remcos | 6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554

Analysis

max time kernel
63s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
Size

2.9MB
MD5

5519df0a635727fc10991148bfe970a0
SHA1

2a6ff2e8cd98ce0bb1e8a8cf024f616aa922edb7
SHA256

6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554
SHA512

13ce91d2931ae1aefa618d43919b8c00a612b67a886451a696b5e764c833eb4ce27d07c41ca4c4f95f92791d54b35d55d6efc1f3fec66c4aee1f1d7271f7ee3f
SSDEEP

49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcL:C2cPK8YwjE2cPK8y

Score

10^/10

remcos remotehost discovery link pdf persistence rat

Malware Config

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

daya4659.ddns.net:8282

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-S1KNPZ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	remcos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	driverquery.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	sfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	remcos_agent_Protected.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	remcos_agent_Protected.exe

Executes dropped EXE 8 IoCs

pid	Process
2316	remcos_agent_Protected.exe
3628	remcos_agent_Protected.exe
1416	remcos.exe
1420	remcos.exe
4524	sfc.exe
4724	driverquery.exe
4356	driverquery.exe
5000	sfc.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.141.152.26
Destination IP	114.114.114.114
Destination IP	1.2.4.8
Destination IP	185.141.152.26
Destination IP	1.2.4.8
Destination IP	185.141.152.26

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos_agent_Protected.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\remcos\\remcos.exe\""	remcos.exe

AutoIT Executable 25 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x0009000000023490-5.dat	autoit_exe
behavioral2/memory/3512-70-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3512-71-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3512-75-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/2920-81-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/2920-82-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/1452-85-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/1452-86-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/1748-89-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/1748-90-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3000-97-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3000-101-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3876-116-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3876-117-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/832-120-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/832-127-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/2776-201-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/2776-202-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/212-205-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/212-206-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3020-209-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/3020-210-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/memory/2448-214-0x0000000000400000-0x0000000000526000-memory.dmp	autoit_exe
behavioral2/files/0x00070000000234f7-281.dat	autoit_exe
behavioral2/files/0x00070000000234f0-284.dat	autoit_exe

Suspicious use of SetThreadContext 30 IoCs

description	pid	Process	procid_target
PID 2316 set thread context of 3628	2316	remcos_agent_Protected.exe	93
PID 1416 set thread context of 1420	1416	remcos.exe	107
PID 1420 set thread context of 3512	1420	remcos.exe	108
PID 1420 set thread context of 2920	1420	remcos.exe	116
PID 1420 set thread context of 1452	1420	remcos.exe	121
PID 1420 set thread context of 1748	1420	remcos.exe	125
PID 1420 set thread context of 3000	1420	remcos.exe	128
PID 1420 set thread context of 3876	1420	remcos.exe	133
PID 1420 set thread context of 832	1420	remcos.exe	136
PID 1420 set thread context of 2776	1420	remcos.exe	139
PID 1420 set thread context of 212	1420	remcos.exe	142
PID 1420 set thread context of 3020	1420	remcos.exe	145
PID 1420 set thread context of 2448	1420	remcos.exe	148
PID 1420 set thread context of 4228	1420	remcos.exe	151
PID 1420 set thread context of 3692	1420	remcos.exe	155
PID 1420 set thread context of 3424	1420	remcos.exe	158
PID 1420 set thread context of 4120	1420	remcos.exe	162
PID 1420 set thread context of 768	1420	remcos.exe	165
PID 1420 set thread context of 244	1420	remcos.exe	168
PID 1420 set thread context of 4264	1420	remcos.exe	172
PID 1420 set thread context of 1196	1420	remcos.exe	175
PID 1420 set thread context of 5112	1420	remcos.exe	178
PID 1420 set thread context of 4012	1420	remcos.exe	182
PID 1420 set thread context of 312	1420	remcos.exe	185
PID 1420 set thread context of 3964	1420	remcos.exe	189
PID 1420 set thread context of 2140	1420	remcos.exe	192
PID 1420 set thread context of 1720	1420	remcos.exe	195
PID 4724 set thread context of 4356	4724	driverquery.exe	200
PID 1420 set thread context of 116	1420	remcos.exe	201
PID 4524 set thread context of 5000	4524	sfc.exe	206

HTTP links in PDF interactive object 2 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x00070000000234ef-13.dat	pdf_with_link_action
behavioral2/files/0x00070000000234f0-284.dat	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
4176	3512	WerFault.exe	108
5096	2920	WerFault.exe	116
3004	1452	WerFault.exe	121
212	1748	WerFault.exe	125
216	3000	WerFault.exe	128
116	3876	WerFault.exe	133
2876	832	WerFault.exe	136
4984	2776	WerFault.exe	139
4076	212	WerFault.exe	142
4524	3020	WerFault.exe	145
116	2448	WerFault.exe	148
944	4228	WerFault.exe	151
916	3692	WerFault.exe	155
4412	3424	WerFault.exe	158
2736	4120	WerFault.exe	162
4768	768	WerFault.exe	165
3616	244	WerFault.exe	168
4212	4264	WerFault.exe	172
4304	1196	WerFault.exe	175
4752	5112	WerFault.exe	178
2268	4012	WerFault.exe	182
3040	312	WerFault.exe	185
3636	3964	WerFault.exe	189
1308	2140	WerFault.exe	192
3388	1720	WerFault.exe	195
1572	116	WerFault.exe	201

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos_agent_Protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	driverquery.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	remcos_agent_Protected.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3964	schtasks.exe
4076	schtasks.exe
1548	schtasks.exe
1324	schtasks.exe
636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1776	AcroRd32.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1776	AcroRd32.exe
1420	remcos.exe
1776	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2316	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	82
PID 2484 wrote to memory of 2316	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	82
PID 2484 wrote to memory of 2316	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	82
PID 2484 wrote to memory of 1776	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	84
PID 2484 wrote to memory of 1776	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	84
PID 2484 wrote to memory of 1776	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	84
PID 2484 wrote to memory of 4808	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	85
PID 2484 wrote to memory of 4808	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	85
PID 2484 wrote to memory of 4808	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	85
PID 2484 wrote to memory of 4276	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	86
PID 2484 wrote to memory of 4276	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	86
PID 2484 wrote to memory of 4276	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	86
PID 2484 wrote to memory of 2444	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	87
PID 2484 wrote to memory of 2444	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	87
PID 2484 wrote to memory of 2444	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	87
PID 2484 wrote to memory of 5028	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	88
PID 2484 wrote to memory of 5028	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	88
PID 2484 wrote to memory of 5028	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	88
PID 2484 wrote to memory of 2928	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	89
PID 2484 wrote to memory of 2928	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	89
PID 2484 wrote to memory of 2928	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	89
PID 2484 wrote to memory of 2712	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	90
PID 2484 wrote to memory of 2712	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	90
PID 2484 wrote to memory of 2712	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	90
PID 2484 wrote to memory of 3964	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	91
PID 2484 wrote to memory of 3964	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	91
PID 2484 wrote to memory of 3964	2484	6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe	91
PID 2316 wrote to memory of 3628	2316	remcos_agent_Protected.exe	93
PID 2316 wrote to memory of 3628	2316	remcos_agent_Protected.exe	93
PID 2316 wrote to memory of 3628	2316	remcos_agent_Protected.exe	93
PID 2316 wrote to memory of 3628	2316	remcos_agent_Protected.exe	93
PID 2316 wrote to memory of 3628	2316	remcos_agent_Protected.exe	93
PID 3628 wrote to memory of 3020	3628	remcos_agent_Protected.exe	94
PID 3628 wrote to memory of 3020	3628	remcos_agent_Protected.exe	94
PID 3628 wrote to memory of 3020	3628	remcos_agent_Protected.exe	94
PID 2316 wrote to memory of 4076	2316	remcos_agent_Protected.exe	95
PID 2316 wrote to memory of 4076	2316	remcos_agent_Protected.exe	95
PID 2316 wrote to memory of 4076	2316	remcos_agent_Protected.exe	95
PID 3020 wrote to memory of 312	3020	WScript.exe	97
PID 3020 wrote to memory of 312	3020	WScript.exe	97
PID 3020 wrote to memory of 312	3020	WScript.exe	97
PID 312 wrote to memory of 1416	312	cmd.exe	99
PID 312 wrote to memory of 1416	312	cmd.exe	99
PID 312 wrote to memory of 1416	312	cmd.exe	99
PID 1776 wrote to memory of 4380	1776	AcroRd32.exe	100
PID 1776 wrote to memory of 4380	1776	AcroRd32.exe	100
PID 1776 wrote to memory of 4380	1776	AcroRd32.exe	100
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101
PID 4380 wrote to memory of 2056	4380	RdrCEF.exe	101

C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
"C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
  "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe
    "C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:312
      - C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\remcos\remcos.exe
        
        "C:\Users\Admin\AppData\Roaming\remcos\remcos.exe"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1420
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 560
        9⤵
        Program crash
        
        PID:4176
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 572
        9⤵
        Program crash
        
        PID:5096
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 564
        9⤵
        Program crash
        
        PID:3004
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 564
        9⤵
        Program crash
        
        PID:212
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 560
        9⤵
        Program crash
        
        PID:216
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 560
        9⤵
        Program crash
        
        PID:116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 560
        9⤵
        Program crash
        
        PID:2876
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 560
        9⤵
        Program crash
        
        PID:4984
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 560
        9⤵
        Program crash
        
        PID:4076
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 560
        9⤵
        Program crash
        
        PID:4524
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 196
        9⤵
        Program crash
        
        PID:116
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 212
        9⤵
        Program crash
        
        PID:944
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 192
        9⤵
        Program crash
        
        PID:916
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3424 -s 564
        9⤵
        Program crash
        
        PID:4412
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:264
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 564
        9⤵
        Program crash
        
        PID:2736
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 560
        9⤵
        Program crash
        
        PID:4768
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 244 -s 560
        9⤵
        Program crash
        
        PID:3616
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 584
        9⤵
        Program crash
        
        PID:4212
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 560
        9⤵
        Program crash
        
        PID:4304
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 564
        9⤵
        Program crash
        
        PID:4752
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 560
        9⤵
        Program crash
        
        PID:2268
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 312 -s 560
        9⤵
        Program crash
        
        PID:3040
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 560
        9⤵
        Program crash
        
        PID:3636
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 560
        9⤵
        Program crash
        
        PID:1308
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 560
        9⤵
        Program crash
        
        PID:3388
        
        C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\SysWOW64\svchost.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 560
        9⤵
        Program crash
        
        PID:1572
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1548
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4076
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0BA496B55E5A96B337028D04D3464E36 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2056
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=5B98B3BDB27C365329FCF8F1C09EB8C1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=5B98B3BDB27C365329FCF8F1C09EB8C1 --renderer-client-id=2 --mojo-platform-channel-handle=1828 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:4780
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B5B555134F7585DA700F7E7760520794 --mojo-platform-channel-handle=1824 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4348
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7ABCD0559B6D64F4120F96102932A736 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4500
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=707A6A5D7BE24571D04AD28C6CBFF4D9 --mojo-platform-channel-handle=2460 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5036
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1E28FB41837311FFA3D6DFD0BCDD8C78 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1E28FB41837311FFA3D6DFD0BCDD8C78 --renderer-client-id=7 --mojo-platform-channel-handle=2572 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3688
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"
  2⤵
  PID:4808
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"
  2⤵
  PID:4276
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"
  2⤵
  PID:2928
- C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe
  "C:\Users\Admin\AppData\Local\Temp\6fae2da606acefa20145cffaab3bd07fe4f86ba0a8d45fe316713cfe70604554N.exe"
  2⤵
  PID:2712
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3512 -ip 3512
1⤵
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2920 -ip 2920
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1452 -ip 1452
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1748 -ip 1748
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3000 -ip 3000
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3876 -ip 3876
1⤵
PID:4364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 832 -ip 832
1⤵
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2776 -ip 2776
1⤵
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 212 -ip 212
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3020 -ip 3020
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2448 -ip 2448
1⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4228 -ip 4228
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3692 -ip 3692
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3424 -ip 3424
1⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4120 -ip 4120
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 768 -ip 768
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 244 -ip 244
1⤵
PID:1956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4264 -ip 4264
1⤵
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1196 -ip 1196
1⤵
PID:944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5112 -ip 5112
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4012 -ip 4012
1⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 312 -ip 312
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3964 -ip 3964
1⤵
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2140 -ip 2140
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1720 -ip 1720
1⤵
PID:2720

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4524
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn setx /tr "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:636

C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4724
- C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe
  "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4356
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\SysWOW64\schtasks.exe" /create /tn WWAHost /tr "C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe" /sc minute /mo 1 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 116 -ip 116
1⤵
PID:3188

C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
1⤵
PID:1256
- C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe
  "C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe"
  2⤵
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e5bb5b4ef23ee8d4016d33c9bbaeb97d

SHA1
937845cc739ccc7f4803647538e93c1f75ac0c85

SHA256
5cea7e4dcc6b5ad83fcbd3f8924d43cc5420d024d08fd834fb4c7b5ef7b130b5

SHA512
1be0b460de78109fa546a8c81b5fe542f3b14507808d6f861fb29364498d042b9dedfd687b803cdd7f316ee8ce10227e73cc7239b5fc026b025ea47a7149e806

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
418B

MD5
ff449f6f7bc5e2d800eb30e2d2c56611

SHA1
93419ea805b9ce35a766e5c56db50d54c2d3f94b

SHA256
655787cf79040ee701963986320556a834d6345e850e03653e4852d94eb09416

SHA512
02a17064c837d36ba241fb8edf9266e33479a10eb8652b974158a3227878a801da29db1108413bb2c298a105b3c19bd20c3a3100f19444189f434706825766a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\medical-application-form.pdf

Filesize
340KB

MD5
bb0aa1bade4df17033a05d8d682b44d2

SHA1
bec4b0a8a7413d158cf6705a3c888bdf36a4371b

SHA256
96d6c8c54390b476e8f8f42b99b52efb19eca152bf046c254992bc2f2faba764

SHA512
6bfe1b289f9c84d4db5a564ed129f7920775946981d5da5cb7753d63a141d84486ba9e958044e8162fba2eba875e56c358f92091b760e07b8cbe459e4202e4d9

Download Submit
C:\Users\Admin\AppData\Roaming\CapabilityAccessHandlers\sfc.exe

Filesize
1.1MB

MD5
2c9848f6b62c456aa28166cca576b000

SHA1
ce88de1c11ce2c4b12569677638398aa6ca5d4b6

SHA256
0536bfae35b2914b50bde5be8831e58453e1d8027ffdcb39611d5fde7520a86b

SHA512
ce3903fa8d4b0ce6247b8f66c9f259d2f77bdcee9220205a6734c5f7ac0b7bd9bffb18f07eb4eebfc1225102b76f67e343c2a1d9c240d60e3a373cf19f5e70a1

Download Submit
C:\Users\Admin\AppData\Roaming\RtDCpl64\driverquery.exe

Filesize
2.9MB

MD5
7c90f53f37f03a023115b910742df874

SHA1
8a0ca77cd2097621a00c7fd2aee012553ff616d8

SHA256
155f9049875e3b8254bb66e357bfc3070bd5e4efcfec79d1d7432e6b686cf263

SHA512
6f810c350cc6af585e60dd5a77040f00e012ba97dd173aa6e532d7e2630634222abbe70c007b8b33649cdf0e00480ba5f43190b8663276f1306855b0d46a43fb

Download Submit
C:\Users\Admin\AppData\Roaming\remcos\logs.dat

Filesize
118B

MD5
a045381e183d9dffde922a44f6e145ef

SHA1
5d004d7f7fd1cde1bc6fee1a09aae8306c8c5ae7

SHA256
b33372b5f44e02663ab778993e0a9ea079d25f1661b2f215042e8746a65788b2

SHA512
fd75820c36fc83075cccc76646bd22be91818a623b191dba22a7b0a965633b548dab517f362277361d355a3e7569da51a6c54f6f258bb8bd16babd632eafbc44

Download Submit
C:\Users\Admin\AppData\Roaming\remcos_agent_Protected.exe

Filesize
1.1MB

MD5
d5581c9db64b399c7d0cdb3f7b78673b

SHA1
87396211e6468d73c97301fe0b673f64bcd6d17c

SHA256
7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826

SHA512
5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6

Download Submit
memory/212-205-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/212-206-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/832-120-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/832-127-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1420-62-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/1420-55-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/1420-63-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/1420-67-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/1420-66-0x0000000000720000-0x0000000000740000-memory.dmp

Filesize
128KB

Download
memory/1452-85-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1452-86-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1748-89-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/1748-90-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2448-214-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2776-201-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2776-202-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2920-82-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/2920-81-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3000-97-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3000-101-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3020-209-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3020-210-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3512-75-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3512-71-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3512-70-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3628-23-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/3628-22-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/3628-15-0x0000000000360000-0x0000000000380000-memory.dmp

Filesize
128KB

Download
memory/3876-116-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/3876-117-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download