Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20220414-en
submitted: 05-07-2022 07:30
Static task: static1
Behavioral task behavioral1: sample Draft Of Shipping Docs.xlsm, resource win7-20220414-en
Behavioral task behavioral2: sample Draft Of Shipping Docs.xlsm, resource win10v2004-20220414-en
Behavioral task behavioral3: sample decrypted.xlsm, resource win7-20220414-en (the run this report describes)
General
Target: decrypted.xlsm
Size: 196KB
MD5: 00f3575ade589b67fa914fc408db0440
SHA1: db7fc7b0747bd00c97339dd2640d83b2af20393f
SHA256: 84abe5ae1fcb927fb52ffd6c0f322fc9e30fad520d09ac7e123354a557de6aeb
SHA512: 77577de214c1c54829d4a01561c5268779dd137341b939c1e3fa6433f1a5eba155efb1400130abc70ce9fa4e284f62d8eda6641a40aaeea572d8c65050d78e81
Malware Config
Extracted family: lokibot
C2 URLs:
- http://sempersim.su/gf10/fre.php
- http://kbfvzoboss.bid/alien/fre.php
- http://alphastand.trade/alien/fre.php
- http://alphastand.win/alien/fre.php
- http://alphastand.top/alien/fre.php
The kbfvzoboss.bid and alphastand.* entries recur across LokiBot configs as built-in fallback URLs; the sample-specific C2 to prioritise for blocking and hunting is sempersim.su.
Signatures
Suricata alerts (the original listing repeats each rule name; duplicates removed):
- ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
- ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
- ET MALWARE LokiBot Checkin
- ET MALWARE LokiBot Fake 404 Response
- ET MALWARE LokiBot Request for C2 Commands Detected M1
- ET MALWARE LokiBot Request for C2 Commands Detected M2
- ET MALWARE LokiBot User-Agent (Charon/Inferno)
- ET MALWARE MSIL/GenKryptik.FQRH Download Request
- ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
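The Suricata hits above key on the HTTP side of the infection: POSTs to the fre.php gate, the Charon/Inferno User-Agent the rule title names, and the 404 the panel answers with. As an added example that is not part of this report or of the sandbox, the Python below applies those checks to proxy-log lines using the five C2 URLs from the extracted config. The log lines are constructed, the hosts example.invalid and other.invalid are placeholders, and the User-Agent string "Mozilla/4.08 (Charon; Inferno)" is the one commonly reported for LokiBot rather than a value read from this capture.

```python
"""Apply the LokiBot HTTP indicators from this report to proxy-log lines."""
import re
from urllib.parse import urlsplit

# C2 URLs from the extracted config above.
C2_URLS = [
    "http://sempersim.su/gf10/fre.php",
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
]
C2_HOSTS = {urlsplit(u).hostname for u in C2_URLS}
# Tokens the ET "LokiBot User-Agent (Charon/Inferno)" rule title names; matched
# loosely so that "Charon; Inferno" and "Charon/Inferno" both hit.
UA_RE = re.compile(r"charon\W{0,3}inferno", re.IGNORECASE)


def classify(method: str, url: str, status: int, user_agent: str) -> set:
    """Return the indicator names that one HTTP transaction matches."""
    parts = urlsplit(url)
    tags = set()
    if parts.hostname in C2_HOSTS:
        tags.add("c2-host")
    gate_post = method.upper() == "POST" and parts.path.lower().endswith("/fre.php")
    if gate_post:
        tags.add("fre.php-post")            # LokiBot gate path, regardless of host
    if UA_RE.search(user_agent):
        tags.add("lokibot-user-agent")
    if gate_post and status == 404:
        # LokiBot panels are known to answer the gate with a 404 status that
        # still carries the reply; a 404 on a POST to fre.php is that pattern.
        tags.add("fake-404-response")
    return tags


def scan_log(text: str):
    """Parse tab-separated lines 'time, method, url, status, user-agent' and
    return [(time, url, tags)] for every line that matches anything."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, url, status, ua = line.split("\t", 4)
        tags = classify(method, url, int(status), ua)
        if tags:
            findings.append((ts, url, tags))
    return findings


# Constructed sample lines; only the sempersim.su line uses a host from the report.
SAMPLE_LOG = "\n".join([
    "2022-07-05T07:31:02Z\tPOST\thttp://sempersim.su/gf10/fre.php\t404\tMozilla/4.08 (Charon; Inferno)",
    "2022-07-05T07:31:05Z\tGET\thttps://www.example.invalid/\t200\tMozilla/5.0 (Windows NT 6.1; rv:100.0) Gecko/20100101 Firefox/100.0",
    "2022-07-05T07:31:09Z\tPOST\thttp://other.invalid/alien/fre.php\t200\tMozilla/5.0 (Windows NT 6.1)",
])

if __name__ == "__main__":
    for ts, url, tags in scan_log(SAMPLE_LOG):
        print(ts, url, ", ".join(sorted(tags)))
```

The host check alone is the weakest of the four: the gate path and the User-Agent survive a C2 domain change, so keep all tags and alert on any two together.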
Blocklisted process makes network request (1 IoC)
- EQNEDT32.EXE (PID 1644), flow 8
-
Downloads MZ/PE file
-
Executes dropped EXE (9 IoCs)
- PID 1212 vbc.exe
- PID 1752 jGwtsgfcAwgrRaYqBrXLHt.exe
- PID 1352 vbc.exe
- PID 1904 vbc.exe
- PID 1968 vbc.exe
- PID 1456 vbc.exe
- PID 1608 vbc.exe
- PID 980 vbc.exe
- PID 936 vbc.exe
-
Abuses OpenXML format to download file from external location
The workbook package carries a relationship whose TargetMode is External, so Office fetched the referenced resource when the document opened; the 20KB receipt[1].doc in the IE cache under Downloads is consistent with that fetch.
-
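To find which relationship carried the external target, list every TargetMode="External" relationship in the package: a .xlsm is a zip, and each part's *.rels file names the resources Office loads with it. The scanner below is an added example, not tooling from this report or from the sandbox; it builds its own minimal workbook in memory (the http://example.invalid/receipt.doc target is a placeholder, not the URL this sample used) and then scans it. Run it against the real file with `scan_ooxml(open(path, "rb").read())`.

```python
"""Scan an OOXML package (.xlsm/.docx/...) for external relationships and macro parts."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Part names that merit a second look on their own: VBA project, embedded OLE objects.
NOTABLE_MARKERS = ("vbaProject.bin", "/embeddings/", "/oleObject")


def scan_ooxml(data: bytes) -> dict:
    """Return {'external': [(rels_part, target, rel_type)], 'notable_parts': [...]}.

    Every *.rels part is parsed; a Relationship with TargetMode="External" is
    reported with its Target, which is what Office contacts when the
    referencing part loads.
    """
    findings = {"external": [], "notable_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if any(marker in name for marker in NOTABLE_MARKERS):
                findings["notable_parts"].append(name)
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                # A .rels that does not parse is itself worth a look; report and move on.
                findings["external"].append((name, "<unparseable .rels>", ""))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings["external"].append((name, rel.get("Target", ""), rel_type))
    return findings


def build_sample_xlsm() -> bytes:
    """Constructed minimal workbook, not the analysed file: a VBA part plus an
    oleObject relationship pointing at a placeholder external URL."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        'Target="http://example.invalid/receipt.doc" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<?xml version="1.0"?><Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("xl/worksheets/_rels/sheet1.xml.rels", rels)
        zf.writestr("xl/vbaProject.bin", b"")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_ooxml(build_sample_xlsm())
    for part, target, rel_type in result["external"]:
        print(f"EXTERNAL {rel_type:<10} {target}  (from {part})")
    for part in result["notable_parts"]:
        print(f"NOTABLE  {part}")
```

Internal relationships (Target="styles.xml" above) are skipped on purpose; the relationship Type tells you how the target is used, so an external oleObject is the one to pull and analyse next.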
Loads dropped DLL (9 IoCs)
- PID 1644 EQNEDT32.EXE (4 loads)
- PID 1692 EXCEL.EXE (2 loads)
- PID 1752 jGwtsgfcAwgrRaYqBrXLHt.exe (3 loads)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
This signature keys on the image name vbc.exe. Here C:\Users\Public\vbc.exe is the 532KB dropped payload (SHA256 ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46, see Downloads), not the .NET Visual Basic compiler, which lives under C:\Windows\Microsoft.NET\Framework\; the name is borrowed to blend in.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
- vbc.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- vbc.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
- vbc.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
Suspicious use of SetThreadContext 1 IoCs
- vbc.exe (PID 1352) set thread context of vbc.exe (PID 936)
Read together with the WriteProcessMemory entries (1352 wrote to 936 ten times) and the memory dumps for PID 936 (a 648KB image at 0x00400000-0x004A2000, larger than the 532KB file on disk, plus a mapping at 0x004139DE inside that range), this is the process-hollowing pattern: the parent starts a copy of itself, overwrites the child's image and redirects its thread before letting it run. The stealer behaviour (Outlook profile access, SeDebugPrivilege) is then observed in PID 936, so memory forensics should target that process rather than the file.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's template text calls this likely ransomware behaviour; for this sample the extracted config is LokiBot, an infostealer, and no encryption activity appears anywhere in this report, so read the drive enumeration as reconnaissance for harvesting rather than as a ransomware indicator.
-
Office loads VBA resources, possible macro or embedded object present
-
Enumerates system info in registry 2 TTPs 1 IoCs
- EXCEL.EXE: Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. In this run EQNEDT32.EXE (PID 1644) was started via OLE (-Embedding), made the network request that pulled down vbc[1].exe (Blocklisted process makes network request), and spawned C:\Users\Public\vbc.exe (PID 1212); that is the chain an Equation Editor exploit produces, and EQNEDT32.EXE creating any child process is a reliable alert on its own.
-
Modifies Internet Explorer settings
All of these writes come from WINWORD.EXE and EXCEL.EXE themselves and match Office's own file-association and IE-integration registration (the (data) values decode from UTF-16LE to Windows Installer advertised-component descriptors such as xb'BV5!!!!!!!!!MKKSkWORDFiles>bi$T!V!0Z={Pk0vm~AZu /n "%1"); treat them as Office first-run noise, not attacker persistence.
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND
- EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote
- EXCEL.EXE: Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"
- WINWORD.EXE: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- WINWORD.EXE: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar
- EXCEL.EXE: Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\MenuExt
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"
- WINWORD.EXE: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""
- EXCEL.EXE: Set value (str) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell
- WINWORD.EXE: Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit
- WINWORD.EXE: Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor
-
Modifies registry class 64 IoCs
All 64 entries are written by WINWORD.EXE and register Office 2010's .htm/.mht "open with" handlers, DDE topics and the msohevi.dll icon handler; like the Internet Explorer entries above, this is Office's own registration noise, not attacker persistence. The (data) values are the same Windows Installer descriptors as above, with the feature name changed per product (WORDFiles, EXCELFiles, PubPrimary).
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
- PID 1692 EXCEL.EXE
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
- PID 1212 vbc.exe (10 occurrences)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
- PID 1212 vbc.exe: Token SeDebugPrivilege
- PID 936 vbc.exe: Token SeDebugPrivilege
- PID 740 WINWORD.EXE: Token SeShutdownPrivilege
-
Suspicious use of SetWindowsHookEx 5 IoCs
- PID 1692 EXCEL.EXE (3 occurrences)
- PID 740 WINWORD.EXE (2 occurrences)
-
Suspicious use of WriteProcessMemory 46 IoCs
Grouped by writer and target process (the original list has one entry per write, 46 in total):
- EQNEDT32.EXE (1644) wrote to vbc.exe (1212): 4
- WINWORD.EXE (740) wrote to splwow64.exe (808): 4
- EXCEL.EXE (1692) wrote to jGwtsgfcAwgrRaYqBrXLHt.exe (1752): 4
- jGwtsgfcAwgrRaYqBrXLHt.exe (1752) wrote to vbc.exe (1352): 4
- vbc.exe (1352) wrote to vbc.exe (936): 10
- vbc.exe (1212) wrote to vbc.exe (1904): 4
- vbc.exe (1212) wrote to vbc.exe (1968): 4
- vbc.exe (1212) wrote to vbc.exe (1608): 4
- vbc.exe (1212) wrote to vbc.exe (1456): 4
- vbc.exe (1212) wrote to vbc.exe (980): 4
Four writes per parent/child pair is the normal CreateProcess footprint; the ten writes from 1352 into 936 are the outlier and belong to the SetThreadContext IoC above.
-
outlook_office_path 1 IoCs
- vbc.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
-
outlook_win_path 1 IoCs
- vbc.exe: Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
Tree reconstructed from the process list; PIDs are taken from the IoC sections above, and indentation shows parent/child depth.

EXCEL.EXE (PID 1692): "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\decrypted.xlsm
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    jGwtsgfcAwgrRaYqBrXLHt.exe (PID 1752): C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
        vbc.exe (PID 1352): "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
            vbc.exe (PID 936): "C:\Users\Public\vbc.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path

WINWORD.EXE (PID 740): "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
    splwow64.exe (PID 808): C:\Windows\splwow64.exe 12288

EQNEDT32.EXE (PID 1644): "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
    vbc.exe (PID 1212): "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
        vbc.exe: "C:\Users\Public\vbc.exe" (five children of PID 1212; the WriteProcessMemory IoCs give their PIDs as 1904, 1968, 1608, 1456 and 980)
        - Executes dropped EXE
        vbc.exe: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        vbc.exe: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        vbc.exe: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
        vbc.exe: "C:\Users\Public\vbc.exe"
        - Executes dropped EXE
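The tree above is what to alert on, independently of the payload hash: Office or Equation Editor spawning an executable from a user-writable directory, a binary named vbc.exe outside the .NET Framework directory, and a process starting an identical copy of itself (the hollowing pair 1352 -> 936). The Python below is an added example, not part of this report, that encodes those rules over Sysmon-style process-creation records. The records are constructed from the PIDs and paths above; the parent images of EXCEL.EXE, WINWORD.EXE and EQNEDT32.EXE (explorer.exe and svchost.exe, the usual DCOM launch for -Embedding) are assumptions, since the report does not show them.

```python
"""Rules for the maldoc process chain above, over Sysmon-style process-creation events."""
import ntpath
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}
DOTNET_ROOT = "c:\\windows\\microsoft.net\\"   # where a real vbc.exe lives


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    """True for the drop locations seen in this chain (Public, %TEMP%, %APPDATA%)."""
    p = path.lower()
    return (p.startswith("c:\\users\\public\\")
            or "\\appdata\\local\\temp\\" in p
            or "\\appdata\\roaming\\" in p)


def detect(events):
    """Return {pid: set(rule names)} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        parent, child = _name(ev.parent_image), _name(ev.image)
        rules = set()
        if parent == "eqnedt32.exe":
            # Equation Editor has no legitimate reason to start any process.
            rules.add("equation-editor-child")
        if parent in OFFICE_IMAGES and _user_writable(ev.image):
            rules.add("office-spawns-user-writable-exe")
        if child == parent and _user_writable(ev.image):
            # A dropped binary re-launching itself is the hollowing pattern the
            # SetThreadContext / WriteProcessMemory IoCs describe.
            rules.add("self-spawn-hollowing-candidate")
        if child == "vbc.exe" and not ev.image.lower().startswith(DOTNET_ROOT):
            rules.add("vbc.exe-outside-dotnet")
        if rules:
            hits[ev.pid] = rules
    return hits


OFFICE14 = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"
PUBLIC_VBC = "C:\\Users\\Public\\vbc.exe"
TEMP_DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jGwtsgfcAwgrRaYqBrXLHt.exe"
EQNEDT = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"

# Constructed from the report's process tree; the parent images of the three
# top-level Office processes (explorer.exe / svchost.exe) are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1692, 1000, OFFICE14 + "EXCEL.EXE", "C:\\Windows\\explorer.exe",
              f'"{OFFICE14}EXCEL.EXE" /dde C:\\Users\\Admin\\AppData\\Local\\Temp\\decrypted.xlsm'),
    ProcEvent(1752, 1692, TEMP_DROPPER, OFFICE14 + "EXCEL.EXE", TEMP_DROPPER),
    ProcEvent(1352, 1752, PUBLIC_VBC, TEMP_DROPPER, f'"{PUBLIC_VBC}"'),
    ProcEvent(936, 1352, PUBLIC_VBC, PUBLIC_VBC, f'"{PUBLIC_VBC}"'),
    ProcEvent(740, 1001, OFFICE14 + "WINWORD.EXE", "C:\\Windows\\System32\\svchost.exe",
              f'"{OFFICE14}WINWORD.EXE" -Embedding'),
    ProcEvent(808, 740, "C:\\Windows\\splwow64.exe", OFFICE14 + "WINWORD.EXE",
              "C:\\Windows\\splwow64.exe 12288"),
    ProcEvent(1644, 1001, EQNEDT, "C:\\Windows\\System32\\svchost.exe", f'"{EQNEDT}" -Embedding'),
    ProcEvent(1212, 1644, PUBLIC_VBC, EQNEDT, f'"{PUBLIC_VBC}"'),
    ProcEvent(1904, 1212, PUBLIC_VBC, PUBLIC_VBC, f'"{PUBLIC_VBC}"'),
]

if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(sorted(rules)))
```

The benign WINWORD.EXE -> splwow64.exe launch stays silent because splwow64.exe lives under C:\Windows, which is the reason the rule tests the child's directory rather than only the parent's name.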
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Deduplicated: the original listing repeats each artifact once per file event (C:\Users\Public\vbc.exe nine times, \Users\Public\vbc.exe seven times, the Temp dropper twice under each spelling), with identical hashes in every repeat.
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CSMPMU9R\vbc[1].exe (532KB); byte-identical to C:\Users\Public\vbc.exe, the binary behind PIDs 1212, 1352 and 936 and the Outlook/browser stealer behaviour
  MD5 75c415220becc3ddad0a7cb84ef37155
  SHA1 edc412ccf2c7dac8aff2272d84c5083de59080e2
  SHA256 ea135a6b1296c4041c8c5083b84573ce167e3ad757c0989c9060a902eec15e46
  SHA512 cb8ad153295ea03e833d102c81e0d781edb9485ad9fc2d9a0532654d934831604c37fa1244e9781116a0a92a07a0ecf811ba4dadaf7d62a9c454777f344b7783
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V789HYVY\receipt[1].doc (20KB)
  MD5 420c0ada5b084930072500dda293f55b
  SHA1 f0e5d7edfde6641670c79ecf0ae4e70ea78e5387
  SHA256 1b7f1ee778e86d3e4ee56ea99b6c1951f2be2ad261d4a5ff691de4437e6dc1a0
  SHA512 c0d5adb3912f2d7293e4bd0455352feedfa2e9dea8d78cb827fa22d3c20b0d14db89024ea1c3aa6e71e8d84a9ac298584b3064e4e2a47d6deeed57e37dcbfb76
- C:\Users\Admin\AppData\Local\Temp\jGwtsgfcAwgrRaYqBrXLHt.exe (3KB), the intermediate dropper started by EXCEL.EXE
  MD5 5fba4d1a0060d727411412a9c6a2ab98
  SHA1 693c3f5603291437f8c0b76ad540904bc0650173
  SHA256 85fa61b47359faf795bb7849e0352ccab52073877912a1b15566cd465837ec4b
  SHA512 445491b6cc49f85ef170b6d6d03215153d1a3f9e1fc204982045e4ae05e2e96e89432c1b4a5fd7bb2c42b0dbe97c1f41e7fb58dcc4e98b560a4ad703b34bc8dd
- C:\Users\Public\vbc.exe (532KB), same hashes as vbc[1].exe above
Memory dumps
One line per dump, grouped by process; "mapping.dmp" entries carry only an address and no size.
PID 740 (WINWORD.EXE):
- memory/740-59-0x000000006B811000-0x000000006B814000-memory.dmp (12KB)
- memory/740-63-0x000000007290D000-0x0000000072918000-memory.dmp (44KB)
- memory/740-108-0x000000007290D000-0x0000000072918000-memory.dmp (44KB)
- memory/740-138-0x000000007290D000-0x0000000072918000-memory.dmp (44KB)
PID 808 (splwow64.exe):
- memory/808-74-0x0000000000000000-mapping.dmp
- memory/808-76-0x000007FEFC081000-0x000007FEFC083000-memory.dmp (8KB)
PID 936 (vbc.exe, hollowed child of 1352; the 648KB image exceeds the 532KB file on disk):
- memory/936-114-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-115-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-117-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-119-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-122-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-126-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-128-0x00000000004139DE-mapping.dmp
- memory/936-131-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-133-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
- memory/936-134-0x0000000000400000-0x00000000004A2000-memory.dmp (648KB)
PID 1212 (vbc.exe):
- memory/1212-71-0x0000000000000000-mapping.dmp
- memory/1212-75-0x0000000000190000-0x000000000021A000-memory.dmp (552KB)
- memory/1212-110-0x00000000006B0000-0x00000000006BE000-memory.dmp (56KB)
- memory/1212-113-0x0000000002270000-0x0000000002290000-memory.dmp (128KB)
PID 1352 (vbc.exe):
- memory/1352-88-0x0000000000000000-mapping.dmp
- memory/1352-107-0x0000000001D00000-0x0000000001D20000-memory.dmp (128KB)
- memory/1352-111-0x0000000005240000-0x00000000052A2000-memory.dmp (392KB)
- memory/1352-112-0x0000000004DF0000-0x0000000004E10000-memory.dmp (128KB)
PID 1692 (EXCEL.EXE):
- memory/1692-54-0x000000002F521000-0x000000002F524000-memory.dmp (12KB)
- memory/1692-55-0x0000000071921000-0x0000000071923000-memory.dmp (8KB)
- memory/1692-56-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1692-57-0x000000007290D000-0x0000000072918000-memory.dmp (44KB)
- memory/1692-58-0x0000000075951000-0x0000000075953000-memory.dmp (8KB)
- memory/1692-65-0x000000007290D000-0x0000000072918000-memory.dmp (44KB)
- memory/1692-92-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-93-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-94-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-95-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-96-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-97-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-98-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-99-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-100-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-101-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-102-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-103-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-104-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-105-0x0000000003090000-0x0000000003093000-memory.dmp (12KB)
- memory/1692-106-0x0000000003090000-0x0000000003093000-memory.dmp (12KB)
- memory/1692-109-0x00000000056C0000-0x00000000057C0000-memory.dmp (1024KB)
- memory/1692-135-0x000000005FFF0000-0x0000000060000000-memory.dmp (64KB)
- memory/1692-137-0x000000007290D000-0x0000000072918000-memory.dmp (44KB)
- memory/1692-139-0x0000000003090000-0x0000000003093000-memory.dmp (12KB)
PID 1752 (jGwtsgfcAwgrRaYqBrXLHt.exe):
- memory/1752-80-0x0000000000000000-mapping.dmp
- memory/1752-90-0x0000000000400000-0x0000000000403000-memory.dmp (12KB)