remcos | 2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Size

928KB
MD5

db2d6fa90a8e0b9a6573c39b734310c6
SHA1

0fc5dae3eb723a9eb34cee2e6ffd98248b0407b2
SHA256

2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da
SHA512

aebcff4744959d841146c432c46fb8504e2675c3ffbaf7f8c9dbf771897b104cd8a6f4805040cd94febeac1be20b9d19e90b0f1b104194aed7f33640003ea836
SSDEEP

24576:gPCi9zp3A/JhqLRNDIIg76mziStsfAI9r:gT3ehqLRxI/Fi1fh

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

45.89.247.155:2404

Attributes

audio_folder
MicRecords
audio_path
%ProgramFiles%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-HO4EX3
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%ProgramFiles%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1576	powershell.exe
2616	powershell.exe
1800	powershell.exe
2260	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	remcos.exe

Executes dropped EXE 2 IoCs

pid	Process
3884	remcos.exe
4432	remcos.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HO4EX3 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 3884 set thread context of 4432	3884	remcos.exe	104
PID 4432 set thread context of 1480	4432	remcos.exe	105

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1964	schtasks.exe
452	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1576	powershell.exe
2260	powershell.exe
4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
1576	powershell.exe
2260	powershell.exe
2616	powershell.exe
1800	powershell.exe
2616	powershell.exe
1800	powershell.exe
2876	msedge.exe
2876	msedge.exe
2072	msedge.exe
2072	msedge.exe
2424	identity_helper.exe
2424	identity_helper.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4432	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe
2072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 2260	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	86
PID 4736 wrote to memory of 2260	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	86
PID 4736 wrote to memory of 2260	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	86
PID 4736 wrote to memory of 1576	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	88
PID 4736 wrote to memory of 1576	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	88
PID 4736 wrote to memory of 1576	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	88
PID 4736 wrote to memory of 1964	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	90
PID 4736 wrote to memory of 1964	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	90
PID 4736 wrote to memory of 1964	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	90
PID 4736 wrote to memory of 396	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	92
PID 4736 wrote to memory of 396	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	92
PID 4736 wrote to memory of 396	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	92
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 4736 wrote to memory of 1180	4736	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	93
PID 1180 wrote to memory of 3884	1180	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	94
PID 1180 wrote to memory of 3884	1180	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	94
PID 1180 wrote to memory of 3884	1180	2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe	94
PID 3884 wrote to memory of 2616	3884	remcos.exe	98
PID 3884 wrote to memory of 2616	3884	remcos.exe	98
PID 3884 wrote to memory of 2616	3884	remcos.exe	98
PID 3884 wrote to memory of 1800	3884	remcos.exe	100
PID 3884 wrote to memory of 1800	3884	remcos.exe	100
PID 3884 wrote to memory of 1800	3884	remcos.exe	100
PID 3884 wrote to memory of 452	3884	remcos.exe	101
PID 3884 wrote to memory of 452	3884	remcos.exe	101
PID 3884 wrote to memory of 452	3884	remcos.exe	101
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 3884 wrote to memory of 4432	3884	remcos.exe	104
PID 4432 wrote to memory of 1480	4432	remcos.exe	105
PID 4432 wrote to memory of 1480	4432	remcos.exe	105
PID 4432 wrote to memory of 1480	4432	remcos.exe	105
PID 4432 wrote to memory of 1480	4432	remcos.exe	105
PID 1480 wrote to memory of 2072	1480	iexplore.exe	106
PID 1480 wrote to memory of 2072	1480	iexplore.exe	106
PID 2072 wrote to memory of 3096	2072	msedge.exe	107
PID 2072 wrote to memory of 3096	2072	msedge.exe	107
PID 2072 wrote to memory of 4108	2072	msedge.exe	108
PID 2072 wrote to memory of 4108	2072	msedge.exe	108
PID 2072 wrote to memory of 4108	2072	msedge.exe	108
PID 2072 wrote to memory of 4108	2072	msedge.exe	108
PID 2072 wrote to memory of 4108	2072	msedge.exe	108
PID 2072 wrote to memory of 4108	2072	msedge.exe	108
PID 2072 wrote to memory of 4108	2072	msedge.exe	108
PID 2072 wrote to memory of 4108	2072	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
"C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IjmeWkIVoEt.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IjmeWkIVoEt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE4A3.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
  "C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
  2⤵
  PID:396
- C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe
  "C:\Users\Admin\AppData\Local\Temp\2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IjmeWkIVoEt.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IjmeWkIVoEt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4ADF.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:452
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:4432
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0x100,0x104,0xd8,0x108,0x7ffa3eb046f8,0x7ffa3eb04708,0x7ffa3eb04718
        7⤵
        
        PID:3096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        7⤵
        
        PID:4108
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
        7⤵
        
        PID:4924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        7⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        7⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
        7⤵
        
        PID:4076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
        7⤵
        
        PID:2692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
        7⤵
        
        PID:3404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
        7⤵
        
        PID:3624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
        7⤵
        
        PID:3732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
        7⤵
        
        PID:1184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
        7⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14587042459464253494,2449730493682737053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
        7⤵
        
        PID:2408
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7ffa3eb046f8,0x7ffa3eb04708,0x7ffa3eb04718
        7⤵
        
        PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
928KB

MD5
db2d6fa90a8e0b9a6573c39b734310c6

SHA1
0fc5dae3eb723a9eb34cee2e6ffd98248b0407b2

SHA256
2361c17c4b1dd719f9546f08486daad02c3369224abca66161bbd8839ea7b6da

SHA512
aebcff4744959d841146c432c46fb8504e2675c3ffbaf7f8c9dbf771897b104cd8a6f4805040cd94febeac1be20b9d19e90b0f1b104194aed7f33640003ea836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\92025352-33d8-4f38-ab48-92f1950b0433.tmp

Filesize
6KB

MD5
7e99dce30a98dddb9375c43d52d4e8c6

SHA1
74916c475ec491a9dddbcb10000cc6360298352c

SHA256
5123e74135ed9128bde21f94ad3497867d1c7921a8ad1011b36484323c364cbe

SHA512
81acc81cfe363775c0eaf10dc96106ba4e852305d11047ce2759ba6cc21afb8c733ffc03a4db390965576b3f99a85f1d8e996ffbeecd363809f435daf0c50a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
57f077b80061f6d5a2fc0772209d269c

SHA1
68b03fbcaa72c00f0c4d683bae8dfb50428f86b5

SHA256
473eab6044414bf08763c301e30bb69dc64c67dbbcd912df55797c244ccec287

SHA512
23bf536959283f9dd0e8c60abe67058720a97ddd42eb0dbddff6f8652073e438a172a65263e2280f2c3aedacae55d6022494107402f4b5f17f40456c63d0323e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27ccc1ca67e45219a85ab7b492a2bad0

SHA1
d46bb7b4a6d0e0a93e7168e63fad9f1a532d7f22

SHA256
eb00f07a37fd7e330d8126534dbaccc718a5be2db9dfea824af29be8ccb28199

SHA512
8ba10f5a8ebcf9e8445492d5c2af3df6138bdc0ab1208b9066077545f7c3c2859fe248d897978603e420ffcbcd9fc24d13344ed7b90eac57e77a4c77502ffa5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7dbe300c11f5bf9b1323ac6cadf532ba

SHA1
c70ceea618af0d1326097108016deac33786abe9

SHA256
3724ba54be42d70f8d347401617790dc1ac38185cc1e1419b37fa1f04e8717f5

SHA512
ae0b49bc987bcb7a1345e668c98489e020dba48f588e1f1b5311f4fef626e82f30c2a9f572184e4bb5118588a3f7bb705f99b925f1eab1ae56ede04234471dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
250cee8b8599b482deb41fea2124c5b3

SHA1
72ffecc6c11e4b41c375927e60cfed0aa6079836

SHA256
145397b0a306f246981f155f4573c9210cf7814411a97dc904b0f3b85f621180

SHA512
2ab1058aa5d8424ca5e8842fe2ef1e5b38ba1f59682b41b1a0a9bf4db8844b98b7eb5d63cb2a87a27f9013d8e1face44729075fb1846178cb884ca8f6991f186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bd31.TMP

Filesize
367B

MD5
4d4cd992ae204db602f8f19b4d2abd81

SHA1
8574a5eccf54516f82fd778d468e0632d9dda22e

SHA256
8742b51078f1d99d56d1ebbd56c73ea65c122b8d33317872a91f003ae1f24e2d

SHA512
9317449848307fbab7cf0b2a8693b2c0431254b5db227b39f881477f5fe2d2cf45f945dfd9a6500783ce4d256493c8908bb47ac37402f3c93586a77a1318b98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
436d703698d0bcffb7f8cf830ca13c6b

SHA1
585feabf93307c74cdcd842918b8598c49b8081e

SHA256
cf137d7efd44b3dd4315ed53fe0cbf50ca731affbe263377a9082d5e28cf51f7

SHA512
1f665fc92343c26b5fdf60bcc00e892fbcaf3f8b9158340915635b12a902e32259e3a7e0252edc489840a1f790d8f437292a7adae5a9c7db78c8319eac24669b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
51ed840c2f8ca6e19af190fc9f783e86

SHA1
36a40886ef2867273db1578bf7d6d6b1e50214dc

SHA256
1bfa2d302102ece4855a587f61e00377d9399ecbf8266a202299ae5d786987b9

SHA512
6241a1ba1dd5aa3108becb50dd1b803bdee2a2f52e8e1ffde976daa00210a7a8dea6891736889c3d4e00f286dbf2f6557ffd1d2f791f5ae80eae3fcafc7d654b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m33torms.5rm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4A3.tmp

Filesize
1KB

MD5
e167ef72dbe9c060d163e3dda6e9e296

SHA1
154a28cdc42e74b8f275591657e7bbbcf1afc662

SHA256
063c52871e1960cb743ad7edafccbbf6d6cd039c6e329d2d565932c1a328943e

SHA512
efe06cbccf746a04eec41fc6580f194afc30561a57c65d7df26c8bea6d163bb21103d6f1c3125df267f3ff2a9180b2a5e4415f88fa18638c80ea9db72316ac10

Download Submit
memory/1180-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1180-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1480-157-0x0000000000A10000-0x0000000000AFA000-memory.dmp

Filesize
936KB

Download
memory/1576-124-0x0000000006D60000-0x0000000006E03000-memory.dmp

Filesize
652KB

Download
memory/1576-19-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1576-29-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/1576-30-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/1576-150-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1576-41-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1576-50-0x00000000056E0000-0x0000000005A34000-memory.dmp

Filesize
3.3MB

Download
memory/1576-140-0x00000000070D0000-0x00000000070DE000-memory.dmp

Filesize
56KB

Download
memory/1576-22-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1576-53-0x0000000005F70000-0x0000000005FBC000-memory.dmp

Filesize
304KB

Download
memory/1576-52-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/1576-123-0x0000000006D40000-0x0000000006D5E000-memory.dmp

Filesize
120KB

Download
memory/1576-113-0x0000000071890000-0x00000000718DC000-memory.dmp

Filesize
304KB

Download
memory/1576-112-0x0000000006140000-0x0000000006172000-memory.dmp

Filesize
200KB

Download
memory/1576-139-0x00000000070A0000-0x00000000070B1000-memory.dmp

Filesize
68KB

Download
memory/1800-167-0x0000000006390000-0x00000000066E4000-memory.dmp

Filesize
3.3MB

Download
memory/1800-190-0x0000000070E20000-0x0000000070E6C000-memory.dmp

Filesize
304KB

Download
memory/2260-15-0x0000000004B40000-0x0000000004B76000-memory.dmp

Filesize
216KB

Download
memory/2260-143-0x0000000007730000-0x0000000007738000-memory.dmp

Filesize
32KB

Download
memory/2260-138-0x0000000007690000-0x0000000007726000-memory.dmp

Filesize
600KB

Download
memory/2260-125-0x0000000071890000-0x00000000718DC000-memory.dmp

Filesize
304KB

Download
memory/2260-16-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2260-141-0x0000000007650000-0x0000000007664000-memory.dmp

Filesize
80KB

Download
memory/2260-142-0x0000000007750000-0x000000000776A000-memory.dmp

Filesize
104KB

Download
memory/2260-17-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/2260-21-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/2260-18-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2260-23-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2260-149-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2260-136-0x0000000007410000-0x000000000742A000-memory.dmp

Filesize
104KB

Download
memory/2260-135-0x0000000007A50000-0x00000000080CA000-memory.dmp

Filesize
6.5MB

Download
memory/2260-137-0x0000000007480000-0x000000000748A000-memory.dmp

Filesize
40KB

Download
memory/2616-178-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

Filesize
304KB

Download
memory/2616-179-0x0000000070E20000-0x0000000070E6C000-memory.dmp

Filesize
304KB

Download
memory/2616-189-0x0000000007770000-0x0000000007813000-memory.dmp

Filesize
652KB

Download
memory/2616-200-0x0000000007A50000-0x0000000007A61000-memory.dmp

Filesize
68KB

Download
memory/2616-201-0x0000000007A90000-0x0000000007AA4000-memory.dmp

Filesize
80KB

Download
memory/4432-155-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4736-1-0x0000000000CB0000-0x0000000000D9A000-memory.dmp

Filesize
936KB

Download
memory/4736-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/4736-51-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4736-8-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4736-9-0x0000000009220000-0x00000000092E0000-memory.dmp

Filesize
768KB

Download
memory/4736-7-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/4736-6-0x0000000005DB0000-0x0000000005DC2000-memory.dmp

Filesize
72KB

Download
memory/4736-4-0x0000000005850000-0x000000000585A000-memory.dmp

Filesize
40KB

Download
memory/4736-5-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/4736-3-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/4736-2-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/4736-10-0x000000000BAA0000-0x000000000BB3C000-memory.dmp

Filesize
624KB

Download