remcos | 4ce1f830db2e5195e1b9242fef348c67527b4235d7afd3eebfab675b89597f3d

Resubmissions

30-09-2022 13:05

220930-qbjhcadfa2 10

30-09-2022 13:02

220930-p9w1nadeh9 10

Analysis

max time kernel
210s
max time network
196s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-09-2022 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG-SCAN28202209.exe
Size

23KB
MD5

4ab9b88c610ff3fbe511aaf8f1c1294c
SHA1

b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5
SHA256

fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a
SHA512

e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106
SSDEEP

384:73XELB28wj8veCinbQ4vlid7TEPVoyQLkopnW:kGjBDdvlid74PpQL9pW

Score

10^/10

remcos new collection persistence rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

NEW

remcapi.duckdns.org:2028

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
FILE.EXE
copy_folder
work
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-L9LQMY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
file
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1476-133-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1476-135-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/1372-130-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1256-131-0x0000000140000000-0x00000001405E8000-memory.dmp	WebBrowserPassView

Nirsoft 5 IoCs

resource	yara_rule
behavioral1/memory/1400-129-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1372-130-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1256-131-0x0000000140000000-0x00000001405E8000-memory.dmp	Nirsoft
behavioral1/memory/1476-133-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1476-135-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	IMG-SCAN28202209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\file = "\"C:\\ProgramData\\work\\FILE.EXE\""	IMG-SCAN28202209.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	FILE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\file = "\"C:\\ProgramData\\work\\FILE.EXE\""	FILE.EXE

Executes dropped EXE 8 IoCs

pid	Process
1772	FILE.EXE
1636	FILE.EXE
1372	FILE.EXE
1468	FILE.EXE
1476	FILE.EXE
1956	FILE.EXE
1400	FILE.EXE
1420	FILE.EXE

Deletes itself 1 IoCs

pid	Process
2000	WScript.exe

Loads dropped DLL 1 IoCs

pid	Process
1852	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	FILE.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\APP = "\"C:\\Users\\Admin\\AppData\\Roaming\\APP.exe\""	IMG-SCAN28202209.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\APP = "\"C:\\Users\\Admin\\AppData\\Roaming\\APP.exe\""	FILE.EXE

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 1012	1044	IMG-SCAN28202209.exe	29
PID 1772 set thread context of 1636	1772	FILE.EXE	36
PID 1636 set thread context of 1372	1636	FILE.EXE	39
PID 1636 set thread context of 1476	1636	FILE.EXE	41
PID 1636 set thread context of 1400	1636	FILE.EXE	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FILE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FILE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FILE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FILE.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
288	powershell.exe
1420	powershell.exe
1256	taskmgr.exe
1256	taskmgr.exe
1372	FILE.EXE
1372	FILE.EXE
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1472	powershell.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1256	taskmgr.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1636	FILE.EXE
1636	FILE.EXE
1636	FILE.EXE
1636	FILE.EXE
1636	FILE.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	IMG-SCAN28202209.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1772	FILE.EXE
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1256	taskmgr.exe
Token: SeDebugPrivilege	1400	FILE.EXE
Token: SeDebugPrivilege	1420	FILE.EXE
Token: SeDebugPrivilege	1472	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe
1256	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1636	FILE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 288	1044	IMG-SCAN28202209.exe	27
PID 1044 wrote to memory of 288	1044	IMG-SCAN28202209.exe	27
PID 1044 wrote to memory of 288	1044	IMG-SCAN28202209.exe	27
PID 1044 wrote to memory of 288	1044	IMG-SCAN28202209.exe	27
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1044 wrote to memory of 1012	1044	IMG-SCAN28202209.exe	29
PID 1012 wrote to memory of 2000	1012	IMG-SCAN28202209.exe	30
PID 1012 wrote to memory of 2000	1012	IMG-SCAN28202209.exe	30
PID 1012 wrote to memory of 2000	1012	IMG-SCAN28202209.exe	30
PID 1012 wrote to memory of 2000	1012	IMG-SCAN28202209.exe	30
PID 2000 wrote to memory of 1852	2000	WScript.exe	31
PID 2000 wrote to memory of 1852	2000	WScript.exe	31
PID 2000 wrote to memory of 1852	2000	WScript.exe	31
PID 2000 wrote to memory of 1852	2000	WScript.exe	31
PID 1852 wrote to memory of 1772	1852	cmd.exe	33
PID 1852 wrote to memory of 1772	1852	cmd.exe	33
PID 1852 wrote to memory of 1772	1852	cmd.exe	33
PID 1852 wrote to memory of 1772	1852	cmd.exe	33
PID 1772 wrote to memory of 1420	1772	FILE.EXE	34
PID 1772 wrote to memory of 1420	1772	FILE.EXE	34
PID 1772 wrote to memory of 1420	1772	FILE.EXE	34
PID 1772 wrote to memory of 1420	1772	FILE.EXE	34
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1772 wrote to memory of 1636	1772	FILE.EXE	36
PID 1636 wrote to memory of 1372	1636	FILE.EXE	39
PID 1636 wrote to memory of 1372	1636	FILE.EXE	39
PID 1636 wrote to memory of 1372	1636	FILE.EXE	39
PID 1636 wrote to memory of 1372	1636	FILE.EXE	39
PID 1636 wrote to memory of 1372	1636	FILE.EXE	39
PID 1636 wrote to memory of 1468	1636	FILE.EXE	40
PID 1636 wrote to memory of 1468	1636	FILE.EXE	40
PID 1636 wrote to memory of 1468	1636	FILE.EXE	40
PID 1636 wrote to memory of 1468	1636	FILE.EXE	40
PID 1636 wrote to memory of 1476	1636	FILE.EXE	41
PID 1636 wrote to memory of 1476	1636	FILE.EXE	41
PID 1636 wrote to memory of 1476	1636	FILE.EXE	41
PID 1636 wrote to memory of 1476	1636	FILE.EXE	41
PID 1636 wrote to memory of 1476	1636	FILE.EXE	41
PID 1636 wrote to memory of 1956	1636	FILE.EXE	42
PID 1636 wrote to memory of 1956	1636	FILE.EXE	42
PID 1636 wrote to memory of 1956	1636	FILE.EXE	42
PID 1636 wrote to memory of 1956	1636	FILE.EXE	42

C:\Users\Admin\AppData\Local\Temp\IMG-SCAN28202209.exe
"C:\Users\Admin\AppData\Local\Temp\IMG-SCAN28202209.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:288
- C:\Users\Admin\AppData\Local\Temp\IMG-SCAN28202209.exe
  C:\Users\Admin\AppData\Local\Temp\IMG-SCAN28202209.exe
  2⤵
  - Adds policy Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\work\FILE.EXE"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\ProgramData\work\FILE.EXE
        
        C:\ProgramData\work\FILE.EXE
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
      - C:\ProgramData\work\FILE.EXE
        
        C:\ProgramData\work\FILE.EXE
        6⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\ProgramData\work\FILE.EXE
        
        C:\ProgramData\work\FILE.EXE /stext "C:\Users\Admin\AppData\Local\Temp\cwtzaojjrpjhvyzrlvxybp"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\ProgramData\work\FILE.EXE
        
        C:\ProgramData\work\FILE.EXE /stext "C:\Users\Admin\AppData\Local\Temp\eqzsahtcfxbmfendvgjrmcrcas"
        7⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\ProgramData\work\FILE.EXE
        
        C:\ProgramData\work\FILE.EXE /stext "C:\Users\Admin\AppData\Local\Temp\eqzsahtcfxbmfendvgjrmcrcas"
        7⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:1476
        
        C:\ProgramData\work\FILE.EXE
        
        C:\ProgramData\work\FILE.EXE /stext "C:\Users\Admin\AppData\Local\Temp\osecbzeetftqhkjhmretphdtjykoo"
        7⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\ProgramData\work\FILE.EXE
        
        C:\ProgramData\work\FILE.EXE /stext "C:\Users\Admin\AppData\Local\Temp\osecbzeetftqhkjhmretphdtjykoo"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256

C:\ProgramData\work\FILE.EXE
"C:\ProgramData\work\FILE.EXE"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtzaojjrpjhvyzrlvxybp

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
522B

MD5
bea79706ca85b348ac847100f6d55906

SHA1
6f49d9f95306def7f974cc92a78ee01226565c82

SHA256
dcc0f0a231657ac2e354b10791e7b7e848b82fce86170345628348d73642b4ea

SHA512
997bcb3a81f7029fb651f2ac50db7a849e47674a6a05c8ca72acbf6859cb7dd68f0cfe74d7f7691de2856f1f991e7d68dbd8c7cc2090d44521f56d8c6cfca0ee

Download Submit
C:\Users\Admin\AppData\Roaming\APP.exe

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
fdbd2ee3cbf5eb8137b6b639d1d8a5aa

SHA1
d644351ccc2af59c3526cf5679e5ef15299b0f64

SHA256
653680623036688ad401cc95dc406db16243a2082b3e5255cfc8821e766e6c2f

SHA512
505f3e9150290551e216b2d990c8d785319212a9111b429dee0a3eea5b900ed60ece87786499ef42ce4bfd2433ff3d3b7b7099ef90c92dbc7d87da9e364b3093

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
8a34a1ccb25f98a3db7eeda5693bea6d

SHA1
c28ed02297c0fa6bdfb76e8ee235a84881a3ec31

SHA256
b63f02c4249ab3514fcdb6799e6fc99be930470890f9a2137ec7995533ea4424

SHA512
b8af55e3686c65993d7a611f0d9713c8766722a6de082b85c3dd8bd3af4eb7d78f119b92fb5ff9175febf7253149c8d8f99716828045e89347b075ebca7136b6

Download Submit
\ProgramData\work\FILE.EXE

Filesize
23KB

MD5
4ab9b88c610ff3fbe511aaf8f1c1294c

SHA1
b7c9e2df72ef925ff48cd6d4b125bc72e2dd12e5

SHA256
fcba45047433ffcc247b656b941e4fb517fb0a6582a01543a6e25bf774dfd11a

SHA512
e3aab0975fc27efb3783c70e7bdf347edd07edd531f3da8741ef3f61450305b7e6b983b4aac7fec49f5f459e6f69766e4bebc4e3840dc87d76258c00eac9e106

Download Submit
memory/288-61-0x000000006EF70000-0x000000006F51B000-memory.dmp

Filesize
5.7MB

Download
memory/288-62-0x000000006EF70000-0x000000006F51B000-memory.dmp

Filesize
5.7MB

Download
memory/288-60-0x000000006EF70000-0x000000006F51B000-memory.dmp

Filesize
5.7MB

Download
memory/288-58-0x0000000000000000-mapping.dmp

Download
memory/1012-68-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-79-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-64-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-63-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-76-0x00000000004327A4-mapping.dmp

Download
memory/1012-75-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-73-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-71-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1012-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1044-54-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1044-57-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/1044-56-0x0000000005B90000-0x0000000005C70000-memory.dmp

Filesize
896KB

Download
memory/1044-55-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1256-131-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1256-132-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1256-136-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/1256-138-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1256-117-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/1372-130-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1372-118-0x0000000000476274-mapping.dmp

Download
memory/1400-129-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1400-126-0x0000000000422206-mapping.dmp

Download
memory/1420-94-0x000000006F040000-0x000000006F5EB000-memory.dmp

Filesize
5.7MB

Download
memory/1420-91-0x0000000000000000-mapping.dmp

Download
memory/1420-140-0x0000000001240000-0x000000000124C000-memory.dmp

Filesize
48KB

Download
memory/1420-95-0x000000006F040000-0x000000006F5EB000-memory.dmp

Filesize
5.7MB

Download
memory/1420-96-0x000000006F040000-0x000000006F5EB000-memory.dmp

Filesize
5.7MB

Download
memory/1472-142-0x0000000000000000-mapping.dmp

Download
memory/1472-148-0x000000006EDC0000-0x000000006F36B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-147-0x000000006EDC0000-0x000000006F36B000-memory.dmp

Filesize
5.7MB

Download
memory/1472-146-0x000000006EDC0000-0x000000006F36B000-memory.dmp

Filesize
5.7MB

Download
memory/1476-135-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1476-121-0x0000000000455238-mapping.dmp

Download
memory/1476-133-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1636-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1636-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1636-111-0x00000000004327A4-mapping.dmp

Download
memory/1636-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1772-89-0x0000000001240000-0x000000000124C000-memory.dmp

Filesize
48KB

Download
memory/1772-87-0x0000000000000000-mapping.dmp

Download
memory/1852-84-0x0000000000000000-mapping.dmp

Download
memory/2000-80-0x0000000000000000-mapping.dmp

Download