remcos | 2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Size

928KB
MD5

db2d6fa90a8e0b9a6573c39b734310c6
SHA1

0fc5dae3eb723a9eb34cee2e6ffd98248b0407b2
SHA256

2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da
SHA512

aebcff4744959d841146c432c46fb8504e2675c3ffbaf7f8c9dbf771897b104cd8a6f4805040cd94febeac1be20b9d19e90b0f1b104194aed7f33640003ea836
SSDEEP

24576:gPCi9zp3A/JhqLRNDIIg76mziStsfAI9r:gT3ehqLRxI/Fi1fh

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.89.247.155:2404

Attributes

audio_folder
MicRecords
audio_path
%ProgramFiles%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HO4EX3
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%ProgramFiles%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
396	powershell.exe
1484	powershell.exe
972	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	remcos.exe

Executes dropped EXE 2 IoCs

pid	Process
2812	remcos.exe
3996	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1504 set thread context of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 2812 set thread context of 3996	2812	remcos.exe	107
PID 3996 set thread context of 4780	3996	remcos.exe	108

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3124	schtasks.exe
4856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
396	powershell.exe
1484	powershell.exe
1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
1484	powershell.exe
396	powershell.exe
972	powershell.exe
2332	powershell.exe
2332	powershell.exe
972	powershell.exe
1388	msedge.exe
1388	msedge.exe
4656	msedge.exe
4656	msedge.exe
3540	identity_helper.exe
3540	identity_helper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3996	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 396	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	86
PID 1504 wrote to memory of 396	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	86
PID 1504 wrote to memory of 396	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	86
PID 1504 wrote to memory of 1484	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	88
PID 1504 wrote to memory of 1484	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	88
PID 1504 wrote to memory of 1484	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	88
PID 1504 wrote to memory of 3124	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	90
PID 1504 wrote to memory of 3124	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	90
PID 1504 wrote to memory of 3124	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	90
PID 1504 wrote to memory of 4112	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	92
PID 1504 wrote to memory of 4112	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	92
PID 1504 wrote to memory of 4112	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	92
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1504 wrote to memory of 1852	1504	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1852 wrote to memory of 2812	1852	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	94
PID 1852 wrote to memory of 2812	1852	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	94
PID 1852 wrote to memory of 2812	1852	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	94
PID 2812 wrote to memory of 972	2812	remcos.exe	101
PID 2812 wrote to memory of 972	2812	remcos.exe	101
PID 2812 wrote to memory of 972	2812	remcos.exe	101
PID 2812 wrote to memory of 2332	2812	remcos.exe	103
PID 2812 wrote to memory of 2332	2812	remcos.exe	103
PID 2812 wrote to memory of 2332	2812	remcos.exe	103
PID 2812 wrote to memory of 4856	2812	remcos.exe	104
PID 2812 wrote to memory of 4856	2812	remcos.exe	104
PID 2812 wrote to memory of 4856	2812	remcos.exe	104
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 2812 wrote to memory of 3996	2812	remcos.exe	107
PID 3996 wrote to memory of 4780	3996	remcos.exe	108
PID 3996 wrote to memory of 4780	3996	remcos.exe	108
PID 3996 wrote to memory of 4780	3996	remcos.exe	108
PID 3996 wrote to memory of 4780	3996	remcos.exe	108
PID 4780 wrote to memory of 4656	4780	iexplore.exe	109
PID 4780 wrote to memory of 4656	4780	iexplore.exe	109
PID 4656 wrote to memory of 1284	4656	msedge.exe	110
PID 4656 wrote to memory of 1284	4656	msedge.exe	110
PID 4656 wrote to memory of 724	4656	msedge.exe	111
PID 4656 wrote to memory of 724	4656	msedge.exe	111
PID 4656 wrote to memory of 724	4656	msedge.exe	111
PID 4656 wrote to memory of 724	4656	msedge.exe	111
PID 4656 wrote to memory of 724	4656	msedge.exe	111
PID 4656 wrote to memory of 724	4656	msedge.exe	111
PID 4656 wrote to memory of 724	4656	msedge.exe	111
PID 4656 wrote to memory of 724	4656	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
"C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IjmeWkIVoEt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IjmeWkIVoEt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3124
- C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
  "C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
  2⤵
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
  "C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:972
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IjmeWkIVoEt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2332
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IjmeWkIVoEt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4707.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4856
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:3996
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4780
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0xe4,0x7ffc808746f8,0x7ffc80874708,0x7ffc80874718
        7⤵
        
        PID:1284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        7⤵
        
        PID:724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1388
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
        7⤵
        
        PID:3108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        7⤵
        
        PID:2040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
        7⤵
        
        PID:4652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        7⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
        7⤵
        
        PID:5048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
        7⤵
        
        PID:2332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
        7⤵
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        7⤵
        
        PID:4444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
        7⤵
        
        PID:2372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
        7⤵
        
        PID:1620
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13938073163962363785,1006905316040103133,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
        7⤵
        
        PID:4636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc808746f8,0x7ffc80874708,0x7ffc80874718
        7⤵
        
        PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
928KB

MD5
db2d6fa90a8e0b9a6573c39b734310c6

SHA1
0fc5dae3eb723a9eb34cee2e6ffd98248b0407b2

SHA256
2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da

SHA512
aebcff4744959d841146c432c46fb8504e2675c3ffbaf7f8c9dbf771897b104cd8a6f4805040cd94febeac1be20b9d19e90b0f1b104194aed7f33640003ea836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
713794332a6c4b645e4e164ffcdbe6e4

SHA1
0c4883e300873cc414b1f9798af9c2cb6eb92459

SHA256
cbcd4b3e95381709ba9fd71734d2f3824077c15d120c306b746d334b7707a470

SHA512
6c08261d7e447e1f9d40515f04e9db5e69888a5a20ba0b91d428445d084db15ad69cac0e2860dae6ddd91fef6ee750e58720e7d762970e9d2866047057ea5d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ffccce4dad7596e118bb55f1ff7723c5

SHA1
2df920d163009a7c79b7221626af2ed184966cac

SHA256
9d1b62855660c87b5ed5613fdddca07f23811b62781cd53d40eabfcdad43ffc1

SHA512
5c2d5daffaee023b94deaeeb206ecba205c7bbcb157b83c56d5e5d11b4305a959d6ca095163ce1151fbd9ae967595f31cb5d4e4b834b719cc7681130682ce761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa3dc145a38acd01655e919c853a9f32

SHA1
55d3c8354f2225d7208cb83c5a6779074dfc0bd8

SHA256
4f5fa9ba4141946eea2f04dd875c31dd16c04100e584eb8c1951a614b8bf53ef

SHA512
f7c3a0b371ea46a247a6740970b4f4c1a5908c384271b63b1ec8434c9a80e3763939e842a688f9d8453f7a2a437f9498046dfce18e05794057a5a7e162b9347e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51e80d015f866f519e1e45f6d0d4a140

SHA1
30386262008202dae5f2261df5622c0cb0b7ce48

SHA256
78a2cfb1d0cd640c334bc07bda602fb03fbe6ce532322b85b5b97748b412e7a9

SHA512
b5cb0d1eb6019ddab522574b08c0ff26d810b90ad19baf752d4aaae56b326cfa82abea95ebcf8af540e0eecfe269d75b45303c94b8bba8ddd364a100fe6c9a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
98be9917b16b5e6b66b569922694bd3d

SHA1
5fd99407928f5774083baceda5031327223c9aba

SHA256
d10c9a686e7463195e09528dccd070621d5770907b9ed4281d497ab02ff198b0

SHA512
64e4f4b83438808cdeb75202ec8e65aa0419e1d599aa7594ef6d50753c5d6a18962eb1494ff967fdcf0ff84d7d52dbea27a2e10b216985d57da382d59bf410e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a92c.TMP

Filesize
369B

MD5
7dc0d7f0730b691b277e726e5beed0b8

SHA1
bcaa0d4dbd9142997492c4c66fa1b3005aff8c6c

SHA256
2754659fe87966512ce8875c6449bbb6cc987f77acf76cc79e6ee8956b444bfe

SHA512
8688b9fd3af082a69c3a4701bffe7e40f90aab4ca5651b6818e84586f5fb52c2bebb370bc4dbd026e44ce182eba15a6c85d2908ed8148e121cb1583e1543f019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0b06499116eb1bd8757091399a868f77

SHA1
9f5b1b64c8ed15abd596be6c9ea21339c62ec383

SHA256
048ad78048a56ce51b5789a744aca90762087f531e8c656e7f6c01b6ba482278

SHA512
e9cc4b57c8d23b4e5f01fb507c2774a456542326f294e28e5fcdf9b5622d0c847717dbde8dff7f4432d76ec10b0f12acea7e0ed712dfff0414e2d445f1255b16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
63facf8e6138ffa01f2984591b806d45

SHA1
6a088ec95ecbac1616367af42c9946f8712e1f1d

SHA256
5e0813bb8bee33ef2da4476cb871c363bfea020b3df85dc89d58335a849c41c2

SHA512
2ef2fa27beaab801c7626c61d93e3d1b4c18b06bd1457ed6ea27f3b4cdfa1904a4b7e551c6748ca37f10792796eb857023db1c5918da60f33f34ef7fdf7ce600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3aaafb6c084b43d388fcd1cc108f9da0

SHA1
1b7a233808cec8fd3723f76c922b375aed8a20d0

SHA256
79466d9c66b6e74794d20cbbc328aec32adfa3a8204623ef8ff19d05ebd417e7

SHA512
a34f638b17d59b63d7d80a07d03d92a6d4a1bda4f319a8c1446425237a6b60616da31f2659f59683602c990df6c232b036db078821d8c1bb9613372577226ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kjrm1vm.y3a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE639.tmp

Filesize
1KB

MD5
3844ee708d731895ab0b471b13a7810b

SHA1
78b0d7a4a0fd8d58b41bf8945d47b4a60d7243f0

SHA256
22f9f7d3eb67c2f708de493d18cadc897859bfe31a31392a9150cad2d50811b9

SHA512
692a612fbfb590e82837e9ee351555fe25c77c6e206e96f34637a535be3b2df83843342237179a221487787fa9f6b46683502f0a501c1ce59d5ac382d217becd

Download Submit
memory/396-27-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/396-17-0x0000000005120000-0x0000000005748000-memory.dmp

Filesize
6.2MB

Download
memory/396-18-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/396-32-0x0000000005920000-0x0000000005986000-memory.dmp

Filesize
408KB

Download
memory/396-125-0x0000000070D10000-0x0000000070D5C000-memory.dmp

Filesize
304KB

Download
memory/396-33-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/396-45-0x0000000005B70000-0x0000000005EC4000-memory.dmp

Filesize
3.3MB

Download
memory/396-138-0x00000000075A0000-0x0000000007636000-memory.dmp

Filesize
600KB

Download
memory/396-139-0x0000000007520000-0x0000000007531000-memory.dmp

Filesize
68KB

Download
memory/396-15-0x0000000004A70000-0x0000000004AA6000-memory.dmp

Filesize
216KB

Download
memory/396-16-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/396-137-0x0000000007390000-0x000000000739A000-memory.dmp

Filesize
40KB

Download
memory/396-151-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/972-163-0x0000000005EF0000-0x0000000006244000-memory.dmp

Filesize
3.3MB

Download
memory/972-180-0x00000000063C0000-0x000000000640C000-memory.dmp

Filesize
304KB

Download
memory/972-181-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/972-201-0x0000000007550000-0x00000000075F3000-memory.dmp

Filesize
652KB

Download
memory/972-202-0x0000000007890000-0x00000000078A1000-memory.dmp

Filesize
68KB

Download
memory/1484-123-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/1484-28-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/1484-135-0x0000000007A00000-0x000000000807A000-memory.dmp

Filesize
6.5MB

Download
memory/1484-124-0x00000000072D0000-0x0000000007373000-memory.dmp

Filesize
652KB

Download
memory/1484-136-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/1484-140-0x00000000075F0000-0x00000000075FE000-memory.dmp

Filesize
56KB

Download
memory/1484-141-0x0000000007600000-0x0000000007614000-memory.dmp

Filesize
80KB

Download
memory/1484-142-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/1484-143-0x00000000076E0000-0x00000000076E8000-memory.dmp

Filesize
32KB

Download
memory/1484-112-0x0000000007090000-0x00000000070C2000-memory.dmp

Filesize
200KB

Download
memory/1484-113-0x0000000070D10000-0x0000000070D5C000-memory.dmp

Filesize
304KB

Download
memory/1484-53-0x0000000006630000-0x000000000667C000-memory.dmp

Filesize
304KB

Download
memory/1484-150-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/1484-52-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/1484-19-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/1484-20-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/1484-21-0x0000000005920000-0x0000000005942000-memory.dmp

Filesize
136KB

Download
memory/1504-10-0x000000000AE90000-0x000000000AF2C000-memory.dmp

Filesize
624KB

Download
memory/1504-9-0x00000000060C0000-0x0000000006180000-memory.dmp

Filesize
768KB

Download
memory/1504-1-0x0000000000130000-0x000000000021A000-memory.dmp

Filesize
936KB

Download
memory/1504-2-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/1504-3-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/1504-51-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/1504-4-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/1504-5-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/1504-0-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/1504-6-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/1504-8-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/1504-7-0x000000007455E000-0x000000007455F000-memory.dmp

Filesize
4KB

Download
memory/1852-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1852-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2332-191-0x0000000070840000-0x000000007088C000-memory.dmp

Filesize
304KB

Download
memory/2332-203-0x0000000007030000-0x0000000007044000-memory.dmp

Filesize
80KB

Download
memory/3996-167-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4780-169-0x00000000004F0000-0x00000000005DA000-memory.dmp

Filesize
936KB

Download