Analysis
-
max time kernel: 600s
max time network: 602s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20-02-2023 11:21
-
Static task: static1
Behavioral task behavioral1: sample Updated ORDER.docx, resource win10-20220812-en
Behavioral task behavioral2: sample Updated ORDER.docx, resource win7-20220812-en
Behavioral task behavioral3: sample Updated ORDER.docx, resource win10v2004-20220901-en
General
-
Target: Updated ORDER.docx
Size: 11KB
MD5: 98d58338e27f9aad2ef3c5a0a4df20ab
SHA1: 1af7e9a0b504f116db06090cb229c64b54a607b8
SHA256: 5f195b9a20724e347f6a90bceb30081141ddceaf0fbee468cbd120d3d4425717
SHA512: dea40ac1624aa1ee9ab743c897a1f00764ad6722b9b9a329fcdcccdab9319ea85c5512c7a63fb440b0d5b55e67270ba1a417c24fb0176551021ad26ee7e2c0db
SSDEEP: 192:CtNCWUyn0i13pNXqkOcPiYFLwzvdX6Ptpwjnw+umHBCaWgk9Vlp:aNxUyn0i13LROEiOLkX6Ujnw+3NWgaVr
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: ho62
Domain list (Formbook embeds one live C2 among a list of decoys; every entry is worth recording as an indicator, but most are unrelated legitimate sites that the implant contacts only to hide the real C2 traffic):
aqawonky.com
ancachsroadsideassistance.com
artologycreatlive.com
olesinfo.africa
lovebreatheandsleep.com
friendsofdragonsprings.com
homecomingmums.wiki
hg222.bet
precision-spares.co.uk
generalhospitaleu.africa
touchstone4x4.africa
dynamator.com
dental-implants-52531.com
efefear.buzz
bentonapp.net
89luxu.com
bridgesonelm.com
acesaigon.online
instantapprovals.loans
evuniverso.com
kasoraenterprises.com
instasteamer.com
granolei.com
iamavisioniar.site
beachexplo.com
ynametro.com
littlegallery-rovinj.com
27og.com
horrorcity.online
zexo.africa
perdeumane.com
drugsaddiction.co.uk
tickleyourfancy.africa
jimyhq.top
rajputnetwork.co.uk
lacuspidehn.com
bestxdenotecyby.top
gg10siyahposet.xyz
biorigin.co.uk
jye-group.com
digito.exposed
eternalstw.com
schjetne.dev
climateviking.com
easysaldoya.xyz
1233332.xyz
centerverified.online
lezzetyemekfabrikasi.com
wzshayang.com
cloudadonis.com
zxpz6.com
alifecube.com
induscontrolpcb.site
golfingineurope.com
ducksathomephotos.com
aimeesbellaboutique.com
justrebottle.com
hachettejeunesse.pro
238142.com
casabiancapanama.com
dohenydesalination.com
1-kh.com
cdhptor.xyz
island6.work
ehirtt.com
Signatures
-
Formbook payload 4 IoCs
resource | yara_rule
behavioral2/memory/848-78-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/848-85-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1524-88-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral2/memory/1524-91-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\4H-X6TWHWZ = "C:\\Program Files (x86)\\Ambs\\ms7nm81n.exe" | cmmon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmmon32.exe
Policies\Explorer\Run is the Group Policy-managed variant of the Run key: Explorer processes it at logon exactly like HKLM\...\CurrentVersion\Run, but it is inspected far less often, and on a host that is not under Group Policy any entry there deserves a second look. The value name (4H-X6TWHWZ) and the drop directory (Ambs) are random per infection; the hunt should key on the registry path, not on these strings.
-
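The check a responder would run across a fleet is to pull this key from each host and flag whatever sits in it. The following is an added example, not part of the sandbox report: it parses the plain-text form of a `reg export` (.reg) file and flags entries under Policies\Explorer\Run, plus ordinary Run entries that point into user-writable paths. The sample .reg text is constructed here and reproduces the value the report shows; the function names and the "user-writable" heuristic are this example's own choices.

```python
"""Parse a `reg export` (.reg) text and flag autorun entries in the Policies\\Explorer\\Run key."""
import re

# Constructed .reg text. The first value reproduces what the report shows cmmon32.exe writing;
# the second is an ordinary Run entry added for contrast. A real export is UTF-16LE with a BOM,
# so decode it to str before passing it in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"4H-X6TWHWZ"="C:\\Program Files (x86)\\Ambs\\ms7nm81n.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# "name"="value" lines; .reg escapes backslashes and quotes with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\, \\" -> \")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str):
    """Return [(key, name, value)] for every REG_SZ value in the export; other types are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := _VALUE_RE.match(line)):
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


POLICY_RUN = r"\currentversion\policies\explorer\run"
# Heuristic (this example's own): autoruns living in user-writable locations are suspect.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def flag_autoruns(entries):
    """Return [(reason, key, name, value)] for entries worth a look."""
    findings = []
    for key, name, value in entries:
        k, v = key.lower(), value.lower()
        if k.endswith(POLICY_RUN):
            # Anything in the policy Run key is flagged: it is rarely populated legitimately.
            findings.append(("policies_explorer_run", key, name, value))
        elif k.endswith(r"\currentversion\run") and any(p in v for p in USER_WRITABLE):
            findings.append(("run_from_user_writable_path", key, name, value))
    return findings


if __name__ == "__main__":
    for finding in flag_autoruns(parse_reg(SAMPLE_REG)):
        print(" | ".join(finding))
```

Feed it `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" out.reg` output (and the Wow6432Node and HKCU equivalents) collected from endpoints; the Formbook entry is reported by key path alone, without depending on the random value name.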
Blocklisted process makes network request 1 IoCs
flow | pid | process
7 | 608 | EQNEDT32.EXE
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\14.0\Common | WINWORD.EXE
Key opened | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\Common\Offline\Files\http://1332625003/O--O.DOC | WINWORD.EXE
The 11KB DOCX carries no exploit itself; it references an external document that Word fetches on open. The host in that URL, 1332625003, is an IPv4 address written as a single decimal number (79.110.62.107), a form that defeats naive domain and dotted-IP blocklists but that Windows resolves without complaint. The Equation Editor launch recorded below is consistent with the fetched O--O.DOC, not the DOCX, being the exploit stage.
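Pulling the URL out of the Offline\Files key and normalising the dotless host is the kind of thing that should be automated rather than done by hand. The block below is an added example, not code from the sandbox or from this report's author: it extracts the URL from the registry path shown above and rewrites decimal, hexadecimal (0x...) and octal (leading 0) IPv4 hosts to dotted-quad form so the indicator matches the rest of your blocklist. The function names are this example's own; the sample key path is copied from the report.

```python
"""Normalise obfuscated IPv4 hosts in URLs recovered from Office remote-template IoCs."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Registry key copied from the report: Word records the remote document it fetched under
# ...\Office\Common\Offline\Files\<URL>, so the URL can be lifted straight out of the key path.
SAMPLE_KEY = (r"\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000"
              r"\Software\Microsoft\Office\Common\Offline\Files\http://1332625003/O--O.DOC")


def url_from_offline_files_key(key_path: str):
    """Return the URL suffix of an Office Offline\\Files key, or None if the key is not one."""
    marker = "\\Offline\\Files\\"
    i = key_path.find(marker)
    return None if i < 0 else key_path[i + len(marker):]


def normalise_host(host: str) -> str:
    """Turn a dotless decimal, hex (0x...) or octal (0...) IPv4 host into dotted-quad form.
    Hostnames and already-dotted addresses are returned unchanged."""
    h = host.strip().lower()
    try:
        if h.startswith("0x"):
            n = int(h[2:], 16)
        elif h.isdigit():
            # A leading zero selects octal, mirroring what inet_aton-style parsers do.
            n = int(h, 8) if len(h) > 1 and h[0] == "0" else int(h, 10)
        else:
            return host
    except ValueError:
        return host
    if not 0 <= n <= 0xFFFFFFFF:
        return host
    return str(ipaddress.IPv4Address(n))


def normalise_url(url: str) -> str:
    """Rewrite the host part of url with normalise_host, keeping scheme, port, path and query."""
    p = urlsplit(url)
    if not p.hostname:
        return url
    host = normalise_host(p.hostname)
    netloc = f"{host}:{p.port}" if p.port else host
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))


if __name__ == "__main__":
    url = url_from_offline_files_key(SAMPLE_KEY)
    print(url, "->", normalise_url(url))
```

Record both forms: the raw `1332625003` string is what appears in proxy logs and in the document's relationship XML, while `79.110.62.107` is what your firewall and threat-intel feeds key on.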
Executes dropped EXE 4 IoCs
pid | process
1300 | vbc.exe
1744 | rvcgltry.exe
848 | rvcgltry.exe
1160 | ms7nm81n.exe
-
Loads dropped DLL 7 IoCs
pid | process
608 | EQNEDT32.EXE
1300 | vbc.exe
1744 | rvcgltry.exe
608 | WerFault.exe (4 rows)
PID 608 appears for both EQNEDT32.EXE and, later, WerFault.exe: the sandbox reused the PID after Equation Editor exited. The WerFault.exe rows belong to the crash handler for ms7nm81n.exe (pid 1160), not to Equation Editor; when correlating rows across this report, match on PID plus image name, not PID alone.
-
Uses the VBS compiler for execution 1 TTPs
This signature fires on the file name only. The vbc.exe here is not Microsoft's Visual Basic compiler but a 423KB dropped executable written to C:\Users\Public\vbc.exe (see Downloads), named to blend in with the real tool.
-
Suspicious use of SetThreadContext 4 IoCs
description | pid | process | target process
PID 1744 set thread context of 848 | 1744 | rvcgltry.exe | rvcgltry.exe
PID 848 set thread context of 1196 | 848 | rvcgltry.exe | Explorer.EXE
PID 848 set thread context of 1196 | 848 | rvcgltry.exe | Explorer.EXE
PID 1524 set thread context of 1196 | 1524 | cmmon32.exe | Explorer.EXE
The sequence is the standard Formbook chain: the loader hollows a second copy of itself (1744 -> 848), the hollowed copy injects into the shell (848 -> Explorer.EXE), and Explorer is then used to start a randomly chosen system binary (here cmmon32.exe) that carries the implant and injects back into Explorer.
-
Drops file in Program Files directory 2 IoCs
description | ioc | process
File opened for modification | C:\Program Files (x86)\Ambs\ms7nm81n.exe | cmmon32.exe
File created | C:\Program Files (x86)\Ambs\ms7nm81n.exe | Explorer.EXE
The File created row is attributed to Explorer.EXE because the Formbook code performing the copy runs inside the shell after the injection recorded above; it is not the shell's own activity.
-
Drops file in Windows directory 1 IoCs
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
wiatrace.log is the Windows Image Acquisition trace file; Word touching it is normal Office activity, not part of the infection.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note that this is "likely ransomware behaviour" does not fit this sample: it is Formbook, a stealer, and no file-encryption activity appears anywhere in this run.
-
Program crash 1 IoCs
pid | pid_target | process | target process
608 | 1160 | WerFault.exe | ms7nm81n.exe
The crashing process is the persisted copy of the payload (ms7nm81n.exe, started from the policy Run key); the original injection chain had already completed.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. It is started out-of-process by DCOM (note the -Embedding switch on its command line), so it sits at the top level of the process tree rather than under WINWORD.EXE; detection rules that only look at children of WINWORD.EXE will not see the vbc.exe launch beneath it.
-
Modifies Internet Explorer settings 32 IoCs
description | ioc | process
Key created | \Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | WINWORD.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | WINWORD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | WINWORD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | WINWORD.EXE
All of the WINWORD.EXE rows are Office 14 registering itself as the HTML/MHTML editor and adding its OneNote and Excel context-menu entries on first run; they are noise. The one row that matters is the first: cmmon32.exe, which at that point is running the injected Formbook code, touching IntelliForms\Storage2, the key under which Internet Explorer keeps saved form data and credentials. The hex "Set value (data)" blobs are UTF-16LE strings (the first decodes to xb'BV5!!!!!!!!!MKKSkWORDFiles>bi$T!V!0Z={Pk0vm~AZu /n "%1"), the Windows Installer "Darwin descriptor" form in which Office stores advertised component commands.
-
Modifies registry class 64 IoCs
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | WINWORD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | WINWORD.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | WINWORD.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | WINWORD.EXE
Every row here is WINWORD.EXE registering the Office 14 .htm/.mht handlers, DDE verbs and icon handler on first launch in a fresh image. None of it is attacker activity; it is listed because the sandbox image had not run Word before.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | process
1636 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
848 | rvcgltry.exe (3 rows)
1524 | cmmon32.exe (61 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
1196 | Explorer.EXE
-
Suspicious behavior: MapViewOfSection 9 IoCs
pid | process
1744 | rvcgltry.exe
848 | rvcgltry.exe (4 rows)
1524 | cmmon32.exe (4 rows)
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
description | pid | process
Token: SeDebugPrivilege | 848 | rvcgltry.exe
Token: SeShutdownPrivilege | 1196 | Explorer.EXE (4 rows)
Token: SeDebugPrivilege | 1524 | cmmon32.exe
Token: SeShutdownPrivilege | 1196 | Explorer.EXE (2 rows)
Token: SeShutdownPrivilege | 1636 | WINWORD.EXE
Token: SeShutdownPrivilege | 1196 | Explorer.EXE (4 rows)
-
Suspicious use of FindShellTrayWindow 12 IoCs
pid | process
1196 | Explorer.EXE (12 rows)
-
Suspicious use of SendNotifyMessage 4 IoCs
pid | process
1196 | Explorer.EXE (4 rows)
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | process
1636 | WINWORD.EXE (2 rows)
-
Suspicious use of WriteProcessMemory 38 IoCs
description | pid | process | target process
PID 608 wrote to memory of 1300 | 608 | EQNEDT32.EXE | vbc.exe (4 rows)
PID 1300 wrote to memory of 1744 | 1300 | vbc.exe | rvcgltry.exe (4 rows)
PID 1744 wrote to memory of 848 | 1744 | rvcgltry.exe | rvcgltry.exe (5 rows)
PID 1636 wrote to memory of 1004 | 1636 | WINWORD.EXE | splwow64.exe (4 rows)
PID 1196 wrote to memory of 1524 | 1196 | Explorer.EXE | cmmon32.exe (4 rows)
PID 1524 wrote to memory of 964 | 1524 | cmmon32.exe | cmd.exe (4 rows)
PID 1524 wrote to memory of 1932 | 1524 | cmmon32.exe | Firefox.exe (5 rows)
PID 1196 wrote to memory of 1160 | 1196 | Explorer.EXE | ms7nm81n.exe (4 rows)
PID 1160 wrote to memory of 608 | 1160 | ms7nm81n.exe | WerFault.exe (4 rows)
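The SetThreadContext and WriteProcessMemory tables above, read together with the process tree, are enough to write detection logic for this chain. The block below is an added example and not part of the report: it runs three rules over a list of process events (an Equation Editor child, a spawn followed by a write and a thread-context set on the same parent/child pair, and a thread-context set into explorer.exe from anything other than the shell) and reconstructs the spawn lineage from a root PID. The event records are constructed here from the report's PIDs and image names; the record layout, the rule names and the function names are this example's own.

```python
"""Flag the Equation Editor -> dropper -> hollowing -> Explorer injection chain from process events."""
from collections import defaultdict

# Constructed event list: PIDs and image names are copied from the report's WriteProcessMemory,
# SetThreadContext and process-tree rows; the record schema itself is this example's own.
# op: "spawn" = created child, "write" = WriteProcessMemory, "setctx" = SetThreadContext.
EVENTS = [
    {"op": "spawn",  "pid": 608,  "proc": "EQNEDT32.EXE", "tpid": 1300, "target": "vbc.exe"},
    {"op": "write",  "pid": 608,  "proc": "EQNEDT32.EXE", "tpid": 1300, "target": "vbc.exe"},
    {"op": "spawn",  "pid": 1300, "proc": "vbc.exe",      "tpid": 1744, "target": "rvcgltry.exe"},
    {"op": "spawn",  "pid": 1744, "proc": "rvcgltry.exe", "tpid": 848,  "target": "rvcgltry.exe"},
    {"op": "write",  "pid": 1744, "proc": "rvcgltry.exe", "tpid": 848,  "target": "rvcgltry.exe"},
    {"op": "setctx", "pid": 1744, "proc": "rvcgltry.exe", "tpid": 848,  "target": "rvcgltry.exe"},
    {"op": "setctx", "pid": 848,  "proc": "rvcgltry.exe", "tpid": 1196, "target": "Explorer.EXE"},
    {"op": "spawn",  "pid": 1196, "proc": "Explorer.EXE", "tpid": 1524, "target": "cmmon32.exe"},
    {"op": "setctx", "pid": 1524, "proc": "cmmon32.exe",  "tpid": 1196, "target": "Explorer.EXE"},
    # Benign control: Word starting the print spooler helper also writes to its child.
    {"op": "spawn",  "pid": 1636, "proc": "WINWORD.EXE",  "tpid": 1004, "target": "splwow64.exe"},
    {"op": "write",  "pid": 1636, "proc": "WINWORD.EXE",  "tpid": 1004, "target": "splwow64.exe"},
]

SHELL = "explorer.exe"


def detect(events):
    """Return a list of (rule, pid, proc, tpid, target) alerts in the order they are found."""
    alerts = []
    ops_by_pair = defaultdict(set)
    for e in events:
        pair = (e["pid"], e["proc"], e["tpid"], e["target"])
        ops_by_pair[pair].add(e["op"])
        # Rule 1: Equation Editor has no business spawning children; any child is exploitation.
        if e["op"] == "spawn" and e["proc"].lower() == "eqnedt32.exe":
            alerts.append(("equation_editor_child",) + pair)
        # Rule 2: something other than the shell rewriting a thread context inside explorer.exe.
        if e["op"] == "setctx" and e["target"].lower() == SHELL and e["proc"].lower() != SHELL:
            alerts.append(("thread_context_into_explorer",) + pair)
    # Rule 3: spawn + write + set-thread-context on one parent/child pair is process hollowing.
    # A plain spawn + write (CreateProcess writes the child's startup data) is not enough.
    for pair, ops in ops_by_pair.items():
        if {"spawn", "write", "setctx"} <= ops:
            alerts.append(("process_hollowing",) + pair)
    return alerts


def lineage(events, root_pid):
    """Pre-order walk of spawn edges from root_pid, returned as [(pid, image name)]."""
    names, children = {}, defaultdict(list)
    for e in events:
        names[e["pid"]] = e["proc"]
        if e["op"] == "spawn":
            names[e["tpid"]] = e["target"]
            children[e["pid"]].append(e["tpid"])
    out, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        out.append((pid, names.get(pid, "?")))
        stack.extend(reversed(children.get(pid, [])))
    return out


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
    print(" -> ".join(f"{name}({pid})" for pid, name in lineage(EVENTS, 608)))
```

Rule 3 is the one to keep tight: the Word-to-splwow64 pair shows that a parent writing to a freshly created child is ordinary, so it is the later SetThreadContext on the same pair that turns the write into hollowing.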
Processes
-
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Updated ORDER.docx"
    - Abuses OpenXML format to download file from external location
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\splwow64.exe
      command line: C:\Windows\splwow64.exe 12288
  C:\Windows\SysWOW64\cmmon32.exe
    command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
  C:\Program Files (x86)\Ambs\ms7nm81n.exe
    command line: "C:\Program Files (x86)\Ambs\ms7nm81n.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 244
      - Loads dropped DLL
      - Program crash
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Public\vbc.exe
    command line: "C:\Users\Public\vbc.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe" C:\Users\Admin\AppData\Local\Temp\xjfdjrmdyjo.r
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
Indentation shows parent/child depth. Two things in the tree are worth calling out: the injected cmmon32.exe deletes the original dropper (cmd.exe /c del ...rvcgltry.exe) once it no longer needs it, and it launches Firefox.exe and writes into it, the browser being one of the targets Formbook injects into for credential capture.
Downloads
-
C:\Program Files (x86)\Ambs\ms7nm81n.exe
Filesize: 296KB
MD5: e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA1: 8415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256: edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA512: 62228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\rvcgltry.exe
Filesize: 296KB
MD5: e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA1: 8415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256: edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA512: 62228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
C:\Users\Admin\AppData\Local\Temp\tclpuoflals.opy
Filesize: 205KB
MD5: deac0048a0c6ec356070a82ce292fe6f
SHA1: 537f69f232356d953ce0474032efb7bcd14ef39f
SHA256: dafcc435e99f4fd4798fdd740b6379685764037093d83547ffb500f043f1d646
SHA512: 4e51b1a11c010f5525c6774234f33f7c4076c067bd1cd7921cdc7c204f2032e9939b4c4740f049740ad957e5a8b1f0f1b0ed7b15c6b97f3571c6feed0d31557e
-
C:\Users\Admin\AppData\Local\Temp\xjfdjrmdyjo.r
Filesize: 6KB
MD5: 63ea2b1b129b3bdb981a0ab43167e734
SHA1: 97f8c5869717e0fc9625aa128b0b9f473121bc0b
SHA256: db767d3f93786d24e935f5ee35b65ea6038b786cf6e57ade24404de162a0de84
SHA512: 1f707e603fec74832e55bb57803461c45408ff17bd00222fb17d0bbd5faac2bb0365897e00ebaa18cdd5d84780c1153b87f7f049af8cc35306f6ffda1d878b7e
-
C:\Users\Admin\AppData\Roaming\-4R--QQC\-4Rlogim.jpeg
Filesize: 63KB
MD5: 05d73590b60e67a46e64b9a901381ee8
SHA1: d948fdaa4527d3f5836ae975c4c0c1940de8c08f
SHA256: bcc428946567389ec5718eb8823ef382c327a06de9831c894095f95cd53e6bb3
SHA512: f23c7a278bd7aa32abd97fd8748bfb63a77725d30bba68018891f1d366f6ef2086d2751b6d6e42c3fe605e0a773b1ea48c6cf0150dd4b35b682f62ae3113639b
-
C:\Users\Admin\AppData\Roaming\-4R--QQC\-4Rlogrf.ini
Filesize: 40B
MD5: 2f245469795b865bdd1b956c23d7893d
SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
-
C:\Users\Admin\AppData\Roaming\-4R--QQC\-4Rlogri.ini
Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
-
C:\Users\Admin\AppData\Roaming\-4R--QQC\-4Rlogrv.ini
Filesize: 40B
MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
-
C:\Users\Public\vbc.exe
Filesize: 423KB
MD5: d00138d4097d9e64a13f408bb7441b4f
SHA1: e7d7447a48917bb0090f4d2f80148006f91d8228
SHA256: 1954e5d17d12c8b4fabdb74dec7e0001ce7a5143052430155668111e1e4039cf
SHA512: f7a3f7c59888edc4270bb31c65bd6d25d43b16d6835d3638f1693fb0fbbef1f09aa7512f7e41bf455fd96a5cb029d491d8a33b1b727c00793134fda92b933ff4
-
\Program Files (x86)\Ambs\ms7nm81n.exe
Filesize: 296KB
MD5: e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA1: 8415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256: edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA512: 62228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
\Users\Admin\AppData\Local\Temp\rvcgltry.exe
Filesize: 296KB
MD5: e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA1: 8415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256: edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA512: 62228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
Entries that appeared several times with identical path and hashes are listed once. Three relationships are worth noting. rvcgltry.exe and ms7nm81n.exe have the same hashes: the persisted binary under Program Files (x86)\Ambs is a straight copy of the dropped loader, so one hash covers both. vbc.exe is the first-stage downloader written by Equation Editor, with a different hash from the loader it unpacks. The -4R--QQC directory under AppData\Roaming, with a logim.jpeg and 40-byte logr?.ini files, is the layout Formbook uses to stage stolen data (screenshot and log files) before exfiltration; the tiny .ini sizes mean little had been captured when the run ended.
-
\Users\Admin\AppData\Local\Temp\rvcgltry.exeFilesize
296KB
MD5e0e1e7aa194ff7f3de17a2eafe5e92eb
SHA18415a4b78de0eb06a0c715046b63b63c2a785d2d
SHA256edde7e13debc34e655dbc59e42f66644525ac72480f510b708be6a6065e2ce4c
SHA51262228860b22d660aef179b5394d7ce9e01d1b560b80e2f40cfa607bf703e5a52176702977e6da46794c80a16d7fe6dda07fc9a873dad29e6561fcd5e45c4d7b4
-
\Users\Public\vbc.exeFilesize
423KB
MD5d00138d4097d9e64a13f408bb7441b4f
SHA1e7d7447a48917bb0090f4d2f80148006f91d8228
SHA2561954e5d17d12c8b4fabdb74dec7e0001ce7a5143052430155668111e1e4039cf
SHA512f7a3f7c59888edc4270bb31c65bd6d25d43b16d6835d3638f1693fb0fbbef1f09aa7512f7e41bf455fd96a5cb029d491d8a33b1b727c00793134fda92b933ff4
-
memory/608-104-0x0000000000000000-mapping.dmp
-
memory/848-82-0x0000000000390000-0x00000000003A5000-memory.dmpFilesize
84KB
-
memory/848-79-0x0000000000890000-0x0000000000B93000-memory.dmpFilesize
3.0MB
-
memory/848-80-0x0000000000340000-0x0000000000355000-memory.dmpFilesize
84KB
-
memory/848-74-0x000000000041F070-mapping.dmp
-
memory/848-85-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/848-78-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/964-86-0x0000000000000000-mapping.dmp
-
memory/1004-76-0x0000000000000000-mapping.dmp
-
memory/1004-77-0x000007FEFC421000-0x000007FEFC423000-memory.dmpFilesize
8KB
-
memory/1160-101-0x0000000000000000-mapping.dmp
-
memory/1196-93-0x0000000006F00000-0x0000000006FD9000-memory.dmpFilesize
868KB
-
memory/1196-83-0x0000000007CE0000-0x0000000007E73000-memory.dmpFilesize
1.6MB
-
memory/1196-81-0x00000000063C0000-0x00000000064C8000-memory.dmpFilesize
1.0MB
-
memory/1196-92-0x0000000006F00000-0x0000000006FD9000-memory.dmpFilesize
868KB
-
memory/1300-62-0x0000000000000000-mapping.dmp
-
memory/1524-88-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1524-91-0x0000000000080000-0x00000000000AF000-memory.dmpFilesize
188KB
-
memory/1524-90-0x0000000000920000-0x00000000009B4000-memory.dmpFilesize
592KB
-
memory/1524-87-0x0000000000EE0000-0x0000000000EED000-memory.dmpFilesize
52KB
-
memory/1524-84-0x0000000000000000-mapping.dmp
-
memory/1524-89-0x00000000022F0000-0x00000000025F3000-memory.dmpFilesize
3.0MB
-
memory/1636-59-0x000000007197D000-0x0000000071988000-memory.dmpFilesize
44KB
-
memory/1636-54-0x0000000072F11000-0x0000000072F14000-memory.dmpFilesize
12KB
-
memory/1636-95-0x000000007197D000-0x0000000071988000-memory.dmpFilesize
44KB
-
memory/1636-94-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1636-58-0x000000007197D000-0x0000000071988000-memory.dmpFilesize
44KB
-
memory/1636-57-0x00000000762F1000-0x00000000762F3000-memory.dmpFilesize
8KB
-
memory/1636-56-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1636-55-0x0000000070991000-0x0000000070993000-memory.dmpFilesize
8KB
-
memory/1744-67-0x0000000000000000-mapping.dmp