remcos | 5c6cfb4908c07c8b3677cabe6c3b96be940873b5814dd4cfe948c5bec76a0fc2

Resubmissions

22/02/2024, 14:29

240222-rtsz6sba5w 10

22/02/2024, 14:22

240222-rpzbdsbd39 10

Analysis

max time kernel
199s
max time network
290s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a20db58-694a-9617-c311-6ddcd5e6bd97.eml
Size

14KB
MD5

81d78b2667fd7239c7bac435a08f7ec4
SHA1

b561287757732f9667b68b305f28248793c9b4b9
SHA256

5c6cfb4908c07c8b3677cabe6c3b96be940873b5814dd4cfe948c5bec76a0fc2
SHA512

1c0b79a0276f4d8d0145259bf3c1d4767d6b608383be8e3bbac2365f523601b9e28189b74a164efde53892114d6f8112d34a6ab1ef66c37db9db190774a53577
SSDEEP

384:Z0AHiCbpuPXyDkNaQe94rN5XTGLv4ZefeDos:Z0ACsGXJIQ4GTXTiv4ZefeDos

Score

10^/10

remcos bbbbb rat

Malware Config

Extracted

Family

remcos

Botnet

BBBBB

ferfnekfkjerfjre.con-ip.com:1995

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-B468MF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 2 IoCs

pid	Process
2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe
2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2028 set thread context of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1568	schtasks.exe
2128	schtasks.exe
1144	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 401b7dbd9b65da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414774123"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F994FC61-D18E-11EE-A8B6-6A55B5C6A64E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\ = "OutlookBarShortcut"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ = "StoresEvents_12"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ = "_OlkTextBox"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00062FFF-0000-0000-C000-000000000046}\9.4\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\msoutl.olb"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ = "_AppointmentItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\ = "_SharingItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ = "_CalendarView"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\ = "_Table"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ = "ItemProperties"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\ = "OlkInfoBarEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\ = "OlkSenderPhotoEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046}\ = "_Application"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1676	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2468	7zFM.exe
2468	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2468	7zFM.exe
2160	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2468	7zFM.exe
Token: 35	2468	7zFM.exe
Token: SeSecurityPrivilege	2468	7zFM.exe
Token: SeSecurityPrivilege	2468	7zFM.exe
Token: SeSecurityPrivilege	2468	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1676	OUTLOOK.EXE
944	iexplore.exe
944	iexplore.exe
2468	7zFM.exe
2468	7zFM.exe
2468	7zFM.exe
2468	7zFM.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
1676	OUTLOOK.EXE
944	iexplore.exe
944	iexplore.exe
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE
2160	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 944	1676	OUTLOOK.EXE	33
PID 1676 wrote to memory of 944	1676	OUTLOOK.EXE	33
PID 1676 wrote to memory of 944	1676	OUTLOOK.EXE	33
PID 1676 wrote to memory of 944	1676	OUTLOOK.EXE	33
PID 944 wrote to memory of 1856	944	iexplore.exe	34
PID 944 wrote to memory of 1856	944	iexplore.exe	34
PID 944 wrote to memory of 1856	944	iexplore.exe	34
PID 944 wrote to memory of 1856	944	iexplore.exe	34
PID 944 wrote to memory of 2468	944	iexplore.exe	36
PID 944 wrote to memory of 2468	944	iexplore.exe	36
PID 944 wrote to memory of 2468	944	iexplore.exe	36
PID 2468 wrote to memory of 2224	2468	7zFM.exe	37
PID 2468 wrote to memory of 2224	2468	7zFM.exe	37
PID 2468 wrote to memory of 2224	2468	7zFM.exe	37
PID 2468 wrote to memory of 2224	2468	7zFM.exe	37
PID 2468 wrote to memory of 2224	2468	7zFM.exe	37
PID 2468 wrote to memory of 2224	2468	7zFM.exe	37
PID 2468 wrote to memory of 2224	2468	7zFM.exe	37
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2160	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	38
PID 2224 wrote to memory of 2748	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	39
PID 2224 wrote to memory of 2748	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	39
PID 2224 wrote to memory of 2748	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	39
PID 2224 wrote to memory of 2748	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	39
PID 2224 wrote to memory of 1008	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	41
PID 2224 wrote to memory of 1008	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	41
PID 2224 wrote to memory of 1008	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	41
PID 2224 wrote to memory of 1008	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	41
PID 1008 wrote to memory of 2128	1008	cmd.exe	43
PID 1008 wrote to memory of 2128	1008	cmd.exe	43
PID 1008 wrote to memory of 2128	1008	cmd.exe	43
PID 1008 wrote to memory of 2128	1008	cmd.exe	43
PID 2224 wrote to memory of 2908	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	44
PID 2224 wrote to memory of 2908	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	44
PID 2224 wrote to memory of 2908	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	44
PID 2224 wrote to memory of 2908	2224	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	44
PID 2468 wrote to memory of 2028	2468	7zFM.exe	47
PID 2468 wrote to memory of 2028	2468	7zFM.exe	47
PID 2468 wrote to memory of 2028	2468	7zFM.exe	47
PID 2468 wrote to memory of 2028	2468	7zFM.exe	47
PID 2468 wrote to memory of 2028	2468	7zFM.exe	47
PID 2468 wrote to memory of 2028	2468	7zFM.exe	47
PID 2468 wrote to memory of 2028	2468	7zFM.exe	47
PID 2028 wrote to memory of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48
PID 2028 wrote to memory of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48
PID 2028 wrote to memory of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48
PID 2028 wrote to memory of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48
PID 2028 wrote to memory of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48
PID 2028 wrote to memory of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48
PID 2028 wrote to memory of 2452	2028	14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\5a20db58-694a-9617-c311-6ddcd5e6bd97.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/uc?export=download&id=14NftNZZ9EEkXdCTnPhMHKquj8A8RozT2
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:944 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1856
- - C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IT88KKGO\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.tar"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Local\Temp\7zO4A9FC478\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4A9FC478\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2160
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
        5⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
        6⤵
        Creates scheduled task(s)
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\7zO4A9FC478\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
        5⤵
        
        PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\7zO4A973FE8\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4A973FE8\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
        5⤵
        
        PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
        5⤵
        
        PID:1772
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
        6⤵
        Creates scheduled task(s)
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\7zO4A973FE8\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
        5⤵
        
        PID:2736
  - - C:\Users\Admin\AppData\Local\Temp\7zO4A9B9F89\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO4A9B9F89\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe"
      4⤵
      PID:2496
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:1312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\AppData"
        5⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
        5⤵
        
        PID:1700
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppData\AppData.exe'" /f
        6⤵
        Creates scheduled task(s)
        
        PID:1568
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\7zO4A9B9F89\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe" "C:\Users\Admin\AppData\Roaming\AppData\AppData.exe"
        5⤵
        
        PID:1912

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x558
1⤵
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
99ceb25bfff1d12eec412ac0a752ad20

SHA1
2eeb48fcf379fd31c77647dc45466b17e6337620

SHA256
73faeb0de6198e92fb0cc02eb2c271c559210dbfcdb52937b11e527439382c30

SHA512
e85c5c826f4a2b1c714dbaa90efc6d7b2a3ad09a5b7f471a0fe2b4553346ae8cea7a9a33fd8e5fd3870da720fc01f3b8f9cb9d312ceb033ec9bdd2d19a1ffc4d

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
647ea1554e4262fc40b7357aa4d23b75

SHA1
1a20e0aeee48bf1550c25ecb06d07004b69b3b8e

SHA256
d870ab087360032ea42019c416362f234a66f2e7809b627063df8df0f22da23a

SHA512
458f815079e1abdb99ff359054879b74ccea4decfe483b4306bd52c8ca765859aa1775e3005ec72fd42371946eef8a02acebfca11691159ce27b5304381bdd10

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
6a88bb08c68e061ebff3efd9bf69547c

SHA1
b7f0165e21d8923fb0b1fb39524cc5b9ca3baec0

SHA256
8474e7c063b12995e0a16c06aa0839fe90d9cbf8e82259e123d27b8b5655a882

SHA512
3db555d8ca01163ba888d68375564d8bc35540aef296b66e31659ddc4555cbd405429969b7bada186099cea00c79188d0ed2be29792971e60f9fda76fb7dae6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
57d540efa9c8dc949de5608cddf56c78

SHA1
50766728e6d9a6d3a74a0b90544c5ea41692a653

SHA256
9936f15796f39caa45b97c12776fdbc33132ae88b7e79f57ffa8b68ad8b7e9e0

SHA512
73e46471dbaf5bee3dbe8860b33c419e7d513eb47b7e8c70433e98290d85667fc37cab00dc92d6355f7bf103e07907c13db46b4ff37280825ecd08626a86ee11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4a4adb873f61a3106c72a564a26d1101

SHA1
37067dbe897d6ae1f0f37c6f410e2c2ccb95e13f

SHA256
621a613d03e1c23524a1a0ca8d714e3b584a73c8fec2fb90a955fe081c84ae1e

SHA512
6caf91ad4485f1b2693044bc3e5d2787a5b43d02370051a8008f09e79f8dcfd09dea05d56b2afd22926ca4b5216b2351e402e92187e164c2453ddffd93268a7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
507c1f9aae5d3e51c00bbcefb70595be

SHA1
2a094a7e2112cd9f1a65f6c4ba8d68e7286155d1

SHA256
c8be6edf810ca8f3dc31c2a956d0e300b7cc4f1f6eb875c3482463e36a954f37

SHA512
fc0aa053a750217bb998e25f52c2282766d4f6d820ad776ff7a64b8aae76c24e568214ef4d358c99f6af8ce4e4a6c74602129c8e91f3b0b586e818278987f9c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53115173801df1ce742f3ea88b61d9ab

SHA1
7626fc1ca0eaa66e0ba4ddd3d91debd16a8a3dd0

SHA256
7ab346abf03b78af14af15d5c5f80675359443fcc3296f3a20fbb980957acf9c

SHA512
ab3cdf0764e43b04dea45649d8727125472c5dc35f4a437b3a82fa90943bc648ae30124431f453336e842288a63061af771fc5de7cf82821fa3061ad11be55db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f19c3acc47e8f6766e2831d0de1beee9

SHA1
4e95dd03c47c8f66da528ee4e297fae9f76a1b73

SHA256
2c3f3bd465f252f4b62292a60fd8bc1d983df82bd5ce0cb3bcadd9b9d8894354

SHA512
7a7fb302ce6a9ee47fa308ae4781612b5ebce6624a265577de93c0ca9c15786fef33a40585ab91732c9ac017cb0bbac50f287f5ffe345ba000c9bc86f7ba9d5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9a7dd83c67b07d12a26d1220ec18f192

SHA1
4806b5a3ae848baddc850412576517fe27f1f405

SHA256
d9c41b5973ba98f911b830b96fce676adeb96e2b9fde9c70a9b53e79cd6503f4

SHA512
44f114ae352234a6f08669d24980318965045d1f7acdd09443a83b58da09f35f7a6310a4d92ee669d8c0aa9176e9f3743f9ebfbc8b8359df26607b8492c7e032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ec237d438417399f29c6e5bd6727fce

SHA1
899ddad33ab0741d032f58de6128bcab71e000e2

SHA256
2e0bfaa3e8be1e07d841d4a4ba8c0feb63e7772f06bdfea95f9c3c0164972217

SHA512
162412b1ed0baa3cef1dcea5b6871c5305cf701554604f491dfcef3ef9522e891ab89a99da13bce7ce4c0c9fdedefd6d5b5edb9f246546d9d424069c8f48dcf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08b11b9f9b0ae410e9fb37172c929ca3

SHA1
ffd9fbc3f5c896229c1ff58a5206bcf54e82cafd

SHA256
90ce145543176ebb5fe42933d5d72cec42e70f6b05a8c0b7babd36a94a4274fc

SHA512
c329f2f9232b3b97c77e7e53555cfd00fbd2990880b84338320a8fb58d38a81ca48d5a3ba88e7e230d4848c00cd7b5dadf2c637ac07d0df2e0303f181d69e02a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0099a0dda9fc7c8c5ee0db0c404a0729

SHA1
136d76690f6dd273b5025a5ada71123a43c10777

SHA256
287a2f37ecceb1e4e8aff46e674b5efac31534adaa29ec2c1b13ea71de80bfe9

SHA512
839fdf981da6120e58f5ea12a869c7e957a46df374ec9ad36dddcd3a55d32b8e30b30459afa0b893ec3194acc59b18d07724428a526e59f4093e81c37bf8410f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe216f13c95346bbd9079e106419f59f

SHA1
d1acebdf64a9ec6b9d5d895e745fe82c1479430d

SHA256
ff14f38045a29e0917dbbda10558992787e5be78d4efd4b1fab1e934b6fd443e

SHA512
7eee849dd8e504868db53aa3f25e53931ece3ed43d4bfa813082ed1a5dcfbb645f8c4a0369dde3c4f77502be2cc42b798ab0c36ff4c862b934e918098415dea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
4c1a99bcc5217d014af0650c3668a500

SHA1
9ac1e7a820dec3ca3fc19cadd5bc7018bb84dd2e

SHA256
5b0e0949cfc0492c3481a73eaaaa2e64118ed116528aa85ddd5d96a518b74c94

SHA512
a4b85c61acc68e8b0727ec39916f002102f6e3f434a0701cf9ba2a07df028010ef4552e2ed5dd54658a2c005d0e4ad585e852bee5bd2d0ea699ee94b39b630e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XJ0RD6PK\14965156%20REVISAR%20URGENTE%20PAG%20PSE%20APROBADO%20No%20415811343%20FEBRERO%2021%20DEL%202024[1].tar

Filesize
1.7MB

MD5
2ecc3e3e12a98deb84162eb3c1a44dee

SHA1
8bd85325e5bd61de9901bd7c8b9cd7041b7556dc

SHA256
7020e2606238ee1553fe168fda7a44847e437bd85aeb2bdb11e79c1303b044a7

SHA512
9fb8d41c1544e664e69e9517de7c08a8b0d231750ef92c32343bc7c31cbc7b0b10e747c53d6fa8d81856fd65b2b1748207e70790faf6bdca642501d4b3f12a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A973FE8\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Filesize
5.5MB

MD5
7d26044583d3341d7854d0caeb4f93de

SHA1
5e3eb4be98b55f1723aa7f3db385217a8c55c3ac

SHA256
04534713cc9b4bee41defac8c266fc5b8f5b448df176dcc31699d4735d3d4845

SHA512
c0a86c54034def637daacc9dc1ba4f35eadf36a821304a1e60b3b600b45a240f5469b814cac98905e145669f2059929f2db9265b6427240159f5884e934ccc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A973FE8\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Filesize
3.5MB

MD5
5a3a36481d9d16818c8058dff667abd7

SHA1
115448078bcbb8f847f615558e9c8d3f12255cf4

SHA256
f1c38ab4deae8c5f125452e99c7387b27a26bc53904237b76f58d40651c1310b

SHA512
320d84f0f44b0d64f6fc1e67355390e16053d1efe05193b9c9d5978450a7f93b98b8dd965cca7e76a569b43a65f5a1a6146173bc385e5bcd69f3ad3473397921

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A9B9F89\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Filesize
2.8MB

MD5
27b6a1394fb79935057419ba03cf2509

SHA1
fd18db9af57a0d02875f5504ecf25d5845ca8585

SHA256
394dfd8bd060fa22f28fe953e07e6491c41ed9510c6e0cdf79be6a2e08988b7f

SHA512
188fd1ec4692314aaaa91838e416b5ff9b0d321e60fa1c8616a6b662a2bf93bde70f9f0bb50605d5fd54f92d2e73ce9a888dc4b198994aee763be65cdd81765b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A9B9F89\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Filesize
2.0MB

MD5
9657bf00a57d4bb5ee7931b25ef4ebc1

SHA1
e0a2bf57d9136dbbe46ffefb45c2ff148ba2508a

SHA256
6552d95593654b960a12267a9dffb50774917eb6b689e43f1d30955212835900

SHA512
d9910e2b652b2c68dc3be110da22dff40bece91771e6f53c13f0f1b7532cb1ce5a2eddb6ba36f158d880bd6322483eff513c3be3c8479719f52e76715811472e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A9FC478\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Filesize
9.4MB

MD5
fa6cd3040a1d8c74bb1472d87c7118f9

SHA1
293f1c180cd378f2e53a9b77f54f250b2aca2149

SHA256
147777603b838da1cdf72efea910548416897aec3da7056af1a7221a68fd11a0

SHA512
6228663ff1a803b793f3214dbcc3dc4e16e81419989742a6b4d63919b191b3144c982cf7802a70731566ed378076234b472cf2e5087f16a105dc691b9cc4daa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A9FC478\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Filesize
7.2MB

MD5
2b83cae0b34163cdad1098f5f172d6c8

SHA1
90396134d703de1fc762d626fee15532ba25624f

SHA256
4e60a4a1cffc26d7f838083c3814a34702000fab1aa1e500ed97b8a62f1d115d

SHA512
d92fb7a376e30b2982827909a433f9fd6a90f1d5a945f820396684aa1b5ec87cea4f30ec16331106ff5239eac7573d880e93bb9ad27fcb95defd7c1bb1a7d031

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4A9FC478\14965156 REVISAR URGENTE PAG PSE APROBADO No 415811343 FEBRERO 21 DEL 2024.exe

Filesize
5.9MB

MD5
99b57a92482cde1c978805b7d49b5118

SHA1
86b4c7f93eff689ae7e80c41c6e1fba95c50cc51

SHA256
3fd8021b7a2d16b12245463e26708e778b9ebdbfe6ff9e7e9608ceb9ec98fef8

SHA512
9d5364fefbafe70633bcaaa6eed07fb0b98bbfbe87c7e7f104104a77f4a7434a1f2fd910d7e19fa296ecfd94c1c0e32adcd07bcc8e08c5c61ea21b1714741d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8A93.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8BCE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8D183D55-1BB2-4557-A866-A286AD485800}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\AppData.exe

Filesize
3.9MB

MD5
f5194e3fb1f0a78325d8db30b49cfa0f

SHA1
4cf8e5cbb48672d51e40b78a049c36c53da74126

SHA256
651b8200f5214b3ab440ced5bdf44cf3054adfb29b5a3c65f2278424aa481302

SHA512
baadd841a2ed575363618abeb7b097a26d159c4388390e86a0004441bf9971c4301a99307a1e854ec49c37bf392d9123daeb0cfc9b738b13b1636ac20e94cee4

Download Submit
C:\Users\Admin\AppData\Roaming\AppData\AppData.exe

Filesize
2.1MB

MD5
418c979cdaef54e25aff39ef1ff5a32f

SHA1
fc7969b0656bed634efff0376dde6c340e1e800c

SHA256
1017fd27e6c63411f048a6b6414164e473d4893af8de00451a3bb661abad4951

SHA512
e26e0966b050968365735fc31d33c9edb7ff496b543db743978adc2f54ef10f3845ca1a0e7dd43441df48c02993cac891886cf87a4e45d70a99f9bde9e77c7f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1676-162-0x0000000069321000-0x0000000069322000-memory.dmp

Filesize
4KB

Download
memory/1676-193-0x000000007328D000-0x0000000073298000-memory.dmp

Filesize
44KB

Download
memory/1676-1-0x000000007328D000-0x0000000073298000-memory.dmp

Filesize
44KB

Download
memory/1676-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2028-749-0x0000000064400000-0x0000000064AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-748-0x0000000000AA0000-0x0000000000B64000-memory.dmp

Filesize
784KB

Download
memory/2028-782-0x0000000064400000-0x0000000064AEE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-750-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2160-714-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-697-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-709-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-711-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-712-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-713-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-701-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-716-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-715-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-689-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-728-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-729-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-699-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-690-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-695-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-706-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-708-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-703-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2160-704-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-693-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-691-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-778-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2160-779-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2224-631-0x00000000013C0000-0x0000000001484000-memory.dmp

Filesize
784KB

Download
memory/2224-642-0x0000000001360000-0x00000000013A0000-memory.dmp

Filesize
256KB

Download
memory/2224-640-0x0000000064AF0000-0x00000000651DE000-memory.dmp

Filesize
6.9MB

Download
memory/2224-725-0x0000000064AF0000-0x00000000651DE000-memory.dmp

Filesize
6.9MB

Download
memory/2452-767-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2452-773-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2496-806-0x0000000000670000-0x00000000006B0000-memory.dmp

Filesize
256KB

Download
memory/2496-804-0x0000000000F10000-0x0000000000FD4000-memory.dmp

Filesize
784KB

Download
memory/2496-828-0x0000000064AF0000-0x00000000651DE000-memory.dmp

Filesize
6.9MB

Download
memory/2496-803-0x0000000064AF0000-0x00000000651DE000-memory.dmp

Filesize
6.9MB

Download