Analysis
-
max time kernel: 147s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2023 06:44
Static task: static1
Behavioral task: behavioral1
  Sample: 4d18c07abced7f8fc570c83dd825bb0b.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 4d18c07abced7f8fc570c83dd825bb0b.exe
  Resource: win10v2004-20230703-en
General
-
Target: 4d18c07abced7f8fc570c83dd825bb0b.exe
Size: 451KB
MD5: 4d18c07abced7f8fc570c83dd825bb0b
SHA1: 4e1d179697ab7536ee475494b158b969963e0bf6
SHA256: b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
SHA512: daf48720ed402be15b532a32d10dd8823b564516d5f6d6628ca646c20347f7180bf911c7b8dfd75c03826badf719534bd45e1c26c5bd4857680ec77e63f4c5a4
SSDEEP: 6144:ekN8IaM0bFfBmtjlfXKG/PhjPO6odPgQ4PJsL0cVeMmhi9MdNeerB+0Vsw:V8DM0blqjl/h/97MV0cGLNZxV
Malware Config
Extracted: systembc
  C2: adstat477d.xyz:4044
  C2: demstat577d.xyz:4044
Extracted: smokeloader
  Version: 2022
  C2: http://serverxlogs21.xyz/statweb255/
  C2: http://servxblog79.xyz/statweb255/
  C2: http://demblog289.xyz/statweb255/
  C2: http://admlogs77x.online/statweb255/
  C2: http://blogxstat38.xyz/statweb255/
  C2: http://blogxstat25.xyz/statweb255/
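The two extracted configs give two different kinds of indicator: SystemBC speaks to a raw host:port pair, while the SmokeLoader gates are HTTP URLs that all share the path /statweb255/. The following is an added example, not part of the sandbox report, that turns both lists into a matcher and runs it over a few constructed connection/HTTP log lines; the log layout, the RFC 5737 addresses and the subdomain cdn.servxblog79.xyz are assumptions made for the illustration, only the C2 values come from the report.

```python
"""Turn the SystemBC and SmokeLoader C2 values extracted by the sandbox into a
matcher and run it over constructed log lines.

Added example; not part of the sandbox report. Only the two C2 lists are from
the report, everything else (log format, addresses, subdomain) is assumed.
"""
import re
from urllib.parse import urlparse

SYSTEMBC_C2 = ["adstat477d.xyz:4044", "demstat577d.xyz:4044"]
SMOKELOADER_C2 = [
    "http://serverxlogs21.xyz/statweb255/",
    "http://servxblog79.xyz/statweb255/",
    "http://demblog289.xyz/statweb255/",
    "http://admlogs77x.online/statweb255/",
    "http://blogxstat38.xyz/statweb255/",
    "http://blogxstat25.xyz/statweb255/",
]


def build_indicators():
    """Normalise both configs into host -> family, host -> port, and URI paths."""
    hosts, ports, paths = {}, {}, set()
    for hp in SYSTEMBC_C2:                       # raw TCP host:port
        host, _, port = hp.partition(":")
        hosts[host.lower()] = "systembc"
        ports[host.lower()] = int(port)
    for url in SMOKELOADER_C2:                   # HTTP gate URLs
        u = urlparse(url)
        hosts[u.hostname.lower()] = "smokeloader"
        ports[u.hostname.lower()] = u.port or 80
        paths.add(u.path)
    return {"hosts": hosts, "ports": ports, "paths": paths}


# Constructed lines: "ts uid src dst dport host uri" (uri is "-" for non-HTTP).
SAMPLE_LOG = """\
1689317100.1 C1 10.0.0.5 203.0.113.7 4044 adstat477d.xyz -
1689317101.2 C2 10.0.0.5 203.0.113.9 80 cdn.servxblog79.xyz /statweb255/
1689317102.3 C3 10.0.0.5 198.51.100.2 443 www.example.com /
1689317103.4 C4 10.0.0.5 203.0.113.9 80 blogxstat25.xyz /index.html
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<uid>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<dport>\d+)\s+(?P<host>\S+)\s+(?P<uri>\S+)$"
)


def host_matches(host, indicators):
    """Return the indicator that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):             # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in indicators["hosts"]:
            return candidate
    return None


def scan(log_text, indicators=None):
    """Return one hit per matching line with family and a confidence label."""
    indicators = indicators or build_indicators()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ioc = host_matches(m["host"], indicators)
        if ioc is None:
            continue
        family = indicators["hosts"][ioc]
        # Port/path agreement with the config upgrades the hit from "medium"
        # (domain only) to "high"; a config domain seen on another port or
        # path is still worth an alert, just a weaker one.
        exact = (int(m["dport"]) == indicators["ports"][ioc]
                 and (family != "smokeloader" or m["uri"] in indicators["paths"]))
        hits.append({"uid": m["uid"], "host": m["host"], "ioc": ioc,
                     "family": family, "confidence": "high" if exact else "medium"})
    return hits
```

The subdomain walk in host_matches matters for SmokeLoader-style gates, which are routinely moved between hosts under the same registered domain; the port/path check keeps a plain DNS lookup of a config domain distinguishable from an actual beacon.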
Signatures
-
Detect rhadamanthys stealer shellcode 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3272-138-0x0000000004D80000-0x0000000005180000-memory.dmp | family_rhadamanthys
behavioral2/memory/3272-139-0x0000000004D80000-0x0000000005180000-memory.dmp | family_rhadamanthys
behavioral2/memory/3272-140-0x0000000004D80000-0x0000000005180000-memory.dmp | family_rhadamanthys
behavioral2/memory/3272-142-0x0000000004D80000-0x0000000005180000-memory.dmp | family_rhadamanthys
behavioral2/memory/3272-155-0x0000000004D80000-0x0000000005180000-memory.dmp | family_rhadamanthys
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: 4d18c07abced7f8fc570c83dd825bb0b.exe
description | pid | process | target process
PID 3272 created 3144 | 3272 | 4d18c07abced7f8fc570c83dd825bb0b.exe | Explorer.EXE
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes: bcdedit.exe, bcdedit.exe
pid | process
1396 | bcdedit.exe
4412 | bcdedit.exe
-
Renames multiple (346) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
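The file list further down shows the naming scheme this sample appends to everything it touches: <original name>.id[6A87AEF0-3483].[<contact>].8base, where the contact address inside the second bracket pair appears on this page only as the redacted literal "[email protected]". As an added example that is not code from the report, the parser below recovers the original name and the victim id from such names and summarises which directories were hit. SAMPLE_PATHS mixes rows taken from the report's own file list with constructed ones (the DEADBEEF-0001 id and the C:\Users\Admin path are made up), and the contact field is treated as an opaque token so the redacted value parses like a real address would.

```python
"""Parse the appended-extension names this sample produces
(<name>.id[<8 hex>-<4 hex>].[<contact>].8base) and summarise the damage.

Added example; not part of the sandbox report. SAMPLE_PATHS mixes rows from the
report's file list with constructed ones (marked); the contact address is the
literal "[email protected]" that appears on this page.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

SUFFIX_RE = re.compile(
    r"^(?P<orig>.+?)"                                            # original file name
    r"\.id\[(?P<vid>[0-9A-Fa-f]{8})-(?P<vtag>[0-9A-Fa-f]{4})\]"  # victim id
    r"\.\[(?P<contact>.+?)\]"                                    # contact, opaque (may hold brackets)
    r"\.(?P<ext>[A-Za-z0-9]+)$"                                  # appended extension
)

SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\readme.txt.id[6A87AEF0-3483].[[email protected]].8base",
    r"C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt.id[6A87AEF0-3483].[[email protected]].8base",
    r"C:\Program Files\Mozilla Firefox\precomplete.id[6A87AEF0-3483].[[email protected]].8base",
    r"C:\Program Files\7-Zip\Lang\de.txt",            # opened for modification, not renamed
    r"C:\Users\Admin\report.docx.id[DEADBEEF-0001].[[email protected]].8base",  # constructed
]


def parse_encrypted_name(path):
    """Split a renamed file into its original name and the appended fields."""
    p = PureWindowsPath(path)
    m = SUFFIX_RE.match(p.name)
    if not m:
        return None
    return {
        "dir": str(p.parent),
        "orig": m["orig"],
        "victim_id": f"{m['vid'].upper()}-{m['vtag'].upper()}",
        "contact": m["contact"],
        "ext": m["ext"].lower(),
    }


def original_path(path):
    """Path the file had before the suffix was appended (for a recovery inventory)."""
    info = parse_encrypted_name(path)
    if info is None:
        return path
    return str(PureWindowsPath(info["dir"]) / info["orig"])


def summarise(paths):
    """Count renamed files per victim id and per top-level directory."""
    parsed = [info for info in map(parse_encrypted_name, paths) if info]
    by_victim = Counter(info["victim_id"] for info in parsed)
    by_dir = Counter(
        str(PureWindowsPath(*PureWindowsPath(info["dir"]).parts[:2])) for info in parsed
    )
    return {
        "renamed": len(parsed),
        "untouched": len(paths) - len(parsed),
        "extensions": sorted({info["ext"] for info in parsed}),
        "by_victim": dict(by_victim),
        "by_dir": dict(by_dir),
    }
```

The victim id is the field worth keying on during response: the report shows the same 6A87AEF0-3483 on every renamed file, so a second id on the same host would indicate a second run or a second machine's files copied in, not the same incident.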
Deletes backup catalog
Processes: wbadmin.exe
pid | process
3920 | wbadmin.exe
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Drops startup file 1 IoCs
Processes: syuQ1.exe
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\syuQ1.exe | syuQ1.exe
-
Executes dropped EXE 6 IoCs
Processes: syuQ1.exe, [Kl.exe, Fy3`yV.exe, syuQ1.exe, Fy3`yV.exe, 8EAA.exe
pid | process
5080 | syuQ1.exe
1432 | [Kl.exe
4048 | Fy3`yV.exe
3476 | syuQ1.exe
3044 | Fy3`yV.exe
1620 | 8EAA.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
Processes: certreq.exe, explorer.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: syuQ1.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syuQ1 = "C:\\Users\\Admin\\AppData\\Local\\syuQ1.exe" | syuQ1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syuQ1 = "C:\\Users\\Admin\\AppData\\Local\\syuQ1.exe" | syuQ1.exe
-
Drops desktop.ini file(s) 4 IoCs
Processes: syuQ1.exe
description | ioc | process
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini | syuQ1.exe
File opened for modification | C:\Program Files\desktop.ini | syuQ1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | syuQ1.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini | syuQ1.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: Fy3`yV.exe
description | pid | process | target process
PID 4048 set thread context of 3044 | 4048 | Fy3`yV.exe | Fy3`yV.exe
-
Drops file in Program Files directory 64 IoCs
Processes: syuQ1.exe
description | ioc | process
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\fre_background.jpg | syuQ1.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms | syuQ1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_contrast-black.png | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Globalization.Extensions.dll | syuQ1.exe
File created | C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\BuildInfo.xml | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml | syuQ1.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml | syuQ1.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll | syuQ1.exe
File created | C:\Program Files\7-Zip\readme.txt.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\WideTile.scale-125.png | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png | syuQ1.exe
File opened for modification | C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar | syuQ1.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms | syuQ1.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar | syuQ1.exe
File opened for modification | C:\Program Files\Windows Mail\wab.exe | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.png | syuQ1.exe
File opened for modification | C:\Program Files\7-Zip\Lang\de.txt | syuQ1.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Mozilla Firefox\precomplete.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png | syuQ1.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png | syuQ1.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml | syuQ1.exe
File created | C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File created | C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jsound.dll | syuQ1.exe
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.id[6A87AEF0-3483].[[email protected]].8base | syuQ1.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png | syuQ1.exe
File opened for modification | C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui | syuQ1.exe
-
Program crash 3 IoCs
Processes: WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
2636 | 3272 | WerFault.exe | 4d18c07abced7f8fc570c83dd825bb0b.exe
2364 | 3476 | WerFault.exe | syuQ1.exe
3780 | 1620 | WerFault.exe | 8EAA.exe
-
Checks SCSI registry key(s) 3 TTPs 7 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vds.exe, Fy3`yV.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fy3`yV.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fy3`yV.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fy3`yV.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: certreq.exe
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe
pid | process
4788 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 4d18c07abced7f8fc570c83dd825bb0b.exe, certreq.exe, Fy3`yV.exe, syuQ1.exe, Explorer.EXE
pid | process | consecutive rows in the original table
3272 | 4d18c07abced7f8fc570c83dd825bb0b.exe | 4
4576 | certreq.exe | 4
3044 | Fy3`yV.exe | 2
5080 | syuQ1.exe | 4
3144 | Explorer.EXE | 4
5080 | syuQ1.exe | 2
3144 | Explorer.EXE | 10
5080 | syuQ1.exe | 2
3144 | Explorer.EXE | 10
5080 | syuQ1.exe | 2
3144 | Explorer.EXE | 10
5080 | syuQ1.exe | 2
3144 | Explorer.EXE | 8
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
3144 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 31 IoCs
Processes: Fy3`yV.exe, Explorer.EXE
pid | process | consecutive rows in the original table
3044 | Fy3`yV.exe | 1
3144 | Explorer.EXE | 30
-
Suspicious use of AdjustPrivilegeToken 57 IoCs
Processes: syuQ1.exe, vssvc.exe, Explorer.EXE, WMIC.exe, wbengine.exe
description | pid | process
Token: SeDebugPrivilege | 5080 | syuQ1.exe
Token: SeBackupPrivilege | 4080 | vssvc.exe
Token: SeRestorePrivilege | 4080 | vssvc.exe
Token: SeAuditPrivilege | 4080 | vssvc.exe
Token: SeShutdownPrivilege | 3144 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3144 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 2300 | WMIC.exe
Token: SeSecurityPrivilege | 2300 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 2300 | WMIC.exe
Token: SeLoadDriverPrivilege | 2300 | WMIC.exe
Token: SeSystemProfilePrivilege | 2300 | WMIC.exe
Token: SeSystemtimePrivilege | 2300 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 2300 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 2300 | WMIC.exe
Token: SeCreatePagefilePrivilege | 2300 | WMIC.exe
Token: SeBackupPrivilege | 2300 | WMIC.exe
Token: SeRestorePrivilege | 2300 | WMIC.exe
Token: SeShutdownPrivilege | 2300 | WMIC.exe
Token: SeDebugPrivilege | 2300 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 2300 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 2300 | WMIC.exe
Token: SeUndockPrivilege | 2300 | WMIC.exe
Token: SeManageVolumePrivilege | 2300 | WMIC.exe
Token: 33 | 2300 | WMIC.exe
Token: 34 | 2300 | WMIC.exe
Token: 35 | 2300 | WMIC.exe
Token: 36 | 2300 | WMIC.exe
(the 21 WMIC.exe rows above appear twice in sequence in the original table)
Token: SeBackupPrivilege | 5008 | wbengine.exe
Token: SeRestorePrivilege | 5008 | wbengine.exe
Token: SeSecurityPrivilege | 5008 | wbengine.exe
Token: SeShutdownPrivilege | 3144 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3144 | Explorer.EXE
(the Explorer.EXE pair above appears three times in sequence in the original table)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 4d18c07abced7f8fc570c83dd825bb0b.exe, Fy3`yV.exe, syuQ1.exe, cmd.exe, cmd.exe, Explorer.EXE
description | pid | process | target process | consecutive rows in the original table
PID 3272 wrote to memory of 4576 | 3272 | 4d18c07abced7f8fc570c83dd825bb0b.exe | certreq.exe | 4
PID 4048 wrote to memory of 3044 | 4048 | Fy3`yV.exe | Fy3`yV.exe | 6
PID 5080 wrote to memory of 4340 | 5080 | syuQ1.exe | cmd.exe | 2
PID 5080 wrote to memory of 3548 | 5080 | syuQ1.exe | cmd.exe | 2
PID 4340 wrote to memory of 4788 | 4340 | cmd.exe | vssadmin.exe | 2
PID 3548 wrote to memory of 2924 | 3548 | cmd.exe | netsh.exe | 2
PID 3548 wrote to memory of 4328 | 3548 | cmd.exe | netsh.exe | 2
PID 4340 wrote to memory of 2300 | 4340 | cmd.exe | WMIC.exe | 2
PID 4340 wrote to memory of 1396 | 4340 | cmd.exe | bcdedit.exe | 2
PID 4340 wrote to memory of 4412 | 4340 | cmd.exe | bcdedit.exe | 2
PID 4340 wrote to memory of 3920 | 4340 | cmd.exe | wbadmin.exe | 2
PID 3144 wrote to memory of 1620 | 3144 | Explorer.EXE | 8EAA.exe | 3
PID 3144 wrote to memory of 2932 | 3144 | Explorer.EXE | explorer.exe | 4
PID 3144 wrote to memory of 4608 | 3144 | Explorer.EXE | explorer.exe | 3
PID 3144 wrote to memory of 1316 | 3144 | Explorer.EXE | explorer.exe | 4
PID 3144 wrote to memory of 3396 | 3144 | Explorer.EXE | explorer.exe | 4
PID 3144 wrote to memory of 1748 | 3144 | Explorer.EXE | explorer.exe | 4
PID 3144 wrote to memory of 1160 | 3144 | Explorer.EXE | explorer.exe | 3
PID 3144 wrote to memory of 3164 | 3144 | Explorer.EXE | explorer.exe | 4
PID 3144 wrote to memory of 3816 | 3144 | Explorer.EXE | explorer.exe | 3
PID 3144 wrote to memory of 1772 | 3144 | Explorer.EXE | explorer.exe | 4
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
-
outlook_win_path 1 IoCs
Processes: explorer.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
-
[1] C:\Windows\Explorer.EXE
    cmd: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 948
            - Program crash
    [2] C:\Windows\system32\certreq.exe
        cmd: "C:\Windows\system32\certreq.exe"
        - Accesses Microsoft Outlook profiles
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Users\Admin\AppData\Local\Temp\8EAA.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\8EAA.exe
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 496
            - Program crash
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
        - Accesses Microsoft Outlook profiles
        - outlook_office_path
        - outlook_win_path
    [2] C:\Windows\explorer.exe
        cmd: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmd: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmd: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmd: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
    [2] C:\Windows\explorer.exe
        cmd: C:\Windows\explorer.exe
    [2] C:\Windows\SysWOW64\explorer.exe
        cmd: C:\Windows\SysWOW64\explorer.exe
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3272 -ip 3272
[1] C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
    cmd: "C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe"
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
        cmd: "C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe"
        - Executes dropped EXE
        [3] C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 320
            - Program crash
    [2] C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\netsh.exe
            cmd: netsh advfirewall set currentprofile state off
            - Modifies Windows Firewall
        [3] C:\Windows\system32\netsh.exe
            cmd: netsh firewall set opmode mode=disable
            - Modifies Windows Firewall
    [2] C:\Windows\system32\cmd.exe
        cmd: "C:\Windows\system32\cmd.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\vssadmin.exe
            cmd: vssadmin delete shadows /all /quiet
            - Interacts with shadow copies
        [3] C:\Windows\System32\Wbem\WMIC.exe
            cmd: wmic shadowcopy delete
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\system32\bcdedit.exe
            cmd: bcdedit /set {default} bootstatuspolicy ignoreallfailures
            - Modifies boot configuration data using bcdedit
        [3] C:\Windows\system32\bcdedit.exe
            cmd: bcdedit /set {default} recoveryenabled no
            - Modifies boot configuration data using bcdedit
        [3] C:\Windows\system32\wbadmin.exe
            cmd: wbadmin delete catalog -quiet
            - Deletes backup catalog
[1] C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe
    cmd: "C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe"
    - Executes dropped EXE
[1] C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
    cmd: "C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
        cmd: "C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe"
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    cmd: "C:\Windows\system32\wbengine.exe"
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    cmd: C:\Windows\System32\vdsldr.exe -Embedding
[1] C:\Windows\System32\vds.exe
    cmd: C:\Windows\System32\vds.exe
    - Checks SCSI registry key(s)
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3476 -ip 3476
[1] C:\Windows\SysWOW64\WerFault.exe
    cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1620 -ip 1620
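The chain under syuQ1.exe (two cmd.exe children running netsh, vssadmin, wmic, bcdedit and wbadmin) is the recovery-inhibition sequence that the signatures above flag one command at a time. The added example below, which is not from the report, correlates them: it attributes each matched child to its nearest non-shell ancestor so the verdict lands on syuQ1.exe rather than on either cmd.exe, and only calls the result inhibit-recovery once at least two distinct categories appear under the same root, so a single administrative vssadmin invocation does not fire. EVENTS is a constructed Sysmon-style process-creation list; the PIDs and command lines are the ones in the tree, and the last two benign rows are made up.

```python
"""Correlate the recovery-inhibition commands seen under syuQ1.exe into one
finding attributed to the process that spawned the shells.

Added example; not part of the sandbox report. EVENTS is a constructed
Sysmon-style process-creation list: PIDs and command lines are the ones in
the process tree, the last two rows are made-up benign noise.
"""
import re
from collections import defaultdict

# (category, pattern applied to the lower-cased command line)
RULES = [
    ("shadow_copy_delete",    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_delete",    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("boot_recovery_off",     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("boot_recovery_off",     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b")),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("firewall_disable",      re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b.*\bstate\s+off\b")),
    ("firewall_disable",      re.compile(r"\bnetsh(\.exe)?\b.*\bfirewall\b.*\bopmode\b.*\bdisable\b")),
]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# (pid, ppid, image, command_line)
EVENTS = [
    (5080, 3144, r"C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe", r'"C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe"'),
    (4340, 5080, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (3548, 5080, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    (2924, 3548, r"C:\Windows\system32\netsh.exe", "netsh advfirewall set currentprofile state off"),
    (4328, 3548, r"C:\Windows\system32\netsh.exe", "netsh firewall set opmode mode=disable"),
    (4788, 4340, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (2300, 4340, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (1396, 4340, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    (4412, 4340, r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    (3920, 4340, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (7000, 900,  r"C:\Windows\system32\cmd.exe", "cmd.exe"),                     # constructed
    (7001, 7000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),  # constructed
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def attribute(events):
    """Map each pid to its nearest ancestor that is not a shell.

    These utilities are usually launched through cmd.exe; attributing to the
    shell would yield one finding per cmd.exe instead of one per dropper.
    """
    parent = {pid: (ppid, img) for pid, ppid, img, _ in events}
    roots = {}
    for pid, ppid, _, _ in events:
        cur, seen = ppid, set()
        while cur in parent and cur not in seen:
            seen.add(cur)
            up, img = parent[cur]
            if image_name(img) not in SHELLS:
                break
            cur = up
        roots[pid] = cur          # a ppid outside the event window is kept as-is
    return roots


def detect(events, min_categories=2):
    """Return {root_pid: {...}}; inhibit_recovery is True once at least
    `min_categories` distinct categories are seen under the same root."""
    roots = attribute(events)
    found = defaultdict(lambda: {"categories": set(), "commands": []})
    for pid, _, _, cmd in events:
        low = cmd.lower()
        for category, pattern in RULES:
            if pattern.search(low):
                found[roots[pid]]["categories"].add(category)
                found[roots[pid]]["commands"].append(cmd)
                break
    return {
        root: {
            "categories": sorted(f["categories"]),
            "commands": f["commands"],
            "inhibit_recovery": len(f["categories"]) >= min_categories,
        }
        for root, f in found.items()
    }
```

The threshold is the tuning knob: with min_categories=1 every shadow-copy deletion alerts, which is noisy on hosts where backup software legitimately prunes snapshots; the two-category default keys on the combination the tree shows, where the firewall, the shadow copies, the boot recovery settings and the backup catalog all go within seconds under one parent.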
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[6A87AEF0-3483].[[email protected]].8base
  Filesize: 2.7MB
  MD5: 2a754c0e6b8838a641ff3b13a3100317
  SHA1: 93cd3d69349345f6792069251fdaf05eb98775dd
  SHA256: c31049c5ed25444086ff0e38787650b7a689ffa13e3b7dea3c48c45f655383f7
  SHA512: b63e4af89ab3357126d556a7918cd54b01a41afec8860bb45990baedfb54fa57f967125dc3321b58eb65a4a054cf0768e03a9bab493e922406cd5f72baffcb77
-
C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe (listed 3 times with identical hashes)
  Filesize: 166KB
  MD5: 1b2b02b4b524fe02b8b96bd781c8eceb
  SHA1: 36e2eb7e1ae58b103b2d1cca5991786b0118534b
  SHA256: e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
  SHA512: 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8
-
C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe (listed 2 times with identical hashes)
  Filesize: 164KB
  MD5: 3524139d7687147f53dc7df4f4867093
  SHA1: 77a6308dc4981ac164a887ed54a0e01c63c17c63
  SHA256: 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
  SHA512: 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3
-
C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe
  Filesize: 165KB
  MD5: 65ba8303fabfb2652158af69f7124772
  SHA1: e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA2563ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exeFilesize
165KB
MD565ba8303fabfb2652158af69f7124772
SHA1e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA2563ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exeFilesize
165KB
MD565ba8303fabfb2652158af69f7124772
SHA1e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA2563ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Temp\8EAA.exeFilesize
165KB
MD565ba8303fabfb2652158af69f7124772
SHA1e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA2563ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Temp\8EAA.exeFilesize
165KB
MD565ba8303fabfb2652158af69f7124772
SHA1e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA2563ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
C:\Users\Admin\AppData\Local\Temp\8EAA.exeFilesize
165KB
MD565ba8303fabfb2652158af69f7124772
SHA1e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA2563ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
-
memory/1160-2216-0x0000000000BC0000-0x0000000000BCF000-memory.dmpFilesize
60KB
-
memory/1160-2937-0x0000000000BD0000-0x0000000000BD9000-memory.dmpFilesize
36KB
-
memory/1160-2211-0x0000000000BC0000-0x0000000000BCF000-memory.dmpFilesize
60KB
-
memory/1160-2215-0x0000000000BD0000-0x0000000000BD9000-memory.dmpFilesize
36KB
-
memory/1316-2026-0x0000000001060000-0x0000000001064000-memory.dmpFilesize
16KB
-
memory/1316-2336-0x0000000001060000-0x0000000001064000-memory.dmpFilesize
16KB
-
memory/1316-2027-0x0000000001050000-0x0000000001059000-memory.dmpFilesize
36KB
-
memory/1316-2043-0x0000000001050000-0x0000000001059000-memory.dmpFilesize
36KB
-
memory/1352-3618-0x00000000012B0000-0x00000000012BB000-memory.dmpFilesize
44KB
-
memory/1352-3593-0x00000000012B0000-0x00000000012BB000-memory.dmpFilesize
44KB
-
memory/1432-205-0x0000000000750000-0x0000000000850000-memory.dmpFilesize
1024KB
-
memory/1432-197-0x0000000000710000-0x0000000000715000-memory.dmpFilesize
20KB
-
memory/1432-196-0x0000000000750000-0x0000000000850000-memory.dmpFilesize
1024KB
-
memory/1432-198-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB
-
memory/1748-2139-0x0000000000350000-0x0000000000357000-memory.dmpFilesize
28KB
-
memory/1748-2140-0x0000000000340000-0x000000000034B000-memory.dmpFilesize
44KB
-
memory/1748-2137-0x0000000000340000-0x000000000034B000-memory.dmpFilesize
44KB
-
memory/1748-2647-0x0000000000350000-0x0000000000357000-memory.dmpFilesize
28KB
-
memory/1772-2436-0x0000000000130000-0x0000000000139000-memory.dmpFilesize
36KB
-
memory/1772-2437-0x0000000000140000-0x0000000000144000-memory.dmpFilesize
16KB
-
memory/1772-3624-0x0000000000140000-0x0000000000144000-memory.dmpFilesize
16KB
-
memory/1772-2438-0x0000000000130000-0x0000000000139000-memory.dmpFilesize
36KB
-
memory/2932-2213-0x0000000000D50000-0x0000000000DBB000-memory.dmpFilesize
428KB
-
memory/2932-1935-0x0000000001000000-0x0000000001075000-memory.dmpFilesize
468KB
-
memory/2932-1924-0x0000000000D50000-0x0000000000DBB000-memory.dmpFilesize
428KB
-
memory/2932-1914-0x0000000000D50000-0x0000000000DBB000-memory.dmpFilesize
428KB
-
memory/2972-3625-0x0000000000BE0000-0x0000000000BED000-memory.dmpFilesize
52KB
-
memory/2972-3626-0x0000000000BF0000-0x0000000000C00000-memory.dmpFilesize
64KB
-
memory/2972-3627-0x0000000000BE0000-0x0000000000BED000-memory.dmpFilesize
52KB
-
memory/3044-201-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3044-342-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3044-203-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/3144-327-0x0000000002A00000-0x0000000002A16000-memory.dmpFilesize
88KB
-
memory/3164-2307-0x0000000001050000-0x0000000001059000-memory.dmpFilesize
36KB
-
memory/3164-2311-0x0000000001060000-0x0000000001065000-memory.dmpFilesize
20KB
-
memory/3164-2327-0x0000000001050000-0x0000000001059000-memory.dmpFilesize
36KB
-
memory/3164-3179-0x0000000001060000-0x0000000001065000-memory.dmpFilesize
20KB
-
memory/3272-142-0x0000000004D80000-0x0000000005180000-memory.dmpFilesize
4.0MB
-
memory/3272-141-0x0000000000400000-0x0000000002B7C000-memory.dmpFilesize
39.5MB
-
memory/3272-156-0x0000000000400000-0x0000000002B7C000-memory.dmpFilesize
39.5MB
-
memory/3272-134-0x0000000002EA0000-0x0000000002FA0000-memory.dmpFilesize
1024KB
-
memory/3272-155-0x0000000004D80000-0x0000000005180000-memory.dmpFilesize
4.0MB
-
memory/3272-136-0x0000000000400000-0x0000000002B7C000-memory.dmpFilesize
39.5MB
-
memory/3272-137-0x0000000004960000-0x0000000004967000-memory.dmpFilesize
28KB
-
memory/3272-138-0x0000000004D80000-0x0000000005180000-memory.dmpFilesize
4.0MB
-
memory/3272-139-0x0000000004D80000-0x0000000005180000-memory.dmpFilesize
4.0MB
-
memory/3272-140-0x0000000004D80000-0x0000000005180000-memory.dmpFilesize
4.0MB
-
memory/3272-152-0x00000000059C0000-0x00000000059F6000-memory.dmpFilesize
216KB
-
memory/3272-143-0x0000000002EA0000-0x0000000002FA0000-memory.dmpFilesize
1024KB
-
memory/3272-145-0x0000000002E20000-0x0000000002E91000-memory.dmpFilesize
452KB
-
memory/3272-146-0x00000000059C0000-0x00000000059F6000-memory.dmpFilesize
216KB
-
memory/3272-135-0x0000000002E20000-0x0000000002E91000-memory.dmpFilesize
452KB
-
memory/3396-2124-0x0000000001060000-0x000000000106A000-memory.dmpFilesize
40KB
-
memory/3396-2147-0x0000000001050000-0x000000000105B000-memory.dmpFilesize
44KB
-
memory/3396-2125-0x0000000001050000-0x000000000105B000-memory.dmpFilesize
44KB
-
memory/3476-1525-0x0000000000680000-0x0000000000780000-memory.dmpFilesize
1024KB
-
memory/3476-3202-0x0000000000DF0000-0x0000000000DF9000-memory.dmpFilesize
36KB
-
memory/3476-1526-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB
-
memory/3476-3157-0x0000000000DF0000-0x0000000000DF9000-memory.dmpFilesize
36KB
-
memory/3816-3614-0x0000000000B20000-0x0000000000B26000-memory.dmpFilesize
24KB
-
memory/3816-2434-0x0000000000B10000-0x0000000000B1C000-memory.dmpFilesize
48KB
-
memory/3816-2405-0x0000000000B10000-0x0000000000B1C000-memory.dmpFilesize
48KB
-
memory/3816-2412-0x0000000000B20000-0x0000000000B26000-memory.dmpFilesize
24KB
-
memory/3868-3775-0x0000000000F30000-0x0000000000F3B000-memory.dmpFilesize
44KB
-
memory/3868-3774-0x0000000000F40000-0x0000000000F48000-memory.dmpFilesize
32KB
-
memory/3868-3772-0x0000000000F30000-0x0000000000F3B000-memory.dmpFilesize
44KB
-
memory/4048-200-0x0000000000520000-0x0000000000529000-memory.dmpFilesize
36KB
-
memory/4048-199-0x0000000000560000-0x0000000000660000-memory.dmpFilesize
1024KB
-
memory/4576-173-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-171-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-144-0x000001B79C670000-0x000001B79C673000-memory.dmpFilesize
12KB
-
memory/4576-157-0x000001B79C670000-0x000001B79C673000-memory.dmpFilesize
12KB
-
memory/4576-158-0x000001B79C6C0000-0x000001B79C6C7000-memory.dmpFilesize
28KB
-
memory/4576-159-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-160-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-161-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-162-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-163-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-165-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-190-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmpFilesize
2.0MB
-
memory/4576-189-0x000001B79C6C0000-0x000001B79C6C5000-memory.dmpFilesize
20KB
-
memory/4576-176-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmpFilesize
2.0MB
-
memory/4576-175-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-174-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-172-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-167-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-168-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-169-0x00007FF4A9650000-0x00007FF4A977D000-memory.dmpFilesize
1.2MB
-
memory/4576-170-0x00007FFCD2BD0000-0x00007FFCD2DC5000-memory.dmpFilesize
2.0MB
-
memory/4608-1911-0x00000000009F0000-0x00000000009FC000-memory.dmpFilesize
48KB
-
memory/4608-1912-0x00000000009F0000-0x00000000009FC000-memory.dmpFilesize
48KB
-
memory/4608-1910-0x0000000000C80000-0x0000000000C87000-memory.dmpFilesize
28KB
-
memory/4844-2938-0x0000000000620000-0x0000000000647000-memory.dmpFilesize
156KB
-
memory/4844-2981-0x0000000000650000-0x0000000000671000-memory.dmpFilesize
132KB
-
memory/4844-2898-0x0000000000620000-0x0000000000647000-memory.dmpFilesize
156KB
-
memory/4844-3896-0x0000000000650000-0x0000000000671000-memory.dmpFilesize
132KB
-
memory/5076-3773-0x00000000009E0000-0x00000000009E5000-memory.dmpFilesize
20KB
-
memory/5076-2629-0x00000000009D0000-0x00000000009D9000-memory.dmpFilesize
36KB
-
memory/5076-2672-0x00000000009E0000-0x00000000009E5000-memory.dmpFilesize
20KB
-
memory/5076-2682-0x00000000009D0000-0x00000000009D9000-memory.dmpFilesize
36KB
-
memory/5080-192-0x0000000000520000-0x000000000052F000-memory.dmpFilesize
60KB
-
memory/5080-193-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB
-
memory/5080-204-0x00000000005C0000-0x00000000006C0000-memory.dmpFilesize
1024KB
-
memory/5080-430-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB
-
memory/5080-1297-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB
-
memory/5080-191-0x00000000005C0000-0x00000000006C0000-memory.dmpFilesize
1024KB
-
memory/5080-2212-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB
-
memory/5080-3877-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB
-
memory/5080-4495-0x0000000000400000-0x000000000049A000-memory.dmpFilesize
616KB