d61b83ccbe8a440efc227f483a6a67000d7fb671b4c38227a2068fa4e5528e23

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
Size

2.0MB
MD5

890ccdd953ad624f557516c5f94ef5ec
SHA1

0137cd95c0cfbb4ea2659253b13f781a980914c0
SHA256

d61b83ccbe8a440efc227f483a6a67000d7fb671b4c38227a2068fa4e5528e23
SHA512

c7ce61f6ebb9b77d0ea5e63be869b9528e34d3c8add9ee34464d1f8f12b7f8a92d9a27fe3d3bbe70d680040f0fab909efdfb7e3e72425db2390d96c80616b11a
SSDEEP

49152:vnsHyjtk2MYC5GDuTq24GjdGS9hWb2J3Y2p9tGk5fA:vnsmtk2aeEjdGSGb2Jo2b75fA

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012257-4.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x003200000001630b-13.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1888-27-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2380-30-0x0000000000AE0000-0x0000000000C1E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x003200000001630b-33.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x003200000001630b-32.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00320000000164b2-37.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x00320000000164b2-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2524-40-0x00000000011B0000-0x00000000012EE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2536-154-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2536-159-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2536-196-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables (downlaoders) containing URLs to raw contents of a paste 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012257-4.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/files/0x003200000001630b-13.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/1888-27-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2380-30-0x0000000000AE0000-0x0000000000C1E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/files/0x003200000001630b-33.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/files/0x003200000001630b-32.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/files/0x00320000000164b2-37.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/files/0x00320000000164b2-34.dat	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2524-40-0x00000000011B0000-0x00000000012EE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2536-154-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2536-159-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL
behavioral1/memory/2536-196-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

Detects executables Discord URL observed in first stage droppers 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012257-4.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/files/0x003200000001630b-13.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1888-27-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2380-30-0x0000000000AE0000-0x0000000000C1E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/files/0x003200000001630b-33.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/files/0x003200000001630b-32.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/files/0x00320000000164b2-37.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/files/0x00320000000164b2-34.dat	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2524-40-0x00000000011B0000-0x00000000012EE000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2536-154-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2536-159-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2536-196-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables manipulated with Fody 12 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012257-4.dat	INDICATOR_EXE_Packed_Fody
behavioral1/files/0x003200000001630b-13.dat	INDICATOR_EXE_Packed_Fody
behavioral1/memory/1888-27-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral1/memory/2380-30-0x0000000000AE0000-0x0000000000C1E000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral1/files/0x003200000001630b-33.dat	INDICATOR_EXE_Packed_Fody
behavioral1/files/0x003200000001630b-32.dat	INDICATOR_EXE_Packed_Fody
behavioral1/files/0x00320000000164b2-37.dat	INDICATOR_EXE_Packed_Fody
behavioral1/files/0x00320000000164b2-34.dat	INDICATOR_EXE_Packed_Fody
behavioral1/memory/2524-40-0x00000000011B0000-0x00000000012EE000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral1/memory/2536-154-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral1/memory/2536-159-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_EXE_Packed_Fody
behavioral1/memory/2536-196-0x0000000000400000-0x00000000005FC000-memory.dmp	INDICATOR_EXE_Packed_Fody

Executes dropped EXE 3 IoCs

pid	Process
2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
2536	Synaptics.exe
2524	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

pid	Process
1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
2536	Synaptics.exe
2536	Synaptics.exe
2816	WerFault.exe
2816	WerFault.exe
2296	WerFault.exe
2296	WerFault.exe
2816	WerFault.exe
2296	WerFault.exe
2816	WerFault.exe
2296	WerFault.exe
2816	WerFault.exe
2296	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com
4	pastebin.com
5	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2296	2524	WerFault.exe	31
2816	2380	WerFault.exe	28

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	._cache_Synaptics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2020	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2524	._cache_Synaptics.exe
2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
2524	._cache_Synaptics.exe
2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
2524	._cache_Synaptics.exe
2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
2524	._cache_Synaptics.exe
2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	._cache_Synaptics.exe
Token: SeDebugPrivilege	2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2020	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 2380	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	28
PID 1888 wrote to memory of 2380	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	28
PID 1888 wrote to memory of 2380	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	28
PID 1888 wrote to memory of 2380	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	28
PID 1888 wrote to memory of 2536	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	30
PID 1888 wrote to memory of 2536	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	30
PID 1888 wrote to memory of 2536	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	30
PID 1888 wrote to memory of 2536	1888	2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	30
PID 2536 wrote to memory of 2524	2536	Synaptics.exe	31
PID 2536 wrote to memory of 2524	2536	Synaptics.exe	31
PID 2536 wrote to memory of 2524	2536	Synaptics.exe	31
PID 2536 wrote to memory of 2524	2536	Synaptics.exe	31
PID 2380 wrote to memory of 2816	2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	34
PID 2524 wrote to memory of 2296	2524	._cache_Synaptics.exe	35
PID 2524 wrote to memory of 2296	2524	._cache_Synaptics.exe	35
PID 2524 wrote to memory of 2296	2524	._cache_Synaptics.exe	35
PID 2524 wrote to memory of 2296	2524	._cache_Synaptics.exe	35
PID 2380 wrote to memory of 2816	2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	34
PID 2380 wrote to memory of 2816	2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	34
PID 2380 wrote to memory of 2816	2380	._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe	34

C:\Users\Admin\AppData\Local\Temp\2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 1384
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2816
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 1440
      4⤵
      Loads dropped DLL
      Program crash
      PID:2296

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.0MB

MD5
890ccdd953ad624f557516c5f94ef5ec

SHA1
0137cd95c0cfbb4ea2659253b13f781a980914c0

SHA256
d61b83ccbe8a440efc227f483a6a67000d7fb671b4c38227a2068fa4e5528e23

SHA512
c7ce61f6ebb9b77d0ea5e63be869b9528e34d3c8add9ee34464d1f8f12b7f8a92d9a27fe3d3bbe70d680040f0fab909efdfb7e3e72425db2390d96c80616b11a

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
766KB

MD5
d520ee00f828614597042e9f7bf181c6

SHA1
a9ec6ac326b95a29875bdac6b6cef03ad93d11da

SHA256
fecb2ae2e9c5e4f200527c6ce46386f4ae85047f4fb2d6e79b11f2529c3ddfd0

SHA512
1b3b46a0c2fe10e0b56a3cc0774d1e57a3b2a303844be393d68051394d2a31256df4d6ff4e583c880c637e3d400bf9c7407c88c57cdad853d122abea53c277d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbd9163a2f3d499d70f41ff62278baab

SHA1
74481156354ed44f087fee5d11552f43c68f07d2

SHA256
e14c8cc9f22212d10eed9c8b8b934f01337f5c806e9bf1e3d58731fa4147949c

SHA512
d7e21a081c3111247e3c2cd12cdf573b39676b90b2378c0991c4e7473734c872ce4aea76f6390b63882f173124d950e7dc22a013024ba5f884fa78425de784c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
164e434acadc71c6b8f68443efe2e68a

SHA1
7b639dc2a4a9250b53c3a82b75de50b9cad9c869

SHA256
4c98bf43b03ec5a388bcbf11d10ddb0b41658acedba9c5f8643351e1242749b2

SHA512
c5f27d7017c41a86af4cfce0c256b70c42c5ccb59c53af9274900934175927383d122819642cb9eb3378fe32a62387b700f9eb4f6e696c4a5b6f86e50248252f

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
448KB

MD5
5e1bf4170b58c6a6c18e2bee8e91ac54

SHA1
bad7ebb1cbe312fd696c721525ba4b89e91d37e9

SHA256
0195ff04db08b3b11d0d9c9dc0782daac57159078818ae7daa6e8646e849469b

SHA512
0256b5f1661a91a2f6029786f40341546a1036cf5eb900ae5d88413f5c3a5c92204cf2dc57e737f87adffd81b16e6ec6caea03eeeb88e4fb724a4529fb924b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47DA.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CheckerCfg.ini

Filesize
153B

MD5
93f58e7229530ad2b22774f170a2f581

SHA1
ad0112b8a300283d645b2070f15c58777688154f

SHA256
aa7f10c8d0eca33b326ebb1f41f160fc59c04dbc60fac4c150e32c466181689d

SHA512
3bce7f38886bf105e1fcf21b04a320c69f62ead7026958e7e7c2144b6fb9dc0b002b52f5a2fbafc681926a42e68528ddf39c8e218112724345a5129d35dd2c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4965.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jsTkj8Zq.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
702KB

MD5
594707ef3e9bbee08b03670b2e841ed1

SHA1
2ec5ffd6d0d44820d412b15a993ef9080366f476

SHA256
95e32e3169391bd03710b22093d7086f2435229055be7ae0ec3628232a105a5a

SHA512
729f99cf4229594aeb2c52c10542e6de3d407b6d55a44bfa0c9ff097b0284b8cad3e44afc8b44791c69fe750938e96f57681c185801d24237c5a3d599a1a2098

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_890ccdd953ad624f557516c5f94ef5ec_icedid.exe

Filesize
1.2MB

MD5
c0ea55286540db56bee76d56ccb295bc

SHA1
c7c63f6ffab5925ba9c7d9f9e4f7b494bc00eb68

SHA256
310739bba1cf863d2d54e2fa15a48f3163dd2eee9839c70db4cd4aa435da44fa

SHA512
e8ca1f979d329cd7cd4a6bd46fcf5abbebac3dad138c8cd751489751dccccd8eea092161fe8130b59d3cdd5cfa724bb59f7178a70c3fe62a6557be763c419c37

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
543KB

MD5
7080ec8d308eb139dc5944da52ecc755

SHA1
eb7eec6df9a6d3e914979efb65844b37b71c984a

SHA256
b0d440af75a2b13757f2e6d36cce3171eee0549e8b24026153fe1006854ec129

SHA512
ff951f9e9e892f91d092d56242893538f1cf7fa74d339eb2fd6eedb11d9db047802dd7ffb6b8b9adb15ae806a243b4cfe60ebb4c1e2d977779271d8d273b8b93

Download Submit
memory/1888-27-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/1888-0-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2020-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2020-162-0x000000006F85D000-0x000000006F868000-memory.dmp

Filesize
44KB

Download
memory/2020-53-0x000000006F85D000-0x000000006F868000-memory.dmp

Filesize
44KB

Download
memory/2380-48-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2380-156-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-39-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-47-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2380-43-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2380-161-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2380-41-0x00000000003A0000-0x00000000003C6000-memory.dmp

Filesize
152KB

Download
memory/2380-158-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Filesize
256KB

Download
memory/2380-30-0x0000000000AE0000-0x0000000000C1E000-memory.dmp

Filesize
1.2MB

Download
memory/2524-160-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Filesize
256KB

Download
memory/2524-46-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Filesize
256KB

Download
memory/2524-157-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-44-0x0000000004EC0000-0x0000000004F6A000-memory.dmp

Filesize
680KB

Download
memory/2524-42-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2524-40-0x00000000011B0000-0x00000000012EE000-memory.dmp

Filesize
1.2MB

Download
memory/2524-45-0x0000000000AA0000-0x0000000000AE0000-memory.dmp

Filesize
256KB

Download
memory/2536-26-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2536-154-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2536-155-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2536-159-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download
memory/2536-196-0x0000000000400000-0x00000000005FC000-memory.dmp

Filesize
2.0MB

Download