remcos | fd9c0fb6f463cee4975445c4ff19301daeed95a081f0428c5ef7aad815dd7277

Resubmissions

05-09-2024 11:59

240905-n58yzs1clh 10

05-09-2024 11:59

240905-n53rzazern 3

05-09-2024 11:35

240905-np5lmazcnm 10

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HSBC Payment Advice_pdf.exe
Size

993KB
MD5

d0da590b7edbc0da19fb22989e74094a
SHA1

96ebe02b6e7499acdf741aa1a770511345532cf3
SHA256

fd9c0fb6f463cee4975445c4ff19301daeed95a081f0428c5ef7aad815dd7277
SHA512

6f7547230d5e005b6a9f04db0cb0c64c501dacf6f4836b1061f6dc2135ab8a06f06a1c5d7f90bd87491b534e4bfc20068d498b55bf896d63058ec8035df03a9b
SSDEEP

24576:SUobyDHF8HpzkLmV4ZDeLnmx/E/oLZT2nGr4oI6:DZKJILmVmeKx8gZlI

Score

10^/10

remcos udu discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

udu

UDUM.WORK.GD:2431

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
vlc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
sos
mouse_option
false
mutex
udm-2WYU92
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4816	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	HSBC Payment Advice_pdf.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4756 set thread context of 3196	4756	HSBC Payment Advice_pdf.exe	106

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSBC Payment Advice_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HSBC Payment Advice_pdf.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{C49B9A2A-D18E-4FB1-BA5E-5BC89469FBD9}	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4756	HSBC Payment Advice_pdf.exe
4756	HSBC Payment Advice_pdf.exe
4816	powershell.exe
4816	powershell.exe
4756	HSBC Payment Advice_pdf.exe
4816	powershell.exe
4372	msedge.exe
4372	msedge.exe
2868	msedge.exe
2868	msedge.exe
2100	msedge.exe
2100	msedge.exe
4960	identity_helper.exe
4960	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
824	mmc.exe
3196	HSBC Payment Advice_pdf.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: SeDebugPrivilege	4756	HSBC Payment Advice_pdf.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe
Token: SeIncBasePriorityPrivilege	824	mmc.exe
Token: 33	824	mmc.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3196	HSBC Payment Advice_pdf.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3196	HSBC Payment Advice_pdf.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe
2868	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
824	mmc.exe
824	mmc.exe
3196	HSBC Payment Advice_pdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 4816	4756	HSBC Payment Advice_pdf.exe	102
PID 4756 wrote to memory of 4816	4756	HSBC Payment Advice_pdf.exe	102
PID 4756 wrote to memory of 4816	4756	HSBC Payment Advice_pdf.exe	102
PID 4756 wrote to memory of 2880	4756	HSBC Payment Advice_pdf.exe	104
PID 4756 wrote to memory of 2880	4756	HSBC Payment Advice_pdf.exe	104
PID 4756 wrote to memory of 2880	4756	HSBC Payment Advice_pdf.exe	104
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 4756 wrote to memory of 3196	4756	HSBC Payment Advice_pdf.exe	106
PID 2868 wrote to memory of 3468	2868	msedge.exe	114
PID 2868 wrote to memory of 3468	2868	msedge.exe	114
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 2880	2868	msedge.exe	115
PID 2868 wrote to memory of 4372	2868	msedge.exe	116
PID 2868 wrote to memory of 4372	2868	msedge.exe	116
PID 2868 wrote to memory of 3312	2868	msedge.exe	117
PID 2868 wrote to memory of 3312	2868	msedge.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FuWEVfUSU.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FuWEVfUSU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp335F.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2880
- C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\HSBC Payment Advice_pdf.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3196

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb96f846f8,0x7ffb96f84708,0x7ffb96f84718
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,8874706936149652787,7393565094399972146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:2168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sos\logs.dat

Filesize
258B

MD5
5c58b8a96246f920b8badc233ab46749

SHA1
6df2488a389f5da8759d6b8342b715b759ff70f2

SHA256
66758e43ac31031e81503b1336361ebccceed14b9fdcca2dac0cb01224dfe79b

SHA512
5a15e1a754161c3adc9ba3338570dbae234d9cb5db2491b00ab52895e9702693f7288d5ec1d019d49508d2b2790f5f51713f4316cf6e9d74e0365f0ef44e6865

Download Submit
C:\ProgramData\sos\logs.dat

Filesize
150B

MD5
80c4a516e827fe6300718382b77c7609

SHA1
df62aef656e44ec1e32be02cea32c8ae31dc484e

SHA256
7463c96ce65195b64cf7abe0922a9d0b5fc390004c5687b37750b20da46557ea

SHA512
c9075043766287dd2bc9875079d37ddf598243a70d1e0244c849395d253911b6bbb4a4d0449b06e29601b8b67fcc267d1d0d4ee4ca72a55aa751e45735fd9fc1

Download Submit
C:\ProgramData\sos\logs.dat

Filesize
158B

MD5
0a6018ca8eef88e7e3782167be24198b

SHA1
3360bae4f3a30e9557b73931b586ea3502fcc28b

SHA256
e81041e746dc79fad8a4e562705a3485dbb7cc2f9da892db75d29861ff8c45e4

SHA512
8f455ca7c90d024c15feac9640e7075c6285d825af1e49532683800ec3854ca93539034fb94d3c7d993c1656c2cda683f4f7cf16fd2f05dbf8b5c049542a6811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d2e055f511479aeb87fcd442e4c5b434

SHA1
27fdebd9f73da0b25944ddb59865d9a63b681adc

SHA256
1799f493c85a3051eea510f82be993ed49db7465ee8cd3c5264e789aa84b4701

SHA512
b0c8168077ad021534d386feaadcc60e2384dac3b8346474daf449a4bd05e3c1987487de814dd9a2057d3139236c20244c23dadb7f0a825945c8a087061485d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
686B

MD5
12a798d5e9b1105d595f73b7a1d7dea4

SHA1
212e43be4d1ea0b3d1b8e1ecf2469b9e15d1b5dd

SHA256
cad4d5c562d43ab0a88a2edea956f0b9288db2bda4930f55aaf1bd00ff3b8971

SHA512
9e7bf3192ce32453639a7f59a17f29ef8e7152f7b9a644b6180bd70d7fa5e87c6ac6694d38647a70191947ecc32b9ba474743f375829e922905a419175d44a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d48565cc64cee2ea28ed04b2d334e7a4

SHA1
ebf53a182e152fa7381ce729ddab4605f80aba07

SHA256
21bb9eef7cec9fd73fe10e782c1966c6d2ff58ce426b26d44c330b1f42b5684f

SHA512
44c84efb543e7c91afd1336418ac8a16f51b912eef104f5cf515bbd3e2d098f298ff7b531cc661267c53efcf628d3b00380384e316e3bc5d8973f422ac172180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
11a306dcb518323a1bf7a7b797227e60

SHA1
2ca0ad922f23a93e1b4d2fc0bca374c3127daeea

SHA256
334c1d162aa3afa4ac085f64715446b888d693e4c4e6c9d876576cbd19527b9b

SHA512
57e5b32b046b2cf7ff8f6d9c363bd94f7b06dba7f8be75cf53372fdcface54fe7f464cbbdb680a789a9fe3d4933e0691db6573aa462a74f7a46ccb724318d79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a829fb34e071197cfe2db725f9df112

SHA1
9ef805ed8b9cbe66982cdc6c31c049e2372e1d8b

SHA256
bbd222ddbcf5bcde0b7e510435f4176e1e6f867755f230b4b88e3b249979028a

SHA512
42d8a253b5a2a9c036e04f59449cabafbc215637ee84542c2af8c1c0a43e509b064d664e84f3b5d239b99e375726f6b65ee6c1bf174c869e4f44c5045a0b946c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
caa49c31db64dd43dae1b5668f10520c

SHA1
dcdec68369cfcdb32cd610a74b5cc1768f03c1f8

SHA256
b4213a86ce3739d18fedaf5fc84ec6c01109f217bc5a54c90e22e462f3793f12

SHA512
2ecb3bb2d3351a165444355856bd4ea7c202a86d59df498add444c7aeaff0f364ae765b61e7b3b0968ed72fb6e44dbb9ecea761572d7f8cbc946bf63b0307a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2caca3dda5b1332fe11a79f90b337dad

SHA1
12f53ccfb5badfbd68718faec8f10c630341a713

SHA256
06a2929c92242e942aaf219a066b10d00ace8edbd3056f6f6fcfebb67a4e898e

SHA512
769142d7955f886934c49b9c56702b09fe5c83cd2fbe63f8a51a17ed78b4229563240d9edc512b485cbe799ea7dc00442a8dbe2a8201df6db7b7add8f0cabdd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
185e7b5baa49095b9f7772964d0d7d30

SHA1
d1f32f10425b5253f96f67a7448e27ac599ef9e3

SHA256
ebe5b6baf3e7584eca7f9c2af63739960b72763cc36c3157123c79c965fcd7f2

SHA512
e4fba51915c58503ca7fb212dc05436f5e50273a744f02562ce00bd7173bd233926cb2991aedbec0470a8c4bdddb54c67a876ec8fa118b5d58958931260375c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59dcaa.TMP

Filesize
1KB

MD5
42c4ca75925a184f75be20b25260b4ea

SHA1
8b217a7524ee5deaa6a4cd00ec63404abd7ca85c

SHA256
a7dc22906661685fd8de85f8220b9f71bfaee71e4eb526e4724641b3c1f9a66c

SHA512
0046ceeda94cf6335c8aa13fcc5a98e1a3c1192b7dd68b425d16304b46d8e244d2afe3d488ade0cbce2b5c522e699ba5c899dd6f2c2ca12b646245631eb04511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
38a3404d761ad15907583825205380e4

SHA1
be5d3dc577e739d0a924cb05dbeeab4ebfeab403

SHA256
f0864f2f9a2371dfbc3d843fe0e03fcb7c5269aaedc6d8a998fd2d63cd5e8d04

SHA512
9777c8eb4cd6c7a9ae9ca1070354694c421ab548fec69f6d25c3873ca205f30df7e36748a53ad6972cd26120f40dcf167d9f5610c0974f5b66c5282a765bd3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fc6cf32c966f5f3b6a40313788d1c655

SHA1
7796ae16adefa04fbb333db59050058cdb96b069

SHA256
0bb96ba54933e63d7f2d14887bd4601ecef7c29cf976a71dc8078f846036b2b4

SHA512
784f37f7294902d92ed6a8ed7e8cf4c3bd3ef34acd73f62133b674d46c12ec9628a32676fc15ba50522931d7f44a62f7cc1a3100d5ca29b410dfd0b631831ae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lhbskpd.h31.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp335F.tmp

Filesize
1KB

MD5
8951e7f9dca2cae01f32f5d0da6dd36b

SHA1
bd17c33503c829c3512fd3617bc1a12da382da6f

SHA256
2527503c2365625aa86ad066c05b343a9d513fca3ce17b0ed9f277f4cfff7ffe

SHA512
af891de3cbfe6224c51ba434a4b88f5ae4a10d4c3bc7753d97742d8e38378d74f6968e73c4b0201b760905c73eb868eddfc05f0db10baabd2b50562c844f6d2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/824-16-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-13-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-101-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-84-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-83-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-15-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-14-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-82-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-77-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-68-0x00007FFB85243000-0x00007FFB85245000-memory.dmp

Filesize
8KB

Download
memory/824-10-0x00007FFB85243000-0x00007FFB85245000-memory.dmp

Filesize
8KB

Download
memory/824-11-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/824-12-0x00007FFB85240000-0x00007FFB85D01000-memory.dmp

Filesize
10.8MB

Download
memory/3196-150-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-75-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-481-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-106-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-105-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-91-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-90-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-78-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-482-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-76-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3196-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4756-3-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/4756-4-0x0000000004C60000-0x0000000004C6A000-memory.dmp

Filesize
40KB

Download
memory/4756-41-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4756-5-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4756-17-0x0000000005F80000-0x0000000006040000-memory.dmp

Filesize
768KB

Download
memory/4756-6-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/4756-7-0x0000000005020000-0x0000000005038000-memory.dmp

Filesize
96KB

Download
memory/4756-2-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download
memory/4756-1-0x00000000002E0000-0x00000000003DE000-memory.dmp

Filesize
1016KB

Download
memory/4756-0-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/4756-8-0x00000000745AE000-0x00000000745AF000-memory.dmp

Filesize
4KB

Download
memory/4756-9-0x00000000745A0000-0x0000000074D50000-memory.dmp

Filesize
7.7MB

Download
memory/4816-24-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/4816-72-0x0000000007410000-0x0000000007418000-memory.dmp

Filesize
32KB

Download
memory/4816-71-0x0000000007430000-0x000000000744A000-memory.dmp

Filesize
104KB

Download
memory/4816-70-0x0000000007330000-0x0000000007344000-memory.dmp

Filesize
80KB

Download
memory/4816-69-0x0000000007320000-0x000000000732E000-memory.dmp

Filesize
56KB

Download
memory/4816-67-0x00000000072F0000-0x0000000007301000-memory.dmp

Filesize
68KB

Download
memory/4816-66-0x0000000007370000-0x0000000007406000-memory.dmp

Filesize
600KB

Download
memory/4816-65-0x0000000007160000-0x000000000716A000-memory.dmp

Filesize
40KB

Download
memory/4816-64-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/4816-63-0x0000000007740000-0x0000000007DBA000-memory.dmp

Filesize
6.5MB

Download
memory/4816-62-0x0000000006DE0000-0x0000000006E83000-memory.dmp

Filesize
652KB

Download
memory/4816-61-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/4816-51-0x0000000070A90000-0x0000000070ADC000-memory.dmp

Filesize
304KB

Download
memory/4816-50-0x0000000006DA0000-0x0000000006DD2000-memory.dmp

Filesize
200KB

Download
memory/4816-49-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/4816-48-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

Filesize
120KB

Download
memory/4816-28-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4816-31-0x00000000057B0000-0x0000000005B04000-memory.dmp

Filesize
3.3MB

Download
memory/4816-29-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/4816-27-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/4816-22-0x00000000024E0000-0x0000000002516000-memory.dmp

Filesize
216KB

Download