Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
13-03-2023 09:25
Static task
static1
Behavioral task
behavioral1
Sample
PO2023.docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
PO2023.docx
Resource
win10v2004-20230220-en
General
-
Target
PO2023.docx
-
Size
10KB
-
MD5
3bd45b53b7c5bb34787723820e0fdae3
-
SHA1
67d08bbc3da158e4d600d6447350e70774a0a35b
-
SHA256
219cefc8a02aa9c891d95febd308941a2f6d2a8fb5dadcb14b747bd456d56e5f
-
SHA512
c7a19b16fc5fbc1d6a68428965f2c4b295cf226f0c91aa7e91401a1c2f121d0177c030e3c3ada1ca30d5fecd8b86d0e69227170a1965c02d0cb5eff599ff80bb
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uO1KPol+CVWBXJC0c3dkJfe:SPXU/slT+LO1YoHkZC9dqm
Malware Config
Extracted
remcos
RemoteHost
top.noforabusers1.xyz:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-5DQBA4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
formbook
dcn0
ZVx68vDtAMBCwg==
oBMBvsNORkM/O/ox
Ff9pISWkm6eG4lByIspp
c2T42c6CIIF6B8xTxm9XzpVw
bvjhxRbnAC183w==
0lTttSNG4HUDNflyIspp
hPXFlstqiHA/O/ox
WLR+MeerxZ0cNn1ja+IQAYo=
IHRn4xXOVKi477zarG+ObSy7YJA=
Xhf3e+tdAC183w==
Xk0ZAezv2rWH
kngo+vBeSRN7AszNwam3Osmguuqc0MoC
a2Qp7a+E8fSw7LDjpnqEKjsRZA==
3zjy4E7+QM48wg==
YcCmqT3OUNAigVott2pBKiy7YJA=
4+SMeX1juat/5cZ1AZihcyy7YJA=
/+m7sro0OBTl3TMpCw==
i2ctEfe4//a64yklMsgS2J90
+loZ2QKGX0UWgpvErMs=
b9BNCnJWQJS8IfsR0uR3bCy7YJA=
9eiUYE0ynHE/O/ox
F2/75pOIYNg0hzOD99192J8=
Y1xOONdO105okfha33EZ2A==
qYZIIB+dfF0wp1nVWFz067hJ2/qoXEVeAA==
moQMzat7tfKyKPYs
aMZJI/NfUSSpPQUBJ8/11g==
QKMN15GjpHcpyA==
6+S1hTvphhFfoCdj6tw=
DPynhWcnZWho7a0p33EZ2A==
EXY//zDm7ej3Guwo
PSWxPYkk0SNioSdj6tw=
jv+tmhv1ySZloydj6tw=
P8GUV5BhNZflCCBBFg==
IQZ0PWog1lcVVkJYHg==
aOTCq/Cet6AdhSdj6tw=
OBzJrqYS+eac46nZo4aI84kWMEtH
kBzTkbI2LTo/O/ox
a8pwOrU/tyx93a/QrGBpXGQIfZI=
GWoC9K5Mx0GR34urFcDPyQ==
dGxKGM2FI4iAkTOD99192J8=
UqQv8Vkx7WzkCCBBFg==
NcBsPK+YmdZP0cyhY+Lrzw==
zcKbk5oK7NCgFOpa4tHv0g==
uIomFkUTzdWa
QkAF8NuWMZmnPjCFgJBa+Y1t
51w6Gw7c3NyY
IyDnsW89dXaMrAxotF8jGZc=
1s1RHCrCwI8PnVhMY+Lrzw==
zBnRazUUWCsrM5t0SEth
1z4R/XM98Wn3j1RMY+Lrzw==
h3b34yQL3cI8wg==
/+27PhUTzdWa
CO0jnOIoAC183w==
Cn8jz+pyZEfWCCBBFg==
jI4f4NnKFwoSUb4YbnkzePzLv+Sc0MoC
xZnrS1Y+5Sxv1g==
phjYsTTGW8zAMydj6tw=
v7JcJyW3x64phzOD99192J8=
tBJ+Uh3sJxYqbyvrfF6BKjsRZA==
xRTxyfuTgMhGxg==
6ceNTfir2qmQHtxWwqIrI8GQ7h/Te/A2CA==
00gVx7d5/U5soCdj6tw=
Jgvgt58H8MFLfBzTp1VZXCe2ZYg=
1NKRY1QTzdWa
ahmedo.ch
Signatures
-
NirSoft MailPassView 3 IoCs
Password recovery tool for various email clients
Processes:
resource  yara_rule
behavioral1/memory/1932-223-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView
behavioral1/memory/1932-234-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView
behavioral1/memory/1932-247-0x0000000000400000-0x0000000000457000-memory.dmp  MailPassView
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource  yara_rule
behavioral1/memory/1600-216-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
behavioral1/memory/1600-231-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
behavioral1/memory/1600-241-0x0000000000400000-0x0000000000478000-memory.dmp  WebBrowserPassView
-
Nirsoft 8 IoCs
The three matching processes are the zipguge.exe instances that the process tree shows being launched with /stext: 1600 (WebBrowserPassView), 1932 (MailPassView) and 1632 (generic NirSoft match only). /stext <file> is the NirSoft command-line switch that writes recovered credentials to a plain-text file, so the Temp paths following it in the process tree are the credential dump files; a parent process spawning copies of itself with /stext is Remcos' usual way of running these tools in memory.
Processes:
resource  yara_rule
behavioral1/memory/1600-216-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
behavioral1/memory/1932-223-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft
behavioral1/memory/1632-232-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
behavioral1/memory/1600-231-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
behavioral1/memory/1932-234-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft
behavioral1/memory/1632-236-0x0000000000400000-0x0000000000424000-memory.dmp  Nirsoft
behavioral1/memory/1600-241-0x0000000000400000-0x0000000000478000-memory.dmp  Nirsoft
behavioral1/memory/1932-247-0x0000000000400000-0x0000000000457000-memory.dmp  Nirsoft
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
7     1344  EQNEDT32.EXE
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\14.0\Common  WINWORD.EXE
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Common\Offline\Files\http://314482727/se.......se.........se.doc  WINWORD.EXE
-
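The second key above is Word's offline-file cache entry for a remote document it fetched while opening PO2023.docx, which is what a .docx does when one of its OOXML relationships carries TargetMode="External" (the remote-template / remote-object technique). Two things are worth checking on such a file: which relationship part points outside the package, and where the URL actually goes, since the host 314482727 has no dots and is a 32-bit IPv4 address written in decimal. The script below is an added example, not part of the report or the sandbox's tooling; it walks every .rels part of a package and normalises numeric hosts the way WinINet and browsers resolve them. The .docx it scans is constructed in memory, and the oleObject relationship type used in that sample is an assumption (the report only shows that Word fetched the URL, not which relationship type carried it).

```python
"""Find OOXML relationships that point outside the package and normalise
the host they point at. Added example; the sample .docx is constructed
here and is not PO2023.docx."""
import io
import ipaddress
import re
import zipfile
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def normalise_host(url: str) -> str:
    """Host as the client will actually connect to it: a bare decimal integer
    (314482727) or 0x-prefixed hex host is an IPv4 address in 32-bit form,
    which is why the report's URL contains no dots."""
    host = urlsplit(url).hostname or ""
    if re.fullmatch(r"\d+", host):
        value = int(host, 10)
    elif re.fullmatch(r"0x[0-9a-f]+", host):
        value = int(host, 16)
    else:
        return host
    if value > 0xFFFFFFFF:
        return host  # not a valid 32-bit address; leave it as written
    return str(ipaddress.IPv4Address(value))


def external_relationships(docx_bytes: bytes) -> list:
    """Every relationship, in every .rels part, whose TargetMode is External.
    All .rels parts are walked (not only word/_rels/document.xml.rels) so a
    remote attachedTemplate in settings.xml.rels or a link inside a header
    or footer part is caught too."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                hits.append({
                    "part": part,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": target,
                    "host": normalise_host(target),
                })
    return hits


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx whose main part carries one external
    oleObject relationship to `target`. The relationship type is an
    assumption made for this example."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}oleObject" '
        f'Target="{target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml",
                     '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        pkg.writestr("word/document.xml",
                     '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        pkg.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://314482727/se.......se.........se.doc")
    for hit in external_relationships(sample):
        print(f"{hit['part']}: {hit['type']} -> {hit['target']} (host {hit['host']})")
```

Run against a real document, any hit whose target scheme is http or https deserves a look before the file is opened in Word; the host column is what to block or pivot on, because the decimal form in the URL is unlikely to appear in threat-intel feeds as written.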
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation  bmhxz.exe
-
Executes dropped EXE 10 IoCs
Processes:
pid   process
1312  vbc.exe
928   zipguge.exe
580   zipguge.exe
956   zipguge.exe
1748  dwn.exe
396   bmhxz.exe
1456  bmhxz.exe
1600  zipguge.exe
1932  zipguge.exe
1632  zipguge.exe
-
Loads dropped DLL 13 IoCs
Processes:
pid   process
1344  EQNEDT32.EXE
1312  vbc.exe
1312  vbc.exe
928   zipguge.exe
928   zipguge.exe
956   zipguge.exe
1748  dwn.exe
1748  dwn.exe
396   bmhxz.exe
956   zipguge.exe
956   zipguge.exe
956   zipguge.exe
928   help.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX-packed payload in memory (yara rule upx)
Processes:
resource  yara_rule
behavioral1/memory/956-160-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-162-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-164-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-165-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-166-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-167-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-169-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-170-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-172-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-173-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-171-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-175-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-190-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-253-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-255-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-259-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-260-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-268-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-269-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-316-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-317-0x0000000000400000-0x0000000000488000-memory.dmp  upx
behavioral1/memory/956-324-0x0000000000400000-0x0000000000488000-memory.dmp  upx
-
Uses the VBS compiler for execution 1 TTPs
This signature matches on the file name only. The process in this run is C:\Users\Public\vbc.exe, a dropped executable (see Executes dropped EXE) that borrows the name of the Visual Basic .NET compiler; the genuine vbc.exe lives under C:\Windows\Microsoft.NET\Framework\ and is not involved. EQNEDT32.EXE writing and launching a file named vbc.exe from C:\Users\Public is the first-stage payload of the Equation Editor exploit, not compiler activity.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts  zipguge.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\frdnx = "C:\\Users\\Admin\\AppData\\Roaming\\wtwklmktexxebr\\pepnknlvetqnvf.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\zipguge.exe\" C:\\Users\\Admin\\Ap"  zipguge.exe
-
Suspicious use of SetThreadContext 7 IoCs
Processes:
pid   process      target pid  target process
928   zipguge.exe  956         zipguge.exe
396   bmhxz.exe    1456        bmhxz.exe
956   zipguge.exe  1600        zipguge.exe
956   zipguge.exe  1932        zipguge.exe
956   zipguge.exe  1632        zipguge.exe
1456  bmhxz.exe    1204        Explorer.EXE
928   help.exe     1204        Explorer.EXE
The two rows for pid 928 are different processes. The first zipguge.exe instance (928, parent of 956) had exited by the time Explorer.EXE (1204) started help.exe, and help.exe received the recycled pid; the Loads dropped DLL and WriteProcessMemory tables show the same reuse. When correlating this report with endpoint telemetry, key on process start time plus pid (or the process GUID), not on pid alone.
-
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic note that this is likely ransomware behaviour does not fit this sample: the extracted configurations identify the payloads as Remcos and Formbook, and nothing else in the report (no mass file writes, no ransom artefacts) points to encryption. Drive enumeration by an infostealer or RAT collecting host inventory is the more likely explanation here.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882. In this run EQNEDT32.EXE starts with the -Embedding switch, i.e. as a COM server; it appears at the top of the process tree rather than under WINWORD.EXE because out-of-process COM objects are launched by the DCOM infrastructure, not by the requesting application. It then makes a network request (Blocklisted process makes network request) and spawns C:\Users\Public\vbc.exe. The legitimate Equation Editor has no reason to create child processes or talk to the network, so EQNEDT32.EXE with any child is a high-confidence indicator whichever Equation Editor CVE the downloaded document exploits.
-
Modifies Internet Explorer settings
All but one of the entries below are WINWORD.EXE writing its own Internet Explorer integration keys (MenuExt entries, Default HTML/MHTML Editor verbs), which Office does on its own. The exception is help.exe (928) creating HKCU\...\Internet Explorer\IntelliForms\Storage2, the store IE uses for saved form and password autocomplete data; that fits the credential theft seen elsewhere in the report, and the process tree shows this help.exe being started by Explorer.EXE and then writing into Explorer.EXE and Firefox.exe.
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND  WINWORD.EXE
Key created  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Key created  \Registry\User\S-1-5-21-2647223082-2067913677-935928954-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  help.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"  WINWORD.EXE
Set value (str)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"  WINWORD.EXE
Set value (int)  \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell  WINWORD.EXE
-
Modifies registry class 64 IoCs
All 64 entries are written by WINWORD.EXE under HKLM\SOFTWARE\Classes (.htm and .mht OpenWithList entries, htmlfile/mhtmlfile shell verbs, the {42042206-2D85-11D3-8CFF-005004838597} icon handler). This is Office's own file-association housekeeping (Office14 is Office 2010) and none of it is attributable to the dropped payloads; treat it as sandbox noise when building detections from this report.
Processes:
description  ioc  process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""  WINWORD.EXE
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command  WINWORD.EXE
Key deleted  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print  WINWORD.EXE
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon  WINWORD.EXE
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"  WINWORD.EXE
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
1396  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
pid   process      events
1456  bmhxz.exe    4
1600  zipguge.exe  2
928   help.exe     18
-
Suspicious behavior: MapViewOfSection 13 IoCs
Processes:
pid   process
928   zipguge.exe
928   zipguge.exe
396   bmhxz.exe
956   zipguge.exe
956   zipguge.exe
1456  bmhxz.exe
956   zipguge.exe
1456  bmhxz.exe
1456  bmhxz.exe
928   help.exe
928   help.exe
928   help.exe
928   help.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description                 pid   process
Token: SeDebugPrivilege     1456  bmhxz.exe
Token: SeDebugPrivilege     1632  zipguge.exe
Token: SeDebugPrivilege     928   help.exe
Token: SeShutdownPrivilege  1204  Explorer.EXE
Token: SeShutdownPrivilege  1204  Explorer.EXE
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
1396  WINWORD.EXE
1396  WINWORD.EXE
1204  Explorer.EXE
-
Suspicious use of WriteProcessMemory 58 IoCs
Processes:
pid   process       ->  target pid  target process  events
1344  EQNEDT32.EXE  ->  1312        vbc.exe         4
1312  vbc.exe       ->  928         zipguge.exe     4
928   zipguge.exe   ->  580         zipguge.exe     4
928   zipguge.exe   ->  956         zipguge.exe     5
1396  WINWORD.EXE   ->  944         splwow64.exe    4
956   zipguge.exe   ->  1748        dwn.exe         4
1748  dwn.exe       ->  396         bmhxz.exe       4
396   bmhxz.exe     ->  1456        bmhxz.exe       5
956   zipguge.exe   ->  1600        zipguge.exe     5
956   zipguge.exe   ->  1932        zipguge.exe     5
956   zipguge.exe   ->  1632        zipguge.exe     5
1204  Explorer.EXE  ->  928         help.exe        4
928   help.exe      ->  1908        Firefox.exe     5
Processes
-
[depth 1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  cmdline: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PO2023.docx"
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\splwow64.exe
  cmdline: C:\Windows\splwow64.exe 12288
-
[depth 2] C:\Windows\SysWOW64\help.exe
  cmdline: "C:\Windows\SysWOW64\help.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Program Files\Mozilla Firefox\Firefox.exe
  cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
[depth 1] C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  cmdline: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Public\vbc.exe
  cmdline: "C:\Users\Public\vbc.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\zipguge.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\zipguge.exe" C:\Users\Admin\AppData\Local\Temp\bwnmlnda.zha
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\zipguge.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\zipguge.exe"
- Executes dropped EXE
-
[depth 4] C:\Users\Admin\AppData\Local\Temp\zipguge.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\zipguge.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\dwn.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
[depth 6] C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bmhxz.exe" C:\Users\Admin\AppData\Local\Temp\ivdovjt.r
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
[depth 7] C:\Users\Admin\AppData\Local\Temp\bmhxz.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\bmhxz.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\zipguge.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\zipguge.exe /stext "C:\Users\Admin\AppData\Local\Temp\xohitlydcesbhkbj"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\zipguge.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\zipguge.exe /stext "C:\Users\Admin\AppData\Local\Temp\iqmbuejxqmkgjqpnlly"
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
[depth 5] C:\Users\Admin\AppData\Local\Temp\zipguge.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\zipguge.exe /stext "C:\Users\Admin\AppData\Local\Temp\kkrtvwtzeudktelrcwlyef"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
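The process tree above is the part of this report that converts most directly into detection logic: Equation Editor spawning a child, executables started from C:\Users\Public and %TEMP%, and copies of the RAT launched with the NirSoft /stext switch. The script below is an added example, not part of the report or the sandbox, and runs over process-creation events constructed here with the fields Sysmon Event ID 1 provides (pid, ppid, image, command line) and the pids from this run. It resolves each event's parent by event order rather than by pid alone, because the report hands pid 928 first to zipguge.exe and later to help.exe. The ppid 0 values for Explorer.EXE and EQNEDT32.EXE stand for parents the report does not show; the hop Explorer.EXE -> help.exe -> Firefox.exe is deliberately not matched by these three rules, since it is only recognisable from the injection telemetry (SetThreadContext, WriteProcessMemory) the report lists separately.

```python
"""Reconstruct a process tree from process-creation events and flag the hops
that matter in this report's chain. Added example; the events below are
constructed to mirror the report, not captured from it."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    seq: int        # position in the event stream (time order)
    pid: int
    ppid: int
    image: str
    cmdline: str


STAGING_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
STEXT_SWITCH = re.compile(r"(?:^|\s)/stext(?:\s|$)", re.IGNORECASE)


def resolve_parent(events, ev):
    """The parent is the most recent earlier event that created ev.ppid.
    Matching on pid alone would tie Firefox.exe to the first process that
    held pid 928 (zipguge.exe) instead of the later help.exe."""
    for cand in reversed(events[:ev.seq]):
        if cand.pid == ev.ppid:
            return cand
    return None


def lineage(events, ev):
    """Ancestry as 'image(pid)' strings, nearest first, stopping when the
    parent was not recorded (ppid 0 here) or a cycle would occur."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur.seq not in seen:
        seen.add(cur.seq)
        chain.append(f"{ntpath.basename(cur.image)}({cur.pid})")
        cur = resolve_parent(events, cur)
    return chain


def detect(events):
    """Return one finding per event that trips at least one rule, with the
    full lineage so an analyst can see the path back to the Office process."""
    findings = []
    for ev in events:
        parent = resolve_parent(events, ev)
        pname = ntpath.basename(parent.image).lower() if parent else ""
        reasons = []
        if pname == "eqnedt32.exe":
            reasons.append("child of Equation Editor")
        if any(d in ev.image.lower() for d in STAGING_DIRS):
            reasons.append("image in user-writable staging directory")
        if STEXT_SWITCH.search(ev.cmdline):
            reasons.append("NirSoft /stext credential dump switch")
        if reasons:
            findings.append({"pid": ev.pid, "image": ntpath.basename(ev.image),
                             "reasons": reasons, "lineage": lineage(events, ev)})
    return findings


T = r"C:\Users\Admin\AppData\Local\Temp"
OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
# Constructed events mirroring the report; ppid 0 marks a parent it does not show.
SAMPLE_EVENTS = [
    ProcEvent(0, 1204, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(1, 1396, 1204, OFFICE, rf'"{OFFICE}" /n "{T}\PO2023.docx"'),
    ProcEvent(2, 1344, 0, EQN, rf'"{EQN}" -Embedding'),
    ProcEvent(3, 1312, 1344, r"C:\Users\Public\vbc.exe", r'"C:\Users\Public\vbc.exe"'),
    ProcEvent(4, 928, 1312, rf"{T}\zipguge.exe", rf'"{T}\zipguge.exe" {T}\bwnmlnda.zha'),
    ProcEvent(5, 956, 928, rf"{T}\zipguge.exe", rf'"{T}\zipguge.exe"'),
    ProcEvent(6, 1600, 956, rf"{T}\zipguge.exe", rf'{T}\zipguge.exe /stext "{T}\xohitlydcesbhkbj"'),
    # pid 928 is recycled here: the same number, a different process.
    ProcEvent(7, 928, 1204, r"C:\Windows\SysWOW64\help.exe", r'"C:\Windows\SysWOW64\help.exe"'),
    ProcEvent(8, 1908, 928, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['image']} ({f['pid']}): {', '.join(f['reasons'])}")
        print("   " + " <- ".join(f["lineage"]))
```

The staging-directory rule is the noisiest of the three on a real estate (installers run from %TEMP% routinely); its value here is the lineage it attaches, which ends at EQNEDT32.EXE for every dropped stage in this chain and makes the finding unambiguous.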
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize 128KB
MD5 9464988c8681070e8dbae63a0ba99140
SHA1 8b27e2782bdc3b9e48f2be1fcc41e4d199a6349b
SHA256 29e9b1a5b2bfd3279323a7db600629e34a03297cdfe259afae405e479044c117
SHA512 35368fc2e809069a32670286723fa45960b3128e37d93f43d03958c4e04019d962ed05a0d976f30479a31f3170c6e808583b5a1b09949e55babc16096537a6b3
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{43F130C1-0B86-45EE-89AA-DEBFD5A15A50}.FSDFilesize
128KB
MD57de847b8ad9bc87d8f4b5e01c3eadc6b
SHA1a443230f6746e551a150c89d021a9b5d2db5d613
SHA256b69189fc248393d75fe4aa2a4f2626a722c307ad58994c3f7c7956d52db253a8
SHA512e8871c09ea9b5c125b4ced3bdc39ad3d6a5470c66d6035b6bf32866261ba519edee16cc0f928ef217062d5320da3adb95e0bf73209142c350ff0565fb650f796
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD59ec21e0f786bf424959cb99a6b6e210d
SHA1709777c4479a76afbc0fb2cc770560be11fead32
SHA256e58fd9fbe370c914b1f678146c2be33277c8f49cfd91befff3e5b527090ad404
SHA512086e34ae478a116949b05e8a2e9e6542ca80da281af5c6b1454f5243a3449dc59d9edffdaaf06c588b0dc852ba356b72c17cfc0d446b0cf41862a0bbe24f4b81
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{478E6479-6145-4C24-87E2-809EB30BA106}.FSDFilesize
128KB
MD5d53c2abe22eb770ab1ba83728bbf6269
SHA1a4dad7b855915f1237a67b941ffa61be5ff9af2c
SHA2560c7c757f4aaa475ad5a22bb339f7adbc461c8c8e5131ee2102be238812088730
SHA512d713efde431d82acff5ac4697d296baf764de1bc6323a2835965b1cb8a4200cfed95d5bc6e979a79de60b2fd00e138e76710b5336f5ba50b8c19d3455aefb84b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCNSQOTT\se.......se.........se[1].docFilesize
11KB
MD567d53c6ca1dda0546fc34f0667c1f3a3
SHA15b54209b40d8cc4dc2843051c3d4265f5678fa0a
SHA256d19b9cdf9f175fd8833c9dbd62f5f01a0daa451b7e6b972a4d34b74c3bc409c7
SHA5124314cf547ae5c1884c93f9a9c6d73a597475a1f7b8a86094f604fc6647a5b394d52a1e76dcebf820657edf61c1c7005c3a99f974ce084fd70d62ef9166832684
-
C:\Users\Admin\AppData\Local\Temp\bmhxz.exeFilesize
60KB
MD5b6ffac9fd9fa4bda1fb559339b1129c6
SHA119601603364fc52963e6a1164e7b2ebc8f74798f
SHA25631584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248
SHA512f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff
-
C:\Users\Admin\AppData\Local\Temp\bmhxz.exeFilesize
60KB
MD5b6ffac9fd9fa4bda1fb559339b1129c6
SHA119601603364fc52963e6a1164e7b2ebc8f74798f
SHA25631584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248
SHA512f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff
-
C:\Users\Admin\AppData\Local\Temp\bmhxz.exeFilesize
60KB
MD5b6ffac9fd9fa4bda1fb559339b1129c6
SHA119601603364fc52963e6a1164e7b2ebc8f74798f
SHA25631584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248
SHA512f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff
-
C:\Users\Admin\AppData\Local\Temp\bmhxz.exeFilesize
60KB
MD5b6ffac9fd9fa4bda1fb559339b1129c6
SHA119601603364fc52963e6a1164e7b2ebc8f74798f
SHA25631584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248
SHA512f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff
-
C:\Users\Admin\AppData\Local\Temp\bwnmlnda.zhaFilesize
7KB
MD534460fb4f84ad9cdbe4e24b77752437d
SHA1ed7d6b57ca7662e069cbdee69fd73cf6d2701d8e
SHA256b3fb80fe2450104084e20acd43a9930ba14bf13246c4d374e1e36c8594f2dec4
SHA512d72f0f2f8b5fb00b73c8a4ef7a8410015638ce6bd5665cd585285735ac1ff8de9eab972e22c265e1b24bece19efc7212d64ecaf9b5f0b44fd192e3183b4e5433
-
C:\Users\Admin\AppData\Local\Temp\dwn.exeFilesize
293KB
MD51cec6fc1d987f880a59744420e67e0bd
SHA1ccc4e68717d9f5184de4743e662d8920492b0099
SHA256050398f0efe923fd04f6ba862784dff664c1b16579e412ec80f421056944c1a6
SHA51299bd35611c86a9b01e1d41e4972b1bbecefc6161bff1d803f130e4136c95eddb59c14ef7a913a44df689ee4db590817d3465af1b32c1423064dd66cbdb7642d0
-
C:\Users\Admin\AppData\Local\Temp\dwn.exeFilesize
293KB
MD51cec6fc1d987f880a59744420e67e0bd
SHA1ccc4e68717d9f5184de4743e662d8920492b0099
SHA256050398f0efe923fd04f6ba862784dff664c1b16579e412ec80f421056944c1a6
SHA51299bd35611c86a9b01e1d41e4972b1bbecefc6161bff1d803f130e4136c95eddb59c14ef7a913a44df689ee4db590817d3465af1b32c1423064dd66cbdb7642d0
-
C:\Users\Admin\AppData\Local\Temp\ivdovjt.rFilesize
6KB
MD52a2d33c157870c03e0b4da24a25182e0
SHA142c9fb1bcf601e9329971facde44fd1881a6fcd8
SHA256d0d65f0fc8d81902d8526dcca5c4a9fe6b20dcf4bafa84347282882d95a6ca10
SHA512729ce67a9f99727d4b0bbc282eea1173add32709863fbc25c7f8349050eee826460c1bb9408aa2446ee86adfb6ed74fd714f2e6a5847db2021f8cd9bc9f727c9
-
C:\Users\Admin\AppData\Local\Temp\uvixesnbcl.rgyFilesize
204KB
MD5003608cb27e878d22426a616856d0e1a
SHA1c81bd2c2ab545eed81e46c2094a0e34df479532b
SHA256ce994d0cbfa200fcb394abc6ac2afe9d08e9f53946efaa70b83bf7a23d0246f8
SHA5120601d5af0be9e7b95ceac147d7319d302d72c76466db1983504143a0092850cb988fec3aa169e1eb0cec027b80177871658fe00707cd91d603778805dae8ccdd
-
C:\Users\Admin\AppData\Local\Temp\xohitlydcesbhkbjFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\xohitlydcesbhkbjFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\xrd0hbm.zipFilesize
435KB
MD50d1613320b79de7e8c7627c07d19f4a7
SHA1f85b78ed8568a648b9134beb654e384c622c73bd
SHA256e6fc736d8850729ee5d9d65076e0f4a869530b2c5df7239bda47051fa3c04be7
SHA51213c00d2a48a42c3da05c6f475ab9b0581c951dd62ca0b435c44dbcefdfc02f14597b2b33aa28d3c4c8526adb198b24f1a83d92b12612209ca4aed06b80c7cbfa
-
C:\Users\Admin\AppData\Local\Temp\xwkrasyudl.jFilesize
250KB
MD5200df3463b32028243e5afd190df206c
SHA1a45550c563b60b8a29859031f5b94ab107f44087
SHA256bac67949e660a912516c259a225059b672f8839fbf1f5c54cd86783ecbba9df7
SHA512257a5e595d366d8786b827cc60b285af7db66dd707d18df24f5dd6200d0d3d35c8dacfd010cb2940399ed2acb1cb8e93c06a26213dbe120b770fda39c2572581
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
C:\Users\Admin\AppData\Local\Temp\{47F3C66B-F015-4495-A914-BB72743BC918}Filesize
128KB
MD523e23cfb47ee65d169b3d827e6ab1aa0
SHA1ccd0ce090cf01fcbd3b0ef75fb5d815ba417df42
SHA256cc47e79a1cd5ce24f4f58521b74a58e81ca996741be0be8b39fc1c688110bea4
SHA51275a947c74e133ea71c88d299584a40c8664e42591c5c4a4b84ef40d66831560fa833d3fdc18665e2256844d11b7a5675b674c5020d4ce3791a598e967e7d7b08
-
C:\Users\Public\vbc.exeFilesize
334KB
MD5f90db90919147d8d78cd6bb75401cf45
SHA1cd5213f1efe2f09f846d77fe8b4401739d42155e
SHA256586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30
SHA512e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085
-
C:\Users\Public\vbc.exeFilesize
334KB
MD5f90db90919147d8d78cd6bb75401cf45
SHA1cd5213f1efe2f09f846d77fe8b4401739d42155e
SHA256586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30
SHA512e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085
-
C:\Users\Public\vbc.exeFilesize
334KB
MD5f90db90919147d8d78cd6bb75401cf45
SHA1cd5213f1efe2f09f846d77fe8b4401739d42155e
SHA256586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30
SHA512e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085
-
\Users\Admin\AppData\Local\Temp\bmhxz.exeFilesize
60KB
MD5b6ffac9fd9fa4bda1fb559339b1129c6
SHA119601603364fc52963e6a1164e7b2ebc8f74798f
SHA25631584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248
SHA512f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff
-
\Users\Admin\AppData\Local\Temp\bmhxz.exeFilesize
60KB
MD5b6ffac9fd9fa4bda1fb559339b1129c6
SHA119601603364fc52963e6a1164e7b2ebc8f74798f
SHA25631584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248
SHA512f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff
-
\Users\Admin\AppData\Local\Temp\bmhxz.exeFilesize
60KB
MD5b6ffac9fd9fa4bda1fb559339b1129c6
SHA119601603364fc52963e6a1164e7b2ebc8f74798f
SHA25631584cf85de8403216e18bcad08639039b952991202d9be5fb7f84a965897248
SHA512f9dba9280908f7c61c1d93b08bde0e7ee0340b76718cce73797921f89b5badf61f163c3e75b1323353cd0f7f36b2d9134c93b61cd8ddac3e92851596833622ff
-
\Users\Admin\AppData\Local\Temp\dwn.exeFilesize
293KB
MD51cec6fc1d987f880a59744420e67e0bd
SHA1ccc4e68717d9f5184de4743e662d8920492b0099
SHA256050398f0efe923fd04f6ba862784dff664c1b16579e412ec80f421056944c1a6
SHA51299bd35611c86a9b01e1d41e4972b1bbecefc6161bff1d803f130e4136c95eddb59c14ef7a913a44df689ee4db590817d3465af1b32c1423064dd66cbdb7642d0
-
\Users\Admin\AppData\Local\Temp\sqlite3.dllFilesize
831KB
MD505ace2f6d9bef6fd9bbd05ee5262a1f2
SHA15cce2228e0d9c6cc913cf551e0bf7c76ed74ff59
SHA256002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc
SHA5121e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc
-
\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
\Users\Admin\AppData\Local\Temp\zipguge.exeFilesize
60KB
MD51a4b87e0f57b0a94b7fc65e9a30e5ad0
SHA1924e54b4b0298c8c0843796bfab0e41c2310eb3e
SHA256b5afbd657397942bfb34c97222bb9dfdaf01af1c688f6432076f5df15c1a3fbe
SHA512755af072d0ac3207e96e600cc3b613234c87aeca58d04cb2d86be9fb0268e57a82da829cad37a9ced43ce035215534380aab62d9c0878643a428a039aaf6710a
-
\Users\Public\vbc.exeFilesize
334KB
MD5f90db90919147d8d78cd6bb75401cf45
SHA1cd5213f1efe2f09f846d77fe8b4401739d42155e
SHA256586bee5c54945ec0395c23fcaa6cef65401f4360b970f94c484c3e6106196c30
SHA512e82d9782d58d5c05bc15ab81aa60a3a154b12f2f7d41f227b85451716105a14933436f4021ed71fb3968ef1f08804412e3c3e48ab92c14338f957d2b606be085
-
memory/928-246-0x0000000000870000-0x0000000000B73000-memory.dmpFilesize
3.0MB
-
memory/928-313-0x0000000061E00000-0x0000000061EBD000-memory.dmpFilesize
756KB
-
memory/928-258-0x00000000004B0000-0x000000000053F000-memory.dmpFilesize
572KB
-
memory/928-248-0x00000000000C0000-0x00000000000ED000-memory.dmpFilesize
180KB
-
memory/928-243-0x00000000006D0000-0x00000000006D6000-memory.dmpFilesize
24KB
-
memory/928-245-0x00000000000C0000-0x00000000000ED000-memory.dmpFilesize
180KB
-
memory/928-244-0x00000000006D0000-0x00000000006D6000-memory.dmpFilesize
24KB
-
memory/956-165-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-263-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/956-324-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-317-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-316-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-160-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-162-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-164-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-269-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-190-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-268-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-260-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-259-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-255-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-254-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/956-253-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-252-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/956-249-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/956-175-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-166-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-167-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-169-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-170-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-171-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-172-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/956-173-0x0000000000400000-0x0000000000488000-memory.dmpFilesize
544KB
-
memory/1204-271-0x0000000004EB0000-0x0000000005015000-memory.dmpFilesize
1.4MB
-
memory/1204-266-0x0000000004EB0000-0x0000000005015000-memory.dmpFilesize
1.4MB
-
memory/1204-265-0x0000000004EB0000-0x0000000005015000-memory.dmpFilesize
1.4MB
-
memory/1204-261-0x00000000048D0000-0x00000000049A1000-memory.dmpFilesize
836KB
-
memory/1204-225-0x0000000000230000-0x0000000000330000-memory.dmpFilesize
1024KB
-
memory/1204-235-0x00000000048D0000-0x00000000049A1000-memory.dmpFilesize
836KB
-
memory/1396-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1456-219-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1456-230-0x0000000000870000-0x0000000000B73000-memory.dmpFilesize
3.0MB
-
memory/1456-228-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1456-203-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1456-233-0x0000000000110000-0x0000000000120000-memory.dmpFilesize
64KB
-
memory/1600-231-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1600-241-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1600-216-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1600-207-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1600-208-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1600-214-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1632-229-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1632-224-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1632-232-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1632-236-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1932-221-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1932-223-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1932-215-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1932-247-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1932-234-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB