Malware Analysis Report

2025-06-16 06:21

Sample ID 231129-wyq4labf2x
Target PI7812367813.doc
SHA256 7a2f9e411b75bd3fff4de3eccade17a7c72c810cd786145239ab21950e761aae
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a2f9e411b75bd3fff4de3eccade17a7c72c810cd786145239ab21950e761aae

Threat Level: Known bad

The file PI7812367813.doc was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

Launches Equation Editor

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-29 18:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-29 18:20

Reported

2023-11-29 18:22

Platform

win7-20231020-en

Max time kernel

119s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Manager = "C:\\Program Files (x86)\\UDP Manager\\udpmgr.exe" C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2724 set thread context of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UDP Manager\udpmgr.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A
File opened for modification C:\Program Files (x86)\UDP Manager\udpmgr.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2724 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2288 wrote to memory of 2724 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2288 wrote to memory of 2724 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2288 wrote to memory of 2724 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 2724 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Users\Admin\AppData\Roaming\plugman75907.exe
PID 1440 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Roaming\plugman75907.exe C:\Windows\SysWOW64\schtasks.exe
PID 1824 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1824 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1824 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 1824 wrote to memory of 1416 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\plugman75907.exe

"C:\Users\Admin\AppData\Roaming\plugman75907.exe"

C:\Users\Admin\AppData\Roaming\plugman75907.exe

"C:\Users\Admin\AppData\Roaming\plugman75907.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9878.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9A9B.tmp"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 zang1.almashreaq.top udp
US 172.67.221.26:80 zang1.almashreaq.top tcp
US 8.8.8.8:53 rn72836.sytes.net udp
VN 103.114.106.29:6696 rn72836.sytes.net tcp

Files

memory/1824-0-0x000000002F281000-0x000000002F282000-memory.dmp

memory/1824-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1824-2-0x000000007112D000-0x0000000071138000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/2724-15-0x00000000002E0000-0x000000000038A000-memory.dmp

memory/2724-16-0x000000006B2E0000-0x000000006B9CE000-memory.dmp

memory/2724-21-0x0000000004B50000-0x0000000004B90000-memory.dmp

memory/2724-22-0x0000000001EA0000-0x0000000001EBA000-memory.dmp

memory/2724-23-0x0000000001E50000-0x0000000001E58000-memory.dmp

memory/1824-24-0x000000007112D000-0x0000000071138000-memory.dmp

memory/2724-25-0x0000000001EC0000-0x0000000001ECA000-memory.dmp

memory/2724-26-0x0000000005320000-0x0000000005392000-memory.dmp

memory/1440-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1440-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1440-31-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1440-33-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1440-37-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1440-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1440-40-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\AppData\Roaming\plugman75907.exe

MD5 d0cc28fddecca60c208ae56d78014e95
SHA1 34069e3897de6509b630f9b65b067ae9a74baffc
SHA256 e3f6a75a8004412643549e095af1150d8329a3c46a06aef839842b90d54933a5
SHA512 68626b0f448af738fdc41b4c8f71adb956d6ea29e5cd843ad71902b59f6beee88b42805ee50387749b05f2a019f56f45b2efa443883c6d7afd9edcc66d518d80

memory/1440-42-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2724-43-0x000000006B2E0000-0x000000006B9CE000-memory.dmp

memory/1440-44-0x000000006B2E0000-0x000000006B9CE000-memory.dmp

memory/1440-45-0x0000000004D80000-0x0000000004DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9878.tmp

MD5 8e3b0eae623035f63ea2615d66f690c3
SHA1 53e1ec94bef459f5865851da899ca36e8c237181
SHA256 9481f3e69976cc0f33f0ff687d7f98f9c12aabe7f27ca2e49b339dd81779ca03
SHA512 ad14e0138bd94cde239423adba252a8ede0b9e9b2c43d189524ae640d8fff3b9cbfa70e530506128f760a53aafa022dcb3639f9502dfc71d721215c89d5b7ea6

C:\Users\Admin\AppData\Local\Temp\tmp9A9B.tmp

MD5 c1c4b266e129249076bbe8a15cc5e06c
SHA1 312b8173c264245c834eee91e05dcca845c341f8
SHA256 f336d06dcadca621be6b2dc9493dcb84d871497e65142bc9fdd72c9f250a1b7b
SHA512 0f02ec7700f89d95d29014eec42d13c85234351c3fe1dc6a3efeea52ea76ca4bea3151567a6c798b5ce658d481b424646b43d93e95ccad897356a87a25d45041

memory/1440-53-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/1440-54-0x0000000000520000-0x000000000053E000-memory.dmp

memory/1440-55-0x0000000000540000-0x000000000054A000-memory.dmp

memory/1440-58-0x0000000000820000-0x0000000000832000-memory.dmp

memory/1440-59-0x00000000008D0000-0x00000000008EA000-memory.dmp

memory/1440-60-0x0000000000880000-0x000000000088E000-memory.dmp

memory/1440-61-0x0000000000910000-0x0000000000922000-memory.dmp

memory/1440-62-0x0000000000920000-0x000000000092E000-memory.dmp

memory/1440-63-0x0000000000930000-0x000000000093C000-memory.dmp

memory/1440-64-0x0000000000980000-0x0000000000994000-memory.dmp

memory/1440-65-0x00000000021A0000-0x00000000021B0000-memory.dmp

memory/1440-66-0x00000000021B0000-0x00000000021C4000-memory.dmp

memory/1440-67-0x00000000021C0000-0x00000000021CE000-memory.dmp

memory/1440-68-0x0000000004400000-0x000000000442E000-memory.dmp

memory/1440-69-0x0000000002320000-0x0000000002334000-memory.dmp

memory/1440-76-0x000000006B2E0000-0x000000006B9CE000-memory.dmp

memory/1440-77-0x0000000004D80000-0x0000000004DC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

MD5 b2e8cadc836252323b2d9ef66fb97b36
SHA1 bead4dc8b6bc5ad4d62d0e535882f0a5c9d2ede2
SHA256 edda1724f28d7b7af0a5a732df44b609516d2bf3963e0fe0da26b9ed4c86d841
SHA512 eff7bf2c3ae16e1f971b90caa5a588d66e92eb398acba7fbf23e7baa879b3bb1630269e8b4e930eb2584d3abe667517e6b84e54dbfd671418e5796b05ed42f4b

memory/1824-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1824-96-0x000000007112D000-0x0000000071138000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-29 18:20

Reported

2023-11-29 18:22

Platform

win10v2004-20231127-en

Max time kernel

118s

Max time network

133s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PI7812367813.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 226.145.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4756-0-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-1-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-2-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-4-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-3-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-5-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-6-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-7-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-8-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-9-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-10-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-11-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-12-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-13-0x00007FFF54510000-0x00007FFF54520000-memory.dmp

memory/4756-15-0x00007FFF54510000-0x00007FFF54520000-memory.dmp

memory/4756-14-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-16-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-17-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-18-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-19-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-20-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-31-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-32-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-33-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-34-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-55-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-56-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-57-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-58-0x00007FFF566D0000-0x00007FFF566E0000-memory.dmp

memory/4756-59-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-60-0x00007FFF96650000-0x00007FFF96845000-memory.dmp

memory/4756-61-0x00007FFF96650000-0x00007FFF96845000-memory.dmp