remcos | 3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01

Analysis

max time kernel
55s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CameraCaptureUI.exe
Size

2.9MB
MD5

067027b5b20d0d80be90f41dc126fda3
SHA1

b7644f39188e8e8bcb41723833321a43f9474629
SHA256

3b41f447509a77d0c3155f23928457be0f71701c490af674f03da959e984ac01
SHA512

a56fa19a0e6e4263a9d48e17e13ef76084808f98dfba1306feda58f64d92acb15c93794726697982f15cde699874407f7a991138de423eb5fa87b43d5084362a
SSDEEP

49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNc9:C2cPK8YwjE2cPK8U

Score

10^/10

remcos webmonitor remotehost backdoor discovery infostealer link pdf persistence rat upx

Malware Config

Extracted

Family

webmonitor

snpandey4659.wm01.to:443

Attributes

config_key
sFitr5r1ExCJl86X6inyc4qxlzwyw8fK
private_key
t1wG88poq
url_path
/recv4.php

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

daya4659.ddns.net:8282

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S1KNPZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RevcodeRat, WebMonitorRat
WebMonitor is a remote access tool that you can use from any browser access to control, and monitor your phones, or PCs.
backdoor rat infostealer webmonitor

WebMonitor payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2360-20-0x0000000000400000-0x00000000004C0000-memory.dmp	family_webmonitor
behavioral2/memory/2360-19-0x0000000000400000-0x00000000004C0000-memory.dmp	family_webmonitor

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CameraCaptureUI.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.exeremcos.exedriverquery.exesfc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	CameraCaptureUI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	remcos_agent_Protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	remcos_agent_Protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	driverquery.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	sfc.exe

Executes dropped EXE 8 IoCs

Processes:

remcos_agent_Protected.exeremcos_agent_Protected.exeremcos.exeremcos.exesfc.exedriverquery.exedriverquery.exesfc.exe

pid	process
2944	remcos_agent_Protected.exe
1412	remcos_agent_Protected.exe
1476	remcos.exe
4428	remcos.exe
1408	sfc.exe
3888	driverquery.exe
3864	driverquery.exe
1524	sfc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2360-18-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/2360-20-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/2360-19-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/2360-17-0x0000000000400000-0x00000000004C0000-memory.dmp	upx
behavioral2/memory/2360-13-0x0000000000400000-0x00000000004C0000-memory.dmp	upx

Unexpected DNS network traffic destination 16 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	185.141.152.26
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	114.114.114.114
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	185.141.152.26
Destination IP	1.2.4.8
Destination IP	185.141.152.26
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	1.2.4.8
Destination IP	185.141.152.26
Destination IP	185.141.152.26

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

remcos.exeCameraCaptureUI.exeremcos_agent_Protected.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WebMonitor-ea8d = "C:\\Users\\Admin\\AppData\\Roaming\\WebMonitor-ea8d.exe"	CameraCaptureUI.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe

AutoIT Executable 21 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe	autoit_exe
behavioral2/memory/4996-70-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4996-71-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4700-86-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4076-88-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4320-90-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4404-99-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4072-114-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4536-194-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/5040-196-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/2360-197-0x0000000000C50000-0x0000000000F3B000-memory.dmp	autoit_exe
behavioral2/memory/2504-199-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4804-201-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/2780-204-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/1416-206-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/1820-208-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/964-213-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/8-215-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/4036-218-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	autoit_exe

Suspicious use of SetThreadContext 28 IoCs

Processes:

CameraCaptureUI.exeremcos_agent_Protected.exeremcos.exeremcos.exedriverquery.exesfc.exe

description	pid	process	target process
PID 4216 set thread context of 2360	4216	CameraCaptureUI.exe	CameraCaptureUI.exe
PID 2944 set thread context of 1412	2944	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1476 set thread context of 4428	1476	remcos.exe	remcos.exe
PID 4428 set thread context of 4996	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4700	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4076	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4320	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4404	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4072	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4536	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 5040	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 2504	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4804	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 2780	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 1416	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 1820	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 964	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 8	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4036	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 2144	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 1412	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 3944	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4188	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 3444	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 2220	4428	remcos.exe	svchost.exe
PID 4428 set thread context of 4828	4428	remcos.exe	svchost.exe
PID 3888 set thread context of 3864	3888	driverquery.exe	driverquery.exe
PID 1408 set thread context of 1524	1408	sfc.exe	sfc.exe

HTTP links in PDF interactive object 2 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf	pdf_with_link_action
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
776	4996	WerFault.exe	svchost.exe
1400	4700	WerFault.exe	svchost.exe
2956	4076	WerFault.exe	svchost.exe
3640	4320	WerFault.exe	svchost.exe
3992	4404	WerFault.exe	svchost.exe
2612	4072	WerFault.exe	svchost.exe
1032	4536	WerFault.exe	svchost.exe
4424	5040	WerFault.exe	svchost.exe
540	2504	WerFault.exe	svchost.exe
4808	4804	WerFault.exe	svchost.exe
5056	2780	WerFault.exe	svchost.exe
2948	1416	WerFault.exe	svchost.exe
4932	1820	WerFault.exe	svchost.exe
3860	964	WerFault.exe	svchost.exe
4424	8	WerFault.exe	svchost.exe
3880	4036	WerFault.exe	svchost.exe
3152	2144	WerFault.exe	svchost.exe
3376	1412	WerFault.exe	svchost.exe
3824	3944	WerFault.exe	svchost.exe
4764	4188	WerFault.exe	svchost.exe
4216	3444	WerFault.exe	svchost.exe
3228	2220	WerFault.exe	svchost.exe
5112	4828	WerFault.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RdrCEF.exesvchost.exeRdrCEF.exesvchost.exesvchost.exesvchost.exesfc.exeschtasks.exeCameraCaptureUI.exeremcos.exesvchost.execmd.exeRdrCEF.exesvchost.exesvchost.exesvchost.exedriverquery.exeschtasks.exesvchost.exesvchost.exeAcroRd32.exeschtasks.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeWScript.exeRdrCEF.exeRdrCEF.exeschtasks.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exeCameraCaptureUI.exeremcos_agent_Protected.exeremcos_agent_Protected.exeremcos.exeRdrCEF.exeRdrCEF.exesvchost.exeschtasks.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraCaptureUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraCaptureUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

Processes:

remcos_agent_Protected.exeCameraCaptureUI.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	remcos_agent_Protected.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	CameraCaptureUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4976 schtasks.exe
1496 schtasks.exe
4512 schtasks.exe
4072 schtasks.exe
4524 schtasks.exe

pid	process
4976	schtasks.exe
1496	schtasks.exe
4512	schtasks.exe
4072	schtasks.exe
4524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

AcroRd32.exe

pid	process
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe
3532	AcroRd32.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

CameraCaptureUI.exe

pid process

2360 CameraCaptureUI.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3532 AcroRd32.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AcroRd32.exeremcos.exe

pid process

3532 AcroRd32.exe
3532 AcroRd32.exe
3532 AcroRd32.exe
3532 AcroRd32.exe
4428 remcos.exe
3532 AcroRd32.exe

pid	process
2360	CameraCaptureUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CameraCaptureUI.exeremcos_agent_Protected.exeremcos_agent_Protected.exeWScript.execmd.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 4216 wrote to memory of 2944	4216	CameraCaptureUI.exe	remcos_agent_Protected.exe
PID 4216 wrote to memory of 2944	4216	CameraCaptureUI.exe	remcos_agent_Protected.exe
PID 4216 wrote to memory of 2944	4216	CameraCaptureUI.exe	remcos_agent_Protected.exe
PID 4216 wrote to memory of 3532	4216	CameraCaptureUI.exe	AcroRd32.exe
PID 4216 wrote to memory of 3532	4216	CameraCaptureUI.exe	AcroRd32.exe
PID 4216 wrote to memory of 3532	4216	CameraCaptureUI.exe	AcroRd32.exe
PID 4216 wrote to memory of 2360	4216	CameraCaptureUI.exe	CameraCaptureUI.exe
PID 4216 wrote to memory of 2360	4216	CameraCaptureUI.exe	CameraCaptureUI.exe
PID 4216 wrote to memory of 2360	4216	CameraCaptureUI.exe	CameraCaptureUI.exe
PID 4216 wrote to memory of 2360	4216	CameraCaptureUI.exe	CameraCaptureUI.exe
PID 4216 wrote to memory of 2360	4216	CameraCaptureUI.exe	CameraCaptureUI.exe
PID 4216 wrote to memory of 4072	4216	CameraCaptureUI.exe	schtasks.exe
PID 4216 wrote to memory of 4072	4216	CameraCaptureUI.exe	schtasks.exe
PID 4216 wrote to memory of 4072	4216	CameraCaptureUI.exe	schtasks.exe
PID 2944 wrote to memory of 1412	2944	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2944 wrote to memory of 1412	2944	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2944 wrote to memory of 1412	2944	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2944 wrote to memory of 1412	2944	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 2944 wrote to memory of 1412	2944	remcos_agent_Protected.exe	remcos_agent_Protected.exe
PID 1412 wrote to memory of 2300	1412	remcos_agent_Protected.exe	WScript.exe
PID 1412 wrote to memory of 2300	1412	remcos_agent_Protected.exe	WScript.exe
PID 1412 wrote to memory of 2300	1412	remcos_agent_Protected.exe	WScript.exe
PID 2944 wrote to memory of 4524	2944	remcos_agent_Protected.exe	schtasks.exe
PID 2944 wrote to memory of 4524	2944	remcos_agent_Protected.exe	schtasks.exe
PID 2944 wrote to memory of 4524	2944	remcos_agent_Protected.exe	schtasks.exe
PID 2300 wrote to memory of 4592	2300	WScript.exe	cmd.exe
PID 2300 wrote to memory of 4592	2300	WScript.exe	cmd.exe
PID 2300 wrote to memory of 4592	2300	WScript.exe	cmd.exe
PID 4592 wrote to memory of 1476	4592	cmd.exe	remcos.exe
PID 4592 wrote to memory of 1476	4592	cmd.exe	remcos.exe
PID 4592 wrote to memory of 1476	4592	cmd.exe	remcos.exe
PID 3532 wrote to memory of 3612	3532	AcroRd32.exe	RdrCEF.exe
PID 3532 wrote to memory of 3612	3532	AcroRd32.exe	RdrCEF.exe
PID 3532 wrote to memory of 3612	3532	AcroRd32.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe
PID 3612 wrote to memory of 4536	3612	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe
"C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4592
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4428
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 560
        9⤵
        Program crash
        
        PID:776
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 560
        9⤵
        Program crash
        
        PID:1400
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 560
        9⤵
        Program crash
        
        PID:2956
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 204
        9⤵
        Program crash
        
        PID:3640
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 564
        9⤵
        Program crash
        
        PID:3992
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 564
        9⤵
        Program crash
        
        PID:2612
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 560
        9⤵
        Program crash
        
        PID:1032
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 208
        9⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 560
        9⤵
        Program crash
        
        PID:540
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 208
        9⤵
        Program crash
        
        PID:4808
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 560
        9⤵
        Program crash
        
        PID:5056
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 560
        9⤵
        Program crash
        
        PID:2948
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 560
        9⤵
        Program crash
        
        PID:4932
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 560
        9⤵
        Program crash
        
        PID:3860
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 560
        9⤵
        Program crash
        
        PID:4424
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 560
        9⤵
        Program crash
        
        PID:3880
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 560
        9⤵
        Program crash
        
        PID:3152
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 560
        9⤵
        Program crash
        
        PID:3376
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 228
        9⤵
        Program crash
        
        PID:3824
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 560
        9⤵
        Program crash
        
        PID:4764
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 560
        9⤵
        Program crash
        
        PID:4216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 560
        9⤵
        Program crash
        
        PID:3228
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 564
        9⤵
        Program crash
        
        PID:5112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4976
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4524
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3532
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=628E72AE766C7836E89EB028EAB22751 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4536
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=6CAA319E109B300427FC6DD3D2641CCF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=6CAA319E109B300427FC6DD3D2641CCF --renderer-client-id=2 --mojo-platform-channel-handle=1728 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4600
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C491B0F759CD2A697458E04EEA07284 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1752
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=FD9B1FDE838FD410762D6F48EB5638B4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=FD9B1FDE838FD410762D6F48EB5638B4 --renderer-client-id=5 --mojo-platform-channel-handle=2520 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1324
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=01453613BE2DEF0AC2C394D948052C28 --mojo-platform-channel-handle=1808 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4896
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D9728FBDB70C173215B7D7A5CFCE463C --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1316
- C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe
  "C:\Users\Admin\AppData\Local\Temp\CameraCaptureUI.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:2360
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4996 -ip 4996
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4700 -ip 4700
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4076 -ip 4076
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4320 -ip 4320
1⤵
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4404 -ip 4404
1⤵
PID:5112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4072 -ip 4072
1⤵
PID:1980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4536 -ip 4536
1⤵
PID:2912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5040 -ip 5040
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2504 -ip 2504
1⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4804 -ip 4804
1⤵
PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2780 -ip 2780
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1416 -ip 1416
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1820 -ip 1820
1⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 964 -ip 964
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 8 -ip 8
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4036 -ip 4036
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2144 -ip 2144
1⤵
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1412 -ip 1412
1⤵
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3944 -ip 3944
1⤵
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4188 -ip 4188
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3444 -ip 3444
1⤵
PID:2672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2220 -ip 2220
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4828 -ip 4828
1⤵
PID:4004

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1408
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4512

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3888
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1496

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
PID:4004

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
0a07d68cef7f583825f6d32a7add122e

SHA1
387614ce56ca84d1bb85361e86c1441f98b6c581

SHA256
a3aaed610046f6c9dd64fbf2d05bc0fe7cfac6c2e510a6e638906acb740ba3d7

SHA512
1929c66bd586cad538187c46df294e9dbdb34c7eeed881ee3693bbf5d1d9d0fdf4155988076fe47ca82fb6bedd22657cfbf4334c9e07019cda644eb911926169

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf

Filesize
340KB

MD5
bb0aa1bade4df17033a05d8d682b44d2

SHA1
bec4b0a8a7413d158cf6705a3c888bdf36a4371b

SHA256
96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

SHA512
6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

Filesize
1.1MB

MD5
ca6d66a62934585601079f85d861482e

SHA1
8a83b05af22d5b8b14561aedc5e2eb16679bb43b

SHA256
c86f92e8f31b1b94b7f28224ad39049f5b37bf7ec02512a049bce696f93ad41a

SHA512
23a3839706e67de3ea292d59089f4f1bef6023472c01c9be596cb860595964c68b6422824347c75a2bb12fddfab8909efd4db450bcbbc34a298b60c8e27b2810

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

Filesize
2.9MB

MD5
1ec88792e3c005b546eafc46f9cdde6c

SHA1
a20be967bad81b9bf7d5d09739ebc56654fbc81c

SHA256
19b3948a9527c118d08d1b139239e78278e7dc1c6c402132cfd83e7084832f4a

SHA512
971c9ee9b381a3829ba3e07f4962d1ff81c9286c89aa7e3ac743f5a6d6185fc0d36c4112ec42faf852a6613f853b467273ac83e4349a634d47ad87d2c675cad6

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
118B

MD5
a943e7f82e39c952c60726617f3461f3

SHA1
40d590b6503860510b6e0f44afcdf37a8166357e

SHA256
f7fe636972fbb05ceadb9654dbd7c4b1ae98287174d8c0bb0cac0b8c92582443

SHA512
884f705d9d51c57cd471c72820b902b4a69a53c8bdb2151cafeba70f0e9a25e1ffe776edbe5fbf54da0848e914983b13576175ca5686802c094310442a6c4dff

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

Filesize
1.1MB

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
memory/8-215-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/964-213-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1412-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1412-23-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1416-206-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1820-208-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2360-197-0x0000000000C50000-0x0000000000F3B000-memory.dmp

Filesize
2.9MB

Download
memory/2360-18-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2360-20-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2360-19-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2360-17-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2360-13-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2504-199-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2780-204-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4036-218-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4072-114-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4076-88-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4320-90-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4404-99-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4428-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4428-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4428-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4428-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4536-194-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4700-86-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4804-201-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4996-70-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/4996-71-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/5040-196-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download