remcos | ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce

Analysis

max time kernel
124s
max time network
130s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
Size

1.2MB
MD5

e2f45f4dad343940e2c06b901b71a864
SHA1

72223201c29be62eabac3f798ced2b8b762d833e
SHA256

ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce
SHA512

b5364557140c5cd4bfab75bd9ce237dd6366d19e2a6a174cc7b432e981f93928540280f251698e0b935af04fde851073b6607f60cc6c90a133aa0e7b8892d98c
SSDEEP

24576:IPMpzxWvSQVw/BSCDyBSvbSFMySqL1fjv4G4uKZ0PU:JWvxiSCWBSzsVL1fktec

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

154.216.16.54:6092

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-YJ70D0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
true
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2692 powershell.exe
1020 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

remcos.exeremcos.exe

pid process

2208 remcos.exe
588 remcos.exe
Loads dropped DLL 1 IoCs

Processes:

ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe

pid process

2784 ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe

pid	process
2692	powershell.exe
1020	powershell.exe

pid	process
2208	remcos.exe
588	remcos.exe

pid	process
2784	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

remcos.exeff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-YJ70D0 = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exeremcos.exeremcos.exe

description	pid	process	target process
PID 1680 set thread context of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 2208 set thread context of 588	2208	remcos.exe	remcos.exe
PID 588 set thread context of 2284	588	remcos.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exeIEXPLORE.EXEff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exeff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exepowershell.exeremcos.exeremcos.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000003cde95a56d4054ad712305a0b27714c117d95326de247562d30bfc1ec9062b6f000000000e80000000020000200000008af3ba07b6f7b73eadad391cb7baf09cab572b93e6841df8d1f3e6999b036096200000000653085bcf3383c1035a6c48b39735eacd49e17cd693e3120674fe4622148d8240000000ffcb56aabfc3eedf6a8eb0a3515e802f3ed6a6ebe5e6150ef021d29458b6dedba90e313ee0ff543d2ea130c4865fae13a3bc37b705489b5ffa43b1366370c917	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{31EF8291-A8AF-11EF-93C8-7227CCB080AF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80a9f609bc3cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000005ee4e98939e784c99fd520faae2e350861dd58feb635edb7d78a50b8dfeb258c000000000e80000000020000200000001260760ce28c6306a1237a4ef4b5f5640d7eb96f5712fa7c4e1f6f1c71dff0b49000000040f5ae65246bfcadfb2b440670fb5b34cc4fa25d695f9d739407a0fb461a991f050f298bd37246d942a2764cbc785fbeaf5b1f2c6670692ad8d4671a0bc57a7ea879b1410d31949f65e7d3f8870b2b697eae510a548cec72dcd111cb8a20d76c14ba0257c02511806d2bb6dc22aafffcecf764e8591311be60228981e9d6b7bcbbd44eea11a521cd20f7228920742ed9400000009ccf076c3024b44caf06dfb95411911d296fcf0d9fc2dc9057082651075aa5cafdcfad9c92aeb43d12aa929507a2c45d0155ab22d4a81d264a72c06f0b1368c7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exeremcos.exepowershell.exe

pid process

2692 powershell.exe
588 remcos.exe
1020 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

remcos.exe

pid process

588 remcos.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2692 powershell.exe
Token: SeDebugPrivilege 1020 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1420 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1420 iexplore.exe
1420 iexplore.exe
1808 IEXPLORE.EXE
1808 IEXPLORE.EXE
1808 IEXPLORE.EXE
1808 IEXPLORE.EXE

pid	process
2692	powershell.exe
588	remcos.exe
1020	powershell.exe

pid	process
588	remcos.exe

description	pid	process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe

pid	process
1420	iexplore.exe

pid	process
1420	iexplore.exe
1420	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exeff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exeremcos.exeremcos.exesvchost.exeiexplore.exe

description	pid	process	target process
PID 1680 wrote to memory of 2692	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	powershell.exe
PID 1680 wrote to memory of 2692	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	powershell.exe
PID 1680 wrote to memory of 2692	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	powershell.exe
PID 1680 wrote to memory of 2692	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	powershell.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 1680 wrote to memory of 2784	1680	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
PID 2784 wrote to memory of 2208	2784	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	remcos.exe
PID 2784 wrote to memory of 2208	2784	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	remcos.exe
PID 2784 wrote to memory of 2208	2784	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	remcos.exe
PID 2784 wrote to memory of 2208	2784	ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe	remcos.exe
PID 2208 wrote to memory of 1020	2208	remcos.exe	powershell.exe
PID 2208 wrote to memory of 1020	2208	remcos.exe	powershell.exe
PID 2208 wrote to memory of 1020	2208	remcos.exe	powershell.exe
PID 2208 wrote to memory of 1020	2208	remcos.exe	powershell.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 2208 wrote to memory of 588	2208	remcos.exe	remcos.exe
PID 588 wrote to memory of 2284	588	remcos.exe	svchost.exe
PID 588 wrote to memory of 2284	588	remcos.exe	svchost.exe
PID 588 wrote to memory of 2284	588	remcos.exe	svchost.exe
PID 588 wrote to memory of 2284	588	remcos.exe	svchost.exe
PID 588 wrote to memory of 2284	588	remcos.exe	svchost.exe
PID 2284 wrote to memory of 1420	2284	svchost.exe	iexplore.exe
PID 2284 wrote to memory of 1420	2284	svchost.exe	iexplore.exe
PID 2284 wrote to memory of 1420	2284	svchost.exe	iexplore.exe
PID 2284 wrote to memory of 1420	2284	svchost.exe	iexplore.exe
PID 1420 wrote to memory of 1808	1420	iexplore.exe	IEXPLORE.EXE
PID 1420 wrote to memory of 1808	1420	iexplore.exe	IEXPLORE.EXE
PID 1420 wrote to memory of 1808	1420	iexplore.exe	IEXPLORE.EXE
PID 1420 wrote to memory of 1808	1420	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
"C:\Users\Admin\AppData\Local\Temp\ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Users\Admin\AppData\Local\Temp\ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe
  "C:\Users\Admin\AppData\Local\Temp\ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\ProgramData\Remcos\remcos.exe
    "C:\ProgramData\Remcos\remcos.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\ProgramData\Remcos\remcos.exe
      "C:\ProgramData\Remcos\remcos.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:588
    - - C:\Windows\SysWOW64\svchost.exe
        
        C:\Windows\System32\svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Remcos\remcos.exe

Filesize
1.2MB

MD5
e2f45f4dad343940e2c06b901b71a864

SHA1
72223201c29be62eabac3f798ced2b8b762d833e

SHA256
ff639f1953e0e7896b18dc804ee0ed11f965d6cc60907fd454812c1a8846a2ce

SHA512
b5364557140c5cd4bfab75bd9ce237dd6366d19e2a6a174cc7b432e981f93928540280f251698e0b935af04fde851073b6607f60cc6c90a133aa0e7b8892d98c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
3f71b7d98bdca8e63466ea1b378d2ec2

SHA1
91bc94afaa05c2153498a3f307cbecb8ac4f153a

SHA256
a5609f5d7e8b5a487f7f08dcb3e3b6bfb6de64175094348b27b518ed0c67e599

SHA512
0210e99532974164b65babadd91da69db1a11e9b8799c5b24b251b3441855cc9a6573ef2da9ec5d4ca087a07bf8021d0b8b8e52cae8dc30ee9f5c4b015563cec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd99e256a60127212f4e43fd0e0fa77c

SHA1
0f572a00f76edd2865d30c6d1e51fd21be2cd912

SHA256
e31d419200b92c6a88fa04309e44d12335bbf6c1ee8a77942e04778083d65ca8

SHA512
d808059ec50376b8b99a458e92b4492b04af32a8282a80c4e1a67bf726eee89a59ab525dc9c02c98defa4445766f6aac2f5cc4c64cf646aebfed687436210680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5cc61b5dd3f02de3a12057f936fac4c

SHA1
0008083dc4e8e4247e137f4faec1d58b79e80215

SHA256
3c8840fd750e14322c5ff2822bc0363db987a974aa8f0aaa373f672ad53d92de

SHA512
61559c4c84fa198cf73851d8065dc1d04ca1145f054fe9921f90d02ff20a078458d801b23df40a160136a17c8df6ae0f28804c48e3fd3b2c91d731854c3dd144

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b46d3d748e2c1007900d0d46af36fae9

SHA1
1fb6a1824e566aa5b8df6bb37d62143704127f02

SHA256
c30bb56c1f184f2fa289826f910a22fc5283ff2a7091e28fe65b20510b4a12e7

SHA512
179260f678bbd83779002d6b04cd29dc82f2c0aa27dc7efb1c44243f49fb3d83a15b33386b432e1354160320f563e3bd2cd994c093309370aff70ace45b1ffb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
157fceece3fa47b60f487a278dac7f91

SHA1
7290d27548df2a8cb36322371256dafd225d1df5

SHA256
5aab32639295cb5f1fe4126bd7d2499549c9f94b7c18bc0bf86c34fa1350aa0f

SHA512
ba47d98baf011852439509b689d2306c938800d8c12c04335a2e1bd121b2291b7c1608ce83f5f7ca76ffa36c2995a88608121a79fce4cb9524bbbf6be9b6b983

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d475393177973bcd4ac29d3c6c65eb2

SHA1
d6ed3dd3a31d872c23ec01a698ea4238c96e587d

SHA256
eece4cd4b4fa48d704582eec29fcb641c1993075014afbcdffae09cf31120a8f

SHA512
668711d55165c780fc0fcc63f932451934707edb4f748a779b61dc7920b2063b4d544d17e0cbe126369e0b01d152c259babd10139fbe0bb6a7437d7705542194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6c29978a8abfd4a32308e215c5d3f0c

SHA1
691ca387d9882a83cfe06c9385271113e2213753

SHA256
1913071812c733919110653f268727d620ef9bd523e4ff436c3b3219c265a146

SHA512
cb7315a662cae78e74ea9362462fe5d1bdd219c82a9a573b2afd28e9dacd5934df1cb811fa4c1aabf799e753440adc6d0476cd0ca8d852e88fb3def0ec6e61d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57fa38d2b4095e40a4a811af402480ad

SHA1
095de4b8889603b62477940e996fef702a0b3fe5

SHA256
6f05c6b1001d269826ca208e5e28dd475dbb2abbacc02ad00b11dd910ca91bf8

SHA512
c7c905d8761f9f82a49c070fef5584444769f9d534f0f489f18013920a9ed0d773715ddf4aaee4c0633701fb084b66747966c33de4cd1a54249db4633db60214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9af0b3e9e650a9d75df416ecc5deccf

SHA1
98b7467a6eff50f1e9c9c2d2f9eca5b0be684212

SHA256
4e924b8a82904d068e9b966552a50161574311b72fd34b63cde437bb84871fca

SHA512
c472b29e7752641b53cd411db2b123ddefee4e68a8ce367900386c88c7536f204ea212c0e1352ab8d8ee2e4fadb84be9201e8ebdb644c36686e3bca21dd644ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2db64e40b3dde0ae426dc2095912b739

SHA1
384c34ef3847a75b088f91eea3b684b6ec3cc9e8

SHA256
a989f5b0d0ecc469afbafd7e1218be38006194ddc52bbfa95917e82a1d5d155a

SHA512
152a08758f409a7cedaeb61c8dfa358f218b82bf542dd1261acddf5daef367458ce882b218f507a2fcd65b7238d084636202a69308bac49e151e3f00448d6b59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1652cfee645fa8ed78efd0c4f71e6ab9

SHA1
9c616d130231505c64539853fcb182fe862777a2

SHA256
3577490e52539d9bfa515143877d67ef842b4c37741da66134b265cc66c48a34

SHA512
b49f95cc554c66fc64cb357f284f939909e278874cebe6619eaae54b6ac578f04337342dce5a3e3d5feac47af1e84c3c58cb8a7b176ef7d99a9eabd59b69902f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b9a2acf8327086929763a531e2ce241

SHA1
4420d82dff21bab136dc398c40a66745d11e7928

SHA256
d0ef2e741cb5b406c08b1290f03649134877b0a983e124c0b4927f892440c62d

SHA512
1b999e65cceeaa0e6ad3791df803f4906729f7cca3e2f0630de27823ea61f8a551eecbe72a1c07c260240d01060d3f5fe323c2359ba5f1862d73096f10e176f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42b57193546d730760a9012f6ed61fa1

SHA1
4acb7f485e8399048870a76d76c88b4319c5b402

SHA256
1ea0bbd97ad3ea740e8ad00607870e4ae53d0a4b9e370a495785cf76fcb622da

SHA512
2329bc960a1896c9f6f76d06617bf2f9c39f3a772a242cb89294b23da50f91549a768405b6554881fcfe812da1cea8e9e43bcc61e364c8bc97347556f6d16c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db7a26654025f6cc40ba0dc4a6706484

SHA1
4aa1569f8189d56d590bee51ed6ad7001bbe0384

SHA256
70fcba477910894834cd8b4aa1f57d17a9a0f792b3dbe1277424009cfa4bc864

SHA512
27e4aad688ccfa19fd3537ffffe675636beb49d47a6502045665ddb3c70d72bea4e943173fe1ba24f7cfcab434dc3240b8a1c3d0be00d0441523b2280596d3ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3175c745a08c71bcbda5d57b3e499a63

SHA1
f73a128c18a6c846ce41b3e40c1baf7fe0bc24b2

SHA256
8e9fbdfe213d976b97358b4463414d8ff88a88a4bd7a20a9d9fc52ca9113caca

SHA512
8a9afb7e6c946bec0ce02cc84de3a014300d3ba88ed4f064e6e1f3373dcb8f783372496426dfe56bfb60fc9af8e3fd4bb754492db30dc7c32d3c31a99b53e411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd9d550df22e4431aae2bfa1fb04c03c

SHA1
0351a23e148ad705b981c8472ea9d0c718bdd17f

SHA256
fa806f67511377865aeb655bb67d6f8e8fd630c8076f7d32f4b14b06f46a83ea

SHA512
0a5af812b708c624bf2d94941a0700e7e14f2e8329ff5ec2ca2793d8cb178c4444a95f031424b025e7e54e9b6d3717259fc5bebe9b0a440b89a722f5bef170ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d2453b3d82fcb71e6331d1228110ec2

SHA1
c955fb64a0822a33ff90dd8b843da22819710187

SHA256
ac2d1a0c3b78da12cca13a6674d0fbc795aeaef1547723a163e2ae238859240b

SHA512
4de12a8dbe5e6dad40c2b0b6893be7905a7ffcafee94950578a7e88eccb4b6a7390980b403ffb00fbe51e6def88a672437f519c11493bd25fddbf763b789374b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27b0759f2e7f988f8440e69c4ae135d5

SHA1
68952301a5505421ede0f7d20b3016b72b861e1b

SHA256
78aece644fe85a94dcb7841307908cff1474fc34a825f0e49c8078ee71f60756

SHA512
4bb0dcb0cd0567e5b95344ccc3aee2f5a1a6eb186414c3d82b581ae39a4357699cce5f28c933c8649d7e3fdc3134ebebbccc19fdcb0a5a8a13b68c750d33b590

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2591ae2dbd2f5cb1d134579dd8c5e75

SHA1
fcb8784ada939fcfbdf6268c9c18aa99d55f60bc

SHA256
50c02b1e5a8823a8360510da1a8c85fa9a62bab6b9a0df9dd6d4241e626d4877

SHA512
b94a3aa96804b50e585ba027e205999d2127b860220a69bb74fd7fbb6519f0932229d66b9015cacf5ca6197553087e1b35707eff7af41449c6bcaf06cb3a3000

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
025f9b6161298de7f69a1ac4c7eaab00

SHA1
dfeb50a804e348787759ffa2be93c5e12014cd98

SHA256
82e1432176a28261aaa9531d146788f694b3bc3240206a047089c3b4fe21cb3f

SHA512
ca74816a2771a09ee13e6ef9721d19586ae584edf766b45719a85d1c522dbeeab1c3d723f8dbec655ae3e6028f3d9e5b585f1fdd74d0d7816ac32e1c103a8473

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7c8ee413f5554cf0cb8a352a5a3a9ff

SHA1
cbf1a4a1858e7573535be317aa91f197288c26a5

SHA256
d064aa31b1c5a9b5fd14005aa92c7f63a0a3288973926f2d3efec0c0fc25ef87

SHA512
6f6a74d57c0e01d108ca1153d61b0ce3f4f35c526403c046369dcb9a0ee89745ff3f3f2967b9796bf1208b469dbef52d873e6aaba8b7a86c087ed406ba99589b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ef563bea0a7194ccf11a53e4f71761

SHA1
ff6838237e4d0662ae30db72ada4d49174d9c200

SHA256
aebe68a6645835ff9c37428d2000b70f106b3790e1a613b132b4e0732716d9be

SHA512
aead7e31dd8068b7569bca404cfce9c85a6480fd748a52d001edcf40e48095c7b9f083fc09852f675fa938d83aba98a7b0cc5953ebb0b316586c6a1192469e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d7d3fea0fd99554bbade3cea4a412af

SHA1
a0cfec385b2da7dead693e195fe5d3d0e898221a

SHA256
96035cb5e87d8d6cb63cd98d315efb8a28f9ce286263c4d2429e0698d73e9dc4

SHA512
dfb58d80b40f7bb407d06d33d964b9317d573b79c4fd046d7a3a9f3d967f4bd63fab607aa71ffde8335562103fc2e22fa85c4de1e81100d4be18f5dfb76d8ea4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4c13a232e748ade86de6a9fcf251c85

SHA1
a72169b368d60d45d93388cc0bdbe77c0296a275

SHA256
0ad6d9a00fd9963439623e91b1e8d4297eea10558dbfe71922e168b96b45810c

SHA512
edcdf57232dc9872a3e185e6a2bc026cfc2135e0262c1248cba031c36bb0d43867b38a6d5284c857ddc59b3c8e48e630886703c26b3147e94289affa895d9131

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE32.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBF00.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a6c5aff9bb969a744da114b2bd0895cd

SHA1
c1394e5c0a95407fd452b120346388e8b1e953db

SHA256
114cad70498c9de5dc01783c3c95563bade433406e800b6a875268d1f0c2eba7

SHA512
499681aad1c557fc3a5977b76d59b8bd7a3eedefa5cb4de47d53739496885266c762b44b1a84f0732c045d406dc02148935b049f83038ea1ebf59f9ddb1c2387

Download Submit
memory/588-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/588-53-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1680-30-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-0-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x0000000000EE0000-0x0000000001010000-memory.dmp

Filesize
1.2MB

Download
memory/1680-2-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-3-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/1680-4-0x0000000073F6E000-0x0000000073F6F000-memory.dmp

Filesize
4KB

Download
memory/1680-5-0x0000000073F60000-0x000000007464E000-memory.dmp

Filesize
6.9MB

Download
memory/1680-6-0x0000000005220000-0x00000000052E4000-memory.dmp

Filesize
784KB

Download
memory/2208-37-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/2208-34-0x0000000000F60000-0x0000000001090000-memory.dmp

Filesize
1.2MB

Download
memory/2284-56-0x0000000000110000-0x0000000000240000-memory.dmp

Filesize
1.2MB

Download
memory/2284-57-0x0000000000110000-0x0000000000240000-memory.dmp

Filesize
1.2MB

Download
memory/2284-55-0x0000000000110000-0x0000000000240000-memory.dmp

Filesize
1.2MB

Download
memory/2284-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-23-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-21-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-7-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-32-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2784-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-9-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2784-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download