Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
13-03-2023 12:03
Static task
static1
Behavioral task
behavioral1
Sample
USD23.026,90 (Tiller Order).docx
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
USD23.026,90 (Tiller Order).docx
Resource
win10v2004-20230220-en
General
-
Target
USD23.026,90 (Tiller Order).docx
-
Size
10KB
-
MD5
40fa41596ac736f6e23965c0094bb946
-
SHA1
c64c3183fb4466cce653d55743d40ff156606754
-
SHA256
eabdfa7af51b0ad6d49602685f207ce19dfe287dd6cfc808b53fb4e580734f50
-
SHA512
83e57aa3b75462ffe3fa1481af6e4694050b64074492d4f22ba5b0fedb83087037846d4c6cd7933619405ac7f8bbf803739e3cf640f453e50a9634729f718845
-
SSDEEP
192:ScIMmtP1aIG/bslPL++uOsAl+CVWBXJC0c3CV:SPXU/slT+LOBHkZC9i
Malware Config
Extracted
remcos
RemoteHost
vcv.mastercoa.co:8489
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-4IE8MY
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
resource yara_rule behavioral1/memory/1628-212-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView behavioral1/memory/1628-213-0x0000000000400000-0x0000000000457000-memory.dmp MailPassView -
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
Processes:
resource yara_rule behavioral1/memory/1728-191-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/1728-201-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView behavioral1/memory/1728-208-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView -
Nirsoft 7 IoCs
Processes:
resource yara_rule behavioral1/memory/1728-191-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1760-200-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1728-201-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1760-202-0x0000000000400000-0x0000000000424000-memory.dmp Nirsoft behavioral1/memory/1728-208-0x0000000000400000-0x0000000000478000-memory.dmp Nirsoft behavioral1/memory/1628-212-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft behavioral1/memory/1628-213-0x0000000000400000-0x0000000000457000-memory.dmp Nirsoft -
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 10 1896 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location 2 IoCs
Processes:
WINWORD.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\14.0\Common WINWORD.EXE Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\Common\Offline\Files\http://2401929236/80................80...................80.doc WINWORD.EXE -
Executes dropped EXE 6 IoCs
Processes:
vbc.exeryiixl.exeryiixl.exeryiixl.exeryiixl.exeryiixl.exepid process 1960 vbc.exe 668 ryiixl.exe 1272 ryiixl.exe 1728 ryiixl.exe 1628 ryiixl.exe 1760 ryiixl.exe -
Loads dropped DLL 7 IoCs
Processes:
EQNEDT32.EXEvbc.exeryiixl.exeryiixl.exepid process 1896 EQNEDT32.EXE 1960 vbc.exe 1960 vbc.exe 668 ryiixl.exe 1272 ryiixl.exe 1272 ryiixl.exe 1272 ryiixl.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
ryiixl.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts ryiixl.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
ryiixl.exeryiixl.exedescription pid process target process PID 668 set thread context of 1272 668 ryiixl.exe ryiixl.exe PID 1272 set thread context of 1728 1272 ryiixl.exe ryiixl.exe PID 1272 set thread context of 1628 1272 ryiixl.exe ryiixl.exe PID 1272 set thread context of 1760 1272 ryiixl.exe ryiixl.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Processes:
WINWORD.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell WINWORD.EXE Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt WINWORD.EXE Set value (int) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor WINWORD.EXE Key created \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" WINWORD.EXE -
Modifies registry class 64 IoCs
Processes:
WINWORD.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" WINWORD.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile WINWORD.EXE Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler WINWORD.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" WINWORD.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1476 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ryiixl.exepid process 1728 ryiixl.exe 1728 ryiixl.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
ryiixl.exeryiixl.exepid process 668 ryiixl.exe 1272 ryiixl.exe 1272 ryiixl.exe 1272 ryiixl.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ryiixl.exeWINWORD.EXEdescription pid process Token: SeDebugPrivilege 1760 ryiixl.exe Token: SeShutdownPrivilege 1476 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEryiixl.exepid process 1476 WINWORD.EXE 1476 WINWORD.EXE 1272 ryiixl.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
EQNEDT32.EXEvbc.exeryiixl.exeWINWORD.EXEryiixl.exedescription pid process target process PID 1896 wrote to memory of 1960 1896 EQNEDT32.EXE vbc.exe PID 1896 wrote to memory of 1960 1896 EQNEDT32.EXE vbc.exe PID 1896 wrote to memory of 1960 1896 EQNEDT32.EXE vbc.exe PID 1896 wrote to memory of 1960 1896 EQNEDT32.EXE vbc.exe PID 1960 wrote to memory of 668 1960 vbc.exe ryiixl.exe PID 1960 wrote to memory of 668 1960 vbc.exe ryiixl.exe PID 1960 wrote to memory of 668 1960 vbc.exe ryiixl.exe PID 1960 wrote to memory of 668 1960 vbc.exe ryiixl.exe PID 668 wrote to memory of 1272 668 ryiixl.exe ryiixl.exe PID 668 wrote to memory of 1272 668 ryiixl.exe ryiixl.exe PID 668 wrote to memory of 1272 668 ryiixl.exe ryiixl.exe PID 668 wrote to memory of 1272 668 ryiixl.exe ryiixl.exe PID 668 wrote to memory of 1272 668 ryiixl.exe ryiixl.exe PID 1476 wrote to memory of 816 1476 WINWORD.EXE splwow64.exe PID 1476 wrote to memory of 816 1476 WINWORD.EXE splwow64.exe PID 1476 wrote to memory of 816 1476 WINWORD.EXE splwow64.exe PID 1476 wrote to memory of 816 1476 WINWORD.EXE splwow64.exe PID 1272 wrote to memory of 1728 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1728 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1728 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1728 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1728 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1628 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1628 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1628 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1628 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1628 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1760 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1760 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1760 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1760 1272 ryiixl.exe ryiixl.exe PID 1272 wrote to memory of 1760 1272 ryiixl.exe ryiixl.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\USD23.026,90 (Tiller Order).docx"1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\vbc.exe"C:\Users\Public\vbc.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"C:\Users\Admin\AppData\Local\Temp\ryiixl.exe" C:\Users\Admin\AppData\Local\Temp\jdgwj.al3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"C:\Users\Admin\AppData\Local\Temp\ryiixl.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeC:\Users\Admin\AppData\Local\Temp\ryiixl.exe /stext "C:\Users\Admin\AppData\Local\Temp\hscpnoxjkymxnryov"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeC:\Users\Admin\AppData\Local\Temp\ryiixl.exe /stext "C:\Users\Admin\AppData\Local\Temp\rmiiohilygebpfmrmjdnf"5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeC:\Users\Admin\AppData\Local\Temp\ryiixl.exe /stext "C:\Users\Admin\AppData\Local\Temp\conahztfmowozlivvuphisaw"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\remcos\logs.datFilesize
254B
MD5b3eed3ce3e99ed63df18210eb35e4656
SHA1eeca23be8e13f64192b45bee829c8882a06e5399
SHA25686111e49e9d3f5bb591aa7be6b07b096e36170e40ecaed6a3a0bcbeb8abf5817
SHA512484e485332f213b657fb655cd27a584fb4ebd3fcb5ee2709afecc9706bde9dba8cb3ac9619bdd2a6be29610030634d02a4329329afb67b3c9cabc07f8a11a4e5
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{08DE8121-0139-4EDE-BBCE-98C90BBB5ED2}.FSDFilesize
128KB
MD5a8a08396e12306c93b6f6bc2628d28c6
SHA1199fbb59368ffb699cb4527b30d69769ff2a111d
SHA256085e38bc0721f85cefbc4b01a9476aea83c3d58890ee7f869326187ef0394c55
SHA512a65871dad1904619ab61e4f208471f14021d13395a7dde12d2f6f8a1c455fb3266b2c0a85f0a0d33df4240fc73beec80598004d159956216607d978bc1eaefe0
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSDFilesize
128KB
MD5bdb25acba63ee17d233cc772859ef7b6
SHA155ae03310366c93f923aabde81b8de58ee6bf29d
SHA2563225ca966988b8a355c1b5f4004642ff2a7f4cba3dab2fb2807283b740501171
SHA512b2a14e91278fa9087e69eb325f6d46675341ee7e9dee97be623c88e8fb8fb40f881039483f0273bdaa4613856570e55d3ac083ed0027a0a87ef0805ce6e149bc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{04A10F4B-1374-47A5-8925-36C4421FCE72}.FSDFilesize
128KB
MD5ab4a64d168071e4295e6af8417cad0cb
SHA1c4fc90bcd4dabf1a41e2645b9cdad08f74879fe1
SHA25629533d2ea611bf69dd72e1b6b6d9bee4d32a1e39d566b8ccc721d616ddd05c0a
SHA5120d7e913e7d0862c79502ce27bd1239ce1fb3a43ff14ce4aea647c3e93627ae8f68754ea03309503e8b839f6ec5a29c8f679311b99f86f21c2a1655d8d6cef953
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\80................80...................80[1].docFilesize
25KB
MD5fa106001a7cf2deb09192898ba82b50f
SHA1d472611b9c4185f4dad80143c6c46cb3a3047779
SHA256e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057
SHA51216ea979dc9850ae3ef7e4540070da3db3da4c046832b3b6efbd14c1a335082788e3995e6693e1e1c965cc8d0b7c9ec60b13f2720dfd6b9f03ac415506966dfde
-
C:\Users\Admin\AppData\Local\Temp\hscpnoxjkymxnryovFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\hscpnoxjkymxnryovFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Local\Temp\jdgwj.alFilesize
5KB
MD52713735a6a22806ebe05a3616d813b9d
SHA1aa850ef9a7277de15a3a7dacff134a7f6a9f43d5
SHA2563230b1927e92ec8b3e76d353a97807718e766cb81fb4dddccc2997e54404883e
SHA512ba6fd4723a9182a09ecfb24a86b7452df4177987635e9b530c91745bef427b968b8a07becb87c968e8c86e45bb7b18e072a52a10c845bf367d46ceb2629009a6
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
C:\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
C:\Users\Admin\AppData\Local\Temp\wtnuuqmrl.tFilesize
495KB
MD53492b562086daedc2ebab288e514690d
SHA1630ef4d0016aa312607b8d43c39f0dc7c4db6b6d
SHA25670ef2a031c2947fff70f9ac97b662fdb9414b661047b66372a41c53cc354ad9a
SHA512c615ceaac3f366b8c4cf5781a2927a850926d1a77f9a29d05df399bc5b3c2a5775d89f19f315a27fd82945ad377ce6593fa7a672e241d1baffd6ebbd6de85db6
-
C:\Users\Admin\AppData\Local\Temp\{59B56B4D-8F40-4D95-8E19-B26FDC56382F}Filesize
128KB
MD5275abd78e1d939586c3fd8597765a90b
SHA108b481fbc05a56ca3ae8c7fe6c6e48ee5ea1a6f2
SHA256060e96ac0c7fc52141266db91d791f03a36fd9a107e241a3bacc1133fa17849a
SHA512ed31ec07b15ffaba0de6a471e121e4cca80992c7118668223370632c3214392e53e5985f86a291abb66df36cbe1ea8b4952ae44c823abb38bb12ea591217dacd
-
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotmFilesize
20KB
MD5c3360558d7ff0ac9edb5bee138891d8c
SHA1694637cdc225c1efdb9751236f6b134118f2fe25
SHA256fa1478ea314450949349453ac50bcebbc7b58349c5fc839c9f863dd900be980f
SHA512fa4e28c604785643b912902972699f2b4173ccfb4cdeddf7a81cfe4ffe2f3916f1cbfaab0ae2c9114b91f5d95f1ee06b32b9e2c21cb7c46c88857055ab26658c
-
C:\Users\Public\vbc.exeFilesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e
-
C:\Users\Public\vbc.exeFilesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e
-
C:\Users\Public\vbc.exeFilesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e
-
\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
\Users\Admin\AppData\Local\Temp\ryiixl.exeFilesize
60KB
MD5ec58ad1a92a419f0f5808457b07ad62e
SHA190e775790640a5f36397365e23aa574e2eb21b00
SHA2562ec72e8d187b8cb6ca75f2859e7ff2f8f662727cce035f18d11beee14423c7d1
SHA5127b20f8c78c3b18445e83f03b1bd33281d4025f472d1592ae1f18f167a34cb5596b6e2f3b544f2c05a196ff4e0cfc3cee16beda9a1bc72ad7e23bcbe3ad8082e5
-
\Users\Public\vbc.exeFilesize
516KB
MD59eea2c45522c0a0507344fc3b216f35e
SHA148e66669c4cb4ac7e3d172f00fb577bcf573f693
SHA256c0a61528c592ee0f031423ea8cfa16f60bdb5aab2a4351bc5e920168c6079c0e
SHA512d8e991bb499135b1f474202dcdaf2db37ba94c5504fa0b1e414f11f97eed684a3a39f03a58a971a3591c974db71fba2350941955e44ee1bae22a209faf5a836e
-
memory/1272-218-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/1272-224-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-174-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-267-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-266-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-161-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-182-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-260-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-259-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-168-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-165-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-225-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-169-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-214-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/1272-223-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/1272-164-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-162-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-171-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-219-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-166-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-172-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-170-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-180-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-157-0x0000000000400000-0x0000000000480000-memory.dmpFilesize
512KB
-
memory/1272-217-0x0000000010000000-0x0000000010019000-memory.dmpFilesize
100KB
-
memory/1476-54-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1476-256-0x000000005FFF0000-0x0000000060000000-memory.dmpFilesize
64KB
-
memory/1628-189-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1628-212-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1628-211-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1628-213-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/1728-201-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1728-191-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1728-190-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1728-184-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1728-208-0x0000000000400000-0x0000000000478000-memory.dmpFilesize
480KB
-
memory/1728-183-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1760-196-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1760-199-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1760-200-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB
-
memory/1760-202-0x0000000000400000-0x0000000000424000-memory.dmpFilesize
144KB