remcos | 0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 11:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DocumentodigitaLSCRexeexe.exe
Size

1.4MB
MD5

850d9e8271dcae3b78c922aeddd9f743
SHA1

95971cc0caf853f0e4750cdaff5874b4adc2a4a3
SHA256

0e25b5299c3df59e05d296b1478d43094d5d81e1a5b8706fd355b36388244326
SHA512

0e4af245411c80d1cdc52d72a16fddbad41a3dc9972bdb8a25fe9f50721c8306eebb17ee30c1a504e370ff7cb8175e411c4b13188336f093269468906500b5ef
SSDEEP

24576:9VgmnudJ41JhQ0IM6AYsLKBL/7DciY5tTb2p0UdEWVnK:9VSr4+M63ci6b2pxI

Score

10^/10

remcos matarifejulio5 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

matarifeJULIO5

matarife.duckdns.org:2798

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
20
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZQGP5Y
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	DocumentodigitaLSCRexeexe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\International\Geo\Nation	RAd00000000000000000523KJIUTJ.SCR

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AXd00000000000000000523KJIUTJ.lnk	AXd00000000000000000523KJIUTJ.SCR
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AXd00000000000000000523KJIUTJ.lnk	AXd00000000000000000523KJIUTJ.SCR
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe	Powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe	Powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
672	AXd00000000000000000523KJIUTJ.SCR
792	RAd00000000000000000523KJIUTJ.SCR
972	RAd00000000000000000523KJIUTJ.SCR
4564	RAd00000000000000000523KJIUTJ.SCR
2872	remcos.exe
2980	remcos.exe
632	AXd00000000000000000523KJIUTJ.SCR

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Run\	RAd00000000000000000523KJIUTJ.SCR
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZQGP5Y = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	RAd00000000000000000523KJIUTJ.SCR
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Run\	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-ZQGP5Y = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 2872 set thread context of 2980	2872	remcos.exe	102
PID 672 set thread context of 632	672	AXd00000000000000000523KJIUTJ.SCR	103

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	DocumentodigitaLSCRexeexe.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2204	Powershell.exe
2204	Powershell.exe
792	RAd00000000000000000523KJIUTJ.SCR
792	RAd00000000000000000523KJIUTJ.SCR
4368	Powershell.exe
4368	Powershell.exe
4080	Powershell.exe
4080	Powershell.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
632	AXd00000000000000000523KJIUTJ.SCR

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	Powershell.exe
Token: SeDebugPrivilege	792	RAd00000000000000000523KJIUTJ.SCR
Token: SeDebugPrivilege	4368	Powershell.exe
Token: SeDebugPrivilege	2872	remcos.exe
Token: SeDebugPrivilege	4080	Powershell.exe
Token: SeDebugPrivilege	672	AXd00000000000000000523KJIUTJ.SCR
Token: SeDebugPrivilege	632	AXd00000000000000000523KJIUTJ.SCR

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2396	AcroRd32.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
2980	remcos.exe
2396	AcroRd32.exe
2396	AcroRd32.exe
632	AXd00000000000000000523KJIUTJ.SCR

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 672	5028	DocumentodigitaLSCRexeexe.exe	84
PID 5028 wrote to memory of 672	5028	DocumentodigitaLSCRexeexe.exe	84
PID 5028 wrote to memory of 672	5028	DocumentodigitaLSCRexeexe.exe	84
PID 5028 wrote to memory of 792	5028	DocumentodigitaLSCRexeexe.exe	86
PID 5028 wrote to memory of 792	5028	DocumentodigitaLSCRexeexe.exe	86
PID 5028 wrote to memory of 792	5028	DocumentodigitaLSCRexeexe.exe	86
PID 5028 wrote to memory of 2396	5028	DocumentodigitaLSCRexeexe.exe	87
PID 5028 wrote to memory of 2396	5028	DocumentodigitaLSCRexeexe.exe	87
PID 5028 wrote to memory of 2396	5028	DocumentodigitaLSCRexeexe.exe	87
PID 792 wrote to memory of 2204	792	RAd00000000000000000523KJIUTJ.SCR	88
PID 792 wrote to memory of 2204	792	RAd00000000000000000523KJIUTJ.SCR	88
PID 792 wrote to memory of 2204	792	RAd00000000000000000523KJIUTJ.SCR	88
PID 792 wrote to memory of 972	792	RAd00000000000000000523KJIUTJ.SCR	90
PID 792 wrote to memory of 972	792	RAd00000000000000000523KJIUTJ.SCR	90
PID 792 wrote to memory of 972	792	RAd00000000000000000523KJIUTJ.SCR	90
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 792 wrote to memory of 4564	792	RAd00000000000000000523KJIUTJ.SCR	91
PID 4564 wrote to memory of 2872	4564	RAd00000000000000000523KJIUTJ.SCR	92
PID 4564 wrote to memory of 2872	4564	RAd00000000000000000523KJIUTJ.SCR	92
PID 4564 wrote to memory of 2872	4564	RAd00000000000000000523KJIUTJ.SCR	92
PID 2872 wrote to memory of 4368	2872	remcos.exe	93
PID 2872 wrote to memory of 4368	2872	remcos.exe	93
PID 2872 wrote to memory of 4368	2872	remcos.exe	93
PID 2396 wrote to memory of 1564	2396	AcroRd32.exe	95
PID 2396 wrote to memory of 1564	2396	AcroRd32.exe	95
PID 2396 wrote to memory of 1564	2396	AcroRd32.exe	95
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96
PID 1564 wrote to memory of 3684	1564	RdrCEF.exe	96

C:\Users\Admin\AppData\Local\Temp\DocumentodigitaLSCRexeexe.exe
"C:\Users\Admin\AppData\Local\Temp\DocumentodigitaLSCRexeexe.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR
  "C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe'
    3⤵
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR
    "C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:632
- C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR
  "C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR" /S
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe'
    3⤵
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR
    "C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR"
    3⤵
    - Executes dropped EXE
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR
    "C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        
        "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\ProgramData\Remcos\remcos.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMR.exe'
        5⤵
        Drops startup file
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:2980
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Carpeta Acta Del Caso Jurídico.pdf"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B2BFF5DE3BA34B685464A02F099E64A --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:3684
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4FDF7B4D4CB67274829C592823EB79B1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4FDF7B4D4CB67274829C592823EB79B1 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:908
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=697AEC4B63D1F46E9C40A0106D1573B9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=697AEC4B63D1F46E9C40A0106D1573B9 --renderer-client-id=4 --mojo-platform-channel-handle=2176 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:3836
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E31D8DFE070F9E8B7DBD044ACF55473 --mojo-platform-channel-handle=2564 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:1492
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FC4AD3D5D421CA14CB937AF1DBF4A037 --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9C168E195A3C5948E2335BFA43405C88 --mojo-platform-channel-handle=2792 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\logs.dat

Filesize
234B

MD5
cd4ca957a144a18ce3db6f6dbbf3cf83

SHA1
8258fd31b0b3bba8932f05537bc9e8224b396519

SHA256
f8f97a71e09b02025d9b070b00f3887bbb6093cbd3ac9e2945efff8a6282f619

SHA512
e61e1631b17276c7b533d44adb14ce98d46b1ff690870a2346b254b2aab9972a89ff6735e192a5f95b2fbaeddfba99926ade8201ce69850d9625c0eabe05ea29

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\ProgramData\Remcos\remcos.exe

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
7f7f852ea2804977809653fd9052fc2d

SHA1
7cedcd97b384d49ce30f877be27a8e2d0f92713c

SHA256
e9662c6a408b009b2f3fd1a662a2b510cb7608d86b84b9802b29270ca05a85a5

SHA512
019cdd2e42c5098eb0d0279509b6cca3411e24c33313a52fd4a680c551dae799059cb7aacb6d391c9a59f233cbbe3c4df62d7917ac4d7aefd2f49e591e00867a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AXd00000000000000000523KJIUTJ.SCR.log

Filesize
1KB

MD5
fb48e160ad99a056cb5502632c82c402

SHA1
e51bd74b1da051115245d03ad325fad2affa0c7d

SHA256
b98b48bac31d64a426f4fefd46aba5a23812a5518d00774a3d04fdf872d2ebd4

SHA512
5b7cac873a341e4fa0233f2aad686718369d6a59af539354ec3cc3a146a26a16973df62bbd276465e81e104c68cd7af3f72c012536e6bf677c6bd5afb4c90822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
618c1deeadfe5d65bfdae9ad41408c93

SHA1
59e3d98633adb1e0df7b93a46b62f0fb043515ef

SHA256
8036a88473e4a9ad6156bfd02a2f4d90e1ce2a27c3052a9dc458a18ab0eec91e

SHA512
2308bde48040469c47169d34a459e96c10f185f6773b21bc94f1e833878bbab954caed26cd76ef723d3356a6839f8a3937f04e89ee0150ee6d39df541822e640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
618c1deeadfe5d65bfdae9ad41408c93

SHA1
59e3d98633adb1e0df7b93a46b62f0fb043515ef

SHA256
8036a88473e4a9ad6156bfd02a2f4d90e1ce2a27c3052a9dc458a18ab0eec91e

SHA512
2308bde48040469c47169d34a459e96c10f185f6773b21bc94f1e833878bbab954caed26cd76ef723d3356a6839f8a3937f04e89ee0150ee6d39df541822e640

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXd00000000000000000523KJIUTJ.SCR

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
C:\Users\Admin\AppData\Local\Temp\Carpeta Acta Del Caso Jurídico.pdf

Filesize
112KB

MD5
238e8416d317ec42a14f2ba41e3dfcf4

SHA1
b5a2b1864e5daffd1adabc463975f98783845633

SHA256
299e149cf809474d19d823ea9fd6e8d7b1403c5040bb85a29b02e9624c022988

SHA512
0a6af03d8601ddf536aef607875989eda2efc074ad0124acb399688e648efa655d9f4f3b2a57ff6c69fabd95795b7a2d40e02b6aeec88d7657edbceb9b00729f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAd00000000000000000523KJIUTJ.SCR

Filesize
853KB

MD5
c6ea0e7a228a5de6fdb682fd0a135d67

SHA1
264d0950d5ac08b6dc784b5e372237185a3b956c

SHA256
40495077a292c313a58d5d42004097acf6372f0ab3f7e20c14872e7623edf6a2

SHA512
1bb34d149e390a2668abe85e977ec9285002e15dc741315b0888df44e1b0b7ebf1c7a03b9ad041ad19f51325702176124e123ea3b5c3bd76a8f83bca5c10b5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5p1o5gxj.gim.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydeskMRX.exe

Filesize
571KB

MD5
f0ee9b49497460c19c470e2ba4a9db70

SHA1
4dcc8dd8b1f54fa6f0d7af9438b403fbf84f8b37

SHA256
51e46ab5623646e8fea7fd1b13348f0adc510a0712e7b1b506d3117d6b066c19

SHA512
b441f746cc666a68abf96778c4cc61aac41e4bac5c8ed950e9de432972e0b712a37e278f2107b005ec7c9c8f858495bab54cfb34deb259e579731a6941773482

Download Submit
memory/632-546-0x0000000005EE0000-0x0000000005EEA000-memory.dmp

Filesize
40KB

Download
memory/632-563-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/632-551-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/632-413-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/672-149-0x0000000000C80000-0x0000000000D14000-memory.dmp

Filesize
592KB

Download
memory/672-404-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/672-157-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/792-215-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-223-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-194-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-196-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-198-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-200-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-202-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-204-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-206-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-208-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-210-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-148-0x0000000000D30000-0x0000000000E0A000-memory.dmp

Filesize
872KB

Download
memory/792-212-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-190-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-217-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-219-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-221-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-178-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-224-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/792-188-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-150-0x0000000005E10000-0x00000000063B4000-memory.dmp

Filesize
5.6MB

Download
memory/792-186-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-151-0x0000000005910000-0x00000000059A2000-memory.dmp

Filesize
584KB

Download
memory/792-153-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/792-184-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-182-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-154-0x00000000063C0000-0x000000000645C000-memory.dmp

Filesize
624KB

Download
memory/792-180-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-156-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/792-192-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-173-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-174-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/792-176-0x0000000005D20000-0x0000000005D43000-memory.dmp

Filesize
140KB

Download
memory/2204-163-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/2204-213-0x0000000005AB0000-0x0000000005ACE000-memory.dmp

Filesize
120KB

Download
memory/2204-155-0x0000000002120000-0x0000000002156000-memory.dmp

Filesize
216KB

Download
memory/2204-159-0x0000000004BB0000-0x00000000051D8000-memory.dmp

Filesize
6.2MB

Download
memory/2204-253-0x0000000005F40000-0x0000000005F5A000-memory.dmp

Filesize
104KB

Download
memory/2204-252-0x0000000006B60000-0x0000000006BF6000-memory.dmp

Filesize
600KB

Download
memory/2204-254-0x0000000005FD0000-0x0000000005FF2000-memory.dmp

Filesize
136KB

Download
memory/2204-160-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/2204-162-0x00000000052E0000-0x0000000005346000-memory.dmp

Filesize
408KB

Download
memory/2204-161-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/2204-158-0x0000000002180000-0x0000000002190000-memory.dmp

Filesize
64KB

Download
memory/2872-244-0x0000000002D40000-0x0000000002D50000-memory.dmp

Filesize
64KB

Download
memory/2980-403-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2980-522-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4080-301-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/4080-300-0x00000000021A0000-0x00000000021B0000-memory.dmp

Filesize
64KB

Download
memory/4368-246-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/4368-245-0x00000000029F0000-0x0000000002A00000-memory.dmp

Filesize
64KB

Download
memory/4564-243-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4564-230-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4564-229-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4564-226-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download