remcos | d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 02:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe
Size

856KB
MD5

9f806e799d1c4aae3627764bf6db8bb3
SHA1

92fb5b94a46b85a8bf14bc81aa4914418c62548f
SHA256

d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb
SHA512

1e258054a6ab7aadf592f9aabca01a4ed55993fffb9c1307272dc84b1a34119f9affae9c6bc2ca5467bce1264a854c152a339c5ed44b3810c9e286d2956829fb
SSDEEP

24576:1iUmSB/o5d1ubcvVDkkUXk/0+xr+djarbs2rX:1/mU/ohubcvVDkkUXk/Xd

Score

10^/10

remcos ptr2 discovery rat upx

Malware Config

Extracted

Family

remcos

Botnet

ptr2

75.127.7.188:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
hp
mouse_option
false
mutex
Rmc-IWQMC5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

Executes dropped EXE 1 IoCs

pid	Process
3052	name.exe

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-0-0x0000000000FE0000-0x00000000011B8000-memory.dmp	upx
behavioral2/files/0x000700000002340d-14.dat	upx
behavioral2/memory/3052-15-0x0000000000820000-0x00000000009F8000-memory.dmp	upx
behavioral2/memory/3172-18-0x0000000000FE0000-0x00000000011B8000-memory.dmp	upx
behavioral2/memory/4312-41-0x0000000000800000-0x00000000009D8000-memory.dmp	upx
behavioral2/memory/4312-43-0x0000000000800000-0x00000000009D8000-memory.dmp	upx
behavioral2/memory/4312-45-0x0000000000800000-0x00000000009D8000-memory.dmp	upx
behavioral2/memory/4312-44-0x0000000000800000-0x00000000009D8000-memory.dmp	upx
behavioral2/memory/4312-46-0x0000000000800000-0x00000000009D8000-memory.dmp	upx
behavioral2/memory/2016-47-0x0000000000600000-0x00000000007D8000-memory.dmp	upx
behavioral2/memory/2016-49-0x0000000000600000-0x00000000007D8000-memory.dmp	upx
behavioral2/memory/2016-51-0x0000000000600000-0x00000000007D8000-memory.dmp	upx
behavioral2/memory/2016-50-0x0000000000600000-0x00000000007D8000-memory.dmp	upx
behavioral2/memory/1092-52-0x0000000001290000-0x0000000001468000-memory.dmp	upx
behavioral2/memory/1092-54-0x0000000001290000-0x0000000001468000-memory.dmp	upx
behavioral2/memory/1092-53-0x0000000001290000-0x0000000001468000-memory.dmp	upx
behavioral2/memory/5092-56-0x0000000000400000-0x00000000005D8000-memory.dmp	upx
behavioral2/memory/5092-58-0x0000000000400000-0x00000000005D8000-memory.dmp	upx
behavioral2/memory/5092-57-0x0000000000400000-0x00000000005D8000-memory.dmp	upx
behavioral2/memory/4332-59-0x0000000000CF0000-0x0000000000EC8000-memory.dmp	upx
behavioral2/memory/4332-60-0x0000000000CF0000-0x0000000000EC8000-memory.dmp	upx
behavioral2/memory/4332-61-0x0000000000CF0000-0x0000000000EC8000-memory.dmp	upx
behavioral2/memory/3052-62-0x0000000000820000-0x00000000009F8000-memory.dmp	upx
behavioral2/memory/4292-64-0x0000000000C70000-0x0000000000E48000-memory.dmp	upx
behavioral2/memory/4292-66-0x0000000000C70000-0x0000000000E48000-memory.dmp	upx
behavioral2/memory/4292-65-0x0000000000C70000-0x0000000000E48000-memory.dmp	upx
behavioral2/memory/2580-70-0x0000000000610000-0x00000000007E8000-memory.dmp	upx
behavioral2/memory/2580-72-0x0000000000610000-0x00000000007E8000-memory.dmp	upx
behavioral2/memory/2580-71-0x0000000000610000-0x00000000007E8000-memory.dmp	upx
behavioral2/memory/4492-77-0x0000000000F00000-0x00000000010D8000-memory.dmp	upx
behavioral2/memory/4492-79-0x0000000000F00000-0x00000000010D8000-memory.dmp	upx
behavioral2/memory/4492-78-0x0000000000F00000-0x00000000010D8000-memory.dmp	upx
behavioral2/memory/3920-82-0x0000000000500000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3920-84-0x0000000000500000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/3920-83-0x0000000000500000-0x00000000006D8000-memory.dmp	upx
behavioral2/memory/2188-88-0x00000000004D0000-0x00000000006A8000-memory.dmp	upx
behavioral2/memory/2188-89-0x00000000004D0000-0x00000000006A8000-memory.dmp	upx
behavioral2/memory/2188-90-0x00000000004D0000-0x00000000006A8000-memory.dmp	upx
behavioral2/memory/4160-92-0x0000000001000000-0x00000000011D8000-memory.dmp	upx
behavioral2/memory/4160-91-0x0000000001000000-0x00000000011D8000-memory.dmp	upx
behavioral2/memory/4160-93-0x0000000001000000-0x00000000011D8000-memory.dmp	upx
behavioral2/memory/2776-98-0x0000000001200000-0x00000000013D8000-memory.dmp	upx
behavioral2/memory/2776-99-0x0000000001200000-0x00000000013D8000-memory.dmp	upx
behavioral2/memory/2776-100-0x0000000001200000-0x00000000013D8000-memory.dmp	upx

AutoIT Executable 17 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3172-18-0x0000000000FE0000-0x00000000011B8000-memory.dmp	autoit_exe
behavioral2/memory/4312-45-0x0000000000800000-0x00000000009D8000-memory.dmp	autoit_exe
behavioral2/memory/4312-44-0x0000000000800000-0x00000000009D8000-memory.dmp	autoit_exe
behavioral2/memory/4312-46-0x0000000000800000-0x00000000009D8000-memory.dmp	autoit_exe
behavioral2/memory/2016-51-0x0000000000600000-0x00000000007D8000-memory.dmp	autoit_exe
behavioral2/memory/2016-50-0x0000000000600000-0x00000000007D8000-memory.dmp	autoit_exe
behavioral2/memory/1092-54-0x0000000001290000-0x0000000001468000-memory.dmp	autoit_exe
behavioral2/memory/5092-58-0x0000000000400000-0x00000000005D8000-memory.dmp	autoit_exe
behavioral2/memory/4332-61-0x0000000000CF0000-0x0000000000EC8000-memory.dmp	autoit_exe
behavioral2/memory/3052-62-0x0000000000820000-0x00000000009F8000-memory.dmp	autoit_exe
behavioral2/memory/4292-66-0x0000000000C70000-0x0000000000E48000-memory.dmp	autoit_exe
behavioral2/memory/2580-72-0x0000000000610000-0x00000000007E8000-memory.dmp	autoit_exe
behavioral2/memory/4492-79-0x0000000000F00000-0x00000000010D8000-memory.dmp	autoit_exe
behavioral2/memory/3920-84-0x0000000000500000-0x00000000006D8000-memory.dmp	autoit_exe
behavioral2/memory/2188-90-0x00000000004D0000-0x00000000006A8000-memory.dmp	autoit_exe
behavioral2/memory/4160-93-0x0000000001000000-0x00000000011D8000-memory.dmp	autoit_exe
behavioral2/memory/2776-100-0x0000000001200000-0x00000000013D8000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3052 set thread context of 4312	3052	name.exe	87
PID 3052 set thread context of 2016	3052	name.exe	91
PID 3052 set thread context of 1092	3052	name.exe	94
PID 3052 set thread context of 5092	3052	name.exe	97
PID 3052 set thread context of 4332	3052	name.exe	100
PID 3052 set thread context of 4292	3052	name.exe	103
PID 3052 set thread context of 3756	3052	name.exe	106
PID 3052 set thread context of 2580	3052	name.exe	109
PID 3052 set thread context of 4076	3052	name.exe	112
PID 3052 set thread context of 4492	3052	name.exe	115
PID 3052 set thread context of 3920	3052	name.exe	118
PID 3052 set thread context of 2188	3052	name.exe	121
PID 3052 set thread context of 4160	3052	name.exe	124
PID 3052 set thread context of 3860	3052	name.exe	127
PID 3052 set thread context of 2776	3052	name.exe	132
PID 3052 set thread context of 4108	3052	name.exe	135
PID 3052 set thread context of 1876	3052	name.exe	138
PID 3052 set thread context of 2304	3052	name.exe	141
PID 3052 set thread context of 3596	3052	name.exe	145
PID 3052 set thread context of 4452	3052	name.exe	148
PID 3052 set thread context of 3624	3052	name.exe	151
PID 3052 set thread context of 4228	3052	name.exe	154
PID 3052 set thread context of 1820	3052	name.exe	157
PID 3052 set thread context of 2384	3052	name.exe	160
PID 3052 set thread context of 5072	3052	name.exe	163
PID 3052 set thread context of 1704	3052	name.exe	166
PID 3052 set thread context of 3088	3052	name.exe	169
PID 3052 set thread context of 3084	3052	name.exe	172
PID 3052 set thread context of 3696	3052	name.exe	175
PID 3052 set thread context of 4828	3052	name.exe	178
PID 3052 set thread context of 4752	3052	name.exe	181
PID 3052 set thread context of 4028	3052	name.exe	184
PID 3052 set thread context of 4668	3052	name.exe	187
PID 3052 set thread context of 4700	3052	name.exe	190
PID 3052 set thread context of 2508	3052	name.exe	193
PID 3052 set thread context of 644	3052	name.exe	196
PID 3052 set thread context of 1504	3052	name.exe	199
PID 3052 set thread context of 1672	3052	name.exe	202
PID 3052 set thread context of 2792	3052	name.exe	205
PID 3052 set thread context of 2328	3052	name.exe	208
PID 3052 set thread context of 4544	3052	name.exe	211
PID 3052 set thread context of 5084	3052	name.exe	214
PID 3052 set thread context of 1916	3052	name.exe	217
PID 3052 set thread context of 1988	3052	name.exe	220
PID 3052 set thread context of 60	3052	name.exe	223
PID 3052 set thread context of 4036	3052	name.exe	226
PID 3052 set thread context of 3572	3052	name.exe	229
PID 3052 set thread context of 4720	3052	name.exe	232
PID 3052 set thread context of 3692	3052	name.exe	235
PID 3052 set thread context of 4876	3052	name.exe	238
PID 3052 set thread context of 2136	3052	name.exe	241
PID 3052 set thread context of 1584	3052	name.exe	244
PID 3052 set thread context of 4976	3052	name.exe	247
PID 3052 set thread context of 3268	3052	name.exe	250
PID 3052 set thread context of 1516	3052	name.exe	253
PID 3052 set thread context of 3440	3052	name.exe	256
PID 3052 set thread context of 4168	3052	name.exe	259
PID 3052 set thread context of 1528	3052	name.exe	262
PID 3052 set thread context of 4900	3052	name.exe	265
PID 3052 set thread context of 2080	3052	name.exe	268
PID 3052 set thread context of 1868	3052	name.exe	271
PID 3052 set thread context of 3352	3052	name.exe	274
PID 3052 set thread context of 2696	3052	name.exe	277
PID 3052 set thread context of 2396	3052	name.exe	280

Program crash 64 IoCs

pid	pid_target	Process	procid_target
4468	4312	WerFault.exe	87
3228	2016	WerFault.exe	91
4720	1092	WerFault.exe	94
316	5092	WerFault.exe	97
2524	4332	WerFault.exe	100
5104	4292	WerFault.exe	103
1504	3756	WerFault.exe	106
2980	2580	WerFault.exe	109
4836	4076	WerFault.exe	112
2644	4492	WerFault.exe	115
2104	3920	WerFault.exe	118
3796	2188	WerFault.exe	121
836	4160	WerFault.exe	124
2080	3860	WerFault.exe	127
4832	2776	WerFault.exe	132
4044	4108	WerFault.exe	135
1424	1876	WerFault.exe	138
3692	2304	WerFault.exe	141
5024	3596	WerFault.exe	145
2872	4452	WerFault.exe	148
3244	3624	WerFault.exe	151
3728	4228	WerFault.exe	154
4412	1820	WerFault.exe	157
4200	2384	WerFault.exe	160
1448	5072	WerFault.exe	163
212	1704	WerFault.exe	166
1564	3088	WerFault.exe	169
4660	3084	WerFault.exe	172
180	3696	WerFault.exe	175
1420	4828	WerFault.exe	178
1920	4752	WerFault.exe	181
3760	4028	WerFault.exe	184
728	4668	WerFault.exe	187
428	4700	WerFault.exe	190
2068	2508	WerFault.exe	193
1028	644	WerFault.exe	196
1724	1504	WerFault.exe	199
2584	1672	WerFault.exe	202
3004	2792	WerFault.exe	205
4200	2328	WerFault.exe	208
1448	4544	WerFault.exe	211
212	5084	WerFault.exe	214
2436	1916	WerFault.exe	217
3228	1988	WerFault.exe	220
2224	60	WerFault.exe	223
2368	4036	WerFault.exe	226
3540	3572	WerFault.exe	229
4656	4720	WerFault.exe	232
2904	3692	WerFault.exe	235
3260	4876	WerFault.exe	238
2428	2136	WerFault.exe	241
2364	1584	WerFault.exe	244
2840	4976	WerFault.exe	247
2756	3268	WerFault.exe	250
956	1516	WerFault.exe	253
4412	3440	WerFault.exe	256
4888	4168	WerFault.exe	259
1448	1528	WerFault.exe	262
2000	4900	WerFault.exe	265
952	2080	WerFault.exe	268
180	1868	WerFault.exe	271
1864	3352	WerFault.exe	274
3568	2696	WerFault.exe	277
3576	2396	WerFault.exe	280

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	name.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe
3052	name.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 3052	3172	d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe	86
PID 3172 wrote to memory of 3052	3172	d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe	86
PID 3172 wrote to memory of 3052	3172	d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe	86
PID 3052 wrote to memory of 4312	3052	name.exe	87
PID 3052 wrote to memory of 4312	3052	name.exe	87
PID 3052 wrote to memory of 4312	3052	name.exe	87
PID 3052 wrote to memory of 4312	3052	name.exe	87
PID 3052 wrote to memory of 2016	3052	name.exe	91
PID 3052 wrote to memory of 2016	3052	name.exe	91
PID 3052 wrote to memory of 2016	3052	name.exe	91
PID 3052 wrote to memory of 2016	3052	name.exe	91
PID 3052 wrote to memory of 1092	3052	name.exe	94
PID 3052 wrote to memory of 1092	3052	name.exe	94
PID 3052 wrote to memory of 1092	3052	name.exe	94
PID 3052 wrote to memory of 1092	3052	name.exe	94
PID 3052 wrote to memory of 5092	3052	name.exe	97
PID 3052 wrote to memory of 5092	3052	name.exe	97
PID 3052 wrote to memory of 5092	3052	name.exe	97
PID 3052 wrote to memory of 5092	3052	name.exe	97
PID 3052 wrote to memory of 4332	3052	name.exe	100
PID 3052 wrote to memory of 4332	3052	name.exe	100
PID 3052 wrote to memory of 4332	3052	name.exe	100
PID 3052 wrote to memory of 4332	3052	name.exe	100
PID 3052 wrote to memory of 4292	3052	name.exe	103
PID 3052 wrote to memory of 4292	3052	name.exe	103
PID 3052 wrote to memory of 4292	3052	name.exe	103
PID 3052 wrote to memory of 4292	3052	name.exe	103
PID 3052 wrote to memory of 3756	3052	name.exe	106
PID 3052 wrote to memory of 3756	3052	name.exe	106
PID 3052 wrote to memory of 3756	3052	name.exe	106
PID 3052 wrote to memory of 3756	3052	name.exe	106
PID 3052 wrote to memory of 2580	3052	name.exe	109
PID 3052 wrote to memory of 2580	3052	name.exe	109
PID 3052 wrote to memory of 2580	3052	name.exe	109
PID 3052 wrote to memory of 2580	3052	name.exe	109
PID 3052 wrote to memory of 4076	3052	name.exe	112
PID 3052 wrote to memory of 4076	3052	name.exe	112
PID 3052 wrote to memory of 4076	3052	name.exe	112
PID 3052 wrote to memory of 4076	3052	name.exe	112
PID 3052 wrote to memory of 4492	3052	name.exe	115
PID 3052 wrote to memory of 4492	3052	name.exe	115
PID 3052 wrote to memory of 4492	3052	name.exe	115
PID 3052 wrote to memory of 4492	3052	name.exe	115
PID 3052 wrote to memory of 3920	3052	name.exe	118
PID 3052 wrote to memory of 3920	3052	name.exe	118
PID 3052 wrote to memory of 3920	3052	name.exe	118
PID 3052 wrote to memory of 3920	3052	name.exe	118
PID 3052 wrote to memory of 2188	3052	name.exe	121
PID 3052 wrote to memory of 2188	3052	name.exe	121
PID 3052 wrote to memory of 2188	3052	name.exe	121
PID 3052 wrote to memory of 2188	3052	name.exe	121
PID 3052 wrote to memory of 4160	3052	name.exe	124
PID 3052 wrote to memory of 4160	3052	name.exe	124
PID 3052 wrote to memory of 4160	3052	name.exe	124
PID 3052 wrote to memory of 4160	3052	name.exe	124
PID 3052 wrote to memory of 3860	3052	name.exe	127
PID 3052 wrote to memory of 3860	3052	name.exe	127
PID 3052 wrote to memory of 3860	3052	name.exe	127
PID 3052 wrote to memory of 3860	3052	name.exe	127
PID 3052 wrote to memory of 2776	3052	name.exe	132
PID 3052 wrote to memory of 2776	3052	name.exe	132
PID 3052 wrote to memory of 2776	3052	name.exe	132
PID 3052 wrote to memory of 2776	3052	name.exe	132
PID 3052 wrote to memory of 4108	3052	name.exe	135

C:\Users\Admin\AppData\Local\Temp\d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe
"C:\Users\Admin\AppData\Local\Temp\d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\directory\name.exe
  "C:\Users\Admin\AppData\Local\Temp\d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 580
      4⤵
      Program crash
      PID:4468
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 560
      4⤵
      Program crash
      PID:3228
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 560
      4⤵
      Program crash
      PID:4720
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 560
      4⤵
      Program crash
      PID:316
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 572
      4⤵
      Program crash
      PID:2524
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 560
      4⤵
      Program crash
      PID:5104
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 560
      4⤵
      Program crash
      PID:1504
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 560
      4⤵
      Program crash
      PID:2980
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 560
      4⤵
      Program crash
      PID:4836
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 564
      4⤵
      Program crash
      PID:2644
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 560
      4⤵
      Program crash
      PID:2104
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 560
      4⤵
      Program crash
      PID:3796
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4160 -s 560
      4⤵
      Program crash
      PID:836
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 568
      4⤵
      Program crash
      PID:2080
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 560
      4⤵
      Program crash
      PID:4832
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 560
      4⤵
      Program crash
      PID:4044
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 572
      4⤵
      Program crash
      PID:1424
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2304
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 560
      4⤵
      Program crash
      PID:3692
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3596
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 572
      4⤵
      Program crash
      PID:5024
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 564
      4⤵
      Program crash
      PID:2872
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3624
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 568
      4⤵
      Program crash
      PID:3244
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 560
      4⤵
      Program crash
      PID:3728
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 560
      4⤵
      Program crash
      PID:4412
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 560
      4⤵
      Program crash
      PID:4200
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:5072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 560
      4⤵
      Program crash
      PID:1448
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 568
      4⤵
      Program crash
      PID:212
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 580
      4⤵
      Program crash
      PID:1564
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 576
      4⤵
      Program crash
      PID:4660
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:3696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 576
      4⤵
      Program crash
      PID:180
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 564
      4⤵
      Program crash
      PID:1420
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 564
      4⤵
      Program crash
      PID:1920
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 560
      4⤵
      Program crash
      PID:3760
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 568
      4⤵
      Program crash
      PID:728
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 560
      4⤵
      Program crash
      PID:428
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 576
      4⤵
      Program crash
      PID:2068
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 576
      4⤵
      Program crash
      PID:1028
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 564
      4⤵
      Program crash
      PID:1724
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 208
      4⤵
      Program crash
      PID:2584
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 564
      4⤵
      Program crash
      PID:3004
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 560
      4⤵
      Program crash
      PID:4200
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 208
      4⤵
      Program crash
      PID:1448
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 568
      4⤵
      Program crash
      PID:212
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 564
      4⤵
      Program crash
      PID:2436
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 560
      4⤵
      Program crash
      PID:3228
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 60 -s 560
      4⤵
      Program crash
      PID:2224
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 192
      4⤵
      Program crash
      PID:2368
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 560
      4⤵
      Program crash
      PID:3540
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4720
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 568
      4⤵
      Program crash
      PID:4656
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 560
      4⤵
      Program crash
      PID:2904
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 568
      4⤵
      Program crash
      PID:3260
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 560
      4⤵
      Program crash
      PID:2428
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1584
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 560
      4⤵
      Program crash
      PID:2364
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 572
      4⤵
      Program crash
      PID:2840
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 560
      4⤵
      Program crash
      PID:2756
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 564
      4⤵
      Program crash
      PID:956
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 208
      4⤵
      Program crash
      PID:4412
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 572
      4⤵
      Program crash
      PID:4888
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 564
      4⤵
      Program crash
      PID:1448
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 576
      4⤵
      Program crash
      PID:2000
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 576
      4⤵
      Program crash
      PID:952
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 560
      4⤵
      Program crash
      PID:180
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 592
      4⤵
      Program crash
      PID:1864
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2696
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 560
      4⤵
      Program crash
      PID:3568
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 572
      4⤵
      Program crash
      PID:3576
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 572
      4⤵
      PID:728
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 568
      4⤵
      PID:2804
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 564
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1120
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 572
      4⤵
      PID:2004
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 564 -s 192
      4⤵
      PID:668
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 572
      4⤵
      PID:432
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 572
      4⤵
      PID:4612
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:2228
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 568
      4⤵
      PID:4432
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 580
      4⤵
      PID:1012
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2176
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 572
      4⤵
      PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4312 -ip 4312
1⤵
PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2016 -ip 2016
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1092 -ip 1092
1⤵
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5092 -ip 5092
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4332 -ip 4332
1⤵
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4292 -ip 4292
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3756 -ip 3756
1⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2580 -ip 2580
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4076 -ip 4076
1⤵
PID:1124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4492 -ip 4492
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3920 -ip 3920
1⤵
PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2188 -ip 2188
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4160 -ip 4160
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3860 -ip 3860
1⤵
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2776 -ip 2776
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4108 -ip 4108
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1876 -ip 1876
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2304 -ip 2304
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3596 -ip 3596
1⤵
PID:5004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4452 -ip 4452
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3624 -ip 3624
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4228 -ip 4228
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1820 -ip 1820
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2384 -ip 2384
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5072 -ip 5072
1⤵
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1704 -ip 1704
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3088 -ip 3088
1⤵
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3084 -ip 3084
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3696 -ip 3696
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4828 -ip 4828
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4752 -ip 4752
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4028 -ip 4028
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4668 -ip 4668
1⤵
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 4700 -ip 4700
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 2508 -ip 2508
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 644 -ip 644
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1504 -ip 1504
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1672 -ip 1672
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 2792 -ip 2792
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 2328 -ip 2328
1⤵
PID:4436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 4544 -ip 4544
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 5084 -ip 5084
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1916 -ip 1916
1⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 1988 -ip 1988
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 60 -ip 60
1⤵
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 4036 -ip 4036
1⤵
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 3572 -ip 3572
1⤵
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 4720 -ip 4720
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 3692 -ip 3692
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 4876 -ip 4876
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 2136 -ip 2136
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 1584 -ip 1584
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 4976 -ip 4976
1⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3268 -ip 3268
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 1516 -ip 1516
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 3440 -ip 3440
1⤵
PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4168 -ip 4168
1⤵
PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1528 -ip 1528
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4900 -ip 4900
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2080 -ip 2080
1⤵
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 1868 -ip 1868
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3352 -ip 3352
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 2696 -ip 2696
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 2396 -ip 2396
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4552 -ip 4552
1⤵
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 2844 -ip 2844
1⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2912 -ip 2912
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 1120 -ip 1120
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 564 -ip 564
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2088 -ip 2088
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 2660 -ip 2660
1⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 2228 -ip 2228
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3796 -ip 3796
1⤵
PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 2176 -ip 2176
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hp\logs.dat

Filesize
144B

MD5
97e39b97a67f825c488bbd7c1f5cdfa4

SHA1
dbb34c8a67c440bfb0dff3abab94360613b3d909

SHA256
efffca34e50fa0a96e1620894db8a9fbe5b7ace491346694f98ec98e59de37c7

SHA512
b62de28b15f231a4de99be942378fb669c2442d9495429e44574f6ddbed4085bcc4cc11bcb6412cb1ba428bff829a9dddea30df0134644e70f86975156c58d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\derogates

Filesize
28KB

MD5
5e5db17274ec38deb1321409a5724eff

SHA1
9e4f39a93fbb04493aef8e4af9b8415c4395f36d

SHA256
2454884cd39c4a40e4569eff3b39909f7d4551b38e5a3de5602b98906142a041

SHA512
fec6bc48b10a397f3ccc114132288edf2d7dd1451c2887f235438a9c026c21f9b5fba6191da1ed6676af39511f8b23f4748b67b64d26ae163b469aa96ef54eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\sticket

Filesize
483KB

MD5
b0e70cf8e3ab7ffa4b6f8f1e185e8da6

SHA1
0103f59e2cfee011a08875b0f5b45ff7e9ffafb2

SHA256
ec9de3a4463b2d73e441d0c3c9e0a7024dd7fa9ae328da673e5310acca0137ed

SHA512
80f0326c9a6e58494381c0e2dd0ff64c0f74475bf5c0795a6017aa1bcc9c152415a7b8b2b66f317dad39590b070510290dad09f251fbb345392810c8217f61b7

Download Submit
C:\Users\Admin\AppData\Local\directory\name.exe

Filesize
856KB

MD5
9f806e799d1c4aae3627764bf6db8bb3

SHA1
92fb5b94a46b85a8bf14bc81aa4914418c62548f

SHA256
d1d2afe21465d8387627e5721bd2fdbb77e910282074d8ad47bb59abd4550bfb

SHA512
1e258054a6ab7aadf592f9aabca01a4ed55993fffb9c1307272dc84b1a34119f9affae9c6bc2ca5467bce1264a854c152a339c5ed44b3810c9e286d2956829fb

Download Submit
memory/1092-53-0x0000000001290000-0x0000000001468000-memory.dmp

Filesize
1.8MB

Download
memory/1092-52-0x0000000001290000-0x0000000001468000-memory.dmp

Filesize
1.8MB

Download
memory/1092-54-0x0000000001290000-0x0000000001468000-memory.dmp

Filesize
1.8MB

Download
memory/2016-50-0x0000000000600000-0x00000000007D8000-memory.dmp

Filesize
1.8MB

Download
memory/2016-51-0x0000000000600000-0x00000000007D8000-memory.dmp

Filesize
1.8MB

Download
memory/2016-49-0x0000000000600000-0x00000000007D8000-memory.dmp

Filesize
1.8MB

Download
memory/2016-47-0x0000000000600000-0x00000000007D8000-memory.dmp

Filesize
1.8MB

Download
memory/2188-88-0x00000000004D0000-0x00000000006A8000-memory.dmp

Filesize
1.8MB

Download
memory/2188-89-0x00000000004D0000-0x00000000006A8000-memory.dmp

Filesize
1.8MB

Download
memory/2188-90-0x00000000004D0000-0x00000000006A8000-memory.dmp

Filesize
1.8MB

Download
memory/2580-71-0x0000000000610000-0x00000000007E8000-memory.dmp

Filesize
1.8MB

Download
memory/2580-70-0x0000000000610000-0x00000000007E8000-memory.dmp

Filesize
1.8MB

Download
memory/2580-72-0x0000000000610000-0x00000000007E8000-memory.dmp

Filesize
1.8MB

Download
memory/2776-98-0x0000000001200000-0x00000000013D8000-memory.dmp

Filesize
1.8MB

Download
memory/2776-99-0x0000000001200000-0x00000000013D8000-memory.dmp

Filesize
1.8MB

Download
memory/2776-100-0x0000000001200000-0x00000000013D8000-memory.dmp

Filesize
1.8MB

Download
memory/3052-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-62-0x0000000000820000-0x00000000009F8000-memory.dmp

Filesize
1.8MB

Download
memory/3052-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-15-0x0000000000820000-0x00000000009F8000-memory.dmp

Filesize
1.8MB

Download
memory/3052-87-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-86-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-85-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3052-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3172-11-0x0000000002A80000-0x0000000002A84000-memory.dmp

Filesize
16KB

Download
memory/3172-0-0x0000000000FE0000-0x00000000011B8000-memory.dmp

Filesize
1.8MB

Download
memory/3172-18-0x0000000000FE0000-0x00000000011B8000-memory.dmp

Filesize
1.8MB

Download
memory/3920-82-0x0000000000500000-0x00000000006D8000-memory.dmp

Filesize
1.8MB

Download
memory/3920-84-0x0000000000500000-0x00000000006D8000-memory.dmp

Filesize
1.8MB

Download
memory/3920-83-0x0000000000500000-0x00000000006D8000-memory.dmp

Filesize
1.8MB

Download
memory/4160-92-0x0000000001000000-0x00000000011D8000-memory.dmp

Filesize
1.8MB

Download
memory/4160-91-0x0000000001000000-0x00000000011D8000-memory.dmp

Filesize
1.8MB

Download
memory/4160-93-0x0000000001000000-0x00000000011D8000-memory.dmp

Filesize
1.8MB

Download
memory/4292-65-0x0000000000C70000-0x0000000000E48000-memory.dmp

Filesize
1.8MB

Download
memory/4292-66-0x0000000000C70000-0x0000000000E48000-memory.dmp

Filesize
1.8MB

Download
memory/4292-64-0x0000000000C70000-0x0000000000E48000-memory.dmp

Filesize
1.8MB

Download
memory/4312-45-0x0000000000800000-0x00000000009D8000-memory.dmp

Filesize
1.8MB

Download
memory/4312-46-0x0000000000800000-0x00000000009D8000-memory.dmp

Filesize
1.8MB

Download
memory/4312-41-0x0000000000800000-0x00000000009D8000-memory.dmp

Filesize
1.8MB

Download
memory/4312-43-0x0000000000800000-0x00000000009D8000-memory.dmp

Filesize
1.8MB

Download
memory/4312-44-0x0000000000800000-0x00000000009D8000-memory.dmp

Filesize
1.8MB

Download
memory/4332-61-0x0000000000CF0000-0x0000000000EC8000-memory.dmp

Filesize
1.8MB

Download
memory/4332-59-0x0000000000CF0000-0x0000000000EC8000-memory.dmp

Filesize
1.8MB

Download
memory/4332-60-0x0000000000CF0000-0x0000000000EC8000-memory.dmp

Filesize
1.8MB

Download
memory/4492-78-0x0000000000F00000-0x00000000010D8000-memory.dmp

Filesize
1.8MB

Download
memory/4492-77-0x0000000000F00000-0x00000000010D8000-memory.dmp

Filesize
1.8MB

Download
memory/4492-79-0x0000000000F00000-0x00000000010D8000-memory.dmp

Filesize
1.8MB

Download
memory/5092-57-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/5092-58-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/5092-56-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download