xloader | 50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_38575943.exe
Size

341KB
MD5

2a11ef715093c4429cd05dc3950c7f89
SHA1

3199e3c72fc349d9cce951c2c8830d88a8da4454
SHA256

50df1fc76a41a970a44ac40efdd0113c599a7091891dc13c25e78abe52a97158
SHA512

24f2d7a608d421258334144217e97dccdeb023d5e621774f213eda210a8937df0c7d12cfd02e8c96d5951011d6142a320ca3b40bedb8ac6ad5f95ccc6d3d2d0a
SSDEEP

6144:HqPwmYdAbc0C3LFDDOQmjUi0GL9jDAlPMKpPbd6j62AeI4KR0VoFtDFF7g:HqPwmYdAbc0CboQmjIGN6Pzd6j6/eWtU

Score

10^/10

xloader c6si loader rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

c6si

Decoy

tristateinc.construction

americanscaregroundstexas.com

kanimisoshiru.com

wihling.com

fishcheekstosa.com

parentsfuid.com

greenstandmarket.com

fc8fla8kzq.com

gametwist-83.club

jobsncvs.com

directrealtysells.com

avida2015.com

conceptasite.net

arkaneattire.com

indev-mobility.info

2160centurypark412.com

valefloor.com

septembership.com

stackflix.com

jimc0sales.net

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2644-12-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/2644-17-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral2/memory/3604-25-0x00000000008F0000-0x0000000000919000-memory.dmp	xloader
behavioral2/memory/3604-27-0x00000000008F0000-0x0000000000919000-memory.dmp	xloader

Suspicious use of SetThreadContext 3 IoCs

Processes:

IMG_38575943.exeIMG_38575943.exemsiexec.exe

description	pid	process	target process
PID 1332 set thread context of 2644	1332	IMG_38575943.exe	IMG_38575943.exe
PID 2644 set thread context of 3412	2644	IMG_38575943.exe	Explorer.EXE
PID 3604 set thread context of 3412	3604	msiexec.exe	Explorer.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 64 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{d3162b92-9365-467a-956b-92703aca08af}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Documents"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "5"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000020000000100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e80d43aad2469a5304598e1ab02f9417aa8260001002600efbe11000000e5840d46cd8cda01a32d1aa6d28cda01cb1b1341d38cda0114000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4092317236-2027488869-1227795436-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	Explorer.EXE

Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

Explorer.EXEEXCEL.EXEWINWORD.EXE

pid process

3412 Explorer.EXE
2708 EXCEL.EXE
832 WINWORD.EXE
832 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

IMG_38575943.exemsiexec.exe

pid	process
2644	IMG_38575943.exe
2644	IMG_38575943.exe
2644	IMG_38575943.exe
2644	IMG_38575943.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe
3604	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3412 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

IMG_38575943.exemsiexec.exe

pid process

2644 IMG_38575943.exe
2644 IMG_38575943.exe
2644 IMG_38575943.exe
3604 msiexec.exe
3604 msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

IMG_38575943.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2644	IMG_38575943.exe
Token: SeDebugPrivilege	3604	msiexec.exe
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE
Token: SeShutdownPrivilege	3412	Explorer.EXE
Token: SeCreatePagefilePrivilege	3412	Explorer.EXE

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

Explorer.EXEEXCEL.EXEWINWORD.EXE

pid	process
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
832	WINWORD.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE
3412	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3412 Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

IMG_38575943.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1332 wrote to memory of 2644	1332	IMG_38575943.exe	IMG_38575943.exe
PID 1332 wrote to memory of 2644	1332	IMG_38575943.exe	IMG_38575943.exe
PID 1332 wrote to memory of 2644	1332	IMG_38575943.exe	IMG_38575943.exe
PID 1332 wrote to memory of 2644	1332	IMG_38575943.exe	IMG_38575943.exe
PID 1332 wrote to memory of 2644	1332	IMG_38575943.exe	IMG_38575943.exe
PID 1332 wrote to memory of 2644	1332	IMG_38575943.exe	IMG_38575943.exe
PID 3412 wrote to memory of 3604	3412	Explorer.EXE	msiexec.exe
PID 3412 wrote to memory of 3604	3412	Explorer.EXE	msiexec.exe
PID 3412 wrote to memory of 3604	3412	Explorer.EXE	msiexec.exe
PID 3604 wrote to memory of 2316	3604	msiexec.exe	cmd.exe
PID 3604 wrote to memory of 2316	3604	msiexec.exe	cmd.exe
PID 3604 wrote to memory of 2316	3604	msiexec.exe	cmd.exe
PID 3412 wrote to memory of 2708	3412	Explorer.EXE	EXCEL.EXE
PID 3412 wrote to memory of 2708	3412	Explorer.EXE	EXCEL.EXE
PID 3412 wrote to memory of 2708	3412	Explorer.EXE	EXCEL.EXE
PID 3412 wrote to memory of 832	3412	Explorer.EXE	WINWORD.EXE
PID 3412 wrote to memory of 832	3412	Explorer.EXE	WINWORD.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3412

C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe
"C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\IMG_38575943.exe"
3⤵
PID:2316

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\GroupResume.xlsm"
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Are.docx" /o ""
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize
2KB

MD5
ff5a843be375ebb57a6cdfae6466fd67

SHA1
1e24839053e7e4c36a6393954fd8e2c1fddf3254

SHA256
e8e1149c268faf934c052be1b4c8f9c2d1eb80ace32a536fb8d0193b5ca28f90

SHA512
bdc676f91b50d295933a2410f2d25fb487c7ec24f03e772b7500ea3c88c6bab5ea62605a4a9e74c56dffcba1e76c4ef79c6ff2f702e5a58c2dffa85035054f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize
2KB

MD5
927b2a16428fa376e8352bd8242474d7

SHA1
da2dc1fc758e0c71dc2ef72619a4df782bb4cb6b

SHA256
32c3632f80526bd8fd11df92582f894297864af1003fec9060c629cd202ddaa6

SHA512
e296871a1b5c5e63b2ff0141fdbdddbf90b668b247f490bcc2a2a52d9dab30aaeb36725200904690abaea00e595d68e72d53291265303d39615da232fcc7b3fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
202B

MD5
add56ec49f8f478e84a934606effef1c

SHA1
1262ae87ef755e40752740df90d21352d5fc81ec

SHA256
22e509cf2b7202fc6b04c3d9a1b137477f11471d58a48c1f9514f89450217327

SHA512
c095f193d221696f3b087c3f224a559ad0efe4852a5392c8a3ab03f80183beec2a8327892aa481c85f1bf8165b76a029555f250e0dd5f396c823feacff4c06f1

Download Submit
memory/832-134-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-132-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-122-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-123-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-125-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-135-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-126-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-124-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-128-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-129-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-127-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-141-0x00007FFD6C990000-0x00007FFD6C9A0000-memory.dmp

Filesize
64KB

Download
memory/832-136-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-133-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-183-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-182-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-181-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-180-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/832-137-0x00007FFD6C990000-0x00007FFD6C9A0000-memory.dmp

Filesize
64KB

Download
memory/832-138-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-139-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-144-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-143-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-140-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/832-142-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/1332-8-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1332-10-0x0000000006AF0000-0x0000000006B8C000-memory.dmp

Filesize
624KB

Download
memory/1332-1-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1332-2-0x0000000005960000-0x0000000005F04000-memory.dmp

Filesize
5.6MB

Download
memory/1332-3-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/1332-5-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/1332-0-0x00000000009B0000-0x0000000000A0C000-memory.dmp

Filesize
368KB

Download
memory/1332-4-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/1332-6-0x00000000055A0000-0x00000000055AC000-memory.dmp

Filesize
48KB

Download
memory/1332-7-0x00000000058A0000-0x00000000058EC000-memory.dmp

Filesize
304KB

Download
memory/1332-14-0x00000000747E0000-0x0000000074F90000-memory.dmp

Filesize
7.7MB

Download
memory/1332-9-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/1332-11-0x0000000006BF0000-0x0000000006C4E000-memory.dmp

Filesize
376KB

Download
memory/2644-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2644-15-0x00000000012B0000-0x00000000015FA000-memory.dmp

Filesize
3.3MB

Download
memory/2644-18-0x00000000011B0000-0x00000000011C1000-memory.dmp

Filesize
68KB

Download
memory/2708-114-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-69-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-84-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-113-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-111-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-112-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-92-0x00007FFD6C990000-0x00007FFD6C9A0000-memory.dmp

Filesize
64KB

Download
memory/2708-89-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-88-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-86-0x00007FFD6C990000-0x00007FFD6C9A0000-memory.dmp

Filesize
64KB

Download
memory/2708-87-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-116-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-71-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-73-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-72-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-77-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-78-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-76-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-79-0x00007FFD6F2F0000-0x00007FFD6F300000-memory.dmp

Filesize
64KB

Download
memory/2708-81-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-82-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-83-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/2708-85-0x00007FFDAF270000-0x00007FFDAF465000-memory.dmp

Filesize
2.0MB

Download
memory/3412-31-0x0000000008B80000-0x0000000008CC8000-memory.dmp

Filesize
1.3MB

Download
memory/3412-45-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-66-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-61-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-63-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-64-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-62-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-60-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-59-0x000000000D0D0000-0x000000000D0E0000-memory.dmp

Filesize
64KB

Download
memory/3412-58-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-57-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-55-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-48-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-49-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-51-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-53-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-50-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-47-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-46-0x000000000D0D0000-0x000000000D0E0000-memory.dmp

Filesize
64KB

Download
memory/3412-67-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-44-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-42-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-43-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-41-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-40-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-39-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-37-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-38-0x0000000008DD0000-0x0000000008EDA000-memory.dmp

Filesize
1.0MB

Download
memory/3412-35-0x000000000D0B0000-0x000000000D0C0000-memory.dmp

Filesize
64KB

Download
memory/3412-32-0x0000000008DD0000-0x0000000008EDA000-memory.dmp

Filesize
1.0MB

Download
memory/3412-30-0x0000000008DD0000-0x0000000008EDA000-memory.dmp

Filesize
1.0MB

Download
memory/3412-19-0x0000000008B80000-0x0000000008CC8000-memory.dmp

Filesize
1.3MB

Download
memory/3604-27-0x00000000008F0000-0x0000000000919000-memory.dmp

Filesize
164KB

Download
memory/3604-26-0x00000000029C0000-0x0000000002D0A000-memory.dmp

Filesize
3.3MB

Download
memory/3604-25-0x00000000008F0000-0x0000000000919000-memory.dmp

Filesize
164KB

Download
memory/3604-24-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/3604-22-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/3604-20-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/3604-29-0x00000000026E0000-0x0000000002770000-memory.dmp

Filesize
576KB

Download