remcos | ab3a04d7711c664857a8fccfcaca260221888343734f967313e0c9934ec2a4ca

Resubmissions

11/07/2023, 13:54

230711-q72zkaae5s 10

06/07/2023, 14:39

230706-r1hg1scc53 10

Analysis

max time kernel
267s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20230703-es
resource tags

arch:x64arch:x86image:win10v2004-20230703-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06/07/2023, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Documento_digitaL.scr
Size

1.4MB
MD5

850d9e8271dcae3b78c922aeddd9f743
SHA1

95971cc0caf853f0e4750cdaff5874b4adc2a4a3
SHA256

0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326
SHA512

0e4af245411c80d1cdc52d72a16fddbad41a3dc9972bdb8a25fe9f50721c8306eebb17ee30c1a504e370ff7cb8175e411c4b13188336f093269468906500b5ef
SSDEEP

24576:9VgmnudJ41JhQ0IM6AYsLKBL/7DciY5tTb2p0UdEWVnK:9VSr4+M63ci6b2pxI

Score

10^/10

remcos matarifejulio5 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

matarifeJULIO5

matarife.duckdns.org:2798

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
20
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZQGP5Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	Documento_digitaL.scr
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	RAd00000000000000000523KJIUTJ.SCR

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AXd00000000000000000523KJIUTJ.lnk	AXd00000000000000000523KJIUTJ.SCR
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AXd00000000000000000523KJIUTJ.lnk	AXd00000000000000000523KJIUTJ.SCR
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe	Powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
3620	AXd00000000000000000523KJIUTJ.SCR
2532	RAd00000000000000000523KJIUTJ.SCR
5096	RAd00000000000000000523KJIUTJ.SCR
1108	remcos.exe
1984	remcos.exe
4444	remcos.exe
4800	AXd00000000000000000523KJIUTJ.SCR
3572	AXd00000000000000000523KJIUTJ.SCR

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZQGP5Y = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RAd00000000000000000523KJIUTJ.SCR
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZQGP5Y = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RAd00000000000000000523KJIUTJ.SCR

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 1108 set thread context of 4444	1108	remcos.exe	101
PID 3620 set thread context of 3572	3620	AXd00000000000000000523KJIUTJ.SCR	104

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000_Classes\Local Settings	Documento_digitaL.scr

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2896	Powershell.exe
2896	Powershell.exe
1908	Powershell.exe
1908	Powershell.exe
2380	Powershell.exe
2380	Powershell.exe
1108	remcos.exe
1108	remcos.exe
3620	AXd00000000000000000523KJIUTJ.SCR
3620	AXd00000000000000000523KJIUTJ.SCR
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
3572	AXd00000000000000000523KJIUTJ.SCR

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4444	remcos.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	Powershell.exe
Token: SeDebugPrivilege	2532	RAd00000000000000000523KJIUTJ.SCR
Token: SeDebugPrivilege	1908	Powershell.exe
Token: SeDebugPrivilege	1108	remcos.exe
Token: SeDebugPrivilege	2380	Powershell.exe
Token: SeDebugPrivilege	3620	AXd00000000000000000523KJIUTJ.SCR
Token: SeDebugPrivilege	3572	AXd00000000000000000523KJIUTJ.SCR

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4212	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
4444	remcos.exe
4212	AcroRd32.exe
4212	AcroRd32.exe
3572	AXd00000000000000000523KJIUTJ.SCR

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 3620	4244	Documento_digitaL.scr	83
PID 4244 wrote to memory of 3620	4244	Documento_digitaL.scr	83
PID 4244 wrote to memory of 3620	4244	Documento_digitaL.scr	83
PID 4244 wrote to memory of 2532	4244	Documento_digitaL.scr	85
PID 4244 wrote to memory of 2532	4244	Documento_digitaL.scr	85
PID 4244 wrote to memory of 2532	4244	Documento_digitaL.scr	85
PID 4244 wrote to memory of 4212	4244	Documento_digitaL.scr	86
PID 4244 wrote to memory of 4212	4244	Documento_digitaL.scr	86
PID 4244 wrote to memory of 4212	4244	Documento_digitaL.scr	86
PID 2532 wrote to memory of 2896	2532	RAd00000000000000000523KJIUTJ.SCR	87
PID 2532 wrote to memory of 2896	2532	RAd00000000000000000523KJIUTJ.SCR	87
PID 2532 wrote to memory of 2896	2532	RAd00000000000000000523KJIUTJ.SCR	87
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 2532 wrote to memory of 5096	2532	RAd00000000000000000523KJIUTJ.SCR	89
PID 5096 wrote to memory of 1108	5096	RAd00000000000000000523KJIUTJ.SCR	90
PID 5096 wrote to memory of 1108	5096	RAd00000000000000000523KJIUTJ.SCR	90
PID 5096 wrote to memory of 1108	5096	RAd00000000000000000523KJIUTJ.SCR	90
PID 1108 wrote to memory of 1908	1108	remcos.exe	91
PID 1108 wrote to memory of 1908	1108	remcos.exe	91
PID 1108 wrote to memory of 1908	1108	remcos.exe	91
PID 4212 wrote to memory of 4964	4212	AcroRd32.exe	93
PID 4212 wrote to memory of 4964	4212	AcroRd32.exe	93
PID 4212 wrote to memory of 4964	4212	AcroRd32.exe	93
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94
PID 4964 wrote to memory of 60	4964	RdrCEF.exe	94

C:\Users\Admin\AppData\Local\Temp\Documento_digitaL.scr
"C:\Users\Admin\AppData\Local\Temp\Documento_digitaL.scr" /S
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR
  "C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe'
    3⤵
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR
    "C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR"
    3⤵
    - Executes dropped EXE
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR
    "C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3572
- C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR
  "C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe'
    3⤵
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR
    "C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5096
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\ProgramData\Remcos\remcos.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe'
        5⤵
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        5⤵
        Executes dropped EXE
        
        PID:1984
    - - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:4444
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Carpeta Acta Del Caso Jurídico.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=294FB37FAC670FDE2A12F0FF43529EB4 --mojo-platform-channel-handle=1636 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:60
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=34A3E6351E46083CF50374BA246DF325 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=34A3E6351E46083CF50374BA246DF325 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2296
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2735423C265436F9BF747AFFEE9DC55C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2735423C265436F9BF747AFFEE9DC55C --renderer-client-id=4 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:2040
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9958EC89F5FF4F66443F8CC8DC9E113D --mojo-platform-channel-handle=2588 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:212
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2D26E53568D35CB5CD34DDF832B5CB59 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=29212E4B85233AD620E50B0EA042FCD3 --mojo-platform-channel-handle=2708 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
234B

MD5
1707e61a223b54467770c282313bfd27

SHA1
fbddb0fb14bf47dd8dec7fd730d4db66f0963103

SHA256
363368adf3b7bc98671b76e6e5b098ff9bf772a20c4c1e596136daaa7dcc8073

SHA512
d9fe6f9e13f7590a0e4d22e3fb69b54532e190a48c1758f45ab349aff7d793f98551e5da5b80bafd0e06425369a097fc37d8fa9d605ad5ec408b33e3319545c7

Download Submit
C:\ProgramData\Remcos\logs.dat

Filesize
320B

MD5
93ecbce01bbd88744cb2c925df755833

SHA1
7381555d01ead6acfaeeec612052f586220112e6

SHA256
f98cee5e3f51a114ffe77b90d63464f25f5d10b2be41ea741bf013342439bc43

SHA512
efdfe610467e5a0b472cebc7408fa29ff7df46aa41819c6770722b57d8d45181fca0833113d44d874a834ef028bb05747f2cf7530c34c9b6380a73212262c351

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
24d4bfbd348ce980bff3dc81643d6f65

SHA1
9b17c04b354ccc9ccdd0b69b09f558aeb2a598c8

SHA256
27cbf47c851cc3b0481e64f298eb27822336f32de8092479d1c366a99ceb143e

SHA512
288c0d6bd470a9cf3e4c09f2dbf380cad4cdb169af67dce557022fccbbbed640a65184bdd8e6734a7ea512ae769127413cf4e749c9203ab5ba933d114a97a2a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AXd00000000000000000523KJIUTJ.SCR.log

Filesize
1KB

MD5
fb48e160ad99a056cb5502632c82c402

SHA1
e51bd74b1da051115245d03ad325fad2affa0c7d

SHA256
b98b48bac31d64a426f4fefd46aba5a23812a5518d00774a3d04fdf872d2ebd4

SHA512
5b7cac873a341e4fa0233f2aad686718369d6a59af539354ec3cc3a146a26a16973df62bbd276465e81e104c68cd7af3f72c012536e6bf677c6bd5afb4c90822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
c8544b707136b72975f9892f8c64bbd8

SHA1
9f3af7af4ab004f3842cd30b36311f5516df744f

SHA256
07cc8aebb1c7eb28acc0b1bae3cb6e524fdb5adaa863d7f9a8a14e16b578cd5d

SHA512
c643acd59159528c71c051daabd348ca93c9928521b2bbe88fce1d23d36d14af49a7a6e02592ea42f8a35a861864534afc5ba5445d738730ef748ba266dc1258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
4959ca18aaaa11fbce66b64ccecc0bd4

SHA1
15cd31d69044687aa66d7a0f0131f5cab42d44e8

SHA256
e2d5e346c812d277e51d1afb074dda6f0b6e23b8fbccdf2c6f29820ad99591b3

SHA512
10ad851d5b620459fdfe99d2cabe678fc25128f7106b5707435ad2a0c62131a03e4718d79fc4d257dbc888ee7500d3104d0c3f67226f18dfe1d1773cd0de922b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carpeta Acta Del Caso Jurídico.pdf

Filesize
112KB

MD5
238e8416d317ec42a14f2ba41e3dfcf4

SHA1
b5a2b1864e5daffd1adabc463975f98783845633

SHA256
299e149cf809474d19d823ea9fd6e8d7b1403c5040bb85a29b02e9624c022988

SHA512
0a6af03d8601ddf536aef607875989eda2efc074ad0124acb399688e648efa655d9f4f3b2a57ff6c69fabd95795b7a2d40e02b6aeec88d7657edbceb9b00729f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x21ygbin.klo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
memory/1108-258-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1108-339-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/1908-261-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1908-260-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2380-340-0x00000000031D0000-0x00000000031E0000-memory.dmp

Filesize
64KB

Download
memory/2532-175-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-218-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-191-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-195-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-197-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-193-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-199-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-201-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-203-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-149-0x0000000000FF0000-0x00000000010CA000-memory.dmp

Filesize
872KB

Download
memory/2532-205-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-210-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-208-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-212-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-214-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-179-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-216-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-220-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-222-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-224-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-226-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-151-0x0000000005BE0000-0x0000000005C72000-memory.dmp

Filesize
584KB

Download
memory/2532-229-0x0000000006750000-0x0000000006751000-memory.dmp

Filesize
4KB

Download
memory/2532-187-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-153-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/2532-156-0x0000000006660000-0x00000000066FC000-memory.dmp

Filesize
624KB

Download
memory/2532-185-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-183-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-181-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-174-0x0000000006BA0000-0x0000000006CA2000-memory.dmp

Filesize
1.0MB

Download
memory/2532-189-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2532-177-0x0000000005FF0000-0x0000000006013000-memory.dmp

Filesize
140KB

Download
memory/2896-246-0x0000000007110000-0x00000000071A6000-memory.dmp

Filesize
600KB

Download
memory/2896-157-0x00000000023A0000-0x00000000023D6000-memory.dmp

Filesize
216KB

Download
memory/2896-247-0x0000000006310000-0x000000000632A000-memory.dmp

Filesize
104KB

Download
memory/2896-176-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2896-207-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/2896-169-0x0000000005750000-0x00000000057B6000-memory.dmp

Filesize
408KB

Download
memory/2896-163-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/2896-162-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/2896-161-0x0000000004C00000-0x0000000004C82000-memory.dmp

Filesize
520KB

Download
memory/2896-160-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/2896-159-0x0000000004850000-0x0000000004860000-memory.dmp

Filesize
64KB

Download
memory/2896-158-0x0000000004E90000-0x00000000054B8000-memory.dmp

Filesize
6.2MB

Download
memory/2896-248-0x0000000006380000-0x00000000063A2000-memory.dmp

Filesize
136KB

Download
memory/3572-559-0x0000000005E70000-0x0000000005E7A000-memory.dmp

Filesize
40KB

Download
memory/3572-572-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3572-421-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3572-560-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3620-154-0x00000000050F0000-0x0000000005102000-memory.dmp

Filesize
72KB

Download
memory/3620-148-0x0000000000700000-0x0000000000794000-memory.dmp

Filesize
592KB

Download
memory/3620-152-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3620-150-0x00000000056E0000-0x0000000005C84000-memory.dmp

Filesize
5.6MB

Download
memory/4444-372-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4444-529-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5096-227-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5096-245-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5096-230-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/5096-232-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download