bitrat | 833747fe3feaca3e71a38cc66ee5003a846fc43a61e8a59e093a23c5b260ef90

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapitvane marko bulgaria eood.rtf
Size

3KB
MD5

93671555d60537ba07df133dda8592a2
SHA1

396ab1b853fac12d406bc1687cf18cb0a2cc061e
SHA256

833747fe3feaca3e71a38cc66ee5003a846fc43a61e8a59e093a23c5b260ef90
SHA512

8d03fcc1a697a8150ce7d2325e65a329d8d870a185b66cdb9ae70c84aecd9983913c12b48902d2b3f7553378617dee533363ac759bef1c8c502903f3016d6a6f

Score

10^/10

bitrat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

74.201.28.92:3569

Attributes

communication_password
148b191cf4e80b549e1b1a4444f2bdf6
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Blocklisted process makes network request 5 IoCs

Processes:

EQNEDT32.EXE

flow pid process

4 336 EQNEDT32.EXE
6 336 EQNEDT32.EXE
8 336 EQNEDT32.EXE
10 336 EQNEDT32.EXE
12 336 EQNEDT32.EXE
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

hjpy.exetewu.exetewu.exetewu.exe

pid process

1580 hjpy.exe
588 tewu.exe
1556 tewu.exe
2044 tewu.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

336 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1440 vbc.exe
1440 vbc.exe
1440 vbc.exe
1440 vbc.exe
1440 vbc.exe
1912 vbc.exe
1720 vbc.exe

flow	pid	process
4	336	EQNEDT32.EXE
6	336	EQNEDT32.EXE
8	336	EQNEDT32.EXE
10	336	EQNEDT32.EXE
12	336	EQNEDT32.EXE

pid	process
1580	hjpy.exe
588	tewu.exe
1556	tewu.exe
2044	tewu.exe

pid	process
336	EQNEDT32.EXE

pid	process
1440	vbc.exe
1440	vbc.exe
1440	vbc.exe
1440	vbc.exe
1440	vbc.exe
1912	vbc.exe
1720	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hjpy.exetewu.exetewu.exe

description	pid	process	target process
PID 1580 set thread context of 1440	1580	hjpy.exe	vbc.exe
PID 588 set thread context of 1912	588	tewu.exe	vbc.exe
PID 1556 set thread context of 1720	1556	tewu.exe	vbc.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1964 schtasks.exe
652 schtasks.exe
1912 schtasks.exe
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

336 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1964	schtasks.exe
652	schtasks.exe
1912	schtasks.exe

pid	process
336	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

1196 WINWORD.EXE

pid	process
1196	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

vbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	1440	vbc.exe
Token: SeShutdownPrivilege	1440	vbc.exe
Token: SeDebugPrivilege	1912	vbc.exe
Token: SeShutdownPrivilege	1912	vbc.exe
Token: SeDebugPrivilege	1720	vbc.exe
Token: SeShutdownPrivilege	1720	vbc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

WINWORD.EXEvbc.exe

pid process

1196 WINWORD.EXE
1196 WINWORD.EXE
1440 vbc.exe
1440 vbc.exe

pid	process
1196	WINWORD.EXE
1196	WINWORD.EXE
1440	vbc.exe
1440	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEhjpy.execmd.exetaskeng.exetewu.execmd.exe

description	pid	process	target process
PID 336 wrote to memory of 1580	336	EQNEDT32.EXE	hjpy.exe
PID 336 wrote to memory of 1580	336	EQNEDT32.EXE	hjpy.exe
PID 336 wrote to memory of 1580	336	EQNEDT32.EXE	hjpy.exe
PID 336 wrote to memory of 1580	336	EQNEDT32.EXE	hjpy.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 1440	1580	hjpy.exe	vbc.exe
PID 1580 wrote to memory of 824	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 824	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 824	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 824	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 700	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 700	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 700	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 700	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	hjpy.exe	cmd.exe
PID 1580 wrote to memory of 1960	1580	hjpy.exe	cmd.exe
PID 700 wrote to memory of 1964	700	cmd.exe	schtasks.exe
PID 700 wrote to memory of 1964	700	cmd.exe	schtasks.exe
PID 700 wrote to memory of 1964	700	cmd.exe	schtasks.exe
PID 700 wrote to memory of 1964	700	cmd.exe	schtasks.exe
PID 1812 wrote to memory of 588	1812	taskeng.exe	tewu.exe
PID 1812 wrote to memory of 588	1812	taskeng.exe	tewu.exe
PID 1812 wrote to memory of 588	1812	taskeng.exe	tewu.exe
PID 1812 wrote to memory of 588	1812	taskeng.exe	tewu.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 1912	588	tewu.exe	vbc.exe
PID 588 wrote to memory of 2032	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 2032	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 2032	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 2032	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1476	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1476	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1476	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1476	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1956	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1956	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1956	588	tewu.exe	cmd.exe
PID 588 wrote to memory of 1956	588	tewu.exe	cmd.exe
PID 1476 wrote to memory of 652	1476	cmd.exe	schtasks.exe
PID 1476 wrote to memory of 652	1476	cmd.exe	schtasks.exe
PID 1476 wrote to memory of 652	1476	cmd.exe	schtasks.exe
PID 1476 wrote to memory of 652	1476	cmd.exe	schtasks.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\zapitvane marko bulgaria eood.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1384

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Roaming\hjpy.exe
C:\Users\Admin\AppData\Roaming\hjpy.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:824

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\hjpy.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1960

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\taskeng.exe
taskeng.exe {2B9492B0-9928-4F00-A7FC-B368B14F2A4C} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:652

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1956

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1720

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\tewu"
3⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
3⤵
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\tewu\tewu.exe'" /f
4⤵
- Creates scheduled task(s)
PID:1912

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe" "C:\Users\Admin\AppData\Roaming\tewu\tewu.exe"
3⤵
PID:1500

C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
2⤵
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Exploitation for Client Execution

T1203

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
97e2ca715247c4337025b994b4c1d06b

SHA1
83ae2e613f7108ce1f9cb1a5302050400a74ce04

SHA256
f31258ce06dc78c8131f45eb6d7bb30d335b451f76d776e0ad25cc8dd993de8d

SHA512
f189278923c8b0e590da0b5219e9182fd82bfc548a87e271073353e33bbf55ec650a940a0c2f3e3e5b3c83959ddab6467768b150ef420fe9c98665429b79faf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3BEB.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4026.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
1e018e56c2af38de9f123a8e26d17d62

SHA1
aa1394eb376ed7f7317e8c24202643c175186200

SHA256
89d5f36fe4e9db51df01d4ccc68ee60a3cb76bc6bb9ff6861c86d673ff87e30c

SHA512
ba07892980539c0198211d963f22ff853d115930a5049f6fded4d797b953d325e82ce1ac3bda6767b4adb71b4014123bda67100c3c93bd5d9ea6491520940e39

Download Submit
C:\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
C:\Users\Admin\AppData\Roaming\tewu\tewu.exe
Filesize
3.1MB

MD5
3276d32a0910b570f300254f65d3093f

SHA1
15b9b0c94b36d8933acc311ec1d0652f1dd153a8

SHA256
6bee61fc09ea2d6386cbe135d3070b8b3f6dee1f5e7781b89843528abc7a6a38

SHA512
26760f3674f7c72a709b5ac97b45ea4b9e5cd9e9bbbf40ff0d3ca4c2552fbe6ea281ac832f2b7f74e3c9421713cc65a9c89013aba3a65ecce8bf595614db62d5

Download Submit
\Users\Admin\AppData\Roaming\hjpy.exe
Filesize
3.8MB

MD5
d07b7112b39c9eee7eaeba1adb099543

SHA1
1df70cc161540228240e1dde290ac2f5efcfbb0c

SHA256
1c0493090eb306714a26e5a30404947c325dc75410adf4ee4ea18ea159302b9a

SHA512
9f82564e59b49e503de3aad4b7a28a163b3de543a807522c48c5b6f3a005cb38b37e99fab6865e0e064be9c1cf6e2cbec616e7cbb2218ea9f1fbd2015ef9e135

Download Submit
memory/588-198-0x00000000045E0000-0x0000000004620000-memory.dmp

Filesize
256KB

Download
memory/588-185-0x0000000000010000-0x00000000003E4000-memory.dmp

Filesize
3.8MB

Download
memory/1196-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1440-157-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-201-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-158-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1440-159-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-161-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-165-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-171-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-172-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-173-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-174-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-175-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-176-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-177-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-178-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-179-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-180-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-181-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1440-182-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1440-155-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-154-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-153-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-196-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-150-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-199-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-200-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-156-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-202-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-203-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-205-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-206-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-207-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-208-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-209-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1440-210-0x0000000000190000-0x000000000019A000-memory.dmp

Filesize
40KB

Download
memory/1440-211-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-152-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-230-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-218-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-220-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-222-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-223-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-224-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-226-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1440-228-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1556-233-0x0000000001060000-0x0000000001434000-memory.dmp

Filesize
3.8MB

Download
memory/1580-151-0x0000000000ED0000-0x0000000000F10000-memory.dmp

Filesize
256KB

Download
memory/1580-149-0x0000000001140000-0x0000000001514000-memory.dmp

Filesize
3.8MB

Download
memory/1720-245-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1720-248-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-217-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/1912-215-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2044-286-0x0000000001060000-0x0000000001434000-memory.dmp

Filesize
3.8MB

Download