lokibot | 591eabded5e77dfd437b36706f36d41b4f1c580e945a85a9e7904c8e35dc8f7d

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20220414-en
submitted
05-07-2022 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decrypted.xlsm
Size

196KB
MD5

00f3575ade589b67fa914fc408db0440
SHA1

db7fc7b0747bd00c97339dd2640d83b2af20393f
SHA256

84abe5ae1fcb927fb52ffd6c0f322fc9e30fad520d09ac7e123354a557de6aeb
SHA512

77577de214c1c54829d4a01561c5268779dd137341b939c1e3fa6433f1a5eba155efb1400130abc70ce9fa4e284f62d8eda6641a40aaeea572d8c65050d78e81

Score

10^/10

lokibot collection spyware stealer suricata trojan

Malware Config

Extracted

Family

lokibot

http://sempersim.su/gf10/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
suricata
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata: ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
suricata
suricata: ET MALWARE LokiBot Checkin
suricata: ET MALWARE LokiBot Checkin
suricata
suricata: ET MALWARE LokiBot Fake 404 Response
suricata: ET MALWARE LokiBot Fake 404 Response
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M1
suricata
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata: ET MALWARE LokiBot Request for C2 Commands Detected M2
suricata
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata: ET MALWARE LokiBot User-Agent (Charon/Inferno)
suricata
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

8 1644 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

vbc.exejGwtsgfcAwgrRaYqBrXLHt.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid process

1212 vbc.exe
1752 jGwtsgfcAwgrRaYqBrXLHt.exe
1352 vbc.exe
1904 vbc.exe
1968 vbc.exe
1456 vbc.exe
1608 vbc.exe
980 vbc.exe
936 vbc.exe
Abuses OpenXML format to download file from external location

flow	pid	process
8	1644	EQNEDT32.EXE

pid	process
1212	vbc.exe
1752	jGwtsgfcAwgrRaYqBrXLHt.exe
1352	vbc.exe
1904	vbc.exe
1968	vbc.exe
1456	vbc.exe
1608	vbc.exe
980	vbc.exe
936	vbc.exe

Loads dropped DLL 9 IoCs

Processes:

EQNEDT32.EXEEXCEL.EXEjGwtsgfcAwgrRaYqBrXLHt.exe

pid	process
1644	EQNEDT32.EXE
1644	EQNEDT32.EXE
1644	EQNEDT32.EXE
1644	EQNEDT32.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
1752	jGwtsgfcAwgrRaYqBrXLHt.exe
1752	jGwtsgfcAwgrRaYqBrXLHt.exe
1752	jGwtsgfcAwgrRaYqBrXLHt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	vbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

vbc.exe

description pid process target process

PID 1352 set thread context of 936 1352 vbc.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1644 EQNEDT32.EXE

description	pid	process	target process
PID 1352 set thread context of 936	1352	vbc.exe	vbc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1692 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

vbc.exe

pid process

1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
1212 vbc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vbc.exevbc.exeWINWORD.EXE

description pid process

Token: SeDebugPrivilege 1212 vbc.exe
Token: SeDebugPrivilege 936 vbc.exe
Token: SeShutdownPrivilege 740 WINWORD.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1692 EXCEL.EXE
1692 EXCEL.EXE
1692 EXCEL.EXE
740 WINWORD.EXE
740 WINWORD.EXE

pid	process
1692	EXCEL.EXE

pid	process
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe
1212	vbc.exe

description	pid	process
Token: SeDebugPrivilege	1212	vbc.exe
Token: SeDebugPrivilege	936	vbc.exe
Token: SeShutdownPrivilege	740	WINWORD.EXE

pid	process
1692	EXCEL.EXE
1692	EXCEL.EXE
1692	EXCEL.EXE
740	WINWORD.EXE
740	WINWORD.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEEXCEL.EXEjGwtsgfcAwgrRaYqBrXLHt.exevbc.exevbc.exe

description	pid	process	target process
PID 1644 wrote to memory of 1212	1644	EQNEDT32.EXE	vbc.exe
PID 1644 wrote to memory of 1212	1644	EQNEDT32.EXE	vbc.exe
PID 1644 wrote to memory of 1212	1644	EQNEDT32.EXE	vbc.exe
PID 1644 wrote to memory of 1212	1644	EQNEDT32.EXE	vbc.exe
PID 740 wrote to memory of 808	740	WINWORD.EXE	splwow64.exe
PID 740 wrote to memory of 808	740	WINWORD.EXE	splwow64.exe
PID 740 wrote to memory of 808	740	WINWORD.EXE	splwow64.exe
PID 740 wrote to memory of 808	740	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 1752	1692	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 1692 wrote to memory of 1752	1692	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 1692 wrote to memory of 1752	1692	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 1692 wrote to memory of 1752	1692	EXCEL.EXE	jGwtsgfcAwgrRaYqBrXLHt.exe
PID 1752 wrote to memory of 1352	1752	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 1752 wrote to memory of 1352	1752	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 1752 wrote to memory of 1352	1752	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 1752 wrote to memory of 1352	1752	jGwtsgfcAwgrRaYqBrXLHt.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1904	1212	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1904	1212	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1904	1212	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1904	1212	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1968	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1968	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1968	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1968	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1608	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1608	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1608	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1608	1212	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1456	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1456	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1456	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 1456	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 980	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 980	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 980	1212	vbc.exe	vbc.exe
PID 1212 wrote to memory of 980	1212	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe
PID 1352 wrote to memory of 936	1352	vbc.exe	vbc.exe

outlook_office_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	vbc.exe

outlook_win_path 1 IoCs

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	vbc.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsm
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:936

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:808

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1644

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1904

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1456

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:980

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1608

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
3⤵
- Executes dropped EXE
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CSMPMU9R\vbc[1].exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V789HYVY\receipt[1].doc
Filesize
20KB

MD5
420c0ada5b084930072500dda293f55b

SHA1
f0e5d7edfde6641670c79ecf0ae4e70ea78e5387

SHA256
1b7f1ee778e86d3e4ee56ea99b6c1951f2be2ad261d4a5ff691de4437e6dc1a0

SHA512
c0d5adb3912f2d7293e4bd0455352feedfa2e9dea8d78cb827fa22d3c20b0d14db89024ea1c3aa6e71e8d84a9ac298584b3064e4e2a47d6deeed57e37dcbfb76

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
C:\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
Filesize
3KB

MD5
5fba4d1a0060d727411412a9c6a2ab98

SHA1
693c3f5603291437f8c0b76ad540904bc0650173

SHA256
85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b

SHA512
445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
\Users\Public\vbc.exe
Filesize
532KB

MD5
75c415220becc3ddad0a7cb84ef37155

SHA1
edc412ccf2c7dac8aff2272d84c5083de59080e2

SHA256
ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46

SHA512
cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783

Download Submit
memory/740-108-0x000000007290D000-0x0000000072918000-memory.dmp

Filesize
44KB

Download
memory/740-63-0x000000007290D000-0x0000000072918000-memory.dmp

Filesize
44KB

Download
memory/740-138-0x000000007290D000-0x0000000072918000-memory.dmp

Filesize
44KB

Download
memory/740-59-0x000000006B811000-0x000000006B814000-memory.dmp

Filesize
12KB

Download
memory/808-76-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

Filesize
8KB

Download
memory/808-74-0x0000000000000000-mapping.dmp

Download
memory/936-114-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-117-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-134-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-133-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-128-0x00000000004139DE-mapping.dmp

Download
memory/936-131-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-126-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-122-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-115-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/936-119-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1212-113-0x0000000002270000-0x0000000002290000-memory.dmp

Filesize
128KB

Download
memory/1212-71-0x0000000000000000-mapping.dmp

Download
memory/1212-75-0x0000000000190000-0x000000000021A000-memory.dmp

Filesize
552KB

Download
memory/1212-110-0x00000000006B0000-0x00000000006BE000-memory.dmp

Filesize
56KB

Download
memory/1352-107-0x0000000001D00000-0x0000000001D20000-memory.dmp

Filesize
128KB

Download
memory/1352-88-0x0000000000000000-mapping.dmp

Download
memory/1352-112-0x0000000004DF0000-0x0000000004E10000-memory.dmp

Filesize
128KB

Download
memory/1352-111-0x0000000005240000-0x00000000052A2000-memory.dmp

Filesize
392KB

Download
memory/1692-57-0x000000007290D000-0x0000000072918000-memory.dmp

Filesize
44KB

Download
memory/1692-96-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-109-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-106-0x0000000003090000-0x0000000003093000-memory.dmp

Filesize
12KB

Download
memory/1692-105-0x0000000003090000-0x0000000003093000-memory.dmp

Filesize
12KB

Download
memory/1692-139-0x0000000003090000-0x0000000003093000-memory.dmp

Filesize
12KB

Download
memory/1692-104-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-54-0x000000002F521000-0x000000002F524000-memory.dmp

Filesize
12KB

Download
memory/1692-99-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-103-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-102-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-98-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-97-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-137-0x000000007290D000-0x0000000072918000-memory.dmp

Filesize
44KB

Download
memory/1692-65-0x000000007290D000-0x0000000072918000-memory.dmp

Filesize
44KB

Download
memory/1692-58-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1692-95-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-100-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-94-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-93-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1692-92-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-101-0x00000000056C0000-0x00000000057C0000-memory.dmp

Filesize
1024KB

Download
memory/1692-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1692-55-0x0000000071921000-0x0000000071923000-memory.dmp

Filesize
8KB

Download
memory/1752-80-0x0000000000000000-mapping.dmp

Download
memory/1752-90-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download