Analysis
-
max time kernel
152s -
max time network
177s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
03-12-2022 01:31
Static task
static1
Behavioral task
behavioral1
Sample
3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f.rtf
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f.rtf
Resource
win10v2004-20220901-en
General
-
Target
3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f.rtf
-
Size
23KB
-
MD5
4c6aaef387645227a1a987043d56d6be
-
SHA1
feaec8f7f4652115ee34e2eae79987778ca87de9
-
SHA256
3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f
-
SHA512
ef2d4e034f262fbe25a81f9db08b00c7c87881c96c76c7958ca547174f6b9791ea64bc499936af27b140cac2d9161b24f04edab9b13fd3889f916d22da97879c
-
SSDEEP
384:KQMmdOFNYY0aaaIswqPeOrka1+fHQJ+t3rQkRhZ9GBpwe2ok/+EeIA:GFx0XaIsnPRIa4fwJMi7J2ok/HHA
Malware Config
Extracted
remcos
1.7 Pro
Dec 1st
terzona2022.duckdns.org:3030
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
Windows input text.exe
-
copy_folder
Microsoft Text
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
true
-
install_flag
true
-
install_path
%WinDir%
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
Windows Display
-
keylog_path
%WinDir%
-
mouse_option
false
-
mutex
Windows Audio
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
Microsoft Sound Text
-
take_screenshot_option
true
-
take_screenshot_time
5
-
take_screenshot_title
Username;password;proforma;invoice;notepad
Signatures
-
Processes:
reg.exereg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 1416 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 5 IoCs
Processes:
chungec84736.exechungec84736.exechungec84736.exeWindows input text.exeWindows input text.exepid process 1712 chungec84736.exe 1832 chungec84736.exe 840 chungec84736.exe 816 Windows input text.exe 1760 Windows input text.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEcmd.exepid process 1416 EQNEDT32.EXE 1892 cmd.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
chungec84736.exeWindows input text.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ chungec84736.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Text = "\"C:\\Windows\\Microsoft Text\\Windows input text.exe\"" chungec84736.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Windows input text.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Sound Text = "\"C:\\Windows\\Microsoft Text\\Windows input text.exe\"" Windows input text.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
chungec84736.exeWindows input text.exeWindows input text.exedescription pid process target process PID 1712 set thread context of 840 1712 chungec84736.exe chungec84736.exe PID 816 set thread context of 1760 816 Windows input text.exe Windows input text.exe PID 1760 set thread context of 1188 1760 Windows input text.exe iexplore.exe -
Drops file in Windows directory 4 IoCs
Processes:
WINWORD.EXEchungec84736.exedescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File created C:\Windows\Microsoft Text\Windows input text.exe chungec84736.exe File opened for modification C:\Windows\Microsoft Text\Windows input text.exe chungec84736.exe File opened for modification C:\Windows\Microsoft Text chungec84736.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEiexplore.exeIEXPLORE.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{175CFD61-72B3-11ED-BF3D-D6AAFEFD221A} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 WINWORD.EXE -
Modifies registry key 1 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1756 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
chungec84736.exepid process 1712 chungec84736.exe 1712 chungec84736.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
chungec84736.exedescription pid process Token: SeDebugPrivilege 1712 chungec84736.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
iexplore.exepid process 952 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
WINWORD.EXEiexplore.exeIEXPLORE.EXEpid process 1756 WINWORD.EXE 1756 WINWORD.EXE 952 iexplore.exe 952 iexplore.exe 1500 IEXPLORE.EXE 1500 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEchungec84736.exechungec84736.execmd.execmd.exeWindows input text.exeWindows input text.execmd.exedescription pid process target process PID 1416 wrote to memory of 1712 1416 EQNEDT32.EXE chungec84736.exe PID 1416 wrote to memory of 1712 1416 EQNEDT32.EXE chungec84736.exe PID 1416 wrote to memory of 1712 1416 EQNEDT32.EXE chungec84736.exe PID 1416 wrote to memory of 1712 1416 EQNEDT32.EXE chungec84736.exe PID 1756 wrote to memory of 1388 1756 WINWORD.EXE splwow64.exe PID 1756 wrote to memory of 1388 1756 WINWORD.EXE splwow64.exe PID 1756 wrote to memory of 1388 1756 WINWORD.EXE splwow64.exe PID 1756 wrote to memory of 1388 1756 WINWORD.EXE splwow64.exe PID 1712 wrote to memory of 1832 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 1832 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 1832 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 1832 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 1712 wrote to memory of 840 1712 chungec84736.exe chungec84736.exe PID 840 wrote to memory of 1644 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1644 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1644 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1644 840 chungec84736.exe cmd.exe PID 1644 wrote to memory of 468 1644 cmd.exe reg.exe PID 1644 wrote to memory of 468 1644 cmd.exe reg.exe PID 1644 wrote to memory of 468 1644 cmd.exe reg.exe PID 1644 wrote to memory of 468 1644 cmd.exe reg.exe PID 840 wrote to memory of 1892 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1892 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1892 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1892 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1892 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1892 840 chungec84736.exe cmd.exe PID 840 wrote to memory of 1892 840 chungec84736.exe cmd.exe PID 1892 wrote to memory of 1116 1892 cmd.exe PING.EXE PID 1892 wrote to memory of 1116 1892 cmd.exe PING.EXE PID 1892 wrote to memory of 1116 1892 cmd.exe PING.EXE PID 1892 wrote to memory of 1116 1892 cmd.exe PING.EXE PID 1892 wrote to memory of 816 1892 cmd.exe Windows input text.exe PID 1892 wrote to memory of 816 1892 cmd.exe Windows input text.exe PID 1892 wrote to memory of 816 1892 cmd.exe Windows input text.exe PID 1892 wrote to memory of 816 1892 cmd.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 816 wrote to memory of 1760 816 Windows input text.exe Windows input text.exe PID 1760 wrote to memory of 1084 1760 Windows input text.exe cmd.exe PID 1760 wrote to memory of 1084 1760 Windows input text.exe cmd.exe PID 1760 wrote to memory of 1084 1760 Windows input text.exe cmd.exe PID 1760 wrote to memory of 1084 1760 Windows input text.exe cmd.exe PID 1084 wrote to memory of 1736 1084 cmd.exe reg.exe PID 1084 wrote to memory of 1736 1084 cmd.exe reg.exe PID 1084 wrote to memory of 1736 1084 cmd.exe reg.exe PID 1084 wrote to memory of 1736 1084 cmd.exe reg.exe PID 1760 wrote to memory of 1188 1760 Windows input text.exe iexplore.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\3cf83d826c47b887733f5f279e16936e9fa36efb6ad6badd5b1fb3aaeeb43a2f.rtf"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\chungec84736.exe"C:\Users\Admin\AppData\Roaming\chungec84736.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\chungec84736.exe"C:\Users\Admin\AppData\Roaming\chungec84736.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\chungec84736.exe"C:\Users\Admin\AppData\Roaming\chungec84736.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEPING 127.0.0.1 -n 25⤵
- Runs ping.exe
-
C:\Windows\Microsoft Text\Windows input text.exe"C:\Windows\Microsoft Text\Windows input text.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft Text\Windows input text.exe"C:\Windows\Microsoft Text\Windows input text.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f8⤵
- UAC bypass
- Modifies registry key
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"7⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.08⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:952 CREDAT:275457 /prefetch:29⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\install.batFilesize
99B
MD5cd13321bdef41f7575c97a6c302668c1
SHA1f7de6ac53a6914dde55fe408c67ec934686ecc9f
SHA2562e7ff7169fe44c0360335a47264f1963bb65ae1ca3f93a20922074f143491dc8
SHA51275ea823f45820f7bc118f8f982faee3b4ede68ab42958723647c356b9f667026d37c75702f4360bc38e19b44efbf4d9bf574e8b65f6a8ef37139216041ab234b
-
C:\Users\Admin\AppData\Roaming\chungec84736.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
C:\Users\Admin\AppData\Roaming\chungec84736.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
C:\Users\Admin\AppData\Roaming\chungec84736.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
C:\Users\Admin\AppData\Roaming\chungec84736.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
C:\Windows\Microsoft Text\Windows input text.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
C:\Windows\Microsoft Text\Windows input text.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
C:\Windows\Microsoft Text\Windows input text.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
\Users\Admin\AppData\Roaming\chungec84736.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
\Windows\Microsoft Text\Windows input text.exeFilesize
845KB
MD5a978a64c13cfda974d57a2f8f551ce1d
SHA1f2dfb8462deba835a5128642330d51a4f2c94d90
SHA256f78c1d9582dfebb90c4fc5455d3d12817506ab177c5716bf6d69aadb0ad5f3fa
SHA51242d21b4bcfe604a5d103390457565857042022345caef15d5ea69741ee4eddc546493c7957986f1ef2b3830eed6bf74cd3f4319c582182f9ea5db3389ad64a24
-
memory/468-88-0x0000000000000000-mapping.dmp
-
memory/816-98-0x0000000000D00000-0x0000000000DDA000-memory.dmpFilesize
872KB
-
memory/816-100-0x00000000004F0000-0x0000000000506000-memory.dmpFilesize
88KB
-
memory/816-96-0x0000000000000000-mapping.dmp
-
memory/840-85-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/840-91-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/840-73-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/840-74-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/840-81-0x000000000040FD88-mapping.dmp
-
memory/840-80-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/840-79-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/840-78-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/840-76-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1084-114-0x0000000000000000-mapping.dmp
-
memory/1116-93-0x0000000000000000-mapping.dmp
-
memory/1388-68-0x000007FEFB931000-0x000007FEFB933000-memory.dmpFilesize
8KB
-
memory/1388-67-0x0000000000000000-mapping.dmp
-
memory/1644-87-0x0000000000000000-mapping.dmp
-
memory/1712-66-0x00000000001F0000-0x0000000000206000-memory.dmpFilesize
88KB
-
memory/1712-70-0x00000000050A0000-0x0000000005118000-memory.dmpFilesize
480KB
-
memory/1712-71-0x0000000000640000-0x0000000000680000-memory.dmpFilesize
256KB
-
memory/1712-61-0x0000000000000000-mapping.dmp
-
memory/1712-69-0x00000000003C0000-0x00000000003CE000-memory.dmpFilesize
56KB
-
memory/1712-64-0x0000000000EF0000-0x0000000000FCA000-memory.dmpFilesize
872KB
-
memory/1736-115-0x0000000000000000-mapping.dmp
-
memory/1756-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1756-54-0x0000000072281000-0x0000000072284000-memory.dmpFilesize
12KB
-
memory/1756-58-0x0000000070CED000-0x0000000070CF8000-memory.dmpFilesize
44KB
-
memory/1756-57-0x0000000075141000-0x0000000075143000-memory.dmpFilesize
8KB
-
memory/1756-89-0x0000000070CED000-0x0000000070CF8000-memory.dmpFilesize
44KB
-
memory/1756-55-0x000000006FD01000-0x000000006FD03000-memory.dmpFilesize
8KB
-
memory/1756-86-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1760-109-0x000000000040FD88-mapping.dmp
-
memory/1760-113-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1760-116-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1892-90-0x0000000000000000-mapping.dmp