Analysis
max time kernel: 142s
max time network: 151s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 15-07-2023 00:38

Static task: static1
Behavioral task: behavioral1
  Sample: 1b94e6504da7365a7ac9e5f1c37ea714.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 1b94e6504da7365a7ac9e5f1c37ea714.exe
  Resource: win10v2004-20230703-en
General
Target: 1b94e6504da7365a7ac9e5f1c37ea714.exe
Size: 164KB
MD5: 1b94e6504da7365a7ac9e5f1c37ea714
SHA1: b2c784470f5400680f275943aacfcbef6cda5c88
SHA256: eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA512: 6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
SSDEEP: 3072:sSGL9TvjYP99HQjQQeTXE61nB1KpyehJqCFQUDjp5AJ:IL9jjYlaQ9E6B2yeHPOJ
Malware Config
Extracted: smokeloader
  summ
Extracted: smokeloader
  2022
Extracted: systembc
  adstat477d.xyz:4044
  demstat577d.xyz:4044
Signatures
-
Detect rhadamanthys stealer shellcode 6 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2512-115-0x0000000001F50000-0x0000000002350000-memory.dmp | family_rhadamanthys
behavioral1/memory/2512-114-0x0000000001F50000-0x0000000002350000-memory.dmp | family_rhadamanthys
behavioral1/memory/2512-116-0x0000000001F50000-0x0000000002350000-memory.dmp | family_rhadamanthys
behavioral1/memory/2512-118-0x0000000001F50000-0x0000000002350000-memory.dmp | family_rhadamanthys
behavioral1/memory/2512-131-0x0000000001F50000-0x0000000002350000-memory.dmp | family_rhadamanthys
behavioral1/memory/2512-134-0x0000000001F50000-0x0000000002350000-memory.dmp | family_rhadamanthys
-
Phobos
Phobos ransomware appeared at the beginning of 2019.
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 2512 created 1400 | 2512 | 24B0.exe | Explorer.EXE
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 2 IoCs
-
Deletes itself 1 IoCs
Processes:
pid | process
1400 | Explorer.EXE
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\~st]e.exe | ~st]e.exe
-
Executes dropped EXE 8 IoCs
Processes:
pid | process
2512 | 24B0.exe
1668 | ~~P7P.exe
3016 | ~st]e.exe
1200 | 1aL1rP.exe
2132 | ~st]e.exe
3036 | ~~P7P.exe
1680 | gdfbwaj
1704 | BF1C.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\~st]e = "C:\\Users\\Admin\\AppData\\Local\\~st]e.exe" | ~st]e.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\~st]e = "C:\\Users\\Admin\\AppData\\Local\\~st]e.exe" | ~st]e.exe
-
Drops desktop.ini file(s) 4 IoCs
Processes:
description | ioc | process
File opened for modification | C:\$Recycle.Bin\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini | ~st]e.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-722410544-1258951091-1992882075-1000\desktop.ini | ~st]e.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | ~st]e.exe
File opened for modification | C:\Program Files\desktop.ini | ~st]e.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1668 set thread context of 3036 | 1668 | ~~P7P.exe | ~~P7P.exe
-
Drops file in Program Files directory 64 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InkObj.dll.mui | ~st]e.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MST7MDT | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar | ~st]e.exe
File created | C:\Program Files\7-Zip\7-zip.chm.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkServerCP | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_zh_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-loaders.jar | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png | ~st]e.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ca.pak | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml | ~st]e.exe
File created | C:\Program Files\7-Zip\Lang\ne.txt.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_ButtonGraphic.png | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar | ~st]e.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar | ~st]e.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\it-IT\OmdProject.dll.mui | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar | ~st]e.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\de.pak.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.nl_zh_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_zh_CN.jar | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Bougainville | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf_3.4.0.v20140827-1444.jar | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_zh_4.4.0.v20140623020002.jar.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-cli_ja.jar.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_ButtonGraphic.png | ~st]e.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\LogoCanary.png.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Shanghai | ~st]e.exe
File created | C:\Program Files\CloseUnregister.sql.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_ButtonGraphic.png | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\access-bridge-64.jar.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar | ~st]e.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml.id[51F095FA-3483].[[email protected]].8base | ~st]e.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1b94e6504da7365a7ac9e5f1c37ea714.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1b94e6504da7365a7ac9e5f1c37ea714.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 1b94e6504da7365a7ac9e5f1c37ea714.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ~~P7P.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ~~P7P.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ~~P7P.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | certreq.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | certreq.exe
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid | process
888 | vssadmin.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | occurrences
2392 | 1b94e6504da7365a7ac9e5f1c37ea714.exe | 2
1400 | Explorer.EXE | 62
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1400 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 20 IoCs
Processes:
pid | process | occurrences
2392 | 1b94e6504da7365a7ac9e5f1c37ea714.exe | 1
1400 | Explorer.EXE | 18
3036 | ~~P7P.exe | 1
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1400 | Explorer.EXE
Token: SeDebugPrivilege | 3016 | ~st]e.exe
Token: SeBackupPrivilege | 2716 | vssvc.exe
Token: SeRestorePrivilege | 2716 | vssvc.exe
Token: SeAuditPrivilege | 2716 | vssvc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process | occurrences
PID 1400 wrote to memory of 2512 | 1400 | Explorer.EXE | 24B0.exe | 4
PID 1400 wrote to memory of 2796 | 1400 | Explorer.EXE | explorer.exe | 5
PID 1400 wrote to memory of 2848 | 1400 | Explorer.EXE | explorer.exe | 4
PID 1400 wrote to memory of 2932 | 1400 | Explorer.EXE | explorer.exe | 5
PID 1400 wrote to memory of 2972 | 1400 | Explorer.EXE | explorer.exe | 4
PID 1400 wrote to memory of 1508 | 1400 | Explorer.EXE | explorer.exe | 5
PID 1400 wrote to memory of 1960 | 1400 | Explorer.EXE | explorer.exe | 5
PID 1400 wrote to memory of 2712 | 1400 | Explorer.EXE | explorer.exe | 5
PID 1400 wrote to memory of 2820 | 1400 | Explorer.EXE | explorer.exe | 4
PID 1400 wrote to memory of 2732 | 1400 | Explorer.EXE | explorer.exe | 5
PID 2512 wrote to memory of 2304 | 2512 | 24B0.exe | certreq.exe | 6
PID 1668 wrote to memory of 3036 | 1668 | ~~P7P.exe | ~~P7P.exe | 7
PID 2792 wrote to memory of 1680 | 2792 | taskeng.exe | gdfbwaj | 4
PID 3016 wrote to memory of 2328 | 3016 | ~st]e.exe | cmd.exe | 1
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | certreq.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | certreq.exe
Processes
C:\Windows\Explorer.EXE (PID 1400)
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe (PID 2392)
    command line: "C:\Users\Admin\AppData\Local\Temp\1b94e6504da7365a7ac9e5f1c37ea714.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
  C:\Users\Admin\AppData\Local\Temp\24B0.exe (PID 2512)
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\explorer.exe (PID 2796)
  C:\Windows\explorer.exe (PID 2848)
  C:\Windows\SysWOW64\explorer.exe (PID 2932)
  C:\Windows\explorer.exe (PID 2972)
  C:\Windows\SysWOW64\explorer.exe (PID 1508)
  C:\Windows\SysWOW64\explorer.exe (PID 1960)
  C:\Windows\SysWOW64\explorer.exe (PID 2712)
  C:\Windows\explorer.exe (PID 2820)
  C:\Windows\SysWOW64\explorer.exe (PID 2732)
  C:\Windows\system32\certreq.exe (PID 2304)
    command line: "C:\Windows\system32\certreq.exe"
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - outlook_office_path
    - outlook_win_path
  C:\Users\Admin\AppData\Local\Temp\BF1C.exe (PID 1704)
    - Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\D54B.exe (PID 2108)
  C:\Windows\SysWOW64\explorer.exe (PID 1172)
  C:\Windows\explorer.exe (PID 2152)
  C:\Windows\SysWOW64\explorer.exe (PID 2936)
C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe (PID 1668)
  command line: "C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe (PID 3036)
    command line: "C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe (PID 3016)
  command line: "C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe (PID 2132)
    command line: "C:\Users\Admin\AppData\Local\Microsoft\~st]e.exe"
    - Executes dropped EXE
  C:\Windows\system32\cmd.exe (PID 2328)
    command line: "C:\Windows\system32\cmd.exe"
    C:\Windows\system32\netsh.exe (PID 1256)
      command line: netsh advfirewall set currentprofile state off
      - Modifies Windows Firewall
    C:\Windows\system32\netsh.exe (PID 2396)
      command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
  C:\Windows\system32\cmd.exe (PID 1564)
    command line: "C:\Windows\system32\cmd.exe"
    C:\Windows\system32\vssadmin.exe (PID 888)
      command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
C:\Users\Admin\AppData\Local\Microsoft\1aL1rP.exe (PID 1200)
  command line: "C:\Users\Admin\AppData\Local\Microsoft\1aL1rP.exe"
  - Executes dropped EXE
C:\Windows\system32\taskeng.exe (PID 2792)
  command line: taskeng.exe {B18B27C8-722E-4D01-8694-97D85903E6C3} S-1-5-21-722410544-1258951091-1992882075-1000:MGKTNXNO\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\gdfbwaj (PID 1680)
    - Executes dropped EXE
C:\Windows\system32\vssvc.exe (PID 2716)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.id[51F095FA-3483].[[email protected]].8baseFilesize
143.1MB
MD5bc5f1d1e4df27daacdfcb5c0ed15dc37
SHA17a211bed06367a2ddf1917f9d8caa707d6e65a43
SHA256f86bb5cef9aa455c2e17dcad20ccd329be5333a85dbfb52014a425d58578d97e
SHA5124aa669c2762c122e1f96e0c0b6b7077fd522f7d92c11420b6278f2593805e1b30d64deb9da6bc6cb03258188c07d06209730eb18545e9f8d2d3c2f2a18a653d9
-
C:\Users\Admin\AppData\Local\Microsoft\1aL1rP.exeFilesize
164KB
MD516bab536f93bbf833bca053e355402ee
SHA18b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f
-
C:\Users\Admin\AppData\Local\Microsoft\~st]e.exeFilesize
164KB
MD57166d39e9c1cb17e1728d316531242b1
SHA1d05810943685bcd70999ff0926215f5d6fe2637a
SHA2568879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214
-
C:\Users\Admin\AppData\Local\Microsoft\~st]e.exeFilesize
164KB
MD57166d39e9c1cb17e1728d316531242b1
SHA1d05810943685bcd70999ff0926215f5d6fe2637a
SHA2568879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214
-
C:\Users\Admin\AppData\Local\Microsoft\~st]e.exeFilesize
164KB
MD57166d39e9c1cb17e1728d316531242b1
SHA1d05810943685bcd70999ff0926215f5d6fe2637a
SHA2568879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214
-
C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exeFilesize
163KB
MD57d39a3778ad4a5d5e6c7e78fc9e05a00
SHA12b030e3180efb06721404fa0de1fbe4998618225
SHA25621a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA5121a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e
-
C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exeFilesize
163KB
MD57d39a3778ad4a5d5e6c7e78fc9e05a00
SHA12b030e3180efb06721404fa0de1fbe4998618225
SHA25621a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA5121a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e
-
C:\Users\Admin\AppData\Local\Microsoft\~~P7P.exeFilesize
163KB
MD57d39a3778ad4a5d5e6c7e78fc9e05a00
SHA12b030e3180efb06721404fa0de1fbe4998618225
SHA25621a3bdc28c80ad2f590418c95fa8ff8c21f2e8b80166c7dea43ddc70c16bfaf9
SHA5121a0693245d226de50eacd2c8ae0081cea3c20e8b9f6f0f0dff69468aba294c402fba321920129346528bc1d5512e6db31f551f049b95177add129dae6148cc2e
-
C:\Users\Admin\AppData\Local\Temp\24B0.exeFilesize
374KB
MD511715c27335a026129dfc1695ebc8888
SHA10ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220
-
C:\Users\Admin\AppData\Local\Temp\24B0.exeFilesize
374KB
MD511715c27335a026129dfc1695ebc8888
SHA10ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220
-
C:\Users\Admin\AppData\Local\Temp\24B0.exeFilesize
374KB
MD511715c27335a026129dfc1695ebc8888
SHA10ffaa4f65fbf2bc0750b972621f37c787b0231e2
SHA256c4c5c296ff9dd8f2518960f5521747335c5a457e3cb0be2eee0bf8bcf8f64482
SHA512f7743e16fa619a90cb2c216bc46e2f3b10973e2d3aeb81be27d284e52758cc6fd204dc0babef2bfd01e8bfdc12e70c35dd0f50472f06635f489d2db8060b1220
-
C:\Users\Admin\AppData\Local\Temp\BF1C.exeFilesize
164KB
MD57166d39e9c1cb17e1728d316531242b1
SHA1d05810943685bcd70999ff0926215f5d6fe2637a
SHA2568879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214
-
C:\Users\Admin\AppData\Local\Temp\BF1C.exeFilesize
164KB
MD57166d39e9c1cb17e1728d316531242b1
SHA1d05810943685bcd70999ff0926215f5d6fe2637a
SHA2568879a7a950a3916f5438685f994ee829a20e4c60021db73060cd078e4a72b5a7
SHA512b377a2605a34a0fe98a1c49db7d3898e12850944c323b7a4d19c1f5e2081e688624127de529e961da530b7439813495cc254957cb2e16ffea999d943f0fc4214
-
C:\Users\Admin\AppData\Local\Temp\D54B.exeFilesize
164KB
MD516bab536f93bbf833bca053e355402ee
SHA18b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f
-
C:\Users\Admin\AppData\Local\Temp\D54B.exeFilesize
164KB
MD516bab536f93bbf833bca053e355402ee
SHA18b7ccbef0fcb0edab800b6ddc0c9d302b0a03374
SHA256b8c302a27f96d81723dae52638784519772a968b84533a793e69aab74ef08ba4
SHA512c7f9b1f0a6034e22b61febcab103482dc613f861a987e53569a2526aba56826fd06f98fe357506fd4f2806abc7f84c3d86e2e046cdfac3539eea6e67ff9c603f
-
C:\Users\Admin\AppData\Roaming\gdfbwaj
Filesize 164KB
MD5 1b94e6504da7365a7ac9e5f1c37ea714
SHA1 b2c784470f5400680f275943aacfcbef6cda5c88
SHA256 eeb18dec0f9402e96fb629ab201890d8b2fcfeb45e890e42e3a79a799e575771
SHA512 6b86bdea9ed18fc11e32c0ce7e6883677fa5e3dfad053200e6757a51cc4b11a5adf0757853c9b4421796e7789d75af17c686ca513a9d442a7a0fa093920d012e
-
memory/1172-2854-0x00000000000C0000-0x000000000012B000-memory.dmp
Filesize 428KB
-
memory/1172-2850-0x0000000000130000-0x00000000001B0000-memory.dmp
Filesize 512KB
-
memory/1172-2841-0x00000000000C0000-0x000000000012B000-memory.dmp
Filesize 428KB
-
memory/1172-2890-0x00000000000C0000-0x000000000012B000-memory.dmp
Filesize 428KB
-
memory/1200-187-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/1200-479-0x0000000000590000-0x0000000000690000-memory.dmp
Filesize 1024KB
-
memory/1200-480-0x0000000000230000-0x0000000000235000-memory.dmp
Filesize 20KB
-
memory/1200-184-0x0000000000230000-0x0000000000235000-memory.dmp
Filesize 20KB
-
memory/1200-183-0x0000000000590000-0x0000000000690000-memory.dmp
Filesize 1024KB
-
memory/1400-58-0x0000000002A90000-0x0000000002AA6000-memory.dmp
Filesize 88KB
-
memory/1400-229-0x00000000025D0000-0x00000000025E6000-memory.dmp
Filesize 88KB
-
memory/1508-88-0x0000000000080000-0x00000000000A7000-memory.dmp
Filesize 156KB
-
memory/1508-89-0x00000000000B0000-0x00000000000D2000-memory.dmp
Filesize 136KB
-
memory/1508-107-0x0000000000080000-0x00000000000A7000-memory.dmp
Filesize 156KB
-
memory/1668-174-0x00000000006B0000-0x00000000007B0000-memory.dmp
Filesize 1024KB
-
memory/1668-177-0x0000000000220000-0x0000000000229000-memory.dmp
Filesize 36KB
-
memory/1960-93-0x0000000000080000-0x0000000000089000-memory.dmp
Filesize 36KB
-
memory/1960-92-0x0000000000080000-0x00000000000A7000-memory.dmp
Filesize 156KB
-
memory/1960-90-0x0000000000080000-0x0000000000089000-memory.dmp
Filesize 36KB
-
memory/1960-110-0x0000000000080000-0x00000000000A7000-memory.dmp
Filesize 156KB
-
memory/2132-2842-0x0000000000600000-0x0000000000700000-memory.dmp
Filesize 1024KB
-
memory/2132-2844-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/2152-3027-0x0000000000070000-0x0000000000077000-memory.dmp
Filesize 28KB
-
memory/2152-3014-0x0000000000060000-0x000000000006C000-memory.dmp
Filesize 48KB
-
memory/2304-149-0x00000000776C0000-0x0000000077869000-memory.dmp
Filesize 1.7MB
-
memory/2304-151-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-140-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-138-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-139-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-142-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-166-0x00000000776C0000-0x0000000077869000-memory.dmp
Filesize 1.7MB
-
memory/2304-165-0x0000000000120000-0x0000000000122000-memory.dmp
Filesize 8KB
-
memory/2304-162-0x00000000776C0000-0x0000000077869000-memory.dmp
Filesize 1.7MB
-
memory/2304-154-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-120-0x0000000000060000-0x0000000000063000-memory.dmp
Filesize 12KB
-
memory/2304-153-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-152-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-141-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-150-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-148-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-147-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-146-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-144-0x000007FFFFE80000-0x000007FFFFFAD000-memory.dmp
Filesize 1.2MB
-
memory/2304-135-0x0000000000060000-0x0000000000063000-memory.dmp
Filesize 12KB
-
memory/2304-136-0x0000000000120000-0x0000000000127000-memory.dmp
Filesize 28KB
-
memory/2392-55-0x0000000000590000-0x0000000000690000-memory.dmp
Filesize 1024KB
-
memory/2392-59-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/2392-57-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/2392-56-0x0000000000220000-0x0000000000229000-memory.dmp
Filesize 36KB
-
memory/2512-130-0x0000000002A20000-0x0000000002A56000-memory.dmp
Filesize 216KB
-
memory/2512-116-0x0000000001F50000-0x0000000002350000-memory.dmp
Filesize 4.0MB
-
memory/2512-134-0x0000000001F50000-0x0000000002350000-memory.dmp
Filesize 4.0MB
-
memory/2512-133-0x0000000000400000-0x0000000000517000-memory.dmp
Filesize 1.1MB
-
memory/2512-131-0x0000000001F50000-0x0000000002350000-memory.dmp
Filesize 4.0MB
-
memory/2512-111-0x0000000000400000-0x0000000000517000-memory.dmp
Filesize 1.1MB
-
memory/2512-108-0x00000000002D0000-0x00000000003D0000-memory.dmp
Filesize 1024KB
-
memory/2512-129-0x0000000000400000-0x0000000000517000-memory.dmp
Filesize 1.1MB
-
memory/2512-123-0x0000000002A20000-0x0000000002A56000-memory.dmp
Filesize 216KB
-
memory/2512-122-0x0000000000590000-0x0000000000601000-memory.dmp
Filesize 452KB
-
memory/2512-121-0x00000000002D0000-0x00000000003D0000-memory.dmp
Filesize 1024KB
-
memory/2512-113-0x00000000001C0000-0x00000000001C7000-memory.dmp
Filesize 28KB
-
memory/2512-115-0x0000000001F50000-0x0000000002350000-memory.dmp
Filesize 4.0MB
-
memory/2512-114-0x0000000001F50000-0x0000000002350000-memory.dmp
Filesize 4.0MB
-
memory/2512-118-0x0000000001F50000-0x0000000002350000-memory.dmp
Filesize 4.0MB
-
memory/2512-109-0x0000000000590000-0x0000000000601000-memory.dmp
Filesize 452KB
-
memory/2712-98-0x00000000000C0000-0x00000000000CB000-memory.dmp
Filesize 44KB
-
memory/2712-112-0x00000000000D0000-0x00000000000D6000-memory.dmp
Filesize 24KB
-
memory/2712-96-0x00000000000C0000-0x00000000000CB000-memory.dmp
Filesize 44KB
-
memory/2712-97-0x00000000000D0000-0x00000000000D6000-memory.dmp
Filesize 24KB
-
memory/2732-106-0x0000000000080000-0x000000000008B000-memory.dmp
Filesize 44KB
-
memory/2732-119-0x00000000000E0000-0x00000000000ED000-memory.dmp
Filesize 52KB
-
memory/2732-103-0x0000000000080000-0x000000000008B000-memory.dmp
Filesize 44KB
-
memory/2732-105-0x00000000000E0000-0x00000000000ED000-memory.dmp
Filesize 52KB
-
memory/2796-77-0x0000000000080000-0x000000000008B000-memory.dmp
Filesize 44KB
-
memory/2796-94-0x0000000000080000-0x000000000008B000-memory.dmp
Filesize 44KB
-
memory/2796-91-0x0000000000090000-0x0000000000097000-memory.dmp
Filesize 28KB
-
memory/2796-78-0x0000000000080000-0x000000000008B000-memory.dmp
Filesize 44KB
-
memory/2796-76-0x0000000000090000-0x0000000000097000-memory.dmp
Filesize 28KB
-
memory/2820-117-0x00000000000C0000-0x00000000000CB000-memory.dmp
Filesize 44KB
-
memory/2820-101-0x00000000000C0000-0x00000000000CB000-memory.dmp
Filesize 44KB
-
memory/2820-99-0x00000000000E0000-0x00000000000ED000-memory.dmp
Filesize 52KB
-
memory/2820-102-0x00000000000E0000-0x00000000000ED000-memory.dmp
Filesize 52KB
-
memory/2848-95-0x0000000000070000-0x0000000000079000-memory.dmp
Filesize 36KB
-
memory/2848-79-0x0000000000060000-0x000000000006F000-memory.dmp
Filesize 60KB
-
memory/2848-80-0x0000000000070000-0x0000000000079000-memory.dmp
Filesize 36KB
-
memory/2848-81-0x0000000000060000-0x000000000006F000-memory.dmp
Filesize 60KB
-
memory/2932-100-0x00000000000D0000-0x00000000000D5000-memory.dmp
Filesize 20KB
-
memory/2932-82-0x0000000000080000-0x0000000000089000-memory.dmp
Filesize 36KB
-
memory/2932-83-0x00000000000D0000-0x00000000000D5000-memory.dmp
Filesize 20KB
-
memory/2932-84-0x0000000000080000-0x0000000000089000-memory.dmp
Filesize 36KB
-
memory/2936-3114-0x0000000000080000-0x0000000000089000-memory.dmp
Filesize 36KB
-
memory/2972-85-0x0000000000060000-0x000000000006C000-memory.dmp
Filesize 48KB
-
memory/2972-87-0x0000000000060000-0x000000000006C000-memory.dmp
Filesize 48KB
-
memory/2972-104-0x0000000000070000-0x0000000000076000-memory.dmp
Filesize 24KB
-
memory/2972-86-0x0000000000070000-0x0000000000076000-memory.dmp
Filesize 24KB
-
memory/3016-186-0x00000000002B0000-0x00000000003B0000-memory.dmp
Filesize 1024KB
-
memory/3016-1583-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/3016-2403-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/3016-167-0x00000000002B0000-0x00000000003B0000-memory.dmp
Filesize 1024KB
-
memory/3016-169-0x00000000001B0000-0x00000000001BF000-memory.dmp
Filesize 60KB
-
memory/3016-170-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/3016-470-0x0000000000400000-0x00000000004E3000-memory.dmp
Filesize 908KB
-
memory/3036-176-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
Filesize 4KB
-
memory/3036-230-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize 36KB
-
memory/3036-179-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize 36KB
-
memory/3036-181-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize 36KB