modiloader | 93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c

Analysis

max time kernel
147s
max time network
140s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SBM_C3350i240229122.xls
Size

967KB
MD5

30c72d7387b2033675119cc82906bbb8
SHA1

e3c3f070b85f9c991069b408e7147bd1b19882bb
SHA256

93b2af1c877bb2c7acd39d3ff5f770bea880bf66477e4e9b0a1d21d1d213cb7c
SHA512

3368a3bb66f88dde45120e072b9a04a36d799961dcb230785745ba5ee916ebf8272fc2fb896a935ddfcc636fe7e09e0711fa0f663674eb08461fde44a6602f69
SSDEEP

24576:SUP/mMxAF77GF0SNjs6ivPQbA2j3AOk6N1Y:SGsNk0SNjs5PAVUl

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 55 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1908-237-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-240-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-239-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-241-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-238-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-246-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-243-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-244-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-247-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-245-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-253-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-252-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-254-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-251-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-250-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-258-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-260-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-259-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-257-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-256-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-265-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-264-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-266-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-263-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-262-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-269-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-268-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-267-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-323-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-320-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-316-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-312-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-308-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-305-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-301-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-298-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-295-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-292-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-289-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-286-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-283-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-280-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-277-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-274-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-272-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-270-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-342-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-339-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-335-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-332-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-329-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-326-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-275-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-273-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2
behavioral1/memory/1908-271-0x0000000003710000-0x0000000004710000-memory.dmp	modiloader_stage2

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

27 1260 EQNEDT32.EXE
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE 1 IoCs

Processes:

igcc.exe

pid process

1908 igcc.exe
Loads dropped DLL 5 IoCs

Processes:

EQNEDT32.EXEWerFault.exe

pid process

1260 EQNEDT32.EXE
1260 EQNEDT32.EXE
588 WerFault.exe
588 WerFault.exe
588 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

588 1908 WerFault.exe igcc.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1260 EQNEDT32.EXE

flow	pid	process
27	1260	EQNEDT32.EXE

pid	process
1908	igcc.exe

pid	process
1260	EQNEDT32.EXE
1260	EQNEDT32.EXE
588	WerFault.exe
588	WerFault.exe
588	WerFault.exe

pid	pid_target	process	target process
588	1908	WerFault.exe	igcc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1260	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2968 EXCEL.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2968 EXCEL.EXE
2968 EXCEL.EXE
2968 EXCEL.EXE
1652 WINWORD.EXE
1652 WINWORD.EXE
2968 EXCEL.EXE
2968 EXCEL.EXE

pid	process
2968	EXCEL.EXE

pid	process
2968	EXCEL.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE
1652	WINWORD.EXE
1652	WINWORD.EXE
2968	EXCEL.EXE
2968	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEigcc.exe

description	pid	process	target process
PID 1260 wrote to memory of 1908	1260	EQNEDT32.EXE	igcc.exe
PID 1260 wrote to memory of 1908	1260	EQNEDT32.EXE	igcc.exe
PID 1260 wrote to memory of 1908	1260	EQNEDT32.EXE	igcc.exe
PID 1260 wrote to memory of 1908	1260	EQNEDT32.EXE	igcc.exe
PID 1652 wrote to memory of 2144	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 2144	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 2144	1652	WINWORD.EXE	splwow64.exe
PID 1652 wrote to memory of 2144	1652	WINWORD.EXE	splwow64.exe
PID 1908 wrote to memory of 588	1908	igcc.exe	WerFault.exe
PID 1908 wrote to memory of 588	1908	igcc.exe	WerFault.exe
PID 1908 wrote to memory of 588	1908	igcc.exe	WerFault.exe
PID 1908 wrote to memory of 588	1908	igcc.exe	WerFault.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\SBM_C3350i240229122.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2144

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\igcc.exe
"C:\Users\Admin\AppData\Roaming\igcc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 704
3⤵
- Loads dropped DLL
- Program crash
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
10b790c13c976f12c7ad5c9690b5d9bc

SHA1
0b24bfab23a16a7dd4945a726415208c546f83c9

SHA256
ee5e658e453d31550b990ec97801d66733f705f8748a292c683606bb6bd9b3fa

SHA512
937b430f207a2b83479fb742f6a7fca6e3c015b31dd1f453816ebe1eb6becc7e252bf744eac37c226811195d86b26aad500a13fb4fb844803b4f4c66673c54fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61
Filesize
192B

MD5
00868d2c4dfb01017b05d56b705a40b6

SHA1
122b762d1b0bb55e3ce3be4637a1dc86de544645

SHA256
02570247edcf0c334e7244cd28e5f41b2e162fd4fc7755de04cb56702fe6e70d

SHA512
e36b1a5840cd0733f7ece82184369091a89b8404edd73640aac3ea0c5623c965382df4428da720fde751485f12c8ab76f30505fe4f07d469cc6aee189575c8b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
dc07aec3f5ea0b498dc5e2c62eede255

SHA1
7e976615aa43f6d8acb3026fd743f2fd2325e68e

SHA256
b79744054c9c15b39f8c72669e299e93f96c023d8afa2bcb16cefa5e52031bdc

SHA512
f5f1c8f5f1e92fbf14da230626228c6187919a18d57802a2ec6c3cc1e3e0e107abeeeef88b2b9d85621af020fc2d878a78e9a6d36ec5784513e28c7ab7fff427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ba8b242ab3f2aabea263053c95890009

SHA1
9f4426eab5b5f3a33b220cfbc5ce2e53fb7686e3

SHA256
e78162e7e0eddd8970d268d70b8870ad337b7b297f1d6b44d54d5ef88c5333dc

SHA512
cab1072f3eb630306baaf7fc78ba324bbde7c1e8f0b53aa333bea3b6181f1f65f18b2c2badb2b1221f965dad53f5a87bf21894b4a9c897db1fb8d74b374627eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{556CFFD1-3974-4099-A2FC-348C59E53246}.FSD
Filesize
128KB

MD5
3a56aef2b1f4a8b4ac116869a4000ae9

SHA1
2c0ea657c81d32700a873a32faa80d9603756074

SHA256
64383903f001a976f993a57d2d2159b7c5091dba09a72ec85babef36091bce7e

SHA512
3bc6c7163d1267eda6344382be275ab4dd3b71b8c5e04594f252bca07d4bb335a50b0dd2506e90d26877dc60b4f7b66dc2fdf78ee048256cd91bbf134a443799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
2b0cac79ba82e27515ebfa88b030913c

SHA1
9d9333f0f7317d684a23351b073576c08ba12286

SHA256
dc2c8f400a316570bb3c5be24d1207ce77a94880b8c82aa61eea0bb03a997281

SHA512
7238bb9ee686d27df9a7af546e6075cba334a5348bce9d1a7d87ffd88d359b985c55b500e83507c0ea5e96d6e0c44507268f45da6f541be61cc4397932ec4938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\lionsareveryinterstingcharacteroneverytimetounderstandthewayofhowitsfinetogetmebackintheforestsuchagreat__lionsarekingofjungle[1].doc
Filesize
104KB

MD5
fe30d755f7243a16d47bf6f37b929cd2

SHA1
a3d84850f11e67516e21914997944d19e41d2bf2

SHA256
5d7601529aeeebfd4e2f2a4f5320d7f276200b3f04bbb414c66345f586a23b0f

SHA512
b040f620da8c2766c6c73cb6f6e3c5d913e77f5b5ed3931d46cd6cbad74d434581e40d57fa98ef506e3344479e7bc259b091b05b11f1d854528e3ae393d3879c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B31.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C03.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{01CA9D47-E1B0-4403-9F20-950DF76AFC5D}
Filesize
128KB

MD5
88c377444e7df8b145e8928be54cc5da

SHA1
c00256751395a43f4d25b2eadbc9d525915f16e0

SHA256
a506c878a7565934f0f5a5390ada732f2353d47fef1706905bfe1fbfee1517f5

SHA512
132fd82f1c342ae265dbfd08fa5e1b6abcfacb07b5d4a80b4f5abf19f65f63e6cc3cbb043c230dd38d7eab58f95224e4ee5935c971af4c2fbdc60d3e7c64324f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
41B

MD5
af8140cc80e6001b0c58d1ad30c08355

SHA1
140543c6133298fab84b6b19c87a548b690ee9be

SHA256
14d4fbf228b0cfa2f836efa4d1eeab308aa9654324a47a8fb1523cc868cb6522

SHA512
0612591ccd969b15de211bac514473b9e78881fc5efd7ca4e75b1eef82923ea90696445dd025c6c23b6e559183ca777bad96844faccc04024faa366c71afe6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O8RLE4OF.txt
Filesize
68B

MD5
fbbf260071cc1ad4810d8b2896891aee

SHA1
51e114c39e6e035a61805ce0f4b83c2e1e325178

SHA256
c91a022f21ec94502ae5a1c627c3a9775ecccdb0d556419367fe35a274c14af2

SHA512
6576ba4b427ec3d9d5f9b654b9be47a58e707c726b6c513b6e9855f6e43f245efc7431be2144fd75829f5764320bec7f2c309d80d3a0498fd4d47a706824f133

Download Submit
C:\Users\Admin\AppData\Roaming\igcc.exe
Filesize
1.2MB

MD5
c57b287858b87f3528e1366bcb4359e8

SHA1
2629391b45ae9cb08c5df8dd53bdc7c7f222c171

SHA256
119bb4f428f6056330cf8a0087b1a52277dbceca3cd81f1d5934c4f4a398c664

SHA512
0100caab7532f3adeb4f6302c76dd44e2ab5ebca9dde4e39d73895d4ecda7341e825b73aa4ebeac16873be79c0352c60baec5c59508429043c9515c777202476

Download Submit
memory/1652-92-0x0000000004390000-0x0000000004392000-memory.dmp

Filesize
8KB

Download
memory/1652-90-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download
memory/1652-88-0x000000002FFA1000-0x000000002FFA2000-memory.dmp

Filesize
4KB

Download
memory/1652-236-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download
memory/1908-258-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-262-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-271-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-273-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-237-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-240-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-239-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-241-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-238-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-242-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/1908-246-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-243-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-244-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-247-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-245-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-253-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-252-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-254-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-251-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-250-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-275-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-260-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-259-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-257-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-256-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-265-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-264-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-266-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-263-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-326-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-269-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-268-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-267-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-323-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-320-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-316-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-312-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-308-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-305-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-301-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-298-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-295-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-292-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-289-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-286-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-283-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-280-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-277-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-274-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-272-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-270-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-342-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-339-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-335-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-332-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/1908-329-0x0000000003710000-0x0000000004710000-memory.dmp

Filesize
16.0MB

Download
memory/2968-93-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/2968-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2968-1-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download
memory/2968-235-0x000000007284D000-0x0000000072858000-memory.dmp

Filesize
44KB

Download