Malware Analysis Report

2025-06-16 01:18

Sample ID 231206-re5enade5s
Target FACTURA090000.zIP
SHA256 eaac1b1dda1328d09641300b4eeba319d467f58b7b01214d70ea41ce4ddad3fd
Tags: remcos remotehost collection rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: eaac1b1dda1328d09641300b4eeba319d467f58b7b01214d70ea41ce4ddad3fd
Threat Level: Known bad. The file FACTURA090000.zIP was found to be: Known bad.

Summary

The archive ("factura" is Spanish for invoice, a standard lure) carries FACTURA090000.exe, an unsigned loader that behaves the same way in both detonations: it adds Windows Defender exclusions for its own path and for C:\Users\Admin\AppData\Roaming\jCaIeJ.exe, registers a scheduled task named Updates\jCaIeJ from an XML definition written to %TEMP%, and then writes a second PE into a fresh copy of its own process, which is where the Remcos payload runs (the SetThreadContext, WriteProcessMemory and MapViewOfSection signatures are the usual process-hollowing footprint). The injected process launches further copies of the executable with NirSoft's /stext switch, i.e. credential-recovery tools (at least WebBrowserPassView and MailPassView, per the signatures) dumping their results to text files in %TEMP%; it reads Outlook's account key, writes C:\ProgramData\remcos\logs.dat, looks up the host's location via geoplugin.net, and connects to 107.175.229.139:8087/tcp, the only outbound connection in either run that is not sandbox or OS background traffic. Each of these is shown in the per-run sections below.

Malicious Activity Summary

Tags: remcos remotehost collection rat spyware stealer

Remcos
Nirsoft
NirSoft WebBrowserPassView
NirSoft MailPassView
Reads user/profile data of web browsers
Checks computer location settings
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2023-12-06 14:07

Signatures

Unsigned PE (no indicator details were captured for this hit)

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-06 14:07
Reported: 2023-12-06 14:10
Platform: win7-20231023-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

Signatures

Remcos (rat remcos)

NirSoft MailPassView: 2 hits; indicator details were not captured in this extract.

NirSoft WebBrowserPassView: 3 hits; indicator details were not captured.

Nirsoft: 7 hits; indicator details were not captured.

Reads user/profile data of web browsers (spyware stealer)

Accesses Microsoft Outlook accounts (collection)

Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

That key holds Outlook's POP3/IMAP/SMTP account settings, including the obfuscated stored password, and is exactly what NirSoft Mail PassView reads; the hit comes from the recovery tool running inside the sample's own process (see the /stext command lines under Processes).

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Process: C:\Windows\SysWOW64\schtasks.exe (the /Create command line is under Processes)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege   Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Token: SeDebugPrivilege   Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

A Windows hook installed from the sample's process is consistent with Remcos' keyboard hook for keylogging; the log it writes, C:\ProgramData\remcos\logs.dat, is listed under Files.

Suspicious use of WriteProcessMemory

The report logs one row per write; its 48 rows collapse to the edges below (writer PID, target PID, number of writes, target image; the writer image is C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe in every row). A parent writes a few times into every child it starts and the sandbox records those writes too, so the count rather than the presence of an edge carries the signal: the 13 writes into PID 2628, a second copy of FACTURA090000.exe, are the payload being placed into the hollowed child, against a baseline of 4 for the PowerShell and schtasks children.

3036 -> 1620   4 writes   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3036 -> 2704   4 writes   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3036 -> 2708   4 writes   C:\Windows\SysWOW64\schtasks.exe
3036 -> 2628  13 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
2628 -> 2740   5 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
2628 -> 3016   5 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
2628 -> 1556   4 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
2628 -> 1460   4 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
2628 -> 2040   5 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

Processes

The tree below follows the order in which the report lists the processes; the PIDs come from the WriteProcessMemory table and are matched to command lines by that order, which the report does not state explicitly. Every command line names a C:\Windows\System32\... binary while the image path the sandbox recorded is under SysWOW64: the loader is a 32-bit process, and WOW64 file-system redirection sends its System32 references to SysWOW64. A hunting rule that matches on the image path therefore has to use the SysWOW64 path; one that matches on the command line can use System32.

C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PID 3036, loader]
  "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1620]
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 2704]
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jCaIeJ.exe"

    C:\Windows\SysWOW64\schtasks.exe  [PID 2708]
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jCaIeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8F45.tmp"

    C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PID 2628, the copy the payload is written into]
      "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

        C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PIDs 2740, 3016, 1556, 1460, 2040, in this order]
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\anrhumgnxfi"
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\lpxavxroloaqdgt"
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\vjckwpbizwsvfuhzeh"
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\vjckwpbizwsvfuhzeh"
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\vjckwpbizwsvfuhzeh"

Three behaviours here deserve rules of their own.

Add-MpPreference -ExclusionPath is run twice, for the sample's own path and for C:\Users\Admin\AppData\Roaming\jCaIeJ.exe, the name the loader gives its persistent copy (the file itself is not among the artefacts the sandbox captured, but both the exclusion and the task name refer to it). The cmdlet needs administrative rights. On a host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath shows whether it took effect, and Defender logs every configuration change as event 5007 in the Microsoft-Windows-Windows Defender/Operational channel.

schtasks /Create /XML registers the task Updates\jCaIeJ from a definition written to %TEMP% (tmp8F45.tmp, hashed under Files); the trigger and action live in that XML and in the task store. schtasks /Query /TN "Updates\jCaIeJ" /XML dumps the registered definition for review.

/stext is the NirSoft command-line switch that writes a tool's results to a text file. The binary launched is the sample itself, not a NirSoft executable on disk: the recovery tool is written into a fresh copy of the process and run with that switch, which is why the NirSoft signatures fire on a file that is not a NirSoft tool. The output names are random lowercase strings in %TEMP%; anrhumgnxfi is listed under Files. Only three of the five children (2740, 3016 and 2040 under Files) have an image dumped at 0x400000, and those three images differ in size, so three distinct tools were injected; the other two children left no dump.

Network

Country  Destination            Domain         Proto
US       107.175.229.139:8087                  tcp
US       107.175.229.139:8087                  tcp
US       8.8.8.8:53             geoplugin.net  udp
NL       178.237.33.50:80       geoplugin.net  tcp

Two things stand out. 107.175.229.139:8087 is a direct-to-IP TCP connection on a non-standard port with no preceding DNS query, made twice: that is the C2 the Remcos payload is configured with (the remotehost tag at the top is the botnet name from the extracted config, the Remcos builder's default value). geoplugin.net is Remcos' geolocation lookup, done once at startup; the service itself is legitimate, so treat a query for it from a non-browser process as a behavioural indicator rather than a block-list entry.

Files

Memory dumps, grouped by process: region, number of dumps, dump indices (the middle number in the original memory/<pid>-<index>-<start>-<end>-memory.dmp name).

PID 3036 (loader)
  0x013B0000-0x014AE000   1   #0   (0xFE000 bytes: the loader's own image, relocated away from the default base)
  0x74190000-0x7487E000   2   #1, 31
  0x05190000-0x051D0000   1   #2
  0x00430000-0x0044A000   1   #3
  0x00460000-0x00468000   1   #4
  0x004B0000-0x004BA000   1   #5
  0x055B0000-0x05668000   1   #6

PID 2628 (child copy of the sample)
  0x00400000-0x00482000  30   #19-26, 29, 33, 34, 37, 39, 41, 44, 46, 47, 49, 50, 52, 89, 91, 93, 94, 102, 103, 110, 111, 118, 119
  0x7EFDE000-0x7EFDF000   1   #27
  0x10000000-0x10019000   5   #83, 86, 87, 88, 98

PID 1620 (powershell)
  0x6ECB0000-0x6F25B000   3   #36, 40, 54
  0x02610000-0x02650000   2   #43, 45

PID 2704 (powershell)
  0x6ECB0000-0x6F25B000   3   #32, 42, 53
  0x02500000-0x02540000   2   #38, 48

PID 2740
  0x00400000-0x00478000   5   #57, 60, 62, 64, 80

PID 3016
  0x00400000-0x00457000   4   #63, 67, 69, 82

PID 2040
  0x00400000-0x00424000   4   #70, 72, 73, 74

Reading the map: 0x00400000 is the default image base of an EXE that has not been relocated, and the loader's own image is not there (it sits at 0x013B0000). A 0x82000-byte image at 0x400000 inside PID 2628, dumped 30 times over the run, is therefore a PE that was written into the child, i.e. the Remcos payload; the 0x19000-byte module at 0x10000000 sits at the classic default DLL base. The three grandchildren carry three different images at 0x400000 (0x78000, 0x57000 and 0x24000 bytes), matching three different recovery tools injected for the /stext runs. The 0x82000, 0x78000 and 0x57000 images reappear at the same base and size in behavioral2.

Files written (hashes as reported):

C:\Users\Admin\AppData\Local\Temp\tmp8F45.tmp
  The scheduled-task definition passed to schtasks /Create /XML (see Processes).
  MD5 a48bfee41bcf023f5bc34f930b7f93d6
  SHA1 85a326d34e46588c1faf9594734827762937c13f
  SHA256 87b67277dec1571899136fcaa33b64f06f1772b64c85661397bf1e1d1e114c33
  SHA512 e5aa3a73d1c24edcaae33d29a044ba1f857f90214d1426192ce677cb41314b7972dc8b65ef8ae680b0d6537e4b4ca2979ab8198f94207ae5f46f68c33f16b8da

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HNHOJSVFKPND8USG3ZFN.temp
  Jump-list entries Windows writes when PowerShell is launched; the two files are identical and are a side effect of powershell.exe running, not malware output.
  MD5 975155c88f5d6cb3f72d2e2db170ccb0
  SHA1 df0b534d6a27f340690c8054b7198e33c4ac2a9a
  SHA256 e8b3ff96675f982eedd55ee6e42e16251aa4f0f1bf03b40f58a76e101936d40c
  SHA512 6fbe5df3599a9d9fe2ea87c32701eca4e17d51153a920956c5aab2c8de2c6b838df11085c662ee040fdb17977084ceae1b566349d56d310a028b41f6b77aa540

C:\Users\Admin\AppData\Local\Temp\anrhumgnxfi
  The /stext output of the first recovery-tool child. This hash is that of a two-byte file containing only a UTF-16LE byte-order mark: the tool ran but found nothing in the sandbox profile to save.
  MD5 f3b25701fe362ec84616a93a45ce9998
  SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\ProgramData\remcos\logs.dat
  Remcos' log file in its default location; its offline keylogger writes captured keystrokes here.
  MD5 5547374c9c9ac75ad1593d8dfecba104
  SHA1 56c9a01c96a663a83870f0dcef02478c2de8443b
  SHA256 2120b7244553657fb6314a9f851949d594a63b3377c5831b3b536c3a48e5ccfc
  SHA512 d201aa5b0afff40dabbd420202dcb40aa0eb0124b71a9737b9e815beceb81cfffb3fe0e6c7087a0bd9633ba194e8ee367444c239d0d1aeba60810d36bd9c222f

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-06 14:07
Reported: 2023-12-06 14:09
Platform: win10v2004-20231130-en
Max time kernel: 148s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

Signatures

Remcos (rat remcos)

NirSoft MailPassView: 2 hits; indicator details were not captured in this extract.

NirSoft WebBrowserPassView: 2 hits; indicator details were not captured.

Nirsoft: 7 hits; indicator details were not captured.

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

Geo\Nation is the user's configured country. Commodity malware reads it to decide whether to run in a given region; this sample also does the online version of the check through geoplugin.net (see Network).

Reads user/profile data of web browsers (spyware stealer)

Accesses Microsoft Outlook accounts (collection)

Description: Key opened
Indicator: \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

As in behavioral1, this is the Outlook account key that NirSoft Mail PassView reads to recover stored mail passwords.

Enumerates physical storage devices

Creates scheduled task(s) (persistence)

Process: C:\Windows\SysWOW64\schtasks.exe (the /Create command line is under Processes)

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege   Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Token: SeDebugPrivilege   Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

Suspicious use of WriteProcessMemory

The 42 logged rows collapse to the edges below (writer PID, target PID, number of writes, target image; the writer image is C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe in every row). The baseline for a plain child start on this Windows 10 image is 3 writes. Two copies of the sample (2728 and 4488) received only that baseline and left no memory dump; the third, 3880, received 12 and is the process whose injected image appears under Files, so the loader needed three attempts before the payload went in.

2784 -> 1828   3 writes   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2784 -> 768    3 writes   C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
2784 -> 4108   3 writes   C:\Windows\SysWOW64\schtasks.exe
2784 -> 2728   3 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
2784 -> 4488   3 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
2784 -> 3880  12 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
3880 -> 5100   4 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
3880 -> 2176   4 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
3880 -> 4052   3 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe
3880 -> 4604   4 writes   C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe

Processes

Same conventions as behavioral1: the order is the report's, the PIDs are matched to command lines by that order (an inference, not something the report prints), and the System32 paths in the command lines resolve to SysWOW64 images because the loader is 32-bit.

C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PID 2784, loader]
  "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 1828]
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  [PID 768]
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jCaIeJ.exe"

    C:\Windows\SysWOW64\schtasks.exe  [PID 4108]
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jCaIeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp"

    C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PID 2728, baseline writes only, no dump]
      "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

    C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PID 4488, baseline writes only, no dump]
      "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

    C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PID 3880, the copy the payload is written into]
      "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"

        C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe  [PIDs 5100, 2176, 4052, 4604, in this order]
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnpyznniqpgunueeftdivvxkos"
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsjfyuuocgoplgisojrhsrc"
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\fqevycjmoywkbauofyw"
          C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnpyznniqpgunueeftdivvxkos"

The Defender exclusions, the task name Updates\jCaIeJ and the drop path C:\Users\Admin\AppData\Roaming\jCaIeJ.exe are identical to behavioral1, so they are hard-coded in the loader rather than generated per run; only the temporary XML name (tmp8201.tmp here, tmp8F45.tmp on Windows 7) and the /stext output names vary. The last /stext child reuses the first output path. On a host, Get-ScheduledTask -TaskPath "\Updates\" and Get-MpPreference | Select-Object -ExpandProperty ExclusionPath are the quick checks for the two persistence and defence-evasion artefacts.
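The process tree and command-line triage described for both runs, as an added Python example that is not part of the sandbox report: it parses WriteProcessMemory rows in the report's own format, applies the write-count heuristic described above to pick out the children that received a payload, and pulls the Defender-exclusion, scheduled-task and /stext indicators out of the command lines. The rows and command lines are transcribed from the behavioral2 run; pairing PIDs with command lines by listing order, and using the writer's smallest edge as the baseline, are this example's assumptions.

```python
"""Rebuild a sandbox run's process tree from its 'Suspicious use of
WriteProcessMemory' rows and triage its command lines.  Added example, not
part of the report; rows/command lines are transcribed from behavioral2."""
import re
from collections import Counter, defaultdict

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS_EXE = r"C:\Windows\SysWOW64\schtasks.exe"

# Constructed from the behavioral2 table: (writer, target, target image, rows).
# Expanded back into the report's raw row text so the parser sees the page format.
WPM_SUMMARY = [
    ("2784", "1828", PS_EXE, 3), ("2784", "768", PS_EXE, 3),
    ("2784", "4108", SCHTASKS_EXE, 3), ("2784", "2728", SAMPLE_EXE, 3),
    ("2784", "4488", SAMPLE_EXE, 3), ("2784", "3880", SAMPLE_EXE, 12),
    ("3880", "5100", SAMPLE_EXE, 4), ("3880", "2176", SAMPLE_EXE, 4),
    ("3880", "4052", SAMPLE_EXE, 3), ("3880", "4604", SAMPLE_EXE, 4),
]
RAW_ROWS = [f"PID {w} wrote to memory of {t} N/A {SAMPLE_EXE} {img}"
            for w, t, img, n in WPM_SUMMARY for _ in range(n)]

# Command lines exactly as the behavioral2 Processes section lists them.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe"',
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jCaIeJ.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jCaIeJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp"',
    r'C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnpyznniqpgunueeftdivvxkos"',
    r'C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\hsjfyuuocgoplgisojrhsrc"',
    r'C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\fqevycjmoywkbarofyw"'.replace("fqevycjmoywkbarofyw", "fqevycjmoywkbauofyw"),
    r'C:\Users\Admin\AppData\Local\Temp\FACTURA090000.exe /stext "C:\Users\Admin\AppData\Local\Temp\rnpyznniqpgunueeftdivvxkos"',
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
EXCL_RE = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+"([^"]+)"', re.I)
TASK_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\s+/TN\s+"([^"]+)"\s+/XML\s+"([^"]+)"', re.I)
STEXT_RE = re.compile(r'/stext\s+"([^"]+)"', re.I)


def parse_wpm(rows):
    """Count rows per (writer PID, target PID) and remember each PID's image path."""
    counts, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            w, t, w_img, t_img = m.groups()
            counts[(w, t)] += 1
            images[w], images[t] = w_img, t_img
    return counts, images


def injection_candidates(counts, images):
    """A parent writes a few times into every child it starts and the sandbox logs
    those too, so take the writer's smallest edge as that baseline and flag only
    children running the writer's own image that received more than it."""
    per_writer = defaultdict(dict)
    for (w, t), n in counts.items():
        per_writer[w][t] = n
    found = []
    for w, targets in per_writer.items():
        baseline = min(targets.values())
        for t, n in targets.items():
            if images[t] == images[w] and n > baseline:
                found.append((w, t, n))
    return sorted(found, key=lambda e: -e[2])


def in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def triage_cmdlines(cmdlines):
    """The three loader-stage behaviours worth alerting on, pulled from command lines."""
    out = {"defender_exclusions": [], "scheduled_tasks": [], "stext_outputs": []}
    for c in cmdlines:
        out["defender_exclusions"] += EXCL_RE.findall(c)
        for name, xml in TASK_RE.findall(c):
            out["scheduled_tasks"].append({"name": name, "xml": xml, "xml_in_temp": in_temp(xml)})
        out["stext_outputs"] += STEXT_RE.findall(c)
    return out


if __name__ == "__main__":
    counts, images = parse_wpm(RAW_ROWS)
    for w, t, n in injection_candidates(counts, images):
        print(f"{w} -> {t}: {n} writes into a copy of its own image")
    print(triage_cmdlines(CMDLINES))
```

Run as a script it reports 3880 (12 writes) first, then the three grandchildren 5100, 2176 and 4604 (4 writes each); 2728 and 4488 sit at the three-write baseline and are not flagged. The threshold is relative to the writer on purp because the number of writes a clean process start produces varies with the OS image and the sandbox's hooking (four in the Windows 7 run above, three here), so a fixed number would misfire on one of the two runs.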

Network

Country  Destination             Domain                         Proto
US       8.8.8.8:53              1.181.190.20.in-addr.arpa      udp
US       8.8.8.8:53              95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53              241.154.82.20.in-addr.arpa     udp
US       8.8.8.8:53              175.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53              tse1.mm.bing.net               udp
US       204.79.197.200:443      tse1.mm.bing.net               tcp
US       204.79.197.200:443      tse1.mm.bing.net               tcp
US       204.79.197.200:443      tse1.mm.bing.net               tcp
US       204.79.197.200:443      tse1.mm.bing.net               tcp
US       8.8.8.8:53              200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53              167.109.18.2.in-addr.arpa      udp
US       107.175.229.139:8087                                   tcp
US       8.8.8.8:53              139.229.175.107.in-addr.arpa   udp
US       107.175.229.139:8087                                   tcp
US       8.8.8.8:53              geoplugin.net                  udp
NL       178.237.33.50:80        geoplugin.net                  tcp
US       8.8.8.8:53              50.33.237.178.in-addr.arpa     udp
US       8.8.8.8:53              198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53              157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53              217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53              185.178.17.96.in-addr.arpa     udp

Only two destinations here are the sample's own: the two direct-to-IP connections to 107.175.229.139:8087 (the Remcos C2, exactly as in behavioral1) and the geoplugin.net lookup followed by the HTTP request to 178.237.33.50:80 (Remcos' geolocation check). The tse1.mm.bing.net traffic is Windows 10 background activity. The in-addr.arpa entries are reverse lookups of addresses the VM talked to, not sample behaviour: three of them map back to destinations in this table (200.197.79.204 is 204.79.197.200, 139.229.175.107 is 107.175.229.139, 50.33.237.178 is 178.237.33.50) and the other nine correspond to OS traffic the table does not list as connections. For IOC export keep 107.175.229.139:8087 and record geoplugin.net as a behavioural indicator rather than a block-list entry.
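Separating the sample's traffic from the sandbox's, as an added Python example that is not part of the report: it parses the Network rows above in the report's format, folds each in-addr.arpa name back into the address it names, drops the resolver and Microsoft background traffic, and returns the connections worth exporting with the reverse lookups matched against them. The resolver address and the short noise-domain list are this example's assumptions, as is treating any direct-to-IP connection on a port other than 80/443 as notable.

```python
"""Split a sandbox Network table into the sample's connections and the VM's
background traffic.  Added example, not part of the report; the rows below are
the behavioral2 table copied as printed."""
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 139.229.175.107.in-addr.arpa udp
US 107.175.229.139:8087 tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")
RESOLVER = ("8.8.8.8", 53)          # the VM's DNS server (assumption)
PTR_SUFFIX = ".in-addr.arpa"
OS_NOISE = ("bing.net", "microsoft.com", "windows.com", "msftconnecttest.com")  # assumption


def parse_network(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["port"] = int(r["port"])
            rows.append(r)
    return rows


def ptr_to_ip(name):
    """'139.229.175.107.in-addr.arpa' -> '107.175.229.139' (PTR names reverse the octets)."""
    name = name.lower()
    if name.endswith(PTR_SUFFIX):
        name = name[: -len(PTR_SUFFIX)]
    return ".".join(reversed(name.split(".")))


def is_os_noise(domain):
    return bool(domain) and domain.lower().endswith(OS_NOISE)


def classify(rows):
    """Names the sample resolved, connections it made, and the VM's reverse
    lookups split by whether they point back at a destination in the table."""
    dest_ips = {r["ip"] for r in rows if (r["ip"], r["port"]) != RESOLVER}
    queries, ptr_names, conns = [], [], Counter()
    for r in rows:
        if (r["ip"], r["port"]) == RESOLVER and r["proto"] == "udp":
            name = r["domain"] or ""
            if name.endswith(PTR_SUFFIX):
                ptr_names.append(name)
            elif not is_os_noise(name):
                queries.append(name)
            continue
        if is_os_noise(r["domain"]):
            continue
        conns[(r["ip"], r["port"], r["proto"], r["domain"])] += 1
    ptr_ips = [ptr_to_ip(n) for n in ptr_names]
    return {
        "dns_queries": queries,
        "sample_connections": sorted(((*k, n) for k, n in conns.items()),
                                     key=lambda e: (e[0], e[1], e[2], e[3] or "")),
        "ptr_matched": sorted(ip for ip in ptr_ips if ip in dest_ips),
        "ptr_unmatched": sorted(ip for ip in ptr_ips if ip not in dest_ips),
    }


def describe(conn):
    """Why a surviving connection deserves attention."""
    ip, port, proto, domain, n = conn
    if domain is None:
        note = "direct-to-IP, no DNS lookup"
        if port not in (80, 443):
            note += ", non-standard port"
        return f"{ip}:{port}/{proto} x{n}: {note}"
    return f"{domain} ({ip}:{port}/{proto}) x{n}: resolved then contacted"


if __name__ == "__main__":
    result = classify(parse_network(NETWORK_ROWS))
    for conn in result["sample_connections"]:
        print(describe(conn))
    print("queried:", result["dns_queries"])
    print("reverse lookups with no matching connection:", result["ptr_unmatched"])
```

The reverse-lookup matching is the part that pays off in practice: a PTR query for the C2's own address appearing right after the connection (as 139.229.175.107.in-addr.arpa does here) is the VM annotating the flow, not a second indicator, and the nine unmatched ones tell you how much OS traffic the table silently omits.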

Files

Memory dumps, grouped by process: region, number of dumps, dump indices (the middle number in the original memory/<pid>-<index>-<start>-<end>-memory.dmp name).

PID 2784 (loader)
  0x002A0000-0x0039E000   1   #0   (0xFE000 bytes: the loader's image, the same size as PID 3036's in behavioral1 at a different ASLR base)
  0x74720000-0x74ED0000   3   #1, 17, 51
  0x05470000-0x05A14000   1   #2
  0x04D90000-0x04E22000   1   #3
  0x04FE0000-0x04FF0000   2   #4, 21
  0x04E40000-0x04E4A000   1   #5
  0x05140000-0x0515A000   1   #6
  0x05170000-0x05178000   1   #7
  0x05180000-0x0518A000   1   #8
  0x062D0000-0x06388000   1   #9
  0x08B00000-0x08B9C000   1   #10

PID 1828 (powershell)
  0x01600000-0x01636000   1   #15
  0x74720000-0x74ED0000   2   #16, 108
  0x054D0000-0x054E0000   4   #18, 20, 88, 91
  0x05B10000-0x06138000   1   #19
  0x058E0000-0x05902000   1   #23
  0x06410000-0x06764000   1   #46
  0x07700000-0x07732000   1   #62
  0x731C0000-0x7320C000   1   #75
  0x7FC50000-0x7FC60000   1   #76
  0x07AB0000-0x07ACA000   1   #93
  0x07CB0000-0x07CC1000   1   #98
  0x07DF0000-0x07E0A000   1   #101
  0x07DD0000-0x07DD8000   1   #102

PID 768 (powershell)
  0x00C10000-0x00C20000   2   #22, 89
  0x74720000-0x74ED0000   2   #24, 109
  0x04AD0000-0x04B36000   1   #26
  0x04D70000-0x04DD6000   1   #27
  0x059D0000-0x059EE000   1   #58
  0x05F80000-0x05FCC000   1   #59
  0x731C0000-0x7320C000   1   #63
  0x05F10000-0x05F2E000   1   #73
  0x7F620000-0x7F630000   1   #74
  0x06A10000-0x06AB3000   1   #77
  0x07350000-0x079CA000   1   #92
  0x06D80000-0x06D8A000   1   #94
  0x06F90000-0x07026000   1   #97
  0x06F40000-0x06F4E000   1   #99
  0x06F50000-0x06F64000   1   #100

PID 3880 (child copy of the sample)
  0x00400000-0x00482000  13   #47, 48, 50, 52, 53, 55, 56, 57, 60, 61, 78, 90, 96

PID 5100
  0x00400000-0x00478000   3   #110, 114, 117

PID 2176
  0x00400000-0x00457000   2   #111, 115

Reading the map: the 0x74720000-0x74ED0000 module is mapped in the loader and in both PowerShell processes alike, so it is a shared system module, not payload. The loader's own image sits at 0x002A0000 with the same 0xFE000 size as in behavioral1. PID 3880 carries a 0x82000-byte image at the default EXE base 0x00400000, the same injected Remcos image seen in PID 2628 on Windows 7, and the two grandchildren that left dumps carry the 0x78000- and 0x57000-byte recovery tools also seen there; the 0x24000-byte one and the other two /stext children (4052, 4604) left no dump in this run.

Files written (hashes as reported):

C:\Users\Admin\AppData\Local\Temp\tmp8201.tmp
  The scheduled-task definition passed to schtasks /Create /XML (see Processes).
  MD5 e95f7db0c061f494af12eca56d64be3d
  SHA1 fb62a2c1869aa903cf4c84f4c22b1e05da5e6bf5
  SHA256 5f8041f71cd1ee7d7e50838b5bee9ac1c60c57da7150aabe3acbd9e6314a68dd
  SHA512 f3f8f5e7784f50e09e7507ec7bcf7b0f551b7aba515c07dc265aeb9e7a198880458aa70d9d5d0bd1d7f07b176a4ea5683a7266101192cd5e6408dd1a78833947

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gs0inpch.20v.ps1
  PowerShell writes a __PSScriptPolicyTest_*.ps1 file at startup to test whether AppLocker/WDAC script enforcement applies; it is a side effect of powershell.exe running, and its appearance in file-creation telemetry is a reliable sign that PowerShell actually started.
  MD5 d17fe0a3f47be24a6453e9ef58c94641
  SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  The .NET CLR usage log; the _32 in the directory name confirms the 32-bit PowerShell from SysWOW64 ran.
  MD5 968cb9309758126772781b83adb8a28f
  SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
  SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
  SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  PowerShell's startup profile cache, written on a non-interactive launch; benign.
  MD5 9e77a2e9ccd76de55360a4cfeec03bda
  SHA1 4a7ddee3fa5bf830b497718c1a49a87e1bcadbdf
  SHA256 cd83c74f972a8a6d27452bf09de9bd3be8e8d7e4856612a9ead9d277ff082afc
  SHA512 c66968c03be88065e850bf831c01f9aeb527d9f01287c764753c21a97ebe6afc9b42c86f5f5387b649ad45e127be5db402cd0548f885388c80cd545d5a9351c3

Unlike behavioral1, this run captured neither a /stext output file nor C:\ProgramData\remcos\logs.dat.

memory/4604-122-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4604-125-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4604-126-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4604-128-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4604-127-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2176-124-0x0000000000400000-0x0000000000457000-memory.dmp

memory/2176-121-0x0000000000400000-0x0000000000457000-memory.dmp

memory/5100-130-0x0000000000400000-0x0000000000478000-memory.dmp

memory/3880-135-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3880-138-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3880-137-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3880-136-0x0000000010000000-0x0000000010019000-memory.dmp

memory/3880-132-0x0000000010000000-0x0000000010019000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fqevycjmoywkbauofyw

MD5 05b913e050d2b362781248c7eeb17ee4
SHA1 0f263d74a27527154c8381bb34049a121851467f
SHA256 28a8b87fe959106951e7f632c0a1b0b52d4542da12a3679176c3707926251c27
SHA512 70335927da5010cb8a1e9718dab4c62964c33451545ca19c0bde6027c3165233cfded1157575eaba48aab4b43978812db1afa63eb631d2df0f2b30da16e8067c

memory/3880-141-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3880-144-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3880-145-0x0000000000400000-0x0000000000482000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 7e59deb6649494bf5da7c4a5ea831374
SHA1 e865d664d0a5721cd6f47fff6450a0e3d4bcf88b
SHA256 9baeb8d33ceeda825c93418df69084b32bff065eb727e5769cc38bab01e6bf2f
SHA512 c9b2c12651a44f1c5ccb612ee82b644e8d866e4d51392f6f0a2709a7dd5059d62c3a617e539151a01770a182f902225e51ebef93c16017b31c65526a564e880b

memory/3880-152-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3880-153-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3880-168-0x0000000000400000-0x0000000000482000-memory.dmp

memory/3880-169-0x0000000000400000-0x0000000000482000-memory.dmp