bitrat | 833747fe3feaca3e71a38cc66ee5003a846fc43a61e8a59e093a23c5b260ef90

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapitvane marko bulgaria eood.rtf
Size

3KB
MD5

93671555d60537ba07df133dda8592a2
SHA1

396ab1b853fac12d406bc1687cf18cb0a2cc061e
SHA256

833747fe3feaca3e71a38cc66ee5003a846fc43a61e8a59e093a23c5b260ef90
SHA512

8d03fcc1a697a8150ce7d2325e65a329d8d870a185b66cdb9ae70c84aecd9983913c12b48902d2b3f7553378617dee533363ac759bef1c8c502903f3016d6a6f

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Blocklisted process makes network request 5 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 436 EQNEDT32.EXE
6 436 EQNEDT32.EXE
8 436 EQNEDT32.EXE
10 436 EQNEDT32.EXE
12 436 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

hjpy.exetewu.exetewu.exe

pid process

1576 hjpy.exe
620 tewu.exe
1080 tewu.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

436 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1792 vbc.exe
1792 vbc.exe
1792 vbc.exe
1792 vbc.exe
1792 vbc.exe
1156 vbc.exe
1088 vbc.exe

flow	pid	process
4	436	EQNEDT32.EXE
6	436	EQNEDT32.EXE
8	436	EQNEDT32.EXE
10	436	EQNEDT32.EXE
12	436	EQNEDT32.EXE

pid	process
1576	hjpy.exe
620	tewu.exe
1080	tewu.exe

pid	process
436	EQNEDT32.EXE

pid	process
1792	vbc.exe
1792	vbc.exe
1792	vbc.exe
1792	vbc.exe
1792	vbc.exe
1156	vbc.exe
1088	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hjpy.exetewu.exetewu.exe

description	pid	process	target process
PID 1576 set thread context of 1792	1576	hjpy.exe	vbc.exe
PID 620 set thread context of 1156	620	tewu.exe	vbc.exe
PID 1080 set thread context of 1088	1080	tewu.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

620 schtasks.exe
1516 schtasks.exe
928 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

436 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
620	schtasks.exe
1516	schtasks.exe
928	schtasks.exe

pid	process
436	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

316 WINWORD.EXE

pid	process
316	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1792	vbc.exe
Token: SeShutdownPrivilege	1792	vbc.exe
Token: SeDebugPrivilege	1156	vbc.exe
Token: SeShutdownPrivilege	1156	vbc.exe
Token: SeDebugPrivilege	1088	vbc.exe
Token: SeShutdownPrivilege	1088	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEvbc.exe

pid process

316 WINWORD.EXE
316 WINWORD.EXE
1792 vbc.exe
1792 vbc.exe

pid	process
316	WINWORD.EXE
316	WINWORD.EXE
1792	vbc.exe
1792	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEhjpy.execmd.exeWINWORD.EXEtaskeng.exetewu.exe

description	pid	process	target process
PID 436 wrote to memory of 1576	436	EQNEDT32.EXE	hjpy.exe
PID 436 wrote to memory of 1576	436	EQNEDT32.EXE	hjpy.exe
PID 436 wrote to memory of 1576	436	EQNEDT32.EXE	hjpy.exe
PID 436 wrote to memory of 1576	436	EQNEDT32.EXE	hjpy.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1792	1576	hjpy.exe	vbc.exe
PID 1576 wrote to memory of 1520	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 1520	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 1520	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 1520	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 1012	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 1012	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 1012	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 1012	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 2028	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 2028	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 2028	1576	hjpy.exe	cmd.exe
PID 1576 wrote to memory of 2028	1576	hjpy.exe	cmd.exe
PID 1012 wrote to memory of 620	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 620	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 620	1012	cmd.exe	schtasks.exe
PID 1012 wrote to memory of 620	1012	cmd.exe	schtasks.exe
PID 316 wrote to memory of 544	316	WINWORD.EXE	splwow64.exe
PID 316 wrote to memory of 544	316	WINWORD.EXE	splwow64.exe
PID 316 wrote to memory of 544	316	WINWORD.EXE	splwow64.exe
PID 316 wrote to memory of 544	316	WINWORD.EXE	splwow64.exe
PID 1520 wrote to memory of 620	1520	taskeng.exe	tewu.exe
PID 1520 wrote to memory of 620	1520	taskeng.exe	tewu.exe
PID 1520 wrote to memory of 620	1520	taskeng.exe	tewu.exe
PID 1520 wrote to memory of 620	1520	taskeng.exe	tewu.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 1156	620	tewu.exe	vbc.exe
PID 620 wrote to memory of 744	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 744	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 744	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 744	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 276	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 276	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 276	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 276	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 1608	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 1608	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 1608	620	tewu.exe	cmd.exe
PID 620 wrote to memory of 1608	620	tewu.exe	cmd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapitvane marko bulgaria eood.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:544

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:436

C:\Users\Admin\AppData\Roaming\hjpy.exe
C:\Users\Admin\AppData\Roaming\hjpy.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1792

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hjpy.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:620

C:\Windows\system32\taskeng.exe
taskeng.exe {8D640145-7C90-4E65-9E7A-6A4DD6A0EA71} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
PID:276

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1516

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1608

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
PID:1704

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:928

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
af0cfb60d294005f72659aa228214fa1

SHA1
2e06c92112008f7667a9ce34e48278848b6634df

SHA256
db68a99933b59a96f5be4b1bd08a84e5c2ed31f5df35f7ef9e0cd6820e521857

SHA512
8e6228fbca315702b1295c891d3b1b9c4da320b557e953b4da3267e2f1e0a5a308642e56286eb5d718a1d57b81b6973f61b9dc9c7e9145318247f11b8b12ab25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2C13.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F54.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
d58a5ff7c5002a8f46937c2a31d98aa9

SHA1
ecca7e76a741cb0e29a550b4fe6584a10feec7b7

SHA256
7ab2120452b457cdb92b19552d2d50ab3de73e3e084912f30ad11ec610e81235

SHA512
af93ca72801c90b5fc4306ad0726e98d90d3fe12a3d06bb6fcb9618484bc6fa2876df572378e3ea97c4d75b8ee524cc9deb4bb7d25642d48ee1421da12db9fcd

Download Submit
C:\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/316-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/620-215-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/620-211-0x0000000001110000-0x00000000014E4000-memory.dmp

Filesize
3.8MB

Download
memory/1080-264-0x0000000001110000-0x00000000014E4000-memory.dmp

Filesize
3.8MB

Download
memory/1088-288-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1088-291-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1156-228-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1156-224-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1156-223-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1576-150-0x00000000051F0000-0x0000000005230000-memory.dmp

Filesize
256KB

Download
memory/1576-149-0x0000000001290000-0x0000000001664000-memory.dmp

Filesize
3.8MB

Download
memory/1792-187-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-201-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-180-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-181-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-182-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-183-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-184-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-185-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-186-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-178-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-188-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1792-189-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1792-190-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-192-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-193-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-194-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-195-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-197-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-196-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-198-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-200-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-179-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-202-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1792-203-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/1792-204-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-207-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-177-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-168-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-164-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-159-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-158-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1792-157-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-226-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-227-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-156-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-229-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-231-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-155-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-154-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-153-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-152-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download
memory/1792-151-0x0000000000410000-0x00000000007DE000-memory.dmp

Filesize
3.8MB

Download