Analysis
- max time kernel: 1640s
- max time network: 1427s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 17-03-2022 12:11

Behavioral task: behavioral1
Sample: c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf.zip
Resource: win10v2004-en-20220113

General
- Target: c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf.zip
- Size: 116KB
- MD5: 4dc8ba09c045dd5a7337bb11ac971358
- SHA1: 3bc46bc37b2493ec53ecf391077d564cb7ed6755
- SHA256: c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf
- SHA512: a5adc9ab69b8de2970d85f6543106777e1c9149cb9f2b7daa4ffca0dc5ebb72ceac7ece46d1ce613a5c5be9b54e524a4f0b0350666fba417ff56f3a5d8816548
Malware Config
Signatures

Adds Run key to start application 2 TTPs 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

Drops file in Program Files directory 2 IoCs
Processes: setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\181cd27d-55f3-47b7-a3b3-2d5452bab608.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220317121346.pma | setup.exe

Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: WINWORD.EXE, WINWORD.EXE, EXCEL.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE

Enumerates system info in registry 2 TTPs 15 IoCs
Processes: msedge.exe, WINWORD.EXE, EXCEL.EXE, WINWORD.EXE, WINWORD.EXE
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS 1 IoCs
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe

Modifies registry class 1 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs
Processes: WINWORD.EXE, WINWORD.EXE, WINWORD.EXE, EXCEL.EXE
pid | process
4124 | WINWORD.EXE
3900 | WINWORD.EXE
1576 | WINWORD.EXE
2652 | EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe
pid | process
2692 | msedge.exe
3860 | msedge.exe
1224 | identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes: msedge.exe
pid | process
3860 | msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes: svchost.exe
description | pid | process
Token: SeTcbPrivilege | 1440 | svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs
Processes: msedge.exe
pid | process
3860 | msedge.exe

Suspicious use of SetWindowsHookEx 35 IoCs
Processes: WINWORD.EXE, WINWORD.EXE, WINWORD.EXE, EXCEL.EXE
pid | process
4124 | WINWORD.EXE
3900 | WINWORD.EXE
1576 | WINWORD.EXE
2652 | EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
description | pid | process | target process
PID 3860 wrote to memory of 2792 | 3860 | msedge.exe | msedge.exe
PID 3860 wrote to memory of 740 | 3860 | msedge.exe | msedge.exe
PID 3860 wrote to memory of 2692 | 3860 | msedge.exe | msedge.exe
PID 3860 wrote to memory of 4236 | 3860 | msedge.exe | msedge.exe

Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf.zip1⤵PID:1932
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:4020
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\RFQ.pdf1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3860 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc8add46f8,0x7ffc8add4708,0x7ffc8add47182⤵PID:2792
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵PID:740
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:82⤵PID:4236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:12⤵PID:2800
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:12⤵PID:4680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5316 /prefetch:82⤵PID:1404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵PID:3188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5608 /prefetch:62⤵PID:4336
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:82⤵PID:3508
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:1300 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff71c835460,0x7ff71c835470,0x7ff71c8354803⤵PID:2004
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1224 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:12⤵PID:2320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:12⤵PID:856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,17317789001568862371,9250302148035456833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:82⤵PID:1888
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2404
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵PID:4260
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\Technical qualification statement.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4124
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\commercial qualification statement.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3900
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\406 - Low Value Purchase Order.docx" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1576
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\c6a0e1404bf24a7a3d6197d01cdd881b287b5ee25bf94990a3ad9f4ab01d4bdf\rfq_6000026477_technical_bid_submission_sheet.xlsx"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2652
Network
MITRE ATT&CK Enterprise v6
Downloads
2.0MB
-
memory/3900-201-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-199-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-198-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-196-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-194-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-195-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-189-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-188-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/3900-187-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4020-130-0x000001EAE2D60000-0x000001EAE2D70000-memory.dmpFilesize
64KB
-
memory/4020-132-0x000001EAE5370000-0x000001EAE5374000-memory.dmpFilesize
16KB
-
memory/4020-131-0x000001EAE2F80000-0x000001EAE2F90000-memory.dmpFilesize
64KB
-
memory/4020-289-0x000001EAE56C0000-0x000001EAE56C4000-memory.dmpFilesize
16KB
-
memory/4020-290-0x000001EAE56B0000-0x000001EAE56B1000-memory.dmpFilesize
4KB
-
memory/4020-294-0x000001EAE5290000-0x000001EAE5291000-memory.dmpFilesize
4KB
-
memory/4020-293-0x000001EAE5390000-0x000001EAE5394000-memory.dmpFilesize
16KB
-
memory/4020-292-0x000001EAE5390000-0x000001EAE5391000-memory.dmpFilesize
4KB
-
memory/4020-291-0x000001EAE53A0000-0x000001EAE53A4000-memory.dmpFilesize
16KB
-
memory/4124-178-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-164-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-175-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-174-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-173-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-172-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-171-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-170-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-169-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-168-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-167-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-166-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-165-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-176-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-163-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-162-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-161-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-160-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-159-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-177-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-179-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-180-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-181-0x00007FFCA93B0000-0x00007FFCA95A5000-memory.dmpFilesize
2.0MB
-
memory/4124-158-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-157-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-156-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB
-
memory/4124-155-0x00007FFC69430000-0x00007FFC69440000-memory.dmpFilesize
64KB