agenttesla | 51e3e221774cbf9c557325fdf05fae962db239979cf28694c83170b1c9963c6a

Resubmissions

21-05-2024 10:56

240521-m1yrsaah95 10

17-05-2024 09:33

240517-lh8nlabg6x 10

17-05-2024 09:25

240517-ldlchabh35 10

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
Size

1.1MB
MD5

ab8be64fd575f219a2ff48c82eeebf81
SHA1

af39348f99e58dc93a79fdb66e51f73f135a4a4b
SHA256

51e3e221774cbf9c557325fdf05fae962db239979cf28694c83170b1c9963c6a
SHA512

4c014e1578bf1b1f9f294c204f0717f80ed8ed798ed5551cae389bdc943ded559936069f2d0cf3cc6fdf501c3a84309773463a06bc7995682068f7d1ecaf8a42
SSDEEP

24576:b6G5oq6WlY5EQJbBCt598PkfzGwWPEXyqc:bPQrJChIP1q

Score

10^/10

agenttesla remcos remotehost microsoft collection keylogger persistence phishing rat spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
[email protected]
Password:
IDMzp2Gy8uh9

Extracted

Family

remcos

Botnet

RemoteHost

timeisnow.duckdns.org:4343

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-6P097R
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
5
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.zoho.com
Port:
587
Username:
[email protected]
Password:
IDMzp2Gy8uh9
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3032-51-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/3032-41-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral2/memory/3032-36-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/2340-26-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2340-29-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/2340-64-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2340-26-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/1800-42-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3032-51-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1800-60-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3032-41-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1800-40-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3032-36-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/2340-29-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2340-64-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

Executes dropped EXE 1 IoCs

Processes:

FxFile.exe

pid process

3424 FxFile.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3424	FxFile.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exeFxFile.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nbksvykc = "C:\\Users\\Public\\Nbksvykc.url"	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zedfile = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zedfile\\zedfile.exe"	FxFile.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

53 api.ipify.org
54 ip-api.com
52 api.ipify.org
Detected potential entity reuse from brand microsoft.
phishing microsoft

flow	ioc
53	api.ipify.org
54	ip-api.com
52	api.ipify.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

description	pid	process	target process
PID 2456 set thread context of 2340	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 set thread context of 4212	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 set thread context of 3032	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 set thread context of 1800	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	30	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	32	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exeSecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exeFxFile.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2340	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
2340	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
1800	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
1800	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
3424	FxFile.exe
3424	FxFile.exe
2340	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
2340	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
2296	msedge.exe
2296	msedge.exe
3660	msedge.exe
3660	msedge.exe
2576	identity_helper.exe
2576	identity_helper.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe
5684	msedge.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

pid	process
2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exeFxFile.exe

description pid process

Token: SeDebugPrivilege 1800 SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
Token: SeDebugPrivilege 3424 FxFile.exe

description	pid	process
Token: SeDebugPrivilege	1800	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
Token: SeDebugPrivilege	3424	FxFile.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exeFxFile.exe

pid process

2456 SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
3424 FxFile.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exeSecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exemsedge.exe

description	pid	process	target process
PID 2456 wrote to memory of 1108	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	extrac32.exe
PID 2456 wrote to memory of 1108	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	extrac32.exe
PID 2456 wrote to memory of 1108	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	extrac32.exe
PID 2456 wrote to memory of 2340	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 2340	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 2340	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 4212	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 4212	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 4212	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 3032	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 3032	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 3032	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 4212	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 1800	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 1800	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 1800	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
PID 2456 wrote to memory of 3424	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	FxFile.exe
PID 2456 wrote to memory of 3424	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	FxFile.exe
PID 2456 wrote to memory of 3424	2456	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	FxFile.exe
PID 4212 wrote to memory of 3660	4212	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	msedge.exe
PID 4212 wrote to memory of 3660	4212	SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe	msedge.exe
PID 3660 wrote to memory of 2816	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 2816	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 3496	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 2296	3660	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\SysWOW64\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe C:\\Users\\Public\\Libraries\\Nbksvykc.PIF
  2⤵
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0xdc,0x7ffe311046f8,0x7ffe31104708,0x7ffe31104718
      4⤵
      PID:2816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:3496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
      4⤵
      PID:4716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:3548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      4⤵
      PID:2688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
      4⤵
      PID:1456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      4⤵
      PID:3636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
      4⤵
      PID:5112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      4⤵
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
      4⤵
      PID:5240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
      4⤵
      PID:5664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
      4⤵
      PID:5748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,6368573323387792828,11368917709514308681,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x74,0x108,0x7ffe311046f8,0x7ffe31104708,0x7ffe31104718
      4⤵
      PID:5600
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe /stext "C:\Users\Admin\AppData\Local\Temp\dbokrmrbxbpgdtcrjizvxzvyceftjymrom"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe /stext "C:\Users\Admin\AppData\Local\Temp\fdbusfc"
  2⤵
  - Accesses Microsoft Outlook accounts
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe
  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader46.63573.25866.32524.exe /stext "C:\Users\Admin\AppData\Local\Temp\qxhnsxnwzr"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Users\Admin\AppData\Roaming\FxFile.exe
  "C:\Users\Admin\AppData\Roaming\FxFile.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
81aeca4bee13a861fdb875352a06adbe

SHA1
c72c76a6f60fc66ebc2c9eae35f05181fafd2df6

SHA256
81b07318b92f361ab218d267e08f8ff1c75e24d6a0978c6d754cead68b7793e7

SHA512
127c5751747f32aca8bb544f84dfaf49cb76f57a4bd876d8cd5b7d41661ebd8fc7390d829bd0163f9042da085cd30a511a71bbdf300ce33c7ebe4493d8979899

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
d5c428734a0f5f7c159da0d5772ed58d

SHA1
571ecdce5e3a6ac5f2d7ec74c5f8b3c0d7fc3e5f

SHA256
0b155b1c63e71a01d3b519901ae365f93b62242489a7281991e794f03a4b4958

SHA512
7ea42198b6578f89bbad1debe0c83e946ca4544c484e88155f3d0ee8dc112a80798e8d7f9f8a17f8c96db73136a2309a08f1aff5520270284aefee09853461eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c4016e3bc5787b6673a7df361030bc8e

SHA1
387869d5125711adabc637ae599d267ff6cb9a00

SHA256
856393bd4682874872a6fa3e8199da7bfa702321535ef33fbd5c84bd9f7683c5

SHA512
62b9e020bd6dd68a328caf8f0a0e38aca12a811a8e9386523c46900dc86eeb3edc07fb681aa29f5816df0a2048adda05bd5878b8b743cca29ed38978490ed22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
764b97f5547b2e7d074b8294592ebdf2

SHA1
6677fa6bdcf3a977379e2f3246d9e64b977665fb

SHA256
19cf16d6c2fae3e9a0df6536c493489c3b8cf222154edcb7407aa1631160ad56

SHA512
2363aa6bbff83d24d64b3595a484807fae4555554b6d34bb7bbd2a4b133494e57b994b13d212d1a131f3ea4cb3a3c2942519f0b806a994fa3822a197bc7a0930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4612e3307449ad83f735e93861efb592

SHA1
75063e4938e5e196f4eca95f40fad1baf71ee500

SHA256
5d30e472a8e46a2f67aead2b6f0cff2751242482327d81bbd714fe38ea468693

SHA512
457d2cf141990bc345fd5ef798c6f0f9705cfbfea6c8e798608e8330435f06c7e1ca25ffa9f46e8d3a98de99a1231adabafbeb089ecf6948c19651fd039cdf07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
4bfc63cb4d24db88fb298725f7c041f9

SHA1
9e83ed186ac73f8b5bab52aa2bda65f4c64157b5

SHA256
0e8aa225d2307192285fbaebb6202c1d22aef0e66406f5357136f9926a2828b3

SHA512
0d3127a944fe6f6d9006b87b0e589699dc174ebb154ae33744eb6876902b2d744e40ea2783bfc1b04e95cef07798b777216c5cd8a5165b691230155d7252c115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d522.TMP

Filesize
369B

MD5
fbca67389e667a0f67eca8ea33f5c689

SHA1
2f17e9fbebbc76c74ce692ac771b41daff7548a5

SHA256
68497f6df680e15aa8a641d6bda005d35657cae64ee8c3016421a798f3c0f173

SHA512
ce82b8244e099269c4513d6548e75ba9b42bb1f31303ad2f1997325921fb7a5d0cba50cdd6b08ca67e631907908ec3f888d2a75d7540dbf88e64d32aff216461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
85327fc22d4a6956edc5198921b1b42c

SHA1
b32b8b0c2c27eab8a80e8263de4f71951d708535

SHA256
fcf15ed5e1b11c4aeabd258c9268407272704d1d59af8fdce2f42570b47b2853

SHA512
841e74b190cfe34a7ac2101c54ee4437943c4fa5d40b4db1acb57b4d83a48f23cff7215ac2698fc569de14a66b4a0502ffc28dd3894f1cdabd60b741856a49fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dbokrmrbxbpgdtcrjizvxzvyceftjymrom

Filesize
4KB

MD5
788d7419b32411807cc6753cbbccecbe

SHA1
761b99a1e5bc168f525181d78cff3f6ed82daa14

SHA256
76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b

SHA512
3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

Download Submit
C:\Users\Admin\AppData\Roaming\FxFile.exe

Filesize
246KB

MD5
bfb8a979efec55c75d1530702239d741

SHA1
03d5f2fba57dd1b1507a16221aaf003fa0d548d4

SHA256
ba7541211cc1c286dcdd1dfce89c9ed1827544bffcba2263270e461a45b00b2c

SHA512
591d7955eef3fd0e0d6642f531c6afa54df50a051b3cf232d225c69d9f1d4fce786e269da1a627a9e1a0b913a6c9579cba4be77f18b54241185d6e9d03954c75

Download Submit
\??\pipe\LOCAL\crashpad_3660_ZUZNTQKZOBHEAWXU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1800-37-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-42-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-56-0x0000000000430000-0x00000000004F9000-memory.dmp

Filesize
804KB

Download
memory/1800-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-39-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1800-40-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2340-26-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-22-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-25-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-64-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2340-29-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2456-141-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-100-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2456-315-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-314-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-302-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-301-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-1-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-55-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-38-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-268-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-267-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-70-0x000000003FE70000-0x000000003FE89000-memory.dmp

Filesize
100KB

Download
memory/2456-69-0x000000003FE70000-0x000000003FE89000-memory.dmp

Filesize
100KB

Download
memory/2456-66-0x000000003FE70000-0x000000003FE89000-memory.dmp

Filesize
100KB

Download
memory/2456-71-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-241-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-242-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-7-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-21-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-20-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-18-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-10-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-16-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-11-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-12-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-140-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-0-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2456-15-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-14-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/2456-13-0x0000000027970000-0x0000000028970000-memory.dmp

Filesize
16.0MB

Download
memory/3032-36-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3032-30-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3032-51-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3032-32-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3032-41-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3424-136-0x0000000006610000-0x00000000066A2000-memory.dmp

Filesize
584KB

Download
memory/3424-57-0x0000000000340000-0x0000000000384000-memory.dmp

Filesize
272KB

Download
memory/3424-76-0x0000000006570000-0x000000000660C000-memory.dmp

Filesize
624KB

Download
memory/3424-75-0x0000000006480000-0x00000000064D0000-memory.dmp

Filesize
320KB

Download
memory/3424-137-0x0000000006540000-0x000000000654A000-memory.dmp

Filesize
40KB

Download
memory/3424-58-0x0000000005190000-0x0000000005734000-memory.dmp

Filesize
5.6MB

Download
memory/3424-61-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download
memory/4212-27-0x0000000000520000-0x0000000000564000-memory.dmp

Filesize
272KB

Download