remcos | 453e835fcebe5695f7d314712666c6541195decf8ebcb105448daab986b07370

Analysis

max time kernel
150s
max time network
131s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-05-2023 09:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PS MARILN JACKET S.8 and Sticker Series.docx
Size

10KB
MD5

fae941100b007533cd7aead9a7155603
SHA1

6a434f5d9519417dfb2b408d105a7b5a04a1e8fb
SHA256

453e835fcebe5695f7d314712666c6541195decf8ebcb105448daab986b07370
SHA512

2920036a5fcd378b85d654a4b0d968b22489d02ae8bde8bd7b2bdd089555325e00d3fa68f4fb8f7e2e554ef364d354a98a864044f24fada6eb8add3217932ff3
SSDEEP

192:ScIMmtPYqPC7UpG/bkpbJNONtrdlJFtGxV3rY0u:SPXgqPCfIJNONtjJFtGxxrYv

Score

10^/10

remcos first god love collection rat

Malware Config

Extracted

Family

remcos

Botnet

First God LOVE

yousbresde.ddns.net:31895

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-J6TVLD
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1908-197-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1908-207-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral1/memory/1908-212-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1632-196-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1632-193-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/1632-209-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1908-197-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1632-196-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1632-193-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/736-201-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/736-202-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/1908-207-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral1/memory/1632-209-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1908-212-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow pid process

7 1552 EQNEDT32.EXE
Downloads MZ/PE file

flow	pid	process
7	1552	EQNEDT32.EXE

Abuses OpenXML format to download file from external location 2 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\14.0\Common	WINWORD.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Common\Offline\Files\http://392089164/3/4/##################################.doc	WINWORD.EXE

Executes dropped EXE 1 IoCs

Processes:

vbc.exe

pid process

1276 vbc.exe
Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid process

1552 EQNEDT32.EXE
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1276	vbc.exe

pid	process
1552	EQNEDT32.EXE

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	InstallUtil.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

vbc.exeInstallUtil.exe

description	pid	process	target process
PID 1276 set thread context of 1608	1276	vbc.exe	InstallUtil.exe
PID 1608 set thread context of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 set thread context of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 set thread context of 736	1608	InstallUtil.exe	InstallUtil.exe

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
exploit

Exploitation for Client Execution
T1203

Processes:

EQNEDT32.EXE

pid process

1552 EQNEDT32.EXE

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

pid	process
1552	EQNEDT32.EXE

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	WINWORD.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	WINWORD.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	WINWORD.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	WINWORD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

928 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeInstallUtil.exe

pid process

888 powershell.exe
1632 InstallUtil.exe
1632 InstallUtil.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

InstallUtil.exe

pid process

1608 InstallUtil.exe
1608 InstallUtil.exe
1608 InstallUtil.exe
1608 InstallUtil.exe

pid	process
928	WINWORD.EXE

pid	process
888	powershell.exe
1632	InstallUtil.exe
1632	InstallUtil.exe

pid	process
1608	InstallUtil.exe
1608	InstallUtil.exe
1608	InstallUtil.exe
1608	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exevbc.exeInstallUtil.exeWINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1276	vbc.exe
Token: SeDebugPrivilege	736	InstallUtil.exe
Token: SeShutdownPrivilege	928	WINWORD.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

WINWORD.EXEInstallUtil.exe

pid process

928 WINWORD.EXE
928 WINWORD.EXE
1608 InstallUtil.exe

pid	process
928	WINWORD.EXE
928	WINWORD.EXE
1608	InstallUtil.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEvbc.exeInstallUtil.exe

description	pid	process	target process
PID 1552 wrote to memory of 1276	1552	EQNEDT32.EXE	vbc.exe
PID 1552 wrote to memory of 1276	1552	EQNEDT32.EXE	vbc.exe
PID 1552 wrote to memory of 1276	1552	EQNEDT32.EXE	vbc.exe
PID 1552 wrote to memory of 1276	1552	EQNEDT32.EXE	vbc.exe
PID 1552 wrote to memory of 1276	1552	EQNEDT32.EXE	vbc.exe
PID 1552 wrote to memory of 1276	1552	EQNEDT32.EXE	vbc.exe
PID 1552 wrote to memory of 1276	1552	EQNEDT32.EXE	vbc.exe
PID 928 wrote to memory of 884	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 884	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 884	928	WINWORD.EXE	splwow64.exe
PID 928 wrote to memory of 884	928	WINWORD.EXE	splwow64.exe
PID 1276 wrote to memory of 888	1276	vbc.exe	powershell.exe
PID 1276 wrote to memory of 888	1276	vbc.exe	powershell.exe
PID 1276 wrote to memory of 888	1276	vbc.exe	powershell.exe
PID 1276 wrote to memory of 888	1276	vbc.exe	powershell.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1276 wrote to memory of 1608	1276	vbc.exe	InstallUtil.exe
PID 1608 wrote to memory of 1056	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1056	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1056	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1056	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1056	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1056	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1056	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1632	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 1908	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe
PID 1608 wrote to memory of 736	1608	InstallUtil.exe	InstallUtil.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\PS MARILN JACKET S.8 and Sticker Series.docx"
1⤵
- Abuses OpenXML format to download file from external location
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:884

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Public\vbc.exe
"C:\Users\Public\vbc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\bcjsgnfiila"
4⤵
PID:1056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\bcjsgnfiila"
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\lwolhgpjwtsjlxv"
4⤵
- Accesses Microsoft Outlook accounts
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\nyudzyadsbkwoekapp"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
334B

MD5
d6eed6749456e8dcf313abacccb0cf81

SHA1
ffb3596c8dac962a589bcf578f53c921366bdc27

SHA256
a94845e6060b6ec42bffe02b68bc301828d3f7e04bd5f777c71dc9f90677e18b

SHA512
72e7d2bcfbc733a68407f1358b268d66f1bad09dd29c1eb1e17bbbb7de71f53688c157f5e595b079eb295e1f0be6fe92a43341a4f74f3f2e4c714efdaace19c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize
128KB

MD5
22d78cde03d49507a82c6cc88c0a4fa7

SHA1
a7a7d3dc9defa3740e4e5b17de3c7369b6bc26b6

SHA256
62d233424fe6c6ac12e04d26be587fcfb9624e9ce9f984fd96ca9a5dd9159577

SHA512
e7b1bc3ac947ab581d0d4ac49d5bdf4ac4fcc8b0212e267fc1c5fd3f4ff79b6f130b7058084f0b907f2b855824cb330877340e2089e556ac27793dd3abcff6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TOS3MI7U\##################################[1].doc
Filesize
25KB

MD5
b399ca1298c7cb77fe79901d11a28452

SHA1
caa0421f8c96b4349873c6f8c2e2f5045f7d06ad

SHA256
c3d93fd4a248da7dbf8400da8b0efbd6a2f2aa549cf829dae9902ca9d4fec240

SHA512
b028421cf297c88688ae2a055a6616cdfe930cd411ae56f4dd052193d988b52e7d36fd0a7e07e9b6bfd58ae630c70f8032fe66ce000d23bf756edc9b1dd0118c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcjsgnfiila
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcjsgnfiila
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{10508961-EC7B-499A-AD2F-05E563B4AB7C}
Filesize
128KB

MD5
0bcaff1ed210b8ca698ccc5759853a06

SHA1
3535c6e775bbbbf3e4421488c11e205a9cf061bc

SHA256
b7b00e54447ecd3210b044bfaf0d2a7a902d8e9864ef9e044cc10d564fa10667

SHA512
df3aed030f1ab8a7b9faca2dc164670c0cc8066f21e030ea284ca7049dffe34b7fe623509a71ae08bf55805daaa03ca0f41f5ad8471e6aa8900aab523cdae969

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
67ff8a97898351ba50cc2e784fb245d7

SHA1
f420c10e30043ab7d8dd0078a98fbed97048af78

SHA256
2bc42baaed86d5f57ce93172dd0bd19a4b812e89758f7ad9b5fa3da9b3473fda

SHA512
5a861d38c07bc489e439d321b141ebdf1ac08c45523a6453c16fcf4639fc9c5bbc0c062cb045e76d9ef3ac713779775c52ca70cab80176339836f911feeabe20

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.6MB

MD5
f563b8ee9029b3eaf400d499a6d4813f

SHA1
1257500f4237aa15b7df00a3afefdff9fd81f1a1

SHA256
cf71f23d26be575be83b1af3ab4d8a52c79625d4fdbbe06a0375d7d9a093ce2a

SHA512
ad02b9e6b3c854360106a2de1209a6bcfdfbe6376b43b40f06993354a1bae0ff164c27aca7267420c54f2613a8fd81dbacf26794d0011727704caf4ffdf387ae

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.6MB

MD5
f563b8ee9029b3eaf400d499a6d4813f

SHA1
1257500f4237aa15b7df00a3afefdff9fd81f1a1

SHA256
cf71f23d26be575be83b1af3ab4d8a52c79625d4fdbbe06a0375d7d9a093ce2a

SHA512
ad02b9e6b3c854360106a2de1209a6bcfdfbe6376b43b40f06993354a1bae0ff164c27aca7267420c54f2613a8fd81dbacf26794d0011727704caf4ffdf387ae

Download Submit
C:\Users\Public\vbc.exe
Filesize
1.6MB

MD5
f563b8ee9029b3eaf400d499a6d4813f

SHA1
1257500f4237aa15b7df00a3afefdff9fd81f1a1

SHA256
cf71f23d26be575be83b1af3ab4d8a52c79625d4fdbbe06a0375d7d9a093ce2a

SHA512
ad02b9e6b3c854360106a2de1209a6bcfdfbe6376b43b40f06993354a1bae0ff164c27aca7267420c54f2613a8fd81dbacf26794d0011727704caf4ffdf387ae

Download Submit
\Users\Public\vbc.exe
Filesize
1.6MB

MD5
f563b8ee9029b3eaf400d499a6d4813f

SHA1
1257500f4237aa15b7df00a3afefdff9fd81f1a1

SHA256
cf71f23d26be575be83b1af3ab4d8a52c79625d4fdbbe06a0375d7d9a093ce2a

SHA512
ad02b9e6b3c854360106a2de1209a6bcfdfbe6376b43b40f06993354a1bae0ff164c27aca7267420c54f2613a8fd81dbacf26794d0011727704caf4ffdf387ae

Download Submit
memory/736-198-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/736-202-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/736-201-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/736-200-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/888-158-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/888-159-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/888-157-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/888-150-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/888-151-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/928-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/928-252-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1276-156-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1276-141-0x0000000000D90000-0x0000000000F2A000-memory.dmp

Filesize
1.6MB

Download
memory/1276-143-0x0000000004AD0000-0x0000000004BF6000-memory.dmp

Filesize
1.1MB

Download
memory/1276-144-0x0000000000690000-0x00000000006D8000-memory.dmp

Filesize
288KB

Download
memory/1276-145-0x0000000004ED0000-0x0000000004F62000-memory.dmp

Filesize
584KB

Download
memory/1276-146-0x0000000004980000-0x00000000049C0000-memory.dmp

Filesize
256KB

Download
memory/1608-213-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1608-171-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-176-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-177-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-178-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-179-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-185-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-258-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-257-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-162-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-163-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-224-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-223-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-164-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-173-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-170-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1608-169-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-168-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-220-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-167-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-218-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1608-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-217-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-165-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1608-216-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1632-209-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1632-193-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1632-196-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1632-191-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1632-187-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1908-212-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1908-207-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1908-195-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1908-197-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1908-190-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download