emotet | e6e6ce18a4888eed3d079937b00cc71ccc8fddb764342b14e1e85b1e98304f95

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BANK TRANSFER COPY ACH.xls
Size

94KB
MD5

bca774464f52e484a93f3841124758a1
SHA1

1bf6b435f6389af53744e960dac2e643eaac4192
SHA256

c45bf0bf43d9595be252f2646198e686ee50df78f2eafd8fd58f5fda324db8b5
SHA512

21c3b41f831ff41d1a81d926c85fcdec6be37699d02665d8db2826a7c360646cc338a7e4ac30871420528ae1cf4819a911c38129ef7c70b3c83221763390c257

Score

10^/10

emotet epoch4 banker suricata trojan

Malware Config

Extracted

Language

xlm4.0

Source

URLs

xlm40.dropper

https://www.mobiles-photostudio.com/MPS/uYUKsZhII1qQ1/

xlm40.dropper

https://www.zablimconsultancy.co.ke/musagala/pmOVrwAwG/

xlm40.dropper

http://www.kspintidana.com/wp-admin/jjiOcQAL/

xlm40.dropper

http://www.garantihaliyikama.com/wp-admin/CcxWGjZEjriZ9zMdsP/

Extracted

Family

emotet

Botnet

Epoch4

172.104.251.154:8080

51.161.73.194:443

101.50.0.91:8080

91.207.28.33:8080

119.193.124.41:7080

150.95.66.124:8080

103.132.242.26:8080

37.187.115.122:8080

172.105.226.75:8080

131.100.24.231:80

196.218.30.83:443

79.137.35.198:8080

103.75.201.2:443

82.223.21.224:8080

153.126.146.25:7080

146.59.226.45:443

209.97.163.214:443

186.194.240.217:443

197.242.150.244:8080

45.118.115.99:8080

eck1.plain

ecs1.plain

Extracted

Family

emotet

104.236.40.81:443

34.80.191.247:8080

201.73.143.120:7080

165.227.166.238:8080

103.224.242.13:8080

131.100.24.199:4143

162.243.103.246:8080

203.114.109.124:443

104.248.155.133:443

51.79.205.117:8080

136.243.32.168:443

217.79.180.211:8080

34.85.105.209:8080

69.63.64.48:8080

51.91.142.26:443

45.93.136.110:7080

144.217.88.125:443

1.234.21.73:7080

159.8.59.84:8080

49.231.16.102:8080

Signatures

Emotet
Emotet is a trojan that is primarily spread through spam emails.
trojan banker emotet

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1520	2036	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2004	2036	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	2008	2036	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1668	2036	regsvr32.exe	EXCEL.EXE

suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata: ET MALWARE W32/Emotet CnC Beacon 3
suricata
Downloads MZ/PE file
Loads dropped DLL 8 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

1520 regsvr32.exe
1548 regsvr32.exe
2004 regsvr32.exe
752 regsvr32.exe
2008 regsvr32.exe
1944 regsvr32.exe
1668 regsvr32.exe
928 regsvr32.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1604 ipconfig.exe
Gathers system information 1 TTPs 3 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exesysteminfo.exe

pid process

1812 systeminfo.exe
440 systeminfo.exe
1740 systeminfo.exe

pid	process
1520	regsvr32.exe
1548	regsvr32.exe
2004	regsvr32.exe
752	regsvr32.exe
2008	regsvr32.exe
1944	regsvr32.exe
1668	regsvr32.exe
928	regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1604	ipconfig.exe

pid	process
1812	systeminfo.exe
440	systeminfo.exe
1740	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2036 EXCEL.EXE

pid	process
2036	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
1548	regsvr32.exe
1724	regsvr32.exe
1724	regsvr32.exe
752	regsvr32.exe
1632	regsvr32.exe
1632	regsvr32.exe
1944	regsvr32.exe
1596	regsvr32.exe
1596	regsvr32.exe
928	regsvr32.exe
656	regsvr32.exe
656	regsvr32.exe
1632	regsvr32.exe
1724	regsvr32.exe
1596	regsvr32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

2036 EXCEL.EXE
2036 EXCEL.EXE
2036 EXCEL.EXE

pid	process
2036	EXCEL.EXE
2036	EXCEL.EXE
2036	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXEregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	pid	process	target process
PID 2036 wrote to memory of 1520	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1520	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1520	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1520	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1520	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1520	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1520	2036	EXCEL.EXE	regsvr32.exe
PID 1520 wrote to memory of 1548	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1548	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1548	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1548	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1548	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1548	1520	regsvr32.exe	regsvr32.exe
PID 1520 wrote to memory of 1548	1520	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1724	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1724	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1724	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1724	1548	regsvr32.exe	regsvr32.exe
PID 1548 wrote to memory of 1724	1548	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2004	2036	EXCEL.EXE	regsvr32.exe
PID 2004 wrote to memory of 752	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 752	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 752	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 752	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 752	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 752	2004	regsvr32.exe	regsvr32.exe
PID 2004 wrote to memory of 752	2004	regsvr32.exe	regsvr32.exe
PID 752 wrote to memory of 1632	752	regsvr32.exe	regsvr32.exe
PID 752 wrote to memory of 1632	752	regsvr32.exe	regsvr32.exe
PID 752 wrote to memory of 1632	752	regsvr32.exe	regsvr32.exe
PID 752 wrote to memory of 1632	752	regsvr32.exe	regsvr32.exe
PID 752 wrote to memory of 1632	752	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 2008	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2008	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2008	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2008	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2008	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2008	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 2008	2036	EXCEL.EXE	regsvr32.exe
PID 2008 wrote to memory of 1944	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1944	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1944	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1944	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1944	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1944	2008	regsvr32.exe	regsvr32.exe
PID 2008 wrote to memory of 1944	2008	regsvr32.exe	regsvr32.exe
PID 1944 wrote to memory of 1596	1944	regsvr32.exe	regsvr32.exe
PID 1944 wrote to memory of 1596	1944	regsvr32.exe	regsvr32.exe
PID 1944 wrote to memory of 1596	1944	regsvr32.exe	regsvr32.exe
PID 1944 wrote to memory of 1596	1944	regsvr32.exe	regsvr32.exe
PID 1944 wrote to memory of 1596	1944	regsvr32.exe	regsvr32.exe
PID 2036 wrote to memory of 1668	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1668	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1668	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1668	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1668	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1668	2036	EXCEL.EXE	regsvr32.exe
PID 2036 wrote to memory of 1668	2036	EXCEL.EXE	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\BANK TRANSFER COPY ACH.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm1.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\regsvr32.exe
/S ..\sctm1.ocx
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\DWfKoBRXYFi\TqXHvNYXmzuW.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1724

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:440

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm2.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\system32\regsvr32.exe
/S ..\sctm2.ocx
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\KxVbJhpIfxqJv\cTImayjjmBpBZL.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:1812

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm3.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\system32\regsvr32.exe
/S ..\sctm3.ocx
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UZmtuHLAUzbG\NLuSsHLbGjX.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:1740

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1604

C:\Windows\system32\nltest.exe
nltest /dclist:
5⤵
PID:1684

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\System32\regsvr32.exe /S ..\sctm4.ocx
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
PID:1668

C:\Windows\system32\regsvr32.exe
/S ..\sctm4.ocx
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:928

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\IuENRWDDrkUz\tiJjCGHEr.dll"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
60KB

MD5
589c442fc7a0c70dca927115a700d41e

SHA1
66a07dace3afbfd1aa07a47e6875beab62c4bb31

SHA256
2e5cb72e9eb43baafb6c6bfcc573aac92f49a8064c483f9d378a9e8e781a526a

SHA512
1b5fa79e52be495c42cf49618441fb7012e28c02e7a08a91da9213db3ab810f0e83485bc1dd5f625a47d0ba7cfcdd5ea50acc9a8dcebb39f048c40f01e94155b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
99c8d2d1971ca5df9a27d2d16ae85b34

SHA1
c7c77cfaefbffb23c2bdefae665fa11a2f4c4c30

SHA256
ec3270ebc16679a56c2448268d9ba5e1b99f27a81f078152a60f923e1b82b851

SHA512
8fb0aba6c7e8f3df92bf70da2bb1bc61cdb3f4b6ba553061b15b18c8f98d465bdaf0de6e07aa6e8cbb0eb3c00cce065fe94dacbc38c90af07461b37146fbbccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
ea03a8440a2c832506dfdd5d09ef03f9

SHA1
d132c212dc8fa5e36c9c08ed480b9aced208782c

SHA256
adf2e049459a38c5f385a7ba9987f7749a1bd1efb86da94a367faccc0e597de7

SHA512
c053a5f750ce9826f1f8a290256bf2f45841aca13c6de2788a132a50d290f252e8388f127a3e22b29af5df7e3e6ddc9d0834e3a4b1db98a087fe998e32ddb6b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
2dd6408e13da1ad667c83d4d4ef96c78

SHA1
1cb6e67140ae055889da798eaafc9ce003bf1804

SHA256
5e2f23491033422b754eadcd84355476e68485f36fc80c3aff48e47226dcc61a

SHA512
33097567e36c1ffc508102d0830527eda743f2062cc6e4f2e22921d511291786550c33a54ec10c065be4ae284dfdd24b272547974c31f928fbf8dc8e1e3fa581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
d7b8cb4f7e984e8c05571db3f7c7c416

SHA1
2f5b4eccee38ee37a9f7d53c45f68e1533ab5c6e

SHA256
3d1962bde76e192744137f758e13d481780cf337e0ef4af9034d0333f8dec5c9

SHA512
fd79e6e54c43e656f3aff0cac0468773ef210d4771bda8d6bf96439ddee739ec78fc74ebea452dbcf2a3a9c23ad5ee686e1b920e132f44ef599877a318a32bc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
bde5df3cfce75126770fa86585555bbc

SHA1
78ab656994be012e42e7fc543a5ca71e28a8b7de

SHA256
f45490b51b88b39adfdee01402f0539ca62813a5a3599e100079dfa0d41ca3e5

SHA512
2f91784b04fe69eea0b809454875769261300c2c1fee7892175a5473102c54146a6227870fc2e15dffc1aad449404d7a2c947e552d17a127e638028b8c144f2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
febec8b3da23453209e28b0aa1376682

SHA1
c74120863c295e2cc2522f0d9af1af341603b574

SHA256
7a924ed8fe6c122484f8bdabdb701d7a620ffa07fbf052c27769336ebcfa8d3f

SHA512
b39bcd5fbc856f96c878b46d3c872a66988f41d87228a7e9b5b21a04dbf39c5feea5b5637f3a7810304411fc8818660e5e2ee15e1d3eb0073a2517bab0458f40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
340B

MD5
5e7b3a56c054dcb2a19b1d5f6592678f

SHA1
9ec16e9746071c8728c77599a0f4a62d9485f9b6

SHA256
8db5e7ec5fdb9ec1b33a33f5412385a7f33357d0113fda18c6e495f7f3458fa8

SHA512
1c910e5bd4c2e5c434748c3b150da67900e4a790d65eba9edbb32612bbf2acc03bb20cecc52f7c1758d434bef1285ea621c2c33a0061b0cd62caf907e6307ca8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
b47195f8755e6d76e8fd307644fb4a5b

SHA1
5f0a0e0b0fc9c44f610d999b2a151d9cc786c447

SHA256
b06fb314c0f75dbd6bacc5afb1f92fbba58e2d169eb72f61ce923e96894132d4

SHA512
3df3205500340051f41efff965b8d51d88d745905ddc7ed12ee6540405c9df8d66d52777332766b44d1db05873bc5888d0e10e66fb9aeff1690fe1a052452ad1

Download Submit
C:\Users\Admin\sctm1.ocx
Filesize
425KB

MD5
eaafa5852e48116275168a134b01def0

SHA1
92b20ecf953bdcf51f7e393e0ed8bd93fac94f3f

SHA256
f772a7a6db220ce231125e0c4ef0aaf8f351c61b92c57f9a8353a5598ddfb4b1

SHA512
c2fc9cdc8f2ac1a79cace7cd2e90c13a0bba7802d607c2cb343e40282ae9f3aaf22701410a886ab6dea2b4ceea1b505d7692a01bab3fbcd7faad5ea2b71071ad

Download Submit
C:\Users\Admin\sctm2.ocx
Filesize
425KB

MD5
c922a603368a4d4a61bff74788da3848

SHA1
042f6d2c7f014148c2873ea1f4ac511682f030ce

SHA256
b57254b38faeb11fee2497090dc0ba83664ca4563ae2a8153e5a1b390f66ce7f

SHA512
36860237448fb934aead9546665dd1531d2b712b83b8294bb7a5b0dcc0ec55c5e9242eb3b640f6734f274d7180045235f3ade307fc7b8b6e591be4f41e9e211a

Download Submit
C:\Users\Admin\sctm3.ocx
Filesize
425KB

MD5
d77b83fc86cf84cc40afbc0213db0bda

SHA1
fd72eaf67c008e7949f56a7bf20b18ccff54af16

SHA256
a8b544949b7ae8534be62b24233100d48ed2f64fb155cd65d0c2c387b17a8b30

SHA512
e62b42f0054f18a09aef5d5b247ebeb3dea6e2d9b4e63cc21b8b12025a9d5e06c702650af39854eabb598df70132ea419aa1d99be47101b5769f06bf20f0b333

Download Submit
C:\Users\Admin\sctm4.ocx
Filesize
425KB

MD5
457487cae2edab5b541092d411e717c1

SHA1
dd2eb187453b841ca4e47e334c4d8e4cc8497278

SHA256
cd82f9f9405bf17eb67025649cafafaeb5a23230a0973cd46a3d64ba4c454887

SHA512
2548d604c2073f6bc0ad08a41b315b7886abd47d8c09e0a1aff28a9e3fae2c1b55a2d85dae67a0951369366c0062f87c96a476484ab357ae91c3c3fed3c6075c

Download Submit
\Users\Admin\sctm1.ocx
Filesize
425KB

MD5
eaafa5852e48116275168a134b01def0

SHA1
92b20ecf953bdcf51f7e393e0ed8bd93fac94f3f

SHA256
f772a7a6db220ce231125e0c4ef0aaf8f351c61b92c57f9a8353a5598ddfb4b1

SHA512
c2fc9cdc8f2ac1a79cace7cd2e90c13a0bba7802d607c2cb343e40282ae9f3aaf22701410a886ab6dea2b4ceea1b505d7692a01bab3fbcd7faad5ea2b71071ad

Download Submit
\Users\Admin\sctm1.ocx
Filesize
425KB

MD5
eaafa5852e48116275168a134b01def0

SHA1
92b20ecf953bdcf51f7e393e0ed8bd93fac94f3f

SHA256
f772a7a6db220ce231125e0c4ef0aaf8f351c61b92c57f9a8353a5598ddfb4b1

SHA512
c2fc9cdc8f2ac1a79cace7cd2e90c13a0bba7802d607c2cb343e40282ae9f3aaf22701410a886ab6dea2b4ceea1b505d7692a01bab3fbcd7faad5ea2b71071ad

Download Submit
\Users\Admin\sctm2.ocx
Filesize
425KB

MD5
c922a603368a4d4a61bff74788da3848

SHA1
042f6d2c7f014148c2873ea1f4ac511682f030ce

SHA256
b57254b38faeb11fee2497090dc0ba83664ca4563ae2a8153e5a1b390f66ce7f

SHA512
36860237448fb934aead9546665dd1531d2b712b83b8294bb7a5b0dcc0ec55c5e9242eb3b640f6734f274d7180045235f3ade307fc7b8b6e591be4f41e9e211a

Download Submit
\Users\Admin\sctm2.ocx
Filesize
425KB

MD5
c922a603368a4d4a61bff74788da3848

SHA1
042f6d2c7f014148c2873ea1f4ac511682f030ce

SHA256
b57254b38faeb11fee2497090dc0ba83664ca4563ae2a8153e5a1b390f66ce7f

SHA512
36860237448fb934aead9546665dd1531d2b712b83b8294bb7a5b0dcc0ec55c5e9242eb3b640f6734f274d7180045235f3ade307fc7b8b6e591be4f41e9e211a

Download Submit
\Users\Admin\sctm3.ocx
Filesize
425KB

MD5
d77b83fc86cf84cc40afbc0213db0bda

SHA1
fd72eaf67c008e7949f56a7bf20b18ccff54af16

SHA256
a8b544949b7ae8534be62b24233100d48ed2f64fb155cd65d0c2c387b17a8b30

SHA512
e62b42f0054f18a09aef5d5b247ebeb3dea6e2d9b4e63cc21b8b12025a9d5e06c702650af39854eabb598df70132ea419aa1d99be47101b5769f06bf20f0b333

Download Submit
\Users\Admin\sctm3.ocx
Filesize
425KB

MD5
d77b83fc86cf84cc40afbc0213db0bda

SHA1
fd72eaf67c008e7949f56a7bf20b18ccff54af16

SHA256
a8b544949b7ae8534be62b24233100d48ed2f64fb155cd65d0c2c387b17a8b30

SHA512
e62b42f0054f18a09aef5d5b247ebeb3dea6e2d9b4e63cc21b8b12025a9d5e06c702650af39854eabb598df70132ea419aa1d99be47101b5769f06bf20f0b333

Download Submit
\Users\Admin\sctm4.ocx
Filesize
425KB

MD5
457487cae2edab5b541092d411e717c1

SHA1
dd2eb187453b841ca4e47e334c4d8e4cc8497278

SHA256
cd82f9f9405bf17eb67025649cafafaeb5a23230a0973cd46a3d64ba4c454887

SHA512
2548d604c2073f6bc0ad08a41b315b7886abd47d8c09e0a1aff28a9e3fae2c1b55a2d85dae67a0951369366c0062f87c96a476484ab357ae91c3c3fed3c6075c

Download Submit
\Users\Admin\sctm4.ocx
Filesize
425KB

MD5
457487cae2edab5b541092d411e717c1

SHA1
dd2eb187453b841ca4e47e334c4d8e4cc8497278

SHA256
cd82f9f9405bf17eb67025649cafafaeb5a23230a0973cd46a3d64ba4c454887

SHA512
2548d604c2073f6bc0ad08a41b315b7886abd47d8c09e0a1aff28a9e3fae2c1b55a2d85dae67a0951369366c0062f87c96a476484ab357ae91c3c3fed3c6075c

Download Submit
memory/440-138-0x0000000000000000-mapping.dmp

Download
memory/656-121-0x0000000000000000-mapping.dmp

Download
memory/752-80-0x0000000000000000-mapping.dmp

Download
memory/928-114-0x0000000000000000-mapping.dmp

Download
memory/1520-59-0x0000000000000000-mapping.dmp

Download
memory/1548-63-0x0000000000000000-mapping.dmp

Download
memory/1548-64-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download
memory/1548-66-0x0000000001E30000-0x0000000001E84000-memory.dmp

Filesize
336KB

Download
memory/1596-104-0x0000000000000000-mapping.dmp

Download
memory/1596-146-0x0000000001EB0000-0x0000000001ED3000-memory.dmp

Filesize
140KB

Download
memory/1596-143-0x0000000001EB0000-0x0000000001ED3000-memory.dmp

Filesize
140KB

Download
memory/1604-144-0x0000000000000000-mapping.dmp

Download
memory/1632-137-0x0000000001EC0000-0x0000000001EE3000-memory.dmp

Filesize
140KB

Download
memory/1632-87-0x0000000000000000-mapping.dmp

Download
memory/1668-110-0x0000000000000000-mapping.dmp

Download
memory/1684-145-0x0000000000000000-mapping.dmp

Download
memory/1724-142-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/1724-70-0x0000000000000000-mapping.dmp

Download
memory/1740-139-0x0000000000000000-mapping.dmp

Download
memory/1812-132-0x0000000000000000-mapping.dmp

Download
memory/1944-97-0x0000000000000000-mapping.dmp

Download
memory/2004-76-0x0000000000000000-mapping.dmp

Download
memory/2008-93-0x0000000000000000-mapping.dmp

Download
memory/2036-58-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x000000007217D000-0x0000000072188000-memory.dmp

Filesize
44KB

Download
memory/2036-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2036-55-0x0000000071191000-0x0000000071193000-memory.dmp

Filesize
8KB

Download
memory/2036-127-0x000000007217D000-0x0000000072188000-memory.dmp

Filesize
44KB

Download
memory/2036-54-0x000000002FC21000-0x000000002FC24000-memory.dmp

Filesize
12KB

Download