lokibot | 591eabded5e77dfd437b36706f36d41b4f1c580e945a85a9e7904c8e35dc8f7d

Analysis

max time kernel
115s
max time network
99s
platform
windows7_x64
resource
win7-20220414-en
submitted
05-07-2022 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Draft Of Shipping Docs.xlsm
Size

203KB
MD5

e0e217bf187d940292bf1e3bd743ed2e
SHA1

37698145a8bdf43c3b4dc77f2e234b715f1953ee
SHA256

591eabded5e77dfd437b36706f36d41b4f1c580e945a85a9e7904c8e35dc8f7d
SHA512

5ac9bc896ec907598688bc3090b07ccd2ecab6ffe7d0be9bf71bfc3e7ecb7e3579b89b45dda199192163baa3fadd00562a3d22948595355dd7f1afbe17d9f452

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

http://sempersim.su/gf10/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 268 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

vbc.exejGwtsgfcAwgrRaYqBrXLHt.exevbc.exejGwtsgfcAwgrRaYqBrXLHt.exevbc.exevbc.exevbc.exevbc.exe

pid process

384 vbc.exe
1000 jGwtsgfcAwgrRaYqBrXLHt.exe
1496 vbc.exe
916 jGwtsgfcAwgrRaYqBrXLHt.exe
1456 vbc.exe
692 vbc.exe
836 vbc.exe
1000 vbc.exe
Abuses OpenXML format to download file from external location

flow	pid	process
8	268	EQNEDT32.EXE

pid	process
384	vbc.exe
1000	jGwtsgfcAwgrRaYqBrXLHt.exe
1496	vbc.exe
916	jGwtsgfcAwgrRaYqBrXLHt.exe
1456	vbc.exe
692	vbc.exe
836	vbc.exe
1000	vbc.exe

Loads dropped DLL 12 IoCs

Processes:

EQNEDT32.EXEEXCEL.EXEjGwtsgfcAwgrRaYqBrXLHt.exejGwtsgfcAwgrRaYqBrXLHt.exe

pid	process
268	EQNEDT32.EXE
268	EQNEDT32.EXE
268	EQNEDT32.EXE
268	EQNEDT32.EXE
880	EXCEL.EXE
880	EXCEL.EXE
1000	jGwtsgfcAwgrRaYqBrXLHt.exe
1000	jGwtsgfcAwgrRaYqBrXLHt.exe
1000	jGwtsgfcAwgrRaYqBrXLHt.exe
916	jGwtsgfcAwgrRaYqBrXLHt.exe
916	jGwtsgfcAwgrRaYqBrXLHt.exe
916	jGwtsgfcAwgrRaYqBrXLHt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

vbc.exevbc.exe

description pid process target process

PID 1496 set thread context of 836 1496 vbc.exe vbc.exe
PID 384 set thread context of 1000 384 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2656 1456 WerFault.exe vbc.exe
Office loads VBA resources, possible macro or embedded object present

description	pid	process	target process
PID 1496 set thread context of 836	1496	vbc.exe	vbc.exe
PID 384 set thread context of 1000	384	vbc.exe	vbc.exe

pid	pid_target	process	target process
2656	1456	WerFault.exe	vbc.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEchrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

268 EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1480 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

880 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

vbc.exechrome.exechrome.exevbc.exe

pid process

384 vbc.exe
384 vbc.exe
384 chrome.exe
1960 chrome.exe
1960 chrome.exe
1456 vbc.exe
1456 vbc.exe

pid	process
1480	NOTEPAD.EXE

pid	process
880	EXCEL.EXE

pid	process
384	vbc.exe
384	vbc.exe
384	chrome.exe
1960	chrome.exe
1960	chrome.exe
1456	vbc.exe
1456	vbc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXEvbc.exevbc.exeWINWORD.EXEvbc.exe

description	pid	process
Token: 33	1540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1540	AUDIODG.EXE
Token: 33	1540	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1540	AUDIODG.EXE
Token: SeDebugPrivilege	384	vbc.exe
Token: SeDebugPrivilege	836	vbc.exe
Token: SeShutdownPrivilege	580	WINWORD.EXE
Token: SeDebugPrivilege	1456	vbc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

880 EXCEL.EXE
880 EXCEL.EXE
880 EXCEL.EXE
580 WINWORD.EXE
580 WINWORD.EXE
880 EXCEL.EXE
880 EXCEL.EXE
880 EXCEL.EXE
880 EXCEL.EXE

pid	process
880	EXCEL.EXE
880	EXCEL.EXE
880	EXCEL.EXE
580	WINWORD.EXE
580	WINWORD.EXE
880	EXCEL.EXE
880	EXCEL.EXE
880	EXCEL.EXE
880	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEEXCEL.EXEjGwtsgfcAwgrRaYqBrXLHt.exejGwtsgfcAwgrRaYqBrXLHt.exevbc.exevbc.exechrome.exe

description	pid	process	target process
PID 268 wrote to memory of 384	268	EQNEDT32.EXE	vbc.exe
PID 268 wrote to memory of 384	268	EQNEDT32.EXE	vbc.exe
PID 268 wrote to memory of 384	268	EQNEDT32.EXE	vbc.exe
PID 268 wrote to memory of 384	268	EQNEDT32.EXE	vbc.exe
PID 580 wrote to memory of 1168	580	WINWORD.EXE	splwow64.exe
PID 580 wrote to memory of 1168	580	WINWORD.EXE	splwow64.exe
PID 580 wrote to memory of 1168	580	WINWORD.EXE	splwow64.exe
PID 580 wrote to memory of 1168	580	WINWORD.EXE	splwow64.exe
PID 880 wrote to memory of 1000	880	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 880 wrote to memory of 1000	880	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 880 wrote to memory of 1000	880	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 880 wrote to memory of 1000	880	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 1000 wrote to memory of 1496	1000	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 1000 wrote to memory of 1496	1000	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 1000 wrote to memory of 1496	1000	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 1000 wrote to memory of 1496	1000	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 916 wrote to memory of 1456	916	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 916 wrote to memory of 1456	916	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 916 wrote to memory of 1456	916	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 916 wrote to memory of 1456	916	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 384 wrote to memory of 692	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 692	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 692	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 692	384	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 1496 wrote to memory of 836	1496	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 384 wrote to memory of 1000	384	vbc.exe	vbc.exe
PID 1960 wrote to memory of 688	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 688	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 688	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 904	1960	chrome.exe	chrome.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Draft Of Shipping Docs.xlsm"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1496

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:836

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1168

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:268

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:692

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1000

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
"C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:916

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 684
3⤵
- Program crash
PID:2656

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\1.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5cb4f50,0x7fef5cb4f60,0x7fef5cb4f70
2⤵
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,18120267127331437605,5688157235352817798,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1272 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,18120267127331437605,5688157235352817798,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,18120267127331437605,5688157235352817798,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1716 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,18120267127331437605,5688157235352817798,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,18120267127331437605,5688157235352817798,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,18120267127331437605,5688157235352817798,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5cb4f50,0x7fef5cb4f60,0x7fef5cb4f70
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,13528201681052336882,15243510869505938604,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1448 /prefetch:8
2⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,13528201681052336882,15243510869505938604,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1064 /prefetch:2
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5cb4f50,0x7fef5cb4f60,0x7fef5cb4f70
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,14364552423549784087,3976371286830776952,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1160 /prefetch:2
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1104,14364552423549784087,3976371286830776952,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1284 /prefetch:8
2⤵
PID:2852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
4771451858a34e3e31a26a9cd9cb874a

SHA1
5f44ca6c71b800de89533304cf61f2355e4e16ea

SHA256
a0a30ec69e4b4b98a737a3c99adacd01c8782f7cc1978baeb8381631f5af96f2

SHA512
472ab68ee71cb97ea7ac0ffabe2fab346d0f3550704c8684bfe23a12c0138d5c70dded5bf3306093d56db3f62fcf05a92d29459efd0ecd7b23ff48c6c224406b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
4771451858a34e3e31a26a9cd9cb874a

SHA1
5f44ca6c71b800de89533304cf61f2355e4e16ea

SHA256
a0a30ec69e4b4b98a737a3c99adacd01c8782f7cc1978baeb8381631f5af96f2

SHA512
472ab68ee71cb97ea7ac0ffabe2fab346d0f3550704c8684bfe23a12c0138d5c70dded5bf3306093d56db3f62fcf05a92d29459efd0ecd7b23ff48c6c224406b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
84KB

MD5
249f2e5c4c9755ba89b6e979673dc5a1

SHA1
2ab1f7ae948a5837d0e07ab93c59493dd32e6922

SHA256
f6d959e48afc272888adaef9743e2374726b87ec00bc1de193c5bd3e5d9948cb

SHA512
27f5f77da450f5f7631b1e6b872613e1fef39794b6c76625e97714d443c40c04c515761a110fc456f46f071db405e2708c7e3330d4eeb5d643ef0e1b815f93a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
84KB

MD5
235af25e1d3791b7580603df3693a160

SHA1
b1f52aa51a5806d38e0ab94e9cd5cb689633f8d8

SHA256
9810b030f525bacca5d0b86c77b4c64c86573a8ba31aed465ed37a735cb99d68

SHA512
28a110c9d9726c9871bf2c3798933a09e811e3c7d02df2c14ad07152abc94e4c4a2e4df859145a5cb28af0751996764f84c954fad47a12a11459131778f89550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FJZU34PA\receipt[1].doc
Filesize
20KB

MD5
420c0ada5b084930072500dda293f55b

SHA1
f0e5d7edfde6641670c79ecf0ae4e70ea78e5387

SHA256
1b7f1ee778e86d3e4ee56ea99b6c1951f2be2ad261d4a5ff691de4437e6dc1a0

SHA512
c0d5adb3912f2d7293e4bd0455352feedfa2e9dea8d78cb827fa22d3c20b0d14db89024ea1c3aa6e71e8d84a9ac298584b3064e4e2a47d6deeed57e37dcbfb76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LZXOIVA8\vbc[1].exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1960_RFGHUZVDUFDXMADT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2428_NFWHOYLYOMRXMLQB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2688_YDRBUMVXKHFUYSVP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
memory/384-180-0x0000000004BE0000-0x0000000004C42000-memory.dmp

Filesize
392KB

Download
memory/384-182-0x0000000004D40000-0x0000000004D60000-memory.dmp

Filesize
128KB

Download
memory/384-166-0x00000000005D0000-0x00000000005F0000-memory.dmp

Filesize
128KB

Download
memory/384-74-0x00000000002B0000-0x000000000033A000-memory.dmp

Filesize
552KB

Download
memory/384-70-0x0000000000000000-mapping.dmp

Download
memory/580-167-0x0000000071EBD000-0x0000000071EC8000-memory.dmp

Filesize
44KB

Download
memory/580-221-0x0000000071EBD000-0x0000000071EC8000-memory.dmp

Filesize
44KB

Download
memory/580-63-0x0000000071EBD000-0x0000000071EC8000-memory.dmp

Filesize
44KB

Download
memory/580-59-0x000000006AE71000-0x000000006AE74000-memory.dmp

Filesize
12KB

Download
memory/836-200-0x00000000004139DE-mapping.dmp

Download
memory/836-213-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/836-215-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/880-92-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-101-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-107-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-108-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-109-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-110-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-111-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-112-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-114-0x0000000071EBD000-0x0000000071EC8000-memory.dmp

Filesize
44KB

Download
memory/880-113-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-116-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-115-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-118-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-117-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-120-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-119-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-122-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-121-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-124-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-123-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-128-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-130-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-132-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-134-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-136-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-138-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-139-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-137-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-135-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-133-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-131-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-129-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-126-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-125-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-127-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-140-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-141-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-142-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-105-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-104-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-55-0x0000000070ED1000-0x0000000070ED3000-memory.dmp

Filesize
8KB

Download
memory/880-102-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-103-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-106-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/880-100-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-99-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-98-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-97-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-57-0x0000000071EBD000-0x0000000071EC8000-memory.dmp

Filesize
44KB

Download
memory/880-165-0x0000000005690000-0x0000000005693000-memory.dmp

Filesize
12KB

Download
memory/880-164-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-96-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-95-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-169-0x00000000002FC000-0x00000000002FE000-memory.dmp

Filesize
8KB

Download
memory/880-93-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-94-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-54-0x000000002F721000-0x000000002F724000-memory.dmp

Filesize
12KB

Download
memory/880-90-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-58-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/880-91-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-223-0x0000000071EBD000-0x0000000071EC8000-memory.dmp

Filesize
44KB

Download
memory/880-78-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-89-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-88-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-87-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-86-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-85-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-84-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-79-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-77-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-83-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-82-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-81-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/880-80-0x0000000005771000-0x00000000057D4000-memory.dmp

Filesize
396KB

Download
memory/1000-212-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1000-206-0x00000000004139DE-mapping.dmp

Download
memory/1000-162-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1000-152-0x0000000000000000-mapping.dmp

Download
memory/1168-76-0x000007FEFB6E1000-0x000007FEFB6E3000-memory.dmp

Filesize
8KB

Download
memory/1168-73-0x0000000000000000-mapping.dmp

Download
memory/1456-175-0x0000000000000000-mapping.dmp

Download
memory/1496-181-0x0000000004F40000-0x0000000004FA2000-memory.dmp

Filesize
392KB

Download
memory/1496-179-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/1496-160-0x0000000000000000-mapping.dmp

Download
memory/2656-224-0x0000000000000000-mapping.dmp

Download