Analysis Overview
SHA256
bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44
Threat Level: Known bad
The file bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44 was found to be: Known bad.
Malicious Activity Summary
RMS
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
ASPack v2.12-2.42
UPX packed file
Checks computer location settings
Loads dropped DLL
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Kills process with taskkill
Modifies registry class
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: SetClipboardViewer
Checks processor information in registry
Runs .reg file with regedit
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-16 02:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-16 02:03
Reported
2022-05-16 02:11
Platform
win7-20220414-en
Max time kernel
136s
Max time network
148s
Command Line
Signatures
RMS
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44.exe
"C:\Users\Admin\AppData\Local\Temp\bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\word\install.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\word\install.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Program Files\word\rutserv.exe
rutserv.exe /silentinstall
C:\Program Files\word\rutserv.exe
rutserv.exe /firewall
C:\Program Files\word\rutserv.exe
rutserv.exe /start
C:\Program Files\word\rutserv.exe
"C:\Program Files\word\rutserv.exe"
C:\Program Files\word\rfusclient.exe
"C:\Program Files\word\rfusclient.exe"
C:\Program Files\word\rfusclient.exe
"C:\Program Files\word\rfusclient.exe" /tray
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Program Files\word\1.doc"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Program Files\word\rfusclient.exe
"C:\Program Files\word\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
Files
memory/1512-54-0x0000000076421000-0x0000000076423000-memory.dmp
memory/1940-55-0x0000000000000000-mapping.dmp
C:\Program Files\word\install.vbs
| MD5 | 65fc32766a238ff3e95984e325357dbb |
| SHA1 | 3ac16a2648410be8aa75f3e2817fbf69bb0e8922 |
| SHA256 | a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420 |
| SHA512 | 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608 |
C:\Program Files\word\install.bat
| MD5 | 73e89f8df08e778feca688998addfec4 |
| SHA1 | a715a2dba5412da8bfd17ccff4cf931822463085 |
| SHA256 | 0506dec7ee56d3e967dba45fa02e410a9c79530878244c2b23e6599ec7ff6bfd |
| SHA512 | a93d30718fefc5b2dcf17f16b599f03f91fb7e8e99d9a2a7986d6138755866772446cd1c287b85c849b5505735f1d924aff534e5857a8a79e157c237f98892d2 |
memory/1228-59-0x0000000000000000-mapping.dmp
memory/2044-60-0x0000000000000000-mapping.dmp
memory/1888-61-0x0000000000000000-mapping.dmp
memory/388-62-0x0000000000000000-mapping.dmp
memory/1060-63-0x0000000000000000-mapping.dmp
C:\Program Files\word\regedit.reg
| MD5 | 7b9375d672ff35e2331439dc4bfb95a2 |
| SHA1 | 76bef183b79906643cd95177d2f4976666ec1d76 |
| SHA256 | 7a1071e0068f10191ff416c9133f133d63a56de1fc3c62baa4e57e3acecd7fa6 |
| SHA512 | 4aee9306a57570e99de699f8f6cb6eb2541fdbcc35b036cd90dbe5e15468faa61372c68b15b09f827a5bea5cdcb6eef6107bec4120b7e23674e6d979499e8e22 |
memory/1376-66-0x0000000000000000-mapping.dmp
\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1552-69-0x0000000000000000-mapping.dmp
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1552-72-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1552-73-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1552-74-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1552-75-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1552-76-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1552-77-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1596-78-0x0000000000000000-mapping.dmp
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1596-81-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1596-82-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1596-83-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1596-84-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1596-85-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1596-86-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1656-87-0x0000000000000000-mapping.dmp
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/1668-97-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1668-98-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1668-99-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1668-100-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/1668-101-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
C:\Program Files\word\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
C:\Program Files\word\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
memory/608-106-0x0000000000000000-mapping.dmp
\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/1072-108-0x0000000000000000-mapping.dmp
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/1072-113-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/608-114-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/608-115-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1072-116-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/608-117-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1072-118-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/608-119-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/608-121-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1072-120-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1072-122-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/1656-123-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/388-125-0x0000000000000000-mapping.dmp
memory/388-126-0x0000000072601000-0x0000000072604000-memory.dmp
memory/388-127-0x0000000070081000-0x0000000070083000-memory.dmp
memory/388-128-0x000000005FFF0000-0x0000000060000000-memory.dmp
C:\Program Files\word\1.doc
| MD5 | 2d17816c1b66dd964511796c037045e5 |
| SHA1 | 4f7199f48ed081de8a904a77ed73c65f35d15bf9 |
| SHA256 | 9585e54a4d46e70491c8098d9abeaeb470a12a2a45e1bfd00100d28d79df61c4 |
| SHA512 | 0b0c21f94ae6d4f7687a7e1fc92e182abd39da807f4465c22830d0a9425731d603c790d85481d3fbc4d6cfd34a2bb899adf02b30f30bfb0ad9bc031b51fe37be |
memory/1504-131-0x0000000000000000-mapping.dmp
memory/1504-132-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp
memory/1580-133-0x0000000000000000-mapping.dmp
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/1580-141-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/388-142-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/388-143-0x000000007106D000-0x0000000071078000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-16 02:03
Reported
2022-05-16 02:11
Platform
win10v2004-20220414-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
RMS
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rfusclient.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Program Files\word\rutserv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\word\rutserv.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44.exe
"C:\Users\Admin\AppData\Local\Temp\bc3758b4698a77d9126ad97c6bf695e2cfeb8b1ced85a948f24e7895c635ae44.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Program Files\word\install.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\word\install.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rutserv.exe
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rfusclient.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Remote Manipulator System" /f
C:\Windows\SysWOW64\regedit.exe
regedit /s "regedit.reg"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Program Files\word\rutserv.exe
rutserv.exe /silentinstall
C:\Program Files\word\rutserv.exe
rutserv.exe /firewall
C:\Program Files\word\rutserv.exe
rutserv.exe /start
C:\Program Files\word\rutserv.exe
"C:\Program Files\word\rutserv.exe"
C:\Program Files\word\rfusclient.exe
"C:\Program Files\word\rfusclient.exe" /tray
C:\Program Files\word\rfusclient.exe
"C:\Program Files\word\rfusclient.exe"
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Program Files\word\1.doc" /o ""
C:\Program Files\word\rfusclient.exe
"C:\Program Files\word\rfusclient.exe" /tray
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
| US | 93.184.220.29:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| US | 93.184.220.29:80 | tcp |
Files
memory/4816-130-0x0000000000000000-mapping.dmp
C:\Program Files\word\install.vbs
| MD5 | 65fc32766a238ff3e95984e325357dbb |
| SHA1 | 3ac16a2648410be8aa75f3e2817fbf69bb0e8922 |
| SHA256 | a7b067e9e4d44efe579c7cdb1e847d61af2323d3d73c6fffb22e178ae476f420 |
| SHA512 | 621e81fc2d0f9dd92413481864638a140bee94c7dbd31f944826b21bd6ad6b8a59e63de9f7f0025cffc0efb7f9975dde77f523510ee23ada62c152a63a22f608 |
C:\Program Files\word\install.bat
| MD5 | 73e89f8df08e778feca688998addfec4 |
| SHA1 | a715a2dba5412da8bfd17ccff4cf931822463085 |
| SHA256 | 0506dec7ee56d3e967dba45fa02e410a9c79530878244c2b23e6599ec7ff6bfd |
| SHA512 | a93d30718fefc5b2dcf17f16b599f03f91fb7e8e99d9a2a7986d6138755866772446cd1c287b85c849b5505735f1d924aff534e5857a8a79e157c237f98892d2 |
memory/2076-133-0x0000000000000000-mapping.dmp
memory/4924-134-0x0000000000000000-mapping.dmp
memory/4320-135-0x0000000000000000-mapping.dmp
memory/2556-136-0x0000000000000000-mapping.dmp
memory/2548-137-0x0000000000000000-mapping.dmp
C:\Program Files\word\regedit.reg
| MD5 | 7b9375d672ff35e2331439dc4bfb95a2 |
| SHA1 | 76bef183b79906643cd95177d2f4976666ec1d76 |
| SHA256 | 7a1071e0068f10191ff416c9133f133d63a56de1fc3c62baa4e57e3acecd7fa6 |
| SHA512 | 4aee9306a57570e99de699f8f6cb6eb2541fdbcc35b036cd90dbe5e15468faa61372c68b15b09f827a5bea5cdcb6eef6107bec4120b7e23674e6d979499e8e22 |
memory/4460-139-0x0000000000000000-mapping.dmp
memory/4800-140-0x0000000000000000-mapping.dmp
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/4800-143-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4800-144-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4800-145-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4800-146-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4800-147-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4800-148-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/4776-149-0x0000000000000000-mapping.dmp
memory/4776-151-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4776-152-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4776-153-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4776-154-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4776-155-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/2204-157-0x0000000000000000-mapping.dmp
memory/4776-156-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2204-159-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2204-160-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2204-161-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2204-162-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/2204-163-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Program Files\word\rutserv.exe
| MD5 | 37a8802017a212bb7f5255abc7857969 |
| SHA1 | cb10c0d343c54538d12db8ed664d0a1fa35b6109 |
| SHA256 | 1699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6 |
| SHA512 | 4e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0 |
memory/4972-165-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4972-166-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4972-167-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4972-168-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/4972-169-0x0000000000400000-0x0000000000AB9000-memory.dmp
C:\Program Files\word\vp8decoder.dll
| MD5 | 88318158527985702f61d169434a4940 |
| SHA1 | 3cc751ba256b5727eb0713aad6f554ff1e7bca57 |
| SHA256 | 4c04d7968a9fe9d9258968d3a722263334bbf5f8af972f206a71f17fa293aa74 |
| SHA512 | 5d88562b6c6d2a5b14390512712819238cd838914f7c48a27f017827cb9b825c24ff05a30333427acec93cd836e8f04158b86d17e6ac3dd62c55b2e2ff4e2aff |
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
C:\Program Files\word\vp8encoder.dll
| MD5 | 6298c0af3d1d563834a218a9cc9f54bd |
| SHA1 | 0185cd591e454ed072e5a5077b25c612f6849dc9 |
| SHA256 | 81af82019d9f45a697a8ca1788f2c5c0205af9892efd94879dedf4bc06db4172 |
| SHA512 | 389d89053689537cdb582c0e8a7951a84549f0c36484db4346c31bdbe7cb93141f6a354069eb13e550297dc8ec35cd6899746e0c16abc876a0fe542cc450fffe |
memory/3120-174-0x0000000000000000-mapping.dmp
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/3260-173-0x0000000000000000-mapping.dmp
memory/3260-176-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/3260-178-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/2204-179-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3260-180-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3260-181-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3120-182-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3260-183-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3120-184-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3120-185-0x0000000000400000-0x00000000009B6000-memory.dmp
C:\Program Files\word\1.doc
| MD5 | 2d17816c1b66dd964511796c037045e5 |
| SHA1 | 4f7199f48ed081de8a904a77ed73c65f35d15bf9 |
| SHA256 | 9585e54a4d46e70491c8098d9abeaeb470a12a2a45e1bfd00100d28d79df61c4 |
| SHA512 | 0b0c21f94ae6d4f7687a7e1fc92e182abd39da807f4465c22830d0a9425731d603c790d85481d3fbc4d6cfd34a2bb899adf02b30f30bfb0ad9bc031b51fe37be |
memory/3600-187-0x0000000000000000-mapping.dmp
memory/3120-188-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3120-189-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3600-191-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-192-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-190-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-193-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-194-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-195-0x00007FFEA8960000-0x00007FFEA8970000-memory.dmp
memory/3600-196-0x00007FFEA8960000-0x00007FFEA8970000-memory.dmp
C:\Program Files\word\rfusclient.exe
| MD5 | b8667a1e84567fcf7821bcefb6a444af |
| SHA1 | 9c1f91fe77ad357c8f81205d65c9067a270d61f0 |
| SHA256 | dc9d875e659421a51addd8e8a362c926369e84320ab0c5d8bbb1e4d12d372fc9 |
| SHA512 | ec6af663a3b41719d684f04504746f91196105ef6f8baa013b4bd02df6684eca49049d5517691f8e3a4ba6351fe35545a27f728b1d29d949e950d574a012f852 |
memory/3208-197-0x0000000000000000-mapping.dmp
memory/3208-199-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3208-200-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3208-201-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3208-202-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3208-203-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/3208-204-0x0000000000400000-0x00000000009B6000-memory.dmp
memory/4972-205-0x0000000000400000-0x0000000000AB9000-memory.dmp
memory/3600-207-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-208-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-209-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp
memory/3600-210-0x00007FFEAAFB0000-0x00007FFEAAFC0000-memory.dmp