asyncrat | 82d21f05aa27eb85e5244cd11a3e60b39093942d19ac86e20b96a280e9579544

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
23/04/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lMG_MlaKhlfa1111HD_14546.vbs
Size

255KB
MD5

b921e66031316c979fac97b7012990ce
SHA1

01c4d314a23b6bd8b571b302c3483b7be904309f
SHA256

82d21f05aa27eb85e5244cd11a3e60b39093942d19ac86e20b96a280e9579544
SHA512

c0085dd5bc5595ff00a091361def95d92c3260a66e2c84c2aa2d54d2a48b3c5249d071e1db240d1ba2a5c26fc7b9d79122d9b0df55a1a4008025813d0839986f
SSDEEP

3072:Q03pA03pp03pmAk79DqcPKrB5jzeTMJNHEPenFkCum03pvfpp03pp03pp03pA:wk79DqcyrBJeQJhEPeQr5

Score

10^/10

asyncrat remcos xenorat adfly adflyyyy persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

ADFLYYYY

139.99.133.66:6666

Mutex

acwwcawwacwvasasa

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

ADFLY

139.99.133.66:4444

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asasasas-SEG6JT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

xenorat

139.99.133.66

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
9999
startup_name
nothingset

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\remc1.vbs	WScript.exe

Loads dropped DLL 15 IoCs

pid	Process
4080	regsvr32.exe
2240	WSCRIPT.EXE
3636	regsvr32.exe
4996	regsvr32.exe
3028	regsvr32.exe
4248	regsvr32.exe
3612	WScript.exe
4624	regsvr32.exe
3000	regsvr32.exe
2712	regsvr32.exe
1988	regsvr32.exe
1120	WScript.exe
4504	regsvr32.exe
1884	regsvr32.exe
3184	regsvr32.exe

Registers COM server for autorun 1 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 2240 set thread context of 2008	2240	WSCRIPT.EXE	81
PID 2240 set thread context of 2208	2240	WSCRIPT.EXE	83
PID 2240 set thread context of 1624	2240	WSCRIPT.EXE	88
PID 2240 set thread context of 4588	2240	WSCRIPT.EXE	90
PID 3612 set thread context of 4268	3612	WScript.exe	96
PID 3612 set thread context of 1156	3612	WScript.exe	98
PID 3612 set thread context of 1264	3612	WScript.exe	100
PID 3612 set thread context of 2092	3612	WScript.exe	102
PID 1120 set thread context of 3644	1120	WScript.exe	108
PID 1120 set thread context of 2404	1120	WScript.exe	112
PID 1120 set thread context of 4080	1120	WScript.exe	114
PID 1120 set thread context of 4996	1120	WScript.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
972	2208	WerFault.exe	83
4692	3644	WerFault.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3263309122-2820180308-3568046652-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
452	powershell.exe
452	powershell.exe
2008	RegAsm.exe
3420	powershell.exe
3420	powershell.exe
2008	RegAsm.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe
2404	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	RegAsm.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	2404	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5020 wrote to memory of 2240	5020	WScript.exe	79
PID 5020 wrote to memory of 2240	5020	WScript.exe	79
PID 5020 wrote to memory of 2240	5020	WScript.exe	79
PID 2240 wrote to memory of 4080	2240	WSCRIPT.EXE	80
PID 2240 wrote to memory of 4080	2240	WSCRIPT.EXE	80
PID 2240 wrote to memory of 4080	2240	WSCRIPT.EXE	80
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 2008	2240	WSCRIPT.EXE	81
PID 2240 wrote to memory of 3636	2240	WSCRIPT.EXE	82
PID 2240 wrote to memory of 3636	2240	WSCRIPT.EXE	82
PID 2240 wrote to memory of 3636	2240	WSCRIPT.EXE	82
PID 2240 wrote to memory of 2208	2240	WSCRIPT.EXE	83
PID 2240 wrote to memory of 2208	2240	WSCRIPT.EXE	83
PID 2240 wrote to memory of 2208	2240	WSCRIPT.EXE	83
PID 2240 wrote to memory of 2208	2240	WSCRIPT.EXE	83
PID 2240 wrote to memory of 4996	2240	WSCRIPT.EXE	86
PID 2240 wrote to memory of 4996	2240	WSCRIPT.EXE	86
PID 2240 wrote to memory of 4996	2240	WSCRIPT.EXE	86
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 1624	2240	WSCRIPT.EXE	88
PID 2240 wrote to memory of 3028	2240	WSCRIPT.EXE	89
PID 2240 wrote to memory of 3028	2240	WSCRIPT.EXE	89
PID 2240 wrote to memory of 3028	2240	WSCRIPT.EXE	89
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2240 wrote to memory of 4588	2240	WSCRIPT.EXE	90
PID 2008 wrote to memory of 3160	2008	RegAsm.exe	91
PID 2008 wrote to memory of 3160	2008	RegAsm.exe	91
PID 2008 wrote to memory of 3160	2008	RegAsm.exe	91
PID 3160 wrote to memory of 452	3160	cmd.exe	93
PID 3160 wrote to memory of 452	3160	cmd.exe	93
PID 3160 wrote to memory of 452	3160	cmd.exe	93
PID 452 wrote to memory of 3612	452	powershell.exe	94
PID 452 wrote to memory of 3612	452	powershell.exe	94
PID 452 wrote to memory of 3612	452	powershell.exe	94
PID 3612 wrote to memory of 4248	3612	WScript.exe	95
PID 3612 wrote to memory of 4248	3612	WScript.exe	95
PID 3612 wrote to memory of 4248	3612	WScript.exe	95
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96
PID 3612 wrote to memory of 4268	3612	WScript.exe	96

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lMG_MlaKhlfa1111HD_14546.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\SYSWOW64\WSCRIPT.EXE
  "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\lMG_MlaKhlfa1111HD_14546.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:4080
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remc1.vbs"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3160
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remc1.vbs"'
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\remc1.vbs"
        6⤵
        Drops startup file
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4248
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4624
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3000
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2712
        
        C:\Windows\winhlp32.exe
        
        "C:\Windows\winhlp32.exe"
        7⤵
        
        PID:2092
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xeno.vbs"' & exit
      4⤵
      PID:3592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xeno.vbs"'
        5⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xeno.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1120
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        7⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 92
        8⤵
        Program crash
        
        PID:4692
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:1884
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        7⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
        7⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        7⤵
        
        PID:4996
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:3636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 92
      4⤵
      Program crash
      PID:972
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:4996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:3028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2208 -ip 2208
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3644 -ip 3644
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
faa2dd409bb88491b6c57728dbf8a673

SHA1
6095f074030e7599cb1f9c251c62e2c0d1fb7418

SHA256
955d02ee998eae94048f3a1b33c8eedc73276ef0a179efb1cebc970d9af0df09

SHA512
0ab69299400998bc05fe7074b2c9b01162db9343deab22b502a26c47a054d2ca42918908fcc77a8cc5d275c17635508d546c3f65d857f37a7331ec9c32a766ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
8b9594e4c70d38527f71d87774d20833

SHA1
cf1c408ca54c4eee0f097d83d888137f6b287d0a

SHA256
5e68cd149122e95c58427cb0e7a9059adcbb88a45ec57bb9bee92867d6a5e03c

SHA512
0a227beffc7e3962417101f601646a880270430d32ca0a7315e4fe068735a51704bcf4e4fc799581f1763bb0341a78d4855be4c843753d667166f48b08208ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvvxipsj.tb1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\remc1.vbs

Filesize
1.1MB

MD5
996ce58a48e655f549f5713f0e611f39

SHA1
ecec7979eb9d83600ea972ccfd2bb140209e2bbc

SHA256
f9dea360c36d495e10a397ae78412f08de99609916592275b73045b7df096dd2

SHA512
f992b04057b3e99439c08c249b73ba2afaf6880a6dcf7e6d08413f23d7ce122f087ffd236b75dd2c1f1750123e974ab45569019231a3577d2be227336b6b7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\xeno.vbs

Filesize
251KB

MD5
ec80082e5d40e6c94a4682fd840870c4

SHA1
1904a6688379fd732ec76932e8fc1eec7896cbac

SHA256
74451d6bcb1565ab921e98a30b8bb8f2450d286cba1766ebd204efe3d96a78c9

SHA512
d3f6a9e44c0608d41cc6dd9dd17ef31a394c3dae099f0c592ef9763590445e072866c23618c6dfb39843a108321e972b5fa49e6377f6a2e4887df35be2075bc5

Download Submit
memory/452-49-0x0000000005E30000-0x0000000005E4E000-memory.dmp

Filesize
120KB

Download
memory/452-52-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/452-51-0x00000000063B0000-0x0000000006446000-memory.dmp

Filesize
600KB

Download
memory/452-50-0x0000000005E70000-0x0000000005EBC000-memory.dmp

Filesize
304KB

Download
memory/452-53-0x0000000006380000-0x00000000063A2000-memory.dmp

Filesize
136KB

Download
memory/452-57-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/452-48-0x00000000059A0000-0x0000000005CF7000-memory.dmp

Filesize
3.3MB

Download
memory/452-34-0x0000000002640000-0x0000000002676000-memory.dmp

Filesize
216KB

Download
memory/452-44-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/452-38-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/452-37-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/452-36-0x0000000005290000-0x00000000058BA000-memory.dmp

Filesize
6.2MB

Download
memory/452-35-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/1120-115-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/1120-129-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/1120-118-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1120-122-0x0000000004410000-0x0000000004411000-memory.dmp

Filesize
4KB

Download
memory/1156-71-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1156-74-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1156-72-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1264-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1264-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1264-82-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1624-13-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/1624-21-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/1624-19-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2008-32-0x0000000006A00000-0x0000000006A1E000-memory.dmp

Filesize
120KB

Download
memory/2008-29-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/2008-30-0x0000000006A50000-0x0000000006AC6000-memory.dmp

Filesize
472KB

Download
memory/2008-31-0x0000000005C30000-0x0000000005C3C000-memory.dmp

Filesize
48KB

Download
memory/2008-28-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/2008-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2008-7-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/2008-27-0x0000000005F60000-0x0000000006506000-memory.dmp

Filesize
5.6MB

Download
memory/2008-26-0x0000000005910000-0x00000000059AC000-memory.dmp

Filesize
624KB

Download
memory/2008-18-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/2092-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2092-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2240-15-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2240-4-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2240-12-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2240-9-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/2404-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2404-135-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2404-134-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/2404-120-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/2404-119-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/3420-105-0x00000000061D0000-0x0000000006527000-memory.dmp

Filesize
3.3MB

Download
memory/3420-110-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/3420-107-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/3420-94-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/3420-95-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3420-96-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/3612-62-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/3612-80-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3612-73-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3612-89-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4080-126-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/4080-124-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/4268-64-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-114-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-63-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-67-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-66-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-68-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-133-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4268-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4588-23-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/4588-17-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/4996-136-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download
memory/4996-131-0x0000000072FB0000-0x0000000073761000-memory.dmp

Filesize
7.7MB

Download