Analysis
-
max time kernel
155s -
max time network
150s -
platform
windows7_x64 -
resource
win7-en-20211014 -
submitted
03-11-2021 19:40
Static task
static1
Behavioral task
behavioral1
Sample
RIOSAT_DOC.xlsx
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
RIOSAT_DOC.xlsx
Resource
win10-en-20210920
General
-
Target
RIOSAT_DOC.xlsx
-
Size
201KB
-
MD5
4ed0940e6e53d246dae50a1a7dda5f68
-
SHA1
4439f0cdb3937226cb4015ec4c2df54a36c29f65
-
SHA256
e6b973beff845a214101c3f4714d32f15112b86a9fbfbd301914063f2e4e5677
-
SHA512
7f7734d8f9983339f279e95b76ce78743875889e5a1e7951f80e9e984ac34b31312ee0f80682976895e030d0784ec17be5b0ec65536a86b448706979a0f288f9
Malware Config
Extracted
xloader
2.5
ht08
http://www.septemberstockevent200.com/ht08/
joye.club
istanbulemlakgalerisi.online
annikadaniel.love
oooci.com
curebase-test.com
swisstradecenter.com
hacticum.com
centercodebase.com
recbi56ni.com
mmj0115.xyz
sharpstead.com
sprklbeauty.com
progettogenesi.cloud
dolinum.com
amaroqadvisors.com
traininig.com
leewaysvcs.com
nashhomesearch.com
joy1263.com
serkanyamac.com
nursingprogramsforme.com
huakf.com
1w3.online
watermountsteam.top
tyralruutan.quest
mattlambert.xyz
xn--fiqs8sypgfujbl4a.xn--czru2d
hfgoal.com
587868.net
noyoucantridemyonewheel.com
riewesell.top
expn.asia
suplementarsas.com
item154655544.com
cdgdentists.com
deboraverdian.com
franquiciasexclusivas.tienda
tminus-10.com
psychoterapeuta-wroclaw.com
coachingbywatson.com
lknitti.net
belenpison.agency
facilitetec.com
99077000.com
thefitmog.com
kinmanpowerwashing.com
escueladelbuenamor.com
getjoyce.net
oilelm.com
maikoufarm.com
hespresso.net
timothyschmallrealt.com
knoxvilleraingutters.com
roonkingagency.online
trashwasher.com
angyfoods.com
yungbredda.com
digipoint-entertainment.com
shangduli.space
kalaraskincare.com
ktnsound.xyz
miabellavita.com
thenlpmentor.com
marzhukov.com
Signatures
-
Detect Neshta Payload 5 IoCs
Processes:
resource yara_rule \Users\Public\vbc.exe family_neshta \Users\Public\vbc.exe family_neshta C:\Users\Public\vbc.exe family_neshta C:\Users\Public\vbc.exe family_neshta C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\VBC_1_~1.EXE family_neshta -
Modifies system executable filetype association 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe -
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1604-77-0x0000000000000000-mapping.dmp xloader behavioral1/memory/1604-80-0x0000000072480000-0x00000000724A9000-memory.dmp xloader behavioral1/memory/1292-96-0x0000000000080000-0x00000000000A9000-memory.dmp xloader -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 836 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
vbc.exevbc.exepid process 1164 vbc.exe 868 vbc.exe -
Loads dropped DLL 6 IoCs
Processes:
EQNEDT32.EXEvbc.exepid process 836 EQNEDT32.EXE 836 EQNEDT32.EXE 1164 vbc.exe 1164 vbc.exe 1164 vbc.exe 1164 vbc.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\Qmvtdvov = "C:\\Users\\Public\\Libraries\\vovdtvmQ.url" vbc.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
logagent.exehelp.exedescription pid process target process PID 1604 set thread context of 1368 1604 logagent.exe Explorer.EXE PID 1292 set thread context of 1368 1292 help.exe Explorer.EXE -
Drops file in Program Files directory 64 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe vbc.exe File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~4.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~2.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\OIS.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GO664E~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOBD5D~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe vbc.exe File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe vbc.exe File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe vbc.exe File opened for modification C:\PROGRA~3\PACKAG~1\{F4220~1\VC_RED~1.EXE vbc.exe File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE vbc.exe File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe vbc.exe File opened for modification C:\PROGRA~2\WINDOW~4\ImagingDevices.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE vbc.exe File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe vbc.exe File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE vbc.exe File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE vbc.exe File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~3.EXE vbc.exe File opened for modification C:\PROGRA~2\Google\Update\1336~1.71\GOOGLE~1.EXE vbc.exe -
Drops file in Windows directory 1 IoCs
Processes:
vbc.exedescription ioc process File opened for modification C:\Windows\svchost.com vbc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
EXCEL.EXEdescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEvbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" vbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE -
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 428 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
logagent.exehelp.exepid process 1604 logagent.exe 1604 logagent.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe 1292 help.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1368 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
logagent.exehelp.exepid process 1604 logagent.exe 1604 logagent.exe 1604 logagent.exe 1292 help.exe 1292 help.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
logagent.exehelp.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 1604 logagent.exe Token: SeDebugPrivilege 1292 help.exe Token: SeShutdownPrivilege 1368 Explorer.EXE Token: SeShutdownPrivilege 1368 Explorer.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
EXCEL.EXEpid process 428 EXCEL.EXE 428 EXCEL.EXE 428 EXCEL.EXE -
Suspicious use of WriteProcessMemory 47 IoCs
Processes:
EQNEDT32.EXEvbc.exevbc.execmd.execmd.exeExplorer.EXEcmd.exedescription pid process target process PID 836 wrote to memory of 1164 836 EQNEDT32.EXE vbc.exe PID 836 wrote to memory of 1164 836 EQNEDT32.EXE vbc.exe PID 836 wrote to memory of 1164 836 EQNEDT32.EXE vbc.exe PID 836 wrote to memory of 1164 836 EQNEDT32.EXE vbc.exe PID 1164 wrote to memory of 868 1164 vbc.exe vbc.exe PID 1164 wrote to memory of 868 1164 vbc.exe vbc.exe PID 1164 wrote to memory of 868 1164 vbc.exe vbc.exe PID 1164 wrote to memory of 868 1164 vbc.exe vbc.exe PID 868 wrote to memory of 1604 868 vbc.exe logagent.exe PID 868 wrote to memory of 1604 868 vbc.exe logagent.exe PID 868 wrote to memory of 1604 868 vbc.exe logagent.exe PID 868 wrote to memory of 1604 868 vbc.exe logagent.exe PID 868 wrote to memory of 1604 868 vbc.exe logagent.exe PID 868 wrote to memory of 1604 868 vbc.exe logagent.exe PID 868 wrote to memory of 1604 868 vbc.exe logagent.exe PID 868 wrote to memory of 552 868 vbc.exe cmd.exe PID 868 wrote to memory of 552 868 vbc.exe cmd.exe PID 868 wrote to memory of 552 868 vbc.exe cmd.exe PID 868 wrote to memory of 552 868 vbc.exe cmd.exe PID 552 wrote to memory of 304 552 cmd.exe cmd.exe PID 552 wrote to memory of 304 552 cmd.exe cmd.exe PID 552 wrote to memory of 304 552 cmd.exe cmd.exe PID 552 wrote to memory of 304 552 cmd.exe cmd.exe PID 304 wrote to memory of 1120 304 cmd.exe reg.exe PID 304 wrote to memory of 1120 304 cmd.exe reg.exe PID 304 wrote to memory of 1120 304 cmd.exe reg.exe PID 304 wrote to memory of 1120 304 cmd.exe reg.exe PID 304 wrote to memory of 1484 304 cmd.exe reg.exe PID 304 wrote to memory of 1484 304 cmd.exe reg.exe PID 304 wrote to memory of 1484 304 cmd.exe reg.exe PID 304 wrote to memory of 1484 304 cmd.exe reg.exe PID 304 wrote to memory of 2020 304 cmd.exe schtasks.exe PID 304 wrote to memory of 2020 304 cmd.exe schtasks.exe PID 304 wrote to memory of 2020 304 cmd.exe schtasks.exe PID 304 wrote to memory of 2020 304 cmd.exe schtasks.exe PID 1368 wrote to memory of 1292 1368 Explorer.EXE help.exe PID 1368 wrote to memory of 1292 1368 Explorer.EXE help.exe PID 1368 wrote to memory of 1292 1368 Explorer.EXE help.exe PID 1368 wrote to memory of 1292 1368 Explorer.EXE help.exe PID 868 wrote to memory of 2040 868 vbc.exe cmd.exe PID 868 wrote to memory of 2040 868 vbc.exe cmd.exe PID 868 wrote to memory of 2040 868 vbc.exe cmd.exe PID 868 wrote to memory of 2040 868 vbc.exe cmd.exe PID 2040 wrote to memory of 984 2040 cmd.exe reg.exe PID 2040 wrote to memory of 984 2040 cmd.exe reg.exe PID 2040 wrote to memory of 984 2040 cmd.exe reg.exe PID 2040 wrote to memory of 984 2040 cmd.exe reg.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RIOSAT_DOC.xlsx2⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:428 -
C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\logagent.exeC:\Windows\System32\logagent.exe4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1604 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\Trast.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat5⤵
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f6⤵
- Modifies registry key
PID:1120 -
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f && REM "6⤵
- Modifies registry key
PID:1484 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I6⤵PID:2020
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Public\nest.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
PID:984
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\MICROS~1\Windows\TEMPOR~1\Content.IE5\RHI8KPQK\VBC_1_~1.EXEMD5
30c7103e4ac74802a7c3695736d2592e
SHA1aa151cf41f533688026f84316328a409323ac426
SHA256cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117
SHA51260668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
c345295004c073b4ffd93d6b1bcbe07b
SHA138dd21c44fc9a358ad260a98b39f9522a444231f
SHA256674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253
SHA512918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0
-
C:\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
c345295004c073b4ffd93d6b1bcbe07b
SHA138dd21c44fc9a358ad260a98b39f9522a444231f
SHA256674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253
SHA512918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0
-
C:\Users\Public\LIBRAR~1\Qmvtdvov\Qmvtdvov.exeMD5
24aaa6b488ab77b9b4a28c0d0a60141a
SHA15280ab8f4061fc75921e9a3fdfe67c222c4acef2
SHA2563973f0d23af9f2f090dca5b50d628f41dd5b848157e2470bcd146f3eb6236ea8
SHA512719d3f72fbc148f5240c5d12289a01ce804e7e74bfc7acb104ac5092a4a238f66ed121abb385ddb3b3c1b526c5910f8c9787a2b4af6c27ea133e9194cf25b69c
-
C:\Users\Public\Trast.batMD5
4068c9f69fcd8a171c67f81d4a952a54
SHA14d2536a8c28cdcc17465e20d6693fb9e8e713b36
SHA25624222300c78180b50ed1f8361ba63cb27316ec994c1c9079708a51b4a1a9d810
SHA512a64f9319acc51fffd0491c74dcd9c9084c2783b82f95727e4bfe387a8528c6dcf68f11418e88f1e133d115daf907549c86dd7ad866b2a7938add5225fbb2811d
-
C:\Users\Public\UKO.batMD5
eaf8d967454c3bbddbf2e05a421411f8
SHA16170880409b24de75c2dc3d56a506fbff7f6622c
SHA256f35f2658455a2e40f151549a7d6465a836c33fa9109e67623916f889849eac56
SHA512fe5be5c673e99f70c93019d01abb0a29dd2ecf25b2d895190ff551f020c28e7d8f99f65007f440f0f76c5bcac343b2a179a94d190c938ea3b9e1197890a412e9
-
C:\Users\Public\nest.batMD5
8ada51400b7915de2124baaf75e3414c
SHA11a7b9db12184ab7fd7fce1c383f9670a00adb081
SHA25645aa3957c29865260a78f03eef18ae9aebdbf7bea751ecc88be4a799f2bb46c7
SHA5129afc138157a4565294ca49942579cdb6f5d8084e56f9354738de62b585f4c0fa3e7f2cbc9541827f2084e3ff36c46eed29b46f5dd2444062ffcd05c599992e68
-
C:\Users\Public\vbc.exeMD5
30c7103e4ac74802a7c3695736d2592e
SHA1aa151cf41f533688026f84316328a409323ac426
SHA256cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117
SHA51260668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35
-
C:\Users\Public\vbc.exeMD5
30c7103e4ac74802a7c3695736d2592e
SHA1aa151cf41f533688026f84316328a409323ac426
SHA256cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117
SHA51260668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35
-
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXEMD5
9e2b9928c89a9d0da1d3e8f4bd96afa7
SHA1ec66cda99f44b62470c6930e5afda061579cde35
SHA2568899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043
SHA5122ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
c345295004c073b4ffd93d6b1bcbe07b
SHA138dd21c44fc9a358ad260a98b39f9522a444231f
SHA256674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253
SHA512918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0
-
\Users\Admin\AppData\Local\Temp\3582-490\vbc.exeMD5
c345295004c073b4ffd93d6b1bcbe07b
SHA138dd21c44fc9a358ad260a98b39f9522a444231f
SHA256674b9499d6502f4e84c89499655645f4bee8b027ed127834f2b354637eb4b253
SHA512918274e570f07a2b8d1f7cd35d529149e7dc039f19181b06d86912c4fad25ead3b1c65f25d236521e07b64e9ffd83fdd0f37b708fed5a109c55d24b314aaa4c0
-
\Users\Public\LIBRAR~1\Qmvtdvov\Qmvtdvov.exeMD5
24aaa6b488ab77b9b4a28c0d0a60141a
SHA15280ab8f4061fc75921e9a3fdfe67c222c4acef2
SHA2563973f0d23af9f2f090dca5b50d628f41dd5b848157e2470bcd146f3eb6236ea8
SHA512719d3f72fbc148f5240c5d12289a01ce804e7e74bfc7acb104ac5092a4a238f66ed121abb385ddb3b3c1b526c5910f8c9787a2b4af6c27ea133e9194cf25b69c
-
\Users\Public\vbc.exeMD5
30c7103e4ac74802a7c3695736d2592e
SHA1aa151cf41f533688026f84316328a409323ac426
SHA256cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117
SHA51260668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35
-
\Users\Public\vbc.exeMD5
30c7103e4ac74802a7c3695736d2592e
SHA1aa151cf41f533688026f84316328a409323ac426
SHA256cda1086841f6d462f662c6b2e643e7d1c4868ea56d848733f3270fa2a780e117
SHA51260668c9f1e48dd99a04d5c6d8158f1412bc19fe3d4d00973a9c61acb3171c73b976430dfc41586825b1347600ee6ff658f14ede153b7c7fe310ff632f84faf35
-
memory/304-82-0x0000000000000000-mapping.dmp
-
memory/428-55-0x000000002FAE1000-0x000000002FAE4000-memory.dmpFilesize
12KB
-
memory/428-57-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/428-104-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/428-56-0x0000000070EB1000-0x0000000070EB3000-memory.dmpFilesize
8KB
-
memory/552-78-0x0000000000000000-mapping.dmp
-
memory/836-58-0x0000000075F41000-0x0000000075F43000-memory.dmpFilesize
8KB
-
memory/868-67-0x0000000000000000-mapping.dmp
-
memory/868-71-0x00000000003E1000-0x00000000003F5000-memory.dmpFilesize
80KB
-
memory/868-70-0x00000000003C0000-0x00000000003C1000-memory.dmpFilesize
4KB
-
memory/984-100-0x0000000000000000-mapping.dmp
-
memory/1120-84-0x0000000000000000-mapping.dmp
-
memory/1164-61-0x0000000000000000-mapping.dmp
-
memory/1292-96-0x0000000000080000-0x00000000000A9000-memory.dmpFilesize
164KB
-
memory/1292-94-0x0000000000000000-mapping.dmp
-
memory/1292-101-0x00000000004F0000-0x0000000000580000-memory.dmpFilesize
576KB
-
memory/1292-95-0x0000000000300000-0x0000000000306000-memory.dmpFilesize
24KB
-
memory/1292-97-0x0000000000A60000-0x0000000000D63000-memory.dmpFilesize
3.0MB
-
memory/1368-102-0x0000000009960000-0x0000000009AE3000-memory.dmpFilesize
1.5MB
-
memory/1368-91-0x0000000007C60000-0x0000000007E00000-memory.dmpFilesize
1.6MB
-
memory/1484-85-0x0000000000000000-mapping.dmp
-
memory/1604-79-0x0000000000090000-0x0000000000091000-memory.dmpFilesize
4KB
-
memory/1604-80-0x0000000072480000-0x00000000724A9000-memory.dmpFilesize
164KB
-
memory/1604-77-0x0000000000000000-mapping.dmp
-
memory/1604-75-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/1604-90-0x0000000000240000-0x0000000000251000-memory.dmpFilesize
68KB
-
memory/1604-89-0x0000000002120000-0x0000000002423000-memory.dmpFilesize
3.0MB
-
memory/1604-74-0x0000000072480000-0x00000000724A9000-memory.dmpFilesize
164KB
-
memory/2020-86-0x0000000000000000-mapping.dmp
-
memory/2040-98-0x0000000000000000-mapping.dmp