Malware Analysis Report

2024-11-16 12:19

Sample ID 230714-hhhwdsce24
Target 4d18c07abced7f8fc570c83dd825bb0b.exe
SHA256 b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642
Tags
phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8623632ef4735f184691e98adaaa01e707f5287759ee0516fb1672db6187642

Threat Level: Known bad

The file 4d18c07abced7f8fc570c83dd825bb0b.exe was found to be: Known bad.

Malicious Activity Summary

phobos rhadamanthys smokeloader systembc backdoor collection evasion persistence ransomware spyware stealer trojan

SystemBC

Phobos

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

Rhadamanthys

Detect rhadamanthys stealer shellcode

Renames multiple (83) files with added filename extension

Modifies boot configuration data using bcdedit

Deletes shadow copies

Renames multiple (346) files with added filename extension

Modifies Windows Firewall

Downloads MZ/PE file

Deletes backup catalog

Deletes itself

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

Interacts with shadow copies

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-14 06:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-14 06:44

Reported

2023-07-14 06:46

Platform

win7-20230712-en

Max time kernel

88s

Max time network

142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1044 created 1212 N/A C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Renames multiple (83) files with added filename extension

ransomware

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\certreq.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\xi28sr.exe C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xi28sr = "C:\\Users\\Admin\\AppData\\Local\\xi28sr.exe" C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\xi28sr = "C:\\Users\\Admin\\AppData\\Local\\xi28sr.exe" C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$Recycle.Bin\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-377084978-2088738870-2818360375-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 112 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet.jsp_2.2.0.v201112011158.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_ja.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.shell_0.10.0.v201212101605.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\sound.properties C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-tabcontrol.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\it.txt C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OFFICE14\msoshext.dll.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\ant-javafx.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\bg.txt C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pl.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jre7\bin\libxslt.dll.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\vk_swiftshader_icd.json.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC.DLL.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\af.pak C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Adelaide.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\uk.txt C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\boot.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Filters\msgfilt.dll C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_ja.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\NavigationLeft_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.h C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\orb.idl.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationUp_SelectionSubpicture.png C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\preloaded_data.pb.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\com.jrockit.mc.rcp.product_root_5.5.0.165303.id[A1D1CB13-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe C:\Windows\system32\certreq.exe
PID 112 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe
PID 524 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe C:\Windows\system32\cmd.exe
PID 524 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe C:\Windows\system32\cmd.exe
PID 1996 wrote to memory of 2156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 856 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 856 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1212 wrote to memory of 1040 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\9BA3.exe
PID 1212 wrote to memory of 2088 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1212 wrote to memory of 1728 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1212 wrote to memory of 2608 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1212 wrote to memory of 1764 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1212 wrote to memory of 2612 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 1212 wrote to memory of 2700 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 1212 wrote to memory of 2000 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe

"C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe

"C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe"

C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe

"C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe"

C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe

"C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe"

C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe

"C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe"

C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe

"C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Users\Admin\AppData\Local\Temp\9BA3.exe

C:\Users\Admin\AppData\Local\Temp\9BA3.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp

Files

memory/1044-55-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

memory/1044-57-0x0000000000270000-0x00000000002E1000-memory.dmp

memory/1044-56-0x0000000000400000-0x0000000002B7C000-memory.dmp

memory/1044-59-0x00000000046E0000-0x0000000004AE0000-memory.dmp

memory/1044-58-0x0000000000230000-0x0000000000237000-memory.dmp

memory/1044-60-0x00000000046E0000-0x0000000004AE0000-memory.dmp

memory/1044-61-0x00000000046E0000-0x0000000004AE0000-memory.dmp

memory/1044-62-0x00000000046E0000-0x0000000004AE0000-memory.dmp

memory/1044-63-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

memory/2072-64-0x0000000000060000-0x0000000000063000-memory.dmp

memory/1044-65-0x0000000000400000-0x0000000002B7C000-memory.dmp

memory/1044-66-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

memory/1044-74-0x00000000046E0000-0x0000000004AE0000-memory.dmp

memory/1044-73-0x0000000002BC0000-0x0000000002BF6000-memory.dmp

memory/1044-76-0x0000000000400000-0x0000000002B7C000-memory.dmp

memory/1044-77-0x00000000046E0000-0x0000000004AE0000-memory.dmp

memory/2072-78-0x0000000000060000-0x0000000000063000-memory.dmp

memory/2072-79-0x00000000020C0000-0x00000000020C7000-memory.dmp

memory/2072-81-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-80-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-82-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-83-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-84-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-85-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-87-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-88-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-89-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-90-0x00000000770F0000-0x0000000077299000-memory.dmp

memory/2072-91-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-92-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-93-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-94-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-95-0x00000000020C0000-0x00000000020C7000-memory.dmp

memory/2072-96-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/2072-103-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp

memory/2072-104-0x00000000770F0000-0x0000000077299000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\PN4[8$.exe

MD5 3524139d7687147f53dc7df4f4867093
SHA1 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

memory/524-108-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/524-109-0x0000000000220000-0x000000000022F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/524-111-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2072-112-0x00000000770F0000-0x0000000077299000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\xi28sr.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/112-116-0x0000000000630000-0x0000000000730000-memory.dmp

memory/2672-117-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/112-118-0x0000000000240000-0x0000000000249000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

memory/2672-120-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\tcIbvM8%{6.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

memory/2672-122-0x0000000000400000-0x0000000000409000-memory.dmp

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[A1D1CB13-3483].[[email protected]].8base

MD5 c12828c173760cad7a789173f74e0f27
SHA1 41fc0e6d77aa009282cb0926eba7b8c08fe08eb0
SHA256 76e62ab74d71af12b0a8c9790dadfde3889732426ca1375c6585a44fbc69c662
SHA512 bcf917784bc6f2a654b0c52fc7ef1d00cf4ae50bae8eb57c172b1ce3e9cb3a51e19f4e731fc8ab87858915cccafa2d317570c12aa2edc6493282ecb290299252

memory/524-164-0x00000000005B0000-0x00000000006B0000-memory.dmp

memory/2672-205-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1212-204-0x0000000002580000-0x0000000002596000-memory.dmp

memory/524-327-0x0000000000400000-0x000000000049A000-memory.dmp

memory/472-383-0x0000000000220000-0x0000000000225000-memory.dmp

memory/472-377-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/472-392-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1100-642-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/1100-643-0x0000000000400000-0x000000000049A000-memory.dmp

memory/524-644-0x0000000000400000-0x000000000049A000-memory.dmp

memory/472-666-0x00000000005C0000-0x00000000006C0000-memory.dmp

memory/472-667-0x0000000000220000-0x0000000000225000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9BA3.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Temp\9BA3.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

memory/2088-1030-0x00000000000F0000-0x0000000000165000-memory.dmp

memory/2088-1067-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/524-1108-0x0000000000400000-0x000000000049A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tf9bvg1t.default-release\cookies.sqlite.id[A1D1CB13-3483].[[email protected]].8base

MD5 d3c361f7db413c3ee876d794da33e374
SHA1 92fc50208cce7280e5940692e7c2eb5ce95562c6
SHA256 a48ae5a0686ed581bcab4e76ce9a61abdc0ebaf1f26b129639f72d21b76a4ad8
SHA512 3d6cd3bed2f0933aeffcb557c1df58e3f7963c02cf6f22311e163ccbf9fbb68a8d3d038d19f649ebeb8b7941132d06946bef87aa1dedfd04ed3ba5af56af488f

memory/2088-1163-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/1728-1169-0x0000000000070000-0x0000000000077000-memory.dmp

memory/1728-1168-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1728-1170-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2088-1236-0x0000000000080000-0x00000000000EB000-memory.dmp

memory/2608-1289-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2608-1290-0x0000000000090000-0x0000000000094000-memory.dmp

memory/2608-1292-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1764-1518-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1764-1526-0x0000000000080000-0x000000000008B000-memory.dmp

memory/1764-1521-0x0000000000090000-0x000000000009A000-memory.dmp

memory/2612-1765-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/2612-1768-0x00000000000D0000-0x00000000000D7000-memory.dmp

memory/2612-1769-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/1728-1819-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2700-1818-0x00000000000E0000-0x00000000000EF000-memory.dmp

memory/2700-1849-0x00000000000E0000-0x00000000000EF000-memory.dmp

memory/2700-1844-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/2000-1969-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2000-2023-0x00000000000E0000-0x00000000000EF000-memory.dmp

memory/2000-2024-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2608-2031-0x0000000000090000-0x0000000000094000-memory.dmp

memory/1812-2087-0x0000000000070000-0x0000000000076000-memory.dmp

memory/1812-2088-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1812-2086-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1764-2096-0x0000000000090000-0x000000000009A000-memory.dmp

memory/1592-2275-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1592-2276-0x0000000000090000-0x0000000000094000-memory.dmp

memory/1592-2277-0x0000000000080000-0x0000000000089000-memory.dmp

memory/524-2362-0x0000000000400000-0x000000000049A000-memory.dmp

memory/2932-2361-0x0000000000060000-0x0000000000069000-memory.dmp

memory/2612-2363-0x00000000000D0000-0x00000000000D7000-memory.dmp

memory/2932-2364-0x0000000000080000-0x0000000000089000-memory.dmp

memory/2932-2365-0x0000000000060000-0x0000000000069000-memory.dmp

memory/2700-2443-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/1692-2448-0x0000000000080000-0x00000000000A7000-memory.dmp

memory/1692-2449-0x0000000000080000-0x00000000000A7000-memory.dmp

memory/1692-2451-0x0000000000080000-0x00000000000A7000-memory.dmp

memory/1856-2482-0x0000000000090000-0x0000000000095000-memory.dmp

memory/1856-2483-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1856-2481-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1252-2852-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/1812-2853-0x0000000000070000-0x0000000000076000-memory.dmp

memory/1252-2854-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1252-2855-0x00000000000C0000-0x00000000000CB000-memory.dmp

memory/1040-2926-0x0000000000400000-0x000000000049A000-memory.dmp

memory/1592-2927-0x0000000000090000-0x0000000000094000-memory.dmp

memory/2808-2969-0x0000000000060000-0x000000000006D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-14 06:44

Reported

2023-07-14 06:46

Platform

win10v2004-20230703-en

Max time kernel

147s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phobos

ransomware phobos

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3272 created 3144 N/A C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Renames multiple (346) files with added filename extension

ransomware

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\syuQ1.exe C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Windows\system32\certreq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syuQ1 = "C:\\Users\\Admin\\AppData\\Local\\syuQ1.exe" C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\syuQ1 = "C:\\Users\\Admin\\AppData\\Local\\syuQ1.exe" C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\$Recycle.Bin\S-1-5-21-1498570331-2313266200-788959944-1000\desktop.ini C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4048 set thread context of 3044 N/A C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.INF.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\fre_background.jpg C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\en-US\tabskb.dll.mui C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\javafx-src.zip.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\lib\jvm.hprof.txt.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProMSDNR_Retail-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\oregres.dll C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageAppList.targetsize-256_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Globalization.Extensions.dll C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\jre\bin\prism_sw.dll.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\BuildInfo.xml C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\gstreamer-lite.dll.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\onenotemui.msi.16.en-us.vreg.dat C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\libftp_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\7-Zip\readme.txt.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-pl.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\libaccess_output_srt_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\SmallTile.scale-125.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\WideTile.scale-125.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ppd.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-ul-oob.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Trial-pl.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\FPA_f7\FA000000007.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare150x150Logo.scale-100_contrast-black.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Internet Explorer\es-ES\iexplore.exe.mui C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-uihandler.jar C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libmjpeg_plugin.dll C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\AppxMetadata\CodeIntegrity.cat C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.fr-fr.dll.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\license.html.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\launcher.win32.win32.x86_64.properties C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_ja.jar C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\de.txt C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Mozilla Firefox\precomplete.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\libwingdi_plugin.dll.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-40_altform-unplated_contrast-white.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\msipc.dll.mui.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_scale-200.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jsound.dll C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML.id[6A87AEF0-3483].[[email protected]].8base C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\175.png C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\certreq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\certreq.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe N/A
N/A N/A C:\Windows\system32\certreq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe C:\Windows\system32\certreq.exe
PID 4048 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe
PID 5080 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe C:\Windows\system32\cmd.exe
PID 5080 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe C:\Windows\system32\cmd.exe
PID 4340 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 3548 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3548 wrote to memory of 4328 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4340 wrote to memory of 2300 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4340 wrote to memory of 1396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4340 wrote to memory of 4412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4340 wrote to memory of 3920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 3144 wrote to memory of 1620 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\8EAA.exe
PID 3144 wrote to memory of 2932 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3144 wrote to memory of 4608 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3144 wrote to memory of 1316 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3144 wrote to memory of 3396 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3144 wrote to memory of 1748 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3144 wrote to memory of 1160 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3144 wrote to memory of 3164 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3144 wrote to memory of 3816 N/A C:\Windows\Explorer.EXE C:\Windows\explorer.exe
PID 3144 wrote to memory of 1772 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe

"C:\Users\Admin\AppData\Local\Temp\4d18c07abced7f8fc570c83dd825bb0b.exe"

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 948

C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe

"C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe"

C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe

"C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe"

C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe

"C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe"

C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe

"C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe"

C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe

"C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=disable

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3476 -ip 3476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 320

C:\Users\Admin\AppData\Local\Temp\8EAA.exe

C:\Users\Admin\AppData\Local\Temp\8EAA.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1620 -ip 1620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 496

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 servblog25.xyz udp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 61.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 45.131.66.61:80 servblog25.xyz tcp
DE 45.131.66.61:80 servblog25.xyz tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 serverxlogs21.xyz udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 fexstat257.xyz udp
DE 45.89.125.136:80 fexstat257.xyz tcp
US 8.8.8.8:53 120.66.131.45.in-addr.arpa udp
US 8.8.8.8:53 136.125.89.45.in-addr.arpa udp
DE 45.131.66.120:80 serverxlogs21.xyz tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\syuQ1.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0

C:\Users\Admin\AppData\Local\Microsoft\[Kl.exe

MD5 3524139d7687147f53dc7df4f4867093
SHA1 77a6308dc4981ac164a887ed54a0e01c63c17c63
SHA256 954429625375fc965c2151a8b109c07d1f6de6fbf9c3b95660400d9b4bf79081
SHA512 48df3de51b20e20660804f92a699f9b3886406c1872c8df02e220bf23415838ada393fc540f878aad8ebe61f7023161b15152942509b63030b6fd4a458a82db3

C:\Users\Admin\AppData\Local\Microsoft\Fy3`yV.exe

MD5 1b2b02b4b524fe02b8b96bd781c8eceb
SHA1 36e2eb7e1ae58b103b2d1cca5991786b0118534b
SHA256 e780a1b2be7dab91bdc77bd313dd5a4456e0d92164fc1e54894f086f269d85c6
SHA512 80caf55a2f2a63e99c5ee6199b3b8357fd5d2bf92cb671f80a0b05385cc79f78fc689d60197176fc1bae67ab331e8bdf71adf44c88423bbbf95e7926e31e5bc8

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id[6A87AEF0-3483].[[email protected]].8base

MD5 2a754c0e6b8838a641ff3b13a3100317
SHA1 93cd3d69349345f6792069251fdaf05eb98775dd
SHA256 c31049c5ed25444086ff0e38787650b7a689ffa13e3b7dea3c48c45f655383f7
SHA512 b63e4af89ab3357126d556a7918cd54b01a41afec8860bb45990baedfb54fa57f967125dc3321b58eb65a4a054cf0768e03a9bab493e922406cd5f72baffcb77

C:\Users\Admin\AppData\Local\Temp\8EAA.exe

MD5 65ba8303fabfb2652158af69f7124772
SHA1 e7a679c504b8f00c995da10f1fa66fb6458832a2
SHA256 3ec359f6ab125099db4a4f7b6ad6b17ab1411a338be932ea45aea13aad7788c8
SHA512 cc77310aa5caf21cfcfd318b97f804d565fb0ecb8ad6f3335bd9883a9c3db3d94e784b4b9ac54b04ee71172d62fb23e8b99de93237e9d798cb02d5359a83c5f0
