modiloader | e8414dd64dbd95608d21a7b6171b875454f19a7f317f9cf6690448628fdfcf24

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
06-06-2024 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DHL AWB# 7954365333.xls
Size

280KB
MD5

6ebcf0b1e040ec839f51640a35fa75f4
SHA1

84594217603fec2be41887b9361f565cbbd536b8
SHA256

e8414dd64dbd95608d21a7b6171b875454f19a7f317f9cf6690448628fdfcf24
SHA512

9aee1cab6c9af209b2408aade2b6122b399ca58594f8fa7453cbd6e6dec422014f1c3eff6db0055a12719c856709d4512db3376f02260dca4d665ad8c1c84c9f
SSDEEP

6144:qqFzL5LIT47HtxcbELOS8bBidbu7wGkMV4fonU8ZfI:qqFzu4LEb8OSgBugwZMEWUq

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 58 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2480-128-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-131-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-129-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-127-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-130-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-135-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-136-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-134-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-137-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-138-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-140-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-139-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-141-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-156-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-163-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-167-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-142-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-166-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-161-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-158-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-153-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-170-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-172-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-143-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-174-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-177-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-144-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-179-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-182-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-145-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-184-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-187-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-189-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-191-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-146-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-193-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-196-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-198-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-203-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-147-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-200-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-205-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-208-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-212-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-210-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-148-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-165-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-164-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-162-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-160-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-159-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-157-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-155-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-154-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-152-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-151-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-150-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2
behavioral1/memory/2480-149-0x0000000002FF0000-0x0000000003FF0000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

17 2404 EQNEDT32.EXE
Abuses OpenXML format to download file from external location
Executes dropped EXE 8 IoCs

Processes:

alpha.exealpha.exekn.exealpha.exekn.exeAudio.pifalpha.exealpha.exe

pid process

572 alpha.exe
2096 alpha.exe
1400 kn.exe
2304 alpha.exe
2384 kn.exe
2480 Audio.pif
2116 alpha.exe
2188 alpha.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exealpha.exeWerFault.exe

pid process

1920 cmd.exe
2096 alpha.exe
1920 cmd.exe
1920 cmd.exe
2632 WerFault.exe
2632 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2632 2480 WerFault.exe Audio.pif
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2404 EQNEDT32.EXE

flow	pid	process
17	2404	EQNEDT32.EXE

pid	process
572	alpha.exe
2096	alpha.exe
1400	kn.exe
2304	alpha.exe
2384	kn.exe
2480	Audio.pif
2116	alpha.exe
2188	alpha.exe

pid	process
1920	cmd.exe
2096	alpha.exe
1920	cmd.exe
1920	cmd.exe
2632	WerFault.exe
2632	WerFault.exe

pid	pid_target	process	target process
2632	2480	WerFault.exe	Audio.pif

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2404	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2176 EXCEL.EXE
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2176 EXCEL.EXE
2176 EXCEL.EXE
2176 EXCEL.EXE
2652 WINWORD.EXE
2652 WINWORD.EXE
2176 EXCEL.EXE
2176 EXCEL.EXE
2176 EXCEL.EXE
2176 EXCEL.EXE

pid	process
2176	EXCEL.EXE

pid	process
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2652	WINWORD.EXE
2652	WINWORD.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE
2176	EXCEL.EXE

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEcmd.exealpha.exealpha.exealpha.exeAudio.pif

description	pid	process	target process
PID 2404 wrote to memory of 1920	2404	EQNEDT32.EXE	cmd.exe
PID 2404 wrote to memory of 1920	2404	EQNEDT32.EXE	cmd.exe
PID 2404 wrote to memory of 1920	2404	EQNEDT32.EXE	cmd.exe
PID 2404 wrote to memory of 1920	2404	EQNEDT32.EXE	cmd.exe
PID 2652 wrote to memory of 1608	2652	WINWORD.EXE	splwow64.exe
PID 2652 wrote to memory of 1608	2652	WINWORD.EXE	splwow64.exe
PID 2652 wrote to memory of 1608	2652	WINWORD.EXE	splwow64.exe
PID 2652 wrote to memory of 1608	2652	WINWORD.EXE	splwow64.exe
PID 1920 wrote to memory of 304	1920	cmd.exe	extrac32.exe
PID 1920 wrote to memory of 304	1920	cmd.exe	extrac32.exe
PID 1920 wrote to memory of 304	1920	cmd.exe	extrac32.exe
PID 1920 wrote to memory of 304	1920	cmd.exe	extrac32.exe
PID 1920 wrote to memory of 572	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 572	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 572	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 572	1920	cmd.exe	alpha.exe
PID 572 wrote to memory of 1344	572	alpha.exe	extrac32.exe
PID 572 wrote to memory of 1344	572	alpha.exe	extrac32.exe
PID 572 wrote to memory of 1344	572	alpha.exe	extrac32.exe
PID 572 wrote to memory of 1344	572	alpha.exe	extrac32.exe
PID 1920 wrote to memory of 2096	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2096	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2096	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2096	1920	cmd.exe	alpha.exe
PID 2096 wrote to memory of 1400	2096	alpha.exe	kn.exe
PID 2096 wrote to memory of 1400	2096	alpha.exe	kn.exe
PID 2096 wrote to memory of 1400	2096	alpha.exe	kn.exe
PID 2096 wrote to memory of 1400	2096	alpha.exe	kn.exe
PID 1920 wrote to memory of 2304	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2304	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2304	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2304	1920	cmd.exe	alpha.exe
PID 2304 wrote to memory of 2384	2304	alpha.exe	kn.exe
PID 2304 wrote to memory of 2384	2304	alpha.exe	kn.exe
PID 2304 wrote to memory of 2384	2304	alpha.exe	kn.exe
PID 2304 wrote to memory of 2384	2304	alpha.exe	kn.exe
PID 1920 wrote to memory of 2480	1920	cmd.exe	Audio.pif
PID 1920 wrote to memory of 2480	1920	cmd.exe	Audio.pif
PID 1920 wrote to memory of 2480	1920	cmd.exe	Audio.pif
PID 1920 wrote to memory of 2480	1920	cmd.exe	Audio.pif
PID 1920 wrote to memory of 2116	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2116	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2116	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2116	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2188	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2188	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2188	1920	cmd.exe	alpha.exe
PID 1920 wrote to memory of 2188	1920	cmd.exe	alpha.exe
PID 2480 wrote to memory of 2632	2480	Audio.pif	WerFault.exe
PID 2480 wrote to memory of 2632	2480	Audio.pif	WerFault.exe
PID 2480 wrote to memory of 2632	2480	Audio.pif	WerFault.exe
PID 2480 wrote to memory of 2632	2480	Audio.pif	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\DHL AWB# 7954365333.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1608

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\cmd.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
3⤵
PID:304

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
4⤵
PID:1344

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Roaming\cmd.bat" "C:\\Users\\Public\\Audio.mp4" 9
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Roaming\cmd.bat" "C:\\Users\\Public\\Audio.mp4" 9
4⤵
- Executes dropped EXE
PID:1400

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Audio.mp4" "C:\\Users\\Public\\Libraries\\Audio.pif" 12
4⤵
- Executes dropped EXE
PID:2384

C:\Users\Public\Libraries\Audio.pif
C:\Users\Public\Libraries\Audio.pif
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 712
4⤵
- Loads dropped DLL
- Program crash
PID:2632

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
3⤵
- Executes dropped EXE
PID:2116

C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Audio.mp4" / A / F / Q / S
3⤵
- Executes dropped EXE
PID:2188

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
Filesize
128KB

MD5
208bf1fbe5cf9380add117980692f4a4

SHA1
ede713243813c443295e9f04df99d5d7db991887

SHA256
ec4e3f5a2a3c73f62e42d61684c8c9d1e34b355311739ddcca48ed13a3cc7261

SHA512
f4d123e38fe7acd74b5c1f0f65def18542642dce517a8a8015dcc111321780dda80eda7b8627ff5143a9f47b2a8a23278aaaa31c3bcf359afb0d3f4aa565feaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D36F00A7-F657-42F0-AFCA-79A332FD8BD2}.FSD
Filesize
128KB

MD5
21e962225e2c2d519599df8729d9ac94

SHA1
f240328a4c65afc482506f5c55a4340204736bda

SHA256
2c2e182e97e62e32048403216fa59aa0c4ed0d43eee4ee0202b45443a20e6cc6

SHA512
0057ecec07ef7edd85f78dcfdbaf70ef1018c72f4a688359754351a78a6f9ec99111930ae6b985bd122bc330c7a414ef98c278391ab944cbf31f0ae86bbfc071

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
7a5d34c4eb31320ad09c4dbd7783e2e1

SHA1
7d7bf2f89643f55b817b8602c76408f09bcd96e2

SHA256
35ad977aedd029ff120b5d038e1966a327dcf44fa185d40cc4f05777f70fb089

SHA512
2434f92f80d5b6746653f30bdcd7103561e973514d7ff35910a8527a734909ea2eef770c3e984af72d9d7d156d500b3f1e4ad65b1a86d573da245dbd51c2e003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{461A8396-48F6-4CA5-BFAC-1C904891E7EE}.FSD
Filesize
128KB

MD5
56c5b485b6796474bd78acef4fb1f2ba

SHA1
e1f0d192bb8d4d3e36948612f5a4db934ad59b46

SHA256
2cbca8abf564b657da9cb22e176abcdee5f90cefb929483ea10e3d794b68c101

SHA512
bf4c9c297f3ded95105cf5f7c04ed60388089aef916818c575f1c8e21b996833ad7db14799d8d9e4dd6f75471aa8b423a4164a57155a0dce85d0e86ab3f4cd0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TTL9DZJ3\lionunderstandjunglenotabletorulealonebecauseitsverydifficulttogetitbackwithentirethingsitstrulyagreatplantogetitbackandgreat___lionisgreatanimalalways[1].doc
Filesize
80KB

MD5
9794997a7de536d9c61f86baef3cfa43

SHA1
a0af705fbcdbc8198de8ef06052d719ed377d8de

SHA256
9e6021a26a5156279da3919429e9dcffa6dd21debcad2a255606b1da6a2f7dd9

SHA512
eacc6d5e07ea3ab7e0c4807ab4dbb5cbc77130da75cab423f07ed1dbb2fd17b7664f1db3fd5d15469e1ea63d557d91a4171243b928cbde41c0df567debd0fbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9DAEFF95-DA5A-4C41-8C88-F454D2EAE8C3}
Filesize
128KB

MD5
777647b6926efc2a1a3f6cd79c6a4705

SHA1
626658b0cd60b658a9bfd04f27757242b69d159e

SHA256
bee6a7c2508ae31a61f28d823a27f4c4419bbfb3488abc506f1b5e7bf8fac202

SHA512
4511578b68d2d6808e9cfa1824760322f47023f9db9f842a6c9b1e1f4e12cca4c3b7181621d317574e8094df447f1f49d23125e71086333ba4cd6a4d56d55b0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\2LKALM21.txt
Filesize
73B

MD5
8dd13c1ba9fef43b0563dab6e118b3c7

SHA1
21b0ec2b6c87c22ce35ff081a4c4729da35f2e7f

SHA256
327529e60598f615342e0a23979f8ba0a7ee3325e3d0ca01c1044c72c276282e

SHA512
0ab2ed8fff3ed18c55299534a9c450d6c805ec561f49b5d59e1da5af9136f1b910fe76ce4b2125b6fd614e4c20569981fc8f28e8cd5b85dcb05c420b9b9b1d59

Download Submit
C:\Users\Admin\AppData\Roaming\cmd.bat
Filesize
3.6MB

MD5
21a4228206ee9489fe1bda068e77d0e0

SHA1
069fca44d76e86277cdefd1d182f437e461fcc60

SHA256
ae26f5d0553f84005c99679873d8054538d974b811c0f706335fca2f141ad869

SHA512
25fa4668eeee5f683179b15c2481b723cd3ffb8a1e923927c56d3fd701daf161dd92768e78148a121f4f6044f07bf5a34cc344e5a7e112f27c59fd7486db4d9e

Download Submit
C:\Users\Public\Audio.mp4
Filesize
2.5MB

MD5
ee854e41755aff65ed875ad99b02c469

SHA1
a81476a18936d49e9fde298fff35edd3abf1d736

SHA256
e1695b25967cac02cd05f47d4672c440f3003fc0960e22926670096142c37b8e

SHA512
81ec8ee8e4cac0a3a9b5d204893a8280f828ee3153bcd60605281fb8e48941ddb3cc0628dcdd7a9030af844aee8734cf97890ccb1e815efb4d9c67efc53f346f

Download Submit
C:\Users\Public\kn.exe
Filesize
869KB

MD5
7b973145f7e1b59330ca4dd1f86b3d55

SHA1
10ce9174bff4856083e6adad0094a798ced2c079

SHA256
589229e2bd93100049909edf9825dce24ff963a0c465d969027db34e2eb878b4

SHA512
1e910be2a19a13e6f07f290fc5de8f44a3d1427eb216928bd9230337e3c604b1b782acd373e2d051fc3521280610cb05a95cb95ff2e1db110a4593e55709e9b4

Download Submit
\Users\Public\Libraries\Audio.pif
Filesize
1.2MB

MD5
3db23c215af650e08d8a5695db1b7fdb

SHA1
8b597eeee183d6f486dab7bc18a33d1754a1c28b

SHA256
e9abb1ea6b096bb739b66963bb9c75bb8416ef810bdd72e867047d8ffe0e6267

SHA512
d1ce0d540d43faf1b502e006d460a28ccddb164f92ab1142e84cd5792a8f4be11f5a75872977eaffd14b5df1982c5edd3c47ecbd8a7094a90d53973bcc80b29b

Download Submit
\Users\Public\alpha.exe
Filesize
295KB

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
memory/2176-9-0x00000000024E0000-0x00000000024E2000-memory.dmp

Filesize
8KB

Download
memory/2176-125-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/2176-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2176-1-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/2480-166-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-144-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-149-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-150-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-128-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-131-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-129-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-127-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-130-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-132-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/2480-135-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-136-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-134-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-137-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-138-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-140-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-139-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-141-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-156-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-163-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-167-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-142-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-151-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-161-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-158-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-153-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-170-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-172-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-143-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-174-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-177-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-152-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-179-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-182-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-145-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-184-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-187-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-189-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-191-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-146-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-193-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-196-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-198-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-203-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-147-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-200-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-205-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-208-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-212-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-210-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-148-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-165-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-164-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-162-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-160-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-159-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-157-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-155-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2480-154-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

Filesize
16.0MB

Download
memory/2652-8-0x0000000003710000-0x0000000003712000-memory.dmp

Filesize
8KB

Download
memory/2652-4-0x000000002FFE1000-0x000000002FFE2000-memory.dmp

Filesize
4KB

Download
memory/2652-126-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download
memory/2652-6-0x000000007237D000-0x0000000072388000-memory.dmp

Filesize
44KB

Download