2362-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/524-111-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/524-109-0x0000000000220000-0x000000000022F000-memory.dmp | 60KB
memory/524-108-0x00000000005B0000-0x00000000006B0000-memory.dmp | 1024KB
memory/524-1108-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/524-164-0x00000000005B0000-0x00000000006B0000-memory.dmp | 1024KB
memory/524-327-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/1040-2926-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/1044-60-0x00000000046E0000-0x0000000004AE0000-memory.dmp | 4.0MB
memory/1044-61-0x00000000046E0000-0x0000000004AE0000-memory.dmp | 4.0MB
memory/1044-55-0x0000000002CC0000-0x0000000002DC0000-memory.dmp | 1024KB
memory/1044-74-0x00000000046E0000-0x0000000004AE0000-memory.dmp | 4.0MB
memory/1044-57-0x0000000000270000-0x00000000002E1000-memory.dmp | 452KB
memory/1044-73-0x0000000002BC0000-0x0000000002BF6000-memory.dmp | 216KB
memory/1044-65-0x0000000000400000-0x0000000002B7C000-memory.dmp | 39.5MB
memory/1044-63-0x0000000002CC0000-0x0000000002DC0000-memory.dmp | 1024KB
memory/1044-62-0x00000000046E0000-0x0000000004AE0000-memory.dmp | 4.0MB
memory/1044-66-0x0000000002BC0000-0x0000000002BF6000-memory.dmp | 216KB
memory/1044-56-0x0000000000400000-0x0000000002B7C000-memory.dmp | 39.5MB
memory/1044-58-0x0000000000230000-0x0000000000237000-memory.dmp | 28KB
memory/1044-77-0x00000000046E0000-0x0000000004AE0000-memory.dmp | 4.0MB
memory/1044-76-0x0000000000400000-0x0000000002B7C000-memory.dmp | 39.5MB
memory/1044-59-0x00000000046E0000-0x0000000004AE0000-memory.dmp | 4.0MB
memory/1100-643-0x0000000000400000-0x000000000049A000-memory.dmp | 616KB
memory/1100-642-0x00000000002D0000-0x00000000003D0000-memory.dmp | 1024KB
memory/1212-204-0x0000000002580000-0x0000000002596000-memory.dmp | 88KB
memory/1252-2854-0x0000000000080000-0x0000000000089000-memory.dmp | 36KB
memory/1252-2855-0x00000000000C0000-0x00000000000CB000-memory.dmp | 44KB
memory/1252-2852-0x00000000000C0000-0x00000000000CB000-memory.dmp | 44KB
memory/1592-2275-0x0000000000080000-0x0000000000089000-memory.dmp | 36KB
memory/1592-2927-0x0000000000090000-0x0000000000094000-memory.dmp | 16KB
memory/1592-2277-0x0000000000080000-0x0000000000089000-memory.dmp | 36KB
memory/1592-2276-0x0000000000090000-0x0000000000094000-memory.dmp | 16KB
memory/1692-2448-0x0000000000080000-0x00000000000A7000-memory.dmp | 156KB
memory/1692-2449-0x0000000000080000-0x00000000000A7000-memory.dmp | 156KB
memory/1692-2451-0x0000000000080000-0x00000000000A7000-memory.dmp |
156KB
-
memory/1728-1819-0x0000000000060000-0x000000000006C000-memory.dmpFilesize
48KB
-
memory/1728-1169-0x0000000000070000-0x0000000000077000-memory.dmpFilesize
28KB
-
memory/1728-1170-0x0000000000060000-0x000000000006C000-memory.dmpFilesize
48KB
-
memory/1728-1168-0x0000000000060000-0x000000000006C000-memory.dmpFilesize
48KB
-
memory/1764-1526-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/1764-1521-0x0000000000090000-0x000000000009A000-memory.dmpFilesize
40KB
-
memory/1764-2096-0x0000000000090000-0x000000000009A000-memory.dmpFilesize
40KB
-
memory/1764-1518-0x0000000000080000-0x000000000008B000-memory.dmpFilesize
44KB
-
memory/1812-2088-0x0000000000060000-0x000000000006C000-memory.dmpFilesize
48KB
-
memory/1812-2086-0x0000000000060000-0x000000000006C000-memory.dmpFilesize
48KB
-
memory/1812-2087-0x0000000000070000-0x0000000000076000-memory.dmpFilesize
24KB
-
memory/1812-2853-0x0000000000070000-0x0000000000076000-memory.dmpFilesize
24KB
-
memory/1856-2481-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/1856-2483-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/1856-2482-0x0000000000090000-0x0000000000095000-memory.dmpFilesize
20KB
-
memory/2000-1969-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/2000-2024-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/2000-2023-0x00000000000E0000-0x00000000000EF000-memory.dmpFilesize
60KB
-
memory/2072-92-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-88-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-64-0x0000000000060000-0x0000000000063000-memory.dmpFilesize
12KB
-
memory/2072-78-0x0000000000060000-0x0000000000063000-memory.dmpFilesize
12KB
-
memory/2072-79-0x00000000020C0000-0x00000000020C7000-memory.dmpFilesize
28KB
-
memory/2072-81-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-80-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-82-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-83-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-84-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-85-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-87-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-89-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-90-0x00000000770F0000-0x0000000077299000-memory.dmpFilesize
1.7MB
-
memory/2072-91-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-93-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-94-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-95-0x00000000020C0000-0x00000000020C7000-memory.dmpFilesize
28KB
-
memory/2072-112-0x00000000770F0000-0x0000000077299000-memory.dmpFilesize
1.7MB
-
memory/2072-96-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2072-104-0x00000000770F0000-0x0000000077299000-memory.dmpFilesize
1.7MB
-
memory/2072-103-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmpFilesize
1.2MB
-
memory/2088-1067-0x0000000000080000-0x00000000000EB000-memory.dmpFilesize
428KB
-
memory/2088-1236-0x0000000000080000-0x00000000000EB000-memory.dmpFilesize
428KB
-
memory/2088-1030-0x00000000000F0000-0x0000000000165000-memory.dmpFilesize
468KB
-
memory/2088-1163-0x0000000000080000-0x00000000000EB000-memory.dmpFilesize
428KB
-
memory/2608-1290-0x0000000000090000-0x0000000000094000-memory.dmpFilesize
16KB
-
memory/2608-1292-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/2608-2031-0x0000000000090000-0x0000000000094000-memory.dmpFilesize
16KB
-
memory/2608-1289-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/2612-1768-0x00000000000D0000-0x00000000000D7000-memory.dmpFilesize
28KB
-
memory/2612-2363-0x00000000000D0000-0x00000000000D7000-memory.dmpFilesize
28KB
-
memory/2612-1765-0x00000000000C0000-0x00000000000CB000-memory.dmpFilesize
44KB
-
memory/2612-1769-0x00000000000C0000-0x00000000000CB000-memory.dmpFilesize
44KB
-
memory/2672-205-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2672-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2672-122-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2672-120-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2700-1818-0x00000000000E0000-0x00000000000EF000-memory.dmpFilesize
60KB
-
memory/2700-1849-0x00000000000E0000-0x00000000000EF000-memory.dmpFilesize
60KB
-
memory/2700-1844-0x00000000000C0000-0x00000000000CB000-memory.dmpFilesize
44KB
-
memory/2700-2443-0x00000000000C0000-0x00000000000CB000-memory.dmpFilesize
44KB
-
memory/2808-2969-0x0000000000060000-0x000000000006D000-memory.dmpFilesize
52KB
-
memory/2932-2365-0x0000000000060000-0x0000000000069000-memory.dmpFilesize
36KB
-
memory/2932-2364-0x0000000000080000-0x0000000000089000-memory.dmpFilesize
36KB
-
memory/2932-2361-0x0000000000060000-0x0000000000069000-memory.dmpFilesize
36KB