Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 02:05
General
-
Target
baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af.exe
-
Size
1.3MB
-
MD5
9ca296392ffda3a2168b2c8e38423f88
-
SHA1
5a6001e488ee7fb0ec19e5727871c7a1d476457d
-
SHA256
baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af
-
SHA512
80be381586098c24ad441b638f45924af481063bd28a84aa0f2dc1e177fa23a4d8a8ca2263977380c4af054870f64704bbb72b6845ce17375d563d5d2a9ce8b1
-
SSDEEP
24576:lTbBv5rUqDGbB22Y7+QE96qZaeUTHc8SqAOgRF65:PBX0YZD40kVqK65
Malware Config
Extracted
remcos
RemoteHost
104.254.90.203:42940
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-KNQYWF
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Signatures
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af.exe"C:\Users\Admin\AppData\Local\Temp\baa1926f8f9eb46243f4591d418581fc422268a40aec9a83fccf7e3ee2f913af.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wscript.exe"C:\Windows\System32\wscript.exe" Update-pe.b.vbe2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pif"C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pif" mmooosqfr.xml3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\bibc4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbs5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbs5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension *.vbe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5e0b3c08fff4685e84e5f8cd00f5fdfbc
SHA1ef9477ecc57b1ce2f5d508fc226c7172fdf15dbd
SHA256137235cb52578bbd027e3759c44bbdd8857f0ffc7364c88a587161390f9762c5
SHA512158382df32e9d6d4930cd74f4edb9030791a7556e2afb4735264a28ebbd6979a4323ed81a7d6b739cd94ed02999ccd0855733df326efe3a5ac782036d32348fd
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD51081fd9721fc341c9891c97a8dbe814d
SHA1d118b253489c6666969470cf135720335f8aafa3
SHA25606c8fa4e953d5c49b4df5e257b440368c5e0a87a7f788afd332eb5b756a1ac4e
SHA512c9119ee4543e77d5c4dcf93816698a1918c5966472b86743e14a41e6f617db1dd09bcc1e217883d4a802b8b1738c4627d732c60b86fd8c5ad4b4ceecfa6ae208
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD51081fd9721fc341c9891c97a8dbe814d
SHA1d118b253489c6666969470cf135720335f8aafa3
SHA25606c8fa4e953d5c49b4df5e257b440368c5e0a87a7f788afd332eb5b756a1ac4e
SHA512c9119ee4543e77d5c4dcf93816698a1918c5966472b86743e14a41e6f617db1dd09bcc1e217883d4a802b8b1738c4627d732c60b86fd8c5ad4b4ceecfa6ae208
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD50b6f91cd079c5cf5084717071938be1c
SHA136b041f9e277acc5c02e493c62fce9a8277120e5
SHA2566fdb8306fefc8d40c2e0a0ab8866f76740a549501f3f04c262efe28246dbd65f
SHA512a6b6d7ba040d03fcb50a282f059081a1ddb0b94cf72e21afc6e74626492a486f7f283c04fc71d367ac190e1958ab9807cf1508f5d7976dd85c44116f6864a2ba
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5cac64266e4c9ae83617a8f156071c519
SHA1f9d99357bb98f416f476c60d0cf3f151ec9be376
SHA256a55abe64742397cb614556c9882738de46b9b23a702fb91aaa00e5b3c38726ca
SHA512c2471f90abe834b920d2061d6f4a249de38e64b04b429e5da9453e99dcbae2b5814862fe9279642ca52318bf30d619c0b8203faab20e74351e51c0c3c7e26176
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5fa3610c7bd30b45a5f83ae299296aebe
SHA10f15b097b15feed058ca7b74d9b71b12402e22d7
SHA2561e60a80936c487778303a0cc1a1c1f938e7cd4cb23a923413663787bdffa9f99
SHA512af5e5940f8a11ab553cde18e61db2edc868dcbd60acff4eb6df39cc4680a281dae962857968e94a2955d7cc098d2420114650124a614e119678c514e0255aaeb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD5fa3610c7bd30b45a5f83ae299296aebe
SHA10f15b097b15feed058ca7b74d9b71b12402e22d7
SHA2561e60a80936c487778303a0cc1a1c1f938e7cd4cb23a923413663787bdffa9f99
SHA512af5e5940f8a11ab553cde18e61db2edc868dcbd60acff4eb6df39cc4680a281dae962857968e94a2955d7cc098d2420114650124a614e119678c514e0255aaeb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD5ce1d301aa5b34b6f66b92e352decd382
SHA1d3f4fbdcc1a35a8419b959d26bcbfe5a00f9c586
SHA2569349d98b00ac7f7cd1e073e3f1eaa8b37602c0dc91e35fe54a1f57fcc943a258
SHA5125b7bfd305555b7eb6589e239e24cf6fcd7792b246b1254ed09092ae9710928c269db097a1daa0bf78072bf9434339f422d1d3657df223676c7b48cdc2b1efbea
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
11KB
MD55dc3970923f87d91875101582888cdac
SHA13872f3adc84e4200c8350a0cb5899af5e79d7572
SHA256a167269047eab81eacb108a5b4c5766a7013353034bb9c19ab8afad0060f32a1
SHA51206e3276105298a4105498b3687e6db912429f8612db8cac920d1e9c53dd93451c5bf45685b82d2e81f9c21f1bfe947a76791e93c137879e0a5603a880e547c14
-
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exeFilesize
44KB
MD59d352bc46709f0cb5ec974633a0c3c94
SHA11969771b2f022f9a86d77ac4d4d239becdf08d07
SHA2562c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390
SHA51213c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aetacaft.vn5.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\bibc\askagvk.xmlFilesize
37KB
MD5df2aad1df52884dacca9ce4c9df73715
SHA1d9271cfd6486175ac744583c883c19b00821f647
SHA2566d4a527a9bf69e28defe550a737b13a7d9f11c0dc4296cd3e5873648f0321776
SHA5126803d4f3ed270edcc04aa7de79442036783ed4233854615b41628f903b1ad1460fb27cc40d386482cd40a860432b8a727a003087b3b014493425ebdc05085822
-
C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pifFilesize
1.1MB
MD5c81409f51b6115a5513a4ee52ec94b1d
SHA197d49ccce31bf74c9dd1841b07a7a4ac4fe8dba1
SHA2562957e77587a002d380031ac26da95e605fa18e2d23ae7a141595406652be6cd6
SHA512cca20666de959cc0e49b7381d20a201c12b02db7bb1b0d2f6c3d0b51e02494567f615bd3205d1e1cbb08f658d8db552e22abe7ed079eba403889a4dcdabd21e9
-
C:\Users\Admin\AppData\Local\Temp\bibc\exrthati.pifFilesize
1.1MB
MD5c81409f51b6115a5513a4ee52ec94b1d
SHA197d49ccce31bf74c9dd1841b07a7a4ac4fe8dba1
SHA2562957e77587a002d380031ac26da95e605fa18e2d23ae7a141595406652be6cd6
SHA512cca20666de959cc0e49b7381d20a201c12b02db7bb1b0d2f6c3d0b51e02494567f615bd3205d1e1cbb08f658d8db552e22abe7ed079eba403889a4dcdabd21e9
-
C:\Users\Admin\AppData\Local\Temp\bibc\mmooosqfr.xmlFilesize
118.7MB
MD50b8c3389fcfa4b23792cfe4be9bf5d4d
SHA1fb874d34954345f99fc32dcf1bd2d7dd552a69a4
SHA2560ff9a189fe4a7fc1d0988f13c4a641b8a2b467fc0304df7f4a130346c5378399
SHA512990ed70cc4d98035cff152df2401ec923ecb2aca040f1664825eff73ef859f561fc8d337beedf4c39a02d17c2bbaba1ea26ca7e7c72d9e759af7e6d0e2e5fbf8
-
C:\Users\Admin\AppData\Local\Temp\bibc\olmk.kefFilesize
869KB
MD588e9eb2b1734c06854c9a7f0ce654481
SHA13a390631ad78073dfe0a9fc02dcd18ab01ffce0c
SHA2562f0ee4d549cae7625366077f4d73dad31f276e9fde10a0a61d035887ae729789
SHA5128e7381c4113e6f8280c1172278570464607e538f6eac3766a6912e3f5980f89f848a0658b3956f27cf44c7c88a158cb75cd0981b390dd0efea3d74bcd903538f
-
C:\Users\Admin\AppData\Local\temp\bibc\Update-pe.b.vbeFilesize
90KB
MD5c0f4bcc7ee5b04990cbef34b501af814
SHA150b0ca595eba95a552f98d0e616a4ac0d28dc511
SHA25636d08a949ccf2b6628711d4642efead0f675c2f42be30bace2c93a7a8e49e9dc
SHA512747d53ea0a172936dc4c290afdea6116ddac9af5eef6f3f0ef7f8e66e74a0f3b6ad176f3f2dc52a7832c5d5b972dfcae64500a373b9df79aea93fbda3d57b955
-
memory/448-505-0x0000000001590000-0x00000000015A0000-memory.dmpFilesize
64KB
-
memory/448-361-0x00000000067C0000-0x00000000067DE000-memory.dmpFilesize
120KB
-
memory/448-293-0x0000000002EE0000-0x0000000002F16000-memory.dmpFilesize
216KB
-
memory/448-299-0x0000000001590000-0x00000000015A0000-memory.dmpFilesize
64KB
-
memory/828-398-0x0000000004FA0000-0x0000000004FB0000-memory.dmpFilesize
64KB
-
memory/828-441-0x0000000004FA0000-0x0000000004FB0000-memory.dmpFilesize
64KB
-
memory/828-442-0x000000006F2C0000-0x000000006F30C000-memory.dmpFilesize
304KB
-
memory/828-475-0x000000007FDF0000-0x000000007FE00000-memory.dmpFilesize
64KB
-
memory/992-497-0x000000007F490000-0x000000007F4A0000-memory.dmpFilesize
64KB
-
memory/992-472-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/992-476-0x000000006F2C0000-0x000000006F30C000-memory.dmpFilesize
304KB
-
memory/1696-502-0x0000000002FA0000-0x0000000002FB0000-memory.dmpFilesize
64KB
-
memory/1696-506-0x0000000002FA0000-0x0000000002FB0000-memory.dmpFilesize
64KB
-
memory/1696-310-0x0000000002FA0000-0x0000000002FB0000-memory.dmpFilesize
64KB
-
memory/1696-297-0x0000000006230000-0x0000000006296000-memory.dmpFilesize
408KB
-
memory/2528-349-0x0000000004920000-0x0000000004930000-memory.dmpFilesize
64KB
-
memory/3028-440-0x00000000048B0000-0x00000000048C0000-memory.dmpFilesize
64KB
-
memory/3028-400-0x00000000048B0000-0x00000000048C0000-memory.dmpFilesize
64KB
-
memory/3028-452-0x000000006F2C0000-0x000000006F30C000-memory.dmpFilesize
304KB
-
memory/3028-376-0x00000000048B0000-0x00000000048C0000-memory.dmpFilesize
64KB
-
memory/3304-504-0x0000000002820000-0x0000000002830000-memory.dmpFilesize
64KB
-
memory/3304-344-0x0000000002820000-0x0000000002830000-memory.dmpFilesize
64KB
-
memory/3304-296-0x0000000005A90000-0x0000000005AF6000-memory.dmpFilesize
408KB
-
memory/3812-375-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-533-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-538-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-527-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-436-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-526-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-537-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-529-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-536-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-535-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-530-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-363-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-534-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-387-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-413-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-531-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-532-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-528-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3812-401-0x0000000000F00000-0x000000000161F000-memory.dmpFilesize
7.1MB
-
memory/3844-373-0x0000000004750000-0x0000000004760000-memory.dmpFilesize
64KB
-
memory/3844-359-0x0000000004750000-0x0000000004760000-memory.dmpFilesize
64KB
-
memory/3844-499-0x0000000007030000-0x0000000007038000-memory.dmpFilesize
32KB
-
memory/3844-498-0x0000000007050000-0x000000000706A000-memory.dmpFilesize
104KB
-
memory/3844-438-0x00000000070D0000-0x0000000007166000-memory.dmpFilesize
600KB
-
memory/3844-496-0x0000000006FD0000-0x0000000006FDE000-memory.dmpFilesize
56KB
-
memory/3844-423-0x0000000006A10000-0x0000000006A2E000-memory.dmpFilesize
120KB
-
memory/3844-399-0x0000000006A50000-0x0000000006A82000-memory.dmpFilesize
200KB
-
memory/3844-403-0x000000006F2C0000-0x000000006F30C000-memory.dmpFilesize
304KB
-
memory/3844-337-0x0000000004750000-0x0000000004760000-memory.dmpFilesize
64KB
-
memory/3844-433-0x00000000073F0000-0x0000000007A6A000-memory.dmpFilesize
6.5MB
-
memory/3844-295-0x00000000049D0000-0x00000000049F2000-memory.dmpFilesize
136KB
-
memory/3844-434-0x0000000006DA0000-0x0000000006DBA000-memory.dmpFilesize
104KB
-
memory/3844-435-0x000000007EF10000-0x000000007EF20000-memory.dmpFilesize
64KB
-
memory/3844-437-0x0000000006E10000-0x0000000006E1A000-memory.dmpFilesize
40KB
-
memory/4076-386-0x0000000004F90000-0x0000000004FA0000-memory.dmpFilesize
64KB
-
memory/4076-397-0x0000000004F90000-0x0000000004FA0000-memory.dmpFilesize
64KB
-
memory/4076-474-0x000000007FC60000-0x000000007FC70000-memory.dmpFilesize
64KB
-
memory/4076-453-0x000000006F2C0000-0x000000006F30C000-memory.dmpFilesize
304KB
-
memory/4076-439-0x0000000004F90000-0x0000000004FA0000-memory.dmpFilesize
64KB
-
memory/4712-402-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/4712-477-0x000000006F2C0000-0x000000006F30C000-memory.dmpFilesize
304KB
-
memory/4712-473-0x0000000004A50000-0x0000000004A60000-memory.dmpFilesize
64KB
-
memory/5020-294-0x0000000005450000-0x0000000005A78000-memory.dmpFilesize
6.2MB
-
memory/5020-326-0x0000000002840000-0x0000000002850000-memory.dmpFilesize
64KB
-
memory/5020-503-0x0000000002840000-0x0000000002850000-memory.dmpFilesize
64KB