remcos | 31e81d4201fec97127d8f8deffb64c25a76825d6c68fab083775e7197baa0956

Analysis

max time kernel
82s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hesaphareketi-01.PDF.exe
Size

500KB
MD5

826532ae78986d3b52639e72b1ac0e01
SHA1

bf5d6199c99e22e947595687af9b89954e2a6e37
SHA256

31e81d4201fec97127d8f8deffb64c25a76825d6c68fab083775e7197baa0956
SHA512

a1c8899bc1edd4587571130ea382b93adaa0bcc02f92a122a7e60343cc70aaf119a5d9c3a47baa5ae526dd12b69c451de42781ddd894876a80ca22b505f9397b
SSDEEP

12288:JYkYar2AbX18zFRBXKz6u1pSpGLyfeXLl3UU70:JYkYYi5K6u1pmEkeXLhA

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ennenbach.duckdns.org:5800

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LDLQM0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

noptbru.exenoptbru.exe

pid process

4040 noptbru.exe
1684 noptbru.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

noptbru.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dmirn = "C:\\Users\\Admin\\AppData\\Roaming\\pienwscxhq\\mvfbkfoxt.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\noptbru.exe\" C:\\Users\\Admin\\AppData\\Loc"	noptbru.exe

Suspicious use of SetThreadContext 41 IoCs

Processes:

noptbru.exenoptbru.exe

description	pid	process	target process
PID 4040 set thread context of 1684	4040	noptbru.exe	noptbru.exe
PID 1684 set thread context of 2512	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2616	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 1200	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4612	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2172	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 388	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3976	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3124	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 912	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3024	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4556	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 408	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 1840	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 8	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 1924	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4420	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4132	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4188	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 896	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3388	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3376	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 1464	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 1552	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4148	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4956	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2152	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2636	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2008	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4932	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2556	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 540	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4424	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2956	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3824	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4632	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3536	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 2128	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 3716	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 4592	1684	noptbru.exe	svchost.exe
PID 1684 set thread context of 1692	1684	noptbru.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 40 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
828	2512	WerFault.exe	svchost.exe
4112	2616	WerFault.exe	svchost.exe
1592	1200	WerFault.exe	svchost.exe
2212	4612	WerFault.exe	svchost.exe
4976	2172	WerFault.exe	svchost.exe
4912	388	WerFault.exe	svchost.exe
4308	3976	WerFault.exe	svchost.exe
3948	3124	WerFault.exe	svchost.exe
2612	912	WerFault.exe	svchost.exe
2180	3024	WerFault.exe	svchost.exe
4372	4556	WerFault.exe	svchost.exe
4148	408	WerFault.exe	svchost.exe
1636	1840	WerFault.exe	svchost.exe
4724	8	WerFault.exe	svchost.exe
4040	1924	WerFault.exe	svchost.exe
3768	4420	WerFault.exe	svchost.exe
2612	4132	WerFault.exe	svchost.exe
1336	4188	WerFault.exe	svchost.exe
5116	896	WerFault.exe	svchost.exe
1396	3388	WerFault.exe	svchost.exe
2196	3376	WerFault.exe	svchost.exe
1272	1464	WerFault.exe	svchost.exe
4328	1552	WerFault.exe	svchost.exe
1208	4148	WerFault.exe	svchost.exe
1060	4956	WerFault.exe	svchost.exe
2956	2152	WerFault.exe	svchost.exe
4288	2636	WerFault.exe	svchost.exe
1388	2008	WerFault.exe	svchost.exe
1000	4932	WerFault.exe	svchost.exe
4696	2556	WerFault.exe	svchost.exe
2804	540	WerFault.exe	svchost.exe
2788	4424	WerFault.exe	svchost.exe
4912	2956	WerFault.exe	svchost.exe
3176	3824	WerFault.exe	svchost.exe
1204	4632	WerFault.exe	svchost.exe
4916	3536	WerFault.exe	svchost.exe
3952	2128	WerFault.exe	svchost.exe
1408	3716	WerFault.exe	svchost.exe
2180	4592	WerFault.exe	svchost.exe
1920	1692	WerFault.exe	svchost.exe

Suspicious behavior: MapViewOfSection 49 IoCs

Processes:

noptbru.exenoptbru.exe

pid	process
4040	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe
1684	noptbru.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

noptbru.exe

pid process

1684 noptbru.exe

pid	process
1684	noptbru.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hesaphareketi-01.PDF.exenoptbru.exenoptbru.exe

description	pid	process	target process
PID 3920 wrote to memory of 4040	3920	hesaphareketi-01.PDF.exe	noptbru.exe
PID 3920 wrote to memory of 4040	3920	hesaphareketi-01.PDF.exe	noptbru.exe
PID 3920 wrote to memory of 4040	3920	hesaphareketi-01.PDF.exe	noptbru.exe
PID 4040 wrote to memory of 1684	4040	noptbru.exe	noptbru.exe
PID 4040 wrote to memory of 1684	4040	noptbru.exe	noptbru.exe
PID 4040 wrote to memory of 1684	4040	noptbru.exe	noptbru.exe
PID 4040 wrote to memory of 1684	4040	noptbru.exe	noptbru.exe
PID 1684 wrote to memory of 2512	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2512	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2512	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2512	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3108	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3108	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3108	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2616	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2616	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2616	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2616	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1200	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1200	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1200	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1200	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4612	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4612	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4612	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4612	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2172	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2172	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2172	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 2172	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 388	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 388	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 388	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 388	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3976	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3976	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3976	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3976	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3124	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3124	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3124	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3124	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 912	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 912	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 912	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 912	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3024	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3024	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3024	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 3024	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4556	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4556	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4556	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 4556	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 408	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 408	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 408	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 408	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1840	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1840	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1840	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 1840	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 8	1684	noptbru.exe	svchost.exe
PID 1684 wrote to memory of 8	1684	noptbru.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-01.PDF.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\noptbru.exe
  "C:\Users\Admin\AppData\Local\Temp\noptbru.exe" C:\Users\Admin\AppData\Local\Temp\xzylabr.dxy
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\noptbru.exe
    "C:\Users\Admin\AppData\Local\Temp\noptbru.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 84
        5⤵
        Program crash
        
        PID:828
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3108
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2616
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 636
        5⤵
        Program crash
        
        PID:4112
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 672
        5⤵
        Program crash
        
        PID:1592
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 668
        5⤵
        Program crash
        
        PID:2212
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 668
        5⤵
        Program crash
        
        PID:4976
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 668
        5⤵
        Program crash
        
        PID:4912
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3976
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 668
        5⤵
        Program crash
        
        PID:4308
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 668
        5⤵
        Program crash
        
        PID:3948
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 668
        5⤵
        Program crash
        
        PID:2612
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3024
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 668
        5⤵
        Program crash
        
        PID:2180
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 668
        5⤵
        Program crash
        
        PID:4372
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:408
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 668
        5⤵
        Program crash
        
        PID:4148
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 680
        5⤵
        Program crash
        
        PID:1636
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:8
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 668
        5⤵
        Program crash
        
        PID:4724
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 668
        5⤵
        Program crash
        
        PID:4040
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 672
        5⤵
        Program crash
        
        PID:3768
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 668
        5⤵
        Program crash
        
        PID:2612
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4188
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 668
        5⤵
        Program crash
        
        PID:1336
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 668
        5⤵
        Program crash
        
        PID:5116
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 668
        5⤵
        Program crash
        
        PID:1396
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 668
        5⤵
        Program crash
        
        PID:2196
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1336
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 668
        5⤵
        Program crash
        
        PID:1272
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 668
        5⤵
        Program crash
        
        PID:4328
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 668
        5⤵
        Program crash
        
        PID:1208
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 668
        5⤵
        Program crash
        
        PID:1060
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2024
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 668
        5⤵
        Program crash
        
        PID:2956
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1392
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 668
        5⤵
        Program crash
        
        PID:4288
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:968
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 680
        5⤵
        Program crash
        
        PID:1388
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4932
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 672
        5⤵
        Program crash
        
        PID:1000
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3600
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 668
        5⤵
        Program crash
        
        PID:4696
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 668
        5⤵
        Program crash
        
        PID:2804
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4424
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 668
        5⤵
        Program crash
        
        PID:2788
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 668
        5⤵
        Program crash
        
        PID:4912
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 668
        5⤵
        Program crash
        
        PID:3176
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 668
        5⤵
        Program crash
        
        PID:1204
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 668
        5⤵
        Program crash
        
        PID:4916
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:2128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 680
        5⤵
        Program crash
        
        PID:3952
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:3716
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 676
        5⤵
        Program crash
        
        PID:1408
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 668
        5⤵
        Program crash
        
        PID:2180
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 84
        5⤵
        Program crash
        
        PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2512 -ip 2512
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2616 -ip 2616
1⤵
PID:3684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1200 -ip 1200
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4612 -ip 4612
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2172 -ip 2172
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 388 -ip 388
1⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3976 -ip 3976
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3124 -ip 3124
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 912 -ip 912
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3024 -ip 3024
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 408 -ip 408
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1840 -ip 1840
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 8 -ip 8
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1924 -ip 1924
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4420 -ip 4420
1⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4132 -ip 4132
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 896 -ip 896
1⤵
PID:3312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3388 -ip 3388
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3376 -ip 3376
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1464 -ip 1464
1⤵
PID:2636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1552 -ip 1552
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4148 -ip 4148
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4956 -ip 4956
1⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2152 -ip 2152
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2636 -ip 2636
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2008 -ip 2008
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4932 -ip 4932
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2556 -ip 2556
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 540 -ip 540
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4424 -ip 4424
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2956 -ip 2956
1⤵
PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3824 -ip 3824
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4632 -ip 4632
1⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3536 -ip 3536
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2128 -ip 2128
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3716 -ip 3716
1⤵
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4592 -ip 4592
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1692 -ip 1692
1⤵
PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
176B

MD5
e8a3207805ac395fdc27bafd16243068

SHA1
3da5f57d3748b2fb8d77be4b11e62565ca8abfaa

SHA256
35f17fecf0fe4b8760884948553f3061402facd3d7ffd91d125fa7a89fa02ba5

SHA512
bb2911742cee6fc71d2b0a43296fb3f3baedccc0a93e7cc0b8e1407dbac1e178cee8a04cac030c0b121038170275c56e91f2e2b2008d04df46f49dacb310494a

Download Submit
C:\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
C:\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
C:\Users\Admin\AppData\Local\Temp\noptbru.exe

Filesize
54KB

MD5
8722b30e6dffb45747d50c30bf1b1a59

SHA1
4dd89ebac1289cd3d0e671110bc2fb74cc5a2aef

SHA256
28e506deca0f0f097219fc6ffe5173e5c621472d4d87ddf65beddde29c16c71f

SHA512
23bf0b65874b0a73464d131d03dc1d3bdf5aea2fb10f5d0c363343178434b58add950ef0a49bc0518ba880800014d4959d8cd02cec2c26ae109515aab1393799

Download Submit
C:\Users\Admin\AppData\Local\Temp\tawbgsphp.jp

Filesize
496KB

MD5
eb65ab25be5e6ae467114cf52af2c960

SHA1
77966fcf2e5b5a614cbe3e43df55ea7c4a99b326

SHA256
2d429d11f4fa136c4fa31759f1130ef91a83703edcd296ac4c55267c4152f4e6

SHA512
da49e6bd7a576f550c5bc2d34ac171e964b018e0a0514d0a3e16ed4b9de29d4a428c75307944efd66f6be5d3bce7bfcd2d291103ed3905e5a295bc204d9164c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\xzylabr.dxy

Filesize
8KB

MD5
14c7f8b84044e72cc164b943ccc80e5c

SHA1
de3c33dec85795fc1abcbb9860f22049cc22d724

SHA256
50310fd5f742199d40cd603841348b1753660ab807afcc1d9fd0ce91d593700e

SHA512
d9fd743b9c27194cb92410d15ee731d4cc3af999c1b55878cf58fa9b6d44fe106ed82f29391b9428975084d7f4d12611b6138d0d26f56dd17765b8cdb256c504

Download Submit
memory/8-234-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/388-185-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/388-188-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/388-184-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/408-221-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/408-222-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/408-223-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/540-337-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/896-264-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/912-203-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/912-205-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/912-204-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1200-167-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1200-166-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1200-168-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1464-283-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1552-289-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1684-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-146-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-170-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-153-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-151-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-150-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-219-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-155-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-148-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-186-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-187-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-189-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-217-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-160-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-193-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-143-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1684-198-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1692-388-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1840-229-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1924-240-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2008-319-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2128-371-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2152-307-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2172-177-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2172-178-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2172-180-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-154-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-156-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-157-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2512-158-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2556-330-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-161-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-162-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2616-163-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2636-313-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2956-349-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3024-209-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3024-208-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3024-211-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-196-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-199-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-197-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3376-278-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3388-269-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3536-367-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3716-378-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3824-354-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3976-192-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3976-191-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3976-194-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4040-140-0x00000000004A0000-0x00000000004A3000-memory.dmp

Filesize
12KB

Download
memory/4132-252-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4148-295-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4188-259-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4420-247-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4424-342-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4556-218-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4556-215-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4556-216-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4592-384-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4612-172-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4612-175-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4612-173-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4632-359-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4932-324-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4956-300-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download