remcos | 19ae3643afa6978f331d8b0a62693cf3dbd9d3d9263b649fd875fb39ad684394

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote PBR0270824.scr
Size

324KB
MD5

985d9eeed23248b4b8448fddc52e4137
SHA1

4c9a60717d5a5696bb87cdbab9d0ad0fc9b5c95d
SHA256

f9d403b0f6d3993624c7dff24e63c59ece712f8cd64fd6d87289db1959090543
SHA512

37e8844a8a69081afd1a4738868d986a13f841b691168c4d0a1ad05ddedcad02384a6c9fbee067de77c9eb166825b08825d2b8c7842ae488d6a2089c0a7d9fbd
SSDEEP

6144:P+K0WO4UhaD6zCSP6GL7Ag5Uj4oXwwq24yFGUOJy+pMfO7yQaBUINDPP:GW+AEv6GHCMoXNq2mUOJ7pMm8LDH

Score

10^/10

remcos remotehost collection credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ejikenewguy.site:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-E55SDS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 8 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2468-982-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1612-984-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2468-983-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1612-981-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/884-988-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/884-989-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2468-995-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/1612-1000-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/1612-984-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1612-981-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView
behavioral1/memory/1612-1000-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 3 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2468-982-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2468-983-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral1/memory/2468-995-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Loads dropped DLL 64 IoCs

pid	Process
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr
2984	Quote PBR0270824.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Quote PBR0270824.scr

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1084	Quote PBR0270824.scr

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2984	Quote PBR0270824.scr
1084	Quote PBR0270824.scr

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 1084	2984	Quote PBR0270824.scr	619
PID 1084 set thread context of 2468	1084	Quote PBR0270824.scr	621
PID 1084 set thread context of 1612	1084	Quote PBR0270824.scr	622
PID 1084 set thread context of 884	1084	Quote PBR0270824.scr	623

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Quote PBR0270824.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Quote PBR0270824.scr
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Quote PBR0270824.scr

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2468	Quote PBR0270824.scr
2468	Quote PBR0270824.scr

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2984	Quote PBR0270824.scr
1084	Quote PBR0270824.scr
1084	Quote PBR0270824.scr
1084	Quote PBR0270824.scr

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	Quote PBR0270824.scr

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2464	2984	Quote PBR0270824.scr	30
PID 2984 wrote to memory of 2464	2984	Quote PBR0270824.scr	30
PID 2984 wrote to memory of 2464	2984	Quote PBR0270824.scr	30
PID 2984 wrote to memory of 2464	2984	Quote PBR0270824.scr	30
PID 2984 wrote to memory of 1712	2984	Quote PBR0270824.scr	32
PID 2984 wrote to memory of 1712	2984	Quote PBR0270824.scr	32
PID 2984 wrote to memory of 1712	2984	Quote PBR0270824.scr	32
PID 2984 wrote to memory of 1712	2984	Quote PBR0270824.scr	32
PID 2984 wrote to memory of 1924	2984	Quote PBR0270824.scr	34
PID 2984 wrote to memory of 1924	2984	Quote PBR0270824.scr	34
PID 2984 wrote to memory of 1924	2984	Quote PBR0270824.scr	34
PID 2984 wrote to memory of 1924	2984	Quote PBR0270824.scr	34
PID 2984 wrote to memory of 2180	2984	Quote PBR0270824.scr	36
PID 2984 wrote to memory of 2180	2984	Quote PBR0270824.scr	36
PID 2984 wrote to memory of 2180	2984	Quote PBR0270824.scr	36
PID 2984 wrote to memory of 2180	2984	Quote PBR0270824.scr	36
PID 2984 wrote to memory of 2768	2984	Quote PBR0270824.scr	38
PID 2984 wrote to memory of 2768	2984	Quote PBR0270824.scr	38
PID 2984 wrote to memory of 2768	2984	Quote PBR0270824.scr	38
PID 2984 wrote to memory of 2768	2984	Quote PBR0270824.scr	38
PID 2984 wrote to memory of 2164	2984	Quote PBR0270824.scr	40
PID 2984 wrote to memory of 2164	2984	Quote PBR0270824.scr	40
PID 2984 wrote to memory of 2164	2984	Quote PBR0270824.scr	40
PID 2984 wrote to memory of 2164	2984	Quote PBR0270824.scr	40
PID 2984 wrote to memory of 2924	2984	Quote PBR0270824.scr	42
PID 2984 wrote to memory of 2924	2984	Quote PBR0270824.scr	42
PID 2984 wrote to memory of 2924	2984	Quote PBR0270824.scr	42
PID 2984 wrote to memory of 2924	2984	Quote PBR0270824.scr	42
PID 2984 wrote to memory of 2884	2984	Quote PBR0270824.scr	44
PID 2984 wrote to memory of 2884	2984	Quote PBR0270824.scr	44
PID 2984 wrote to memory of 2884	2984	Quote PBR0270824.scr	44
PID 2984 wrote to memory of 2884	2984	Quote PBR0270824.scr	44
PID 2984 wrote to memory of 2688	2984	Quote PBR0270824.scr	46
PID 2984 wrote to memory of 2688	2984	Quote PBR0270824.scr	46
PID 2984 wrote to memory of 2688	2984	Quote PBR0270824.scr	46
PID 2984 wrote to memory of 2688	2984	Quote PBR0270824.scr	46
PID 2984 wrote to memory of 2724	2984	Quote PBR0270824.scr	48
PID 2984 wrote to memory of 2724	2984	Quote PBR0270824.scr	48
PID 2984 wrote to memory of 2724	2984	Quote PBR0270824.scr	48
PID 2984 wrote to memory of 2724	2984	Quote PBR0270824.scr	48
PID 2984 wrote to memory of 2624	2984	Quote PBR0270824.scr	50
PID 2984 wrote to memory of 2624	2984	Quote PBR0270824.scr	50
PID 2984 wrote to memory of 2624	2984	Quote PBR0270824.scr	50
PID 2984 wrote to memory of 2624	2984	Quote PBR0270824.scr	50
PID 2984 wrote to memory of 1096	2984	Quote PBR0270824.scr	52
PID 2984 wrote to memory of 1096	2984	Quote PBR0270824.scr	52
PID 2984 wrote to memory of 1096	2984	Quote PBR0270824.scr	52
PID 2984 wrote to memory of 1096	2984	Quote PBR0270824.scr	52
PID 2984 wrote to memory of 1512	2984	Quote PBR0270824.scr	54
PID 2984 wrote to memory of 1512	2984	Quote PBR0270824.scr	54
PID 2984 wrote to memory of 1512	2984	Quote PBR0270824.scr	54
PID 2984 wrote to memory of 1512	2984	Quote PBR0270824.scr	54
PID 2984 wrote to memory of 1928	2984	Quote PBR0270824.scr	56
PID 2984 wrote to memory of 1928	2984	Quote PBR0270824.scr	56
PID 2984 wrote to memory of 1928	2984	Quote PBR0270824.scr	56
PID 2984 wrote to memory of 1928	2984	Quote PBR0270824.scr	56
PID 2984 wrote to memory of 2092	2984	Quote PBR0270824.scr	58
PID 2984 wrote to memory of 2092	2984	Quote PBR0270824.scr	58
PID 2984 wrote to memory of 2092	2984	Quote PBR0270824.scr	58
PID 2984 wrote to memory of 2092	2984	Quote PBR0270824.scr	58
PID 2984 wrote to memory of 1732	2984	Quote PBR0270824.scr	60
PID 2984 wrote to memory of 1732	2984	Quote PBR0270824.scr	60
PID 2984 wrote to memory of 1732	2984	Quote PBR0270824.scr	60
PID 2984 wrote to memory of 1732	2984	Quote PBR0270824.scr	60

C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr
"C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "220^177"
  2⤵
  PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:1248
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "137^177"
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:1584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:1744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "231^177"
  2⤵
  PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:2304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:1440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "201^177"
  2⤵
  PID:2092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "193^177"
  2⤵
  PID:2448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:1660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  PID:896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:1556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:1500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "226^177"
  2⤵
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:3048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "197^177"
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1808
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "134^177"
  2⤵
  PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "250^177"
  2⤵
  PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "255^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "244^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "253^177"
  2⤵
  PID:2660
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "227^177"
  2⤵
  PID:2688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:1496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "247^177"
  2⤵
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:1148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "132^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:856
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "135^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2384
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "133^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:1972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  PID:348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "155^177"
  2⤵
  PID:3024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "159^177"
  2⤵
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:1256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  PID:1648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "196^177"
  2⤵
  PID:1920
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "194^177"
  2⤵
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "212^177"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "130^177"
  2⤵
  PID:2592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "131^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "139^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "242^177"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "208^177"
  2⤵
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "221^177"
  2⤵
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "230^177"
  2⤵
  PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "223^177"
  2⤵
  PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "213^177"
  2⤵
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "198^177"
  2⤵
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "225^177"
  2⤵
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "222^177"
  2⤵
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "210^177"
  2⤵
  PID:3052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "240^177"
  2⤵
  PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "153^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "195^177"
  2⤵
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "128^177"
  2⤵
  PID:2756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:1644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:1488
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "157^177"
  2⤵
  PID:2864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "216^177"
  2⤵
  PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "145^177"
  2⤵
  PID:1864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "129^177"
  2⤵
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "152^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c set /a "141^177"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr
  "C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr" /S
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Suspicious behavior: MapViewOfSection
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr
    "C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr" /stext "C:\Users\Admin\AppData\Local\Temp\upaaiuebreggkjgiacjgcvtoborhfsjn"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2468
- - C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr
    "C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr" /stext "C:\Users\Admin\AppData\Local\Temp\wkft"
    3⤵
    - Accesses Microsoft Outlook accounts
    - System Location Discovery: System Language Discovery
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr
    "C:\Users\Admin\AppData\Local\Temp\Quote PBR0270824.scr" /stext "C:\Users\Admin\AppData\Local\Temp\hmsdkfa"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsdBB54.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsdBB54.tmp\nsExec.dll

Filesize
6KB

MD5
b2639b996a3d69541c78642772283e9f

SHA1
e8a0c678708b8b625234a3ac502e37940ad2992f

SHA256
79aa4f0daf303b02bfcf0306e690378e050003e42c7c9d3e1bd5ad62fb2f3a21

SHA512
fabd2f9dd6ff8887cde99c9ccb7c755722daed0e6d7d332e1811b7a4a0f10daaad3ab750fb90838fdcc8049bda49f0cb84283e007c48e54b117b4de41c321815

Download Submit
memory/884-986-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/884-989-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/884-988-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/884-987-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1084-1006-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1007-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1013-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1012-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1011-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1010-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1009-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1008-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1005-0x0000000035C00000-0x0000000035C19000-memory.dmp

Filesize
100KB

Download
memory/1084-976-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-972-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-960-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1004-0x0000000035C00000-0x0000000035C19000-memory.dmp

Filesize
100KB

Download
memory/1084-997-0x0000000000440000-0x00000000014A2000-memory.dmp

Filesize
16.4MB

Download
memory/1084-1001-0x0000000035C00000-0x0000000035C19000-memory.dmp

Filesize
100KB

Download
memory/1612-1000-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1612-979-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1612-978-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1612-981-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1612-984-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2468-995-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2468-980-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2468-983-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2468-977-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2468-982-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2984-959-0x0000000010004000-0x0000000010005000-memory.dmp

Filesize
4KB

Download