remcos | 09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7v20201028
submitted
12-01-2021 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a99807a434f33b10783b43bc2906fbe.exe
Size

1.3MB
MD5

7a99807a434f33b10783b43bc2906fbe
SHA1

070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e
SHA256

09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c
SHA512

d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 2 IoCs

Processes:

vlc.exevlc.exe

pid process

1756 vlc.exe
1972 vlc.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exeWerFault.exe

pid process

344 cmd.exe
344 cmd.exe
768 WerFault.exe
768 WerFault.exe
768 WerFault.exe

pid	process
1756	vlc.exe
1972	vlc.exe

pid	process
344	cmd.exe
344	cmd.exe
768	WerFault.exe
768	WerFault.exe
768	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vlc.exe7a99807a434f33b10783b43bc2906fbe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	vlc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	vlc.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	7a99807a434f33b10783b43bc2906fbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\win = "\"C:\\Users\\Admin\\AppData\\Roaming\\vlc.exe\""	7a99807a434f33b10783b43bc2906fbe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs

Processes:

7a99807a434f33b10783b43bc2906fbe.exevlc.exe

pid	process
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7a99807a434f33b10783b43bc2906fbe.exevlc.exe

description	pid	process	target process
PID 1036 set thread context of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1756 set thread context of 1972	1756	vlc.exe	vlc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

768 1756 WerFault.exe vlc.exe
Delays execution with timeout.exe 6 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1604 timeout.exe
1992 timeout.exe
1948 timeout.exe
1156 timeout.exe
1948 timeout.exe
684 timeout.exe

pid	pid_target	process	target process
768	1756	WerFault.exe	vlc.exe

pid	process
1604	timeout.exe
1992	timeout.exe
1948	timeout.exe
1156	timeout.exe
1948	timeout.exe
684	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

7a99807a434f33b10783b43bc2906fbe.exevlc.exeWerFault.exe

pid	process
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1036	7a99807a434f33b10783b43bc2906fbe.exe
1756	vlc.exe
1756	vlc.exe
1756	vlc.exe
768	WerFault.exe
768	WerFault.exe
768	WerFault.exe
768	WerFault.exe
768	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7a99807a434f33b10783b43bc2906fbe.exevlc.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1036	7a99807a434f33b10783b43bc2906fbe.exe
Token: SeDebugPrivilege	1756	vlc.exe
Token: SeDebugPrivilege	768	WerFault.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

vlc.exe

pid process

1972 vlc.exe

pid	process
1972	vlc.exe

Suspicious use of WriteProcessMemory 86 IoCs

Processes:

7a99807a434f33b10783b43bc2906fbe.execmd.execmd.execmd.exe7a99807a434f33b10783b43bc2906fbe.exeWScript.execmd.exevlc.execmd.execmd.exe

description	pid	process	target process
PID 1036 wrote to memory of 1500	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1500	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1500	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1500	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1500 wrote to memory of 1156	1500	cmd.exe	timeout.exe
PID 1500 wrote to memory of 1156	1500	cmd.exe	timeout.exe
PID 1500 wrote to memory of 1156	1500	cmd.exe	timeout.exe
PID 1500 wrote to memory of 1156	1500	cmd.exe	timeout.exe
PID 1036 wrote to memory of 1976	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1976	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1976	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1976	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1976 wrote to memory of 1948	1976	cmd.exe	timeout.exe
PID 1976 wrote to memory of 1948	1976	cmd.exe	timeout.exe
PID 1976 wrote to memory of 1948	1976	cmd.exe	timeout.exe
PID 1976 wrote to memory of 1948	1976	cmd.exe	timeout.exe
PID 1036 wrote to memory of 1744	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1744	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1744	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1036 wrote to memory of 1744	1036	7a99807a434f33b10783b43bc2906fbe.exe	cmd.exe
PID 1744 wrote to memory of 684	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 684	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 684	1744	cmd.exe	timeout.exe
PID 1744 wrote to memory of 684	1744	cmd.exe	timeout.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1036 wrote to memory of 1532	1036	7a99807a434f33b10783b43bc2906fbe.exe	7a99807a434f33b10783b43bc2906fbe.exe
PID 1532 wrote to memory of 884	1532	7a99807a434f33b10783b43bc2906fbe.exe	WScript.exe
PID 1532 wrote to memory of 884	1532	7a99807a434f33b10783b43bc2906fbe.exe	WScript.exe
PID 1532 wrote to memory of 884	1532	7a99807a434f33b10783b43bc2906fbe.exe	WScript.exe
PID 1532 wrote to memory of 884	1532	7a99807a434f33b10783b43bc2906fbe.exe	WScript.exe
PID 884 wrote to memory of 344	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 344	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 344	884	WScript.exe	cmd.exe
PID 884 wrote to memory of 344	884	WScript.exe	cmd.exe
PID 344 wrote to memory of 1756	344	cmd.exe	vlc.exe
PID 344 wrote to memory of 1756	344	cmd.exe	vlc.exe
PID 344 wrote to memory of 1756	344	cmd.exe	vlc.exe
PID 344 wrote to memory of 1756	344	cmd.exe	vlc.exe
PID 1756 wrote to memory of 808	1756	vlc.exe	cmd.exe
PID 1756 wrote to memory of 808	1756	vlc.exe	cmd.exe
PID 1756 wrote to memory of 808	1756	vlc.exe	cmd.exe
PID 1756 wrote to memory of 808	1756	vlc.exe	cmd.exe
PID 808 wrote to memory of 1604	808	cmd.exe	timeout.exe
PID 808 wrote to memory of 1604	808	cmd.exe	timeout.exe
PID 808 wrote to memory of 1604	808	cmd.exe	timeout.exe
PID 808 wrote to memory of 1604	808	cmd.exe	timeout.exe
PID 1756 wrote to memory of 1572	1756	vlc.exe	cmd.exe
PID 1756 wrote to memory of 1572	1756	vlc.exe	cmd.exe
PID 1756 wrote to memory of 1572	1756	vlc.exe	cmd.exe
PID 1756 wrote to memory of 1572	1756	vlc.exe	cmd.exe
PID 1572 wrote to memory of 1992	1572	cmd.exe	timeout.exe
PID 1572 wrote to memory of 1992	1572	cmd.exe	timeout.exe
PID 1572 wrote to memory of 1992	1572	cmd.exe	timeout.exe
PID 1572 wrote to memory of 1992	1572	cmd.exe	timeout.exe
PID 1756 wrote to memory of 1248	1756	vlc.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7a99807a434f33b10783b43bc2906fbe.exe
"C:\Users\Admin\AppData\Local\Temp\7a99807a434f33b10783b43bc2906fbe.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout 1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\timeout.exe
    timeout 1
    3⤵
    - Delays execution with timeout.exe
    PID:684
- C:\Users\Admin\AppData\Local\Temp\7a99807a434f33b10783b43bc2906fbe.exe
  "C:\Users\Admin\AppData\Local\Temp\7a99807a434f33b10783b43bc2906fbe.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\vlc.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:344
    - - C:\Users\Admin\AppData\Roaming\vlc.exe
        
        C:\Users\Admin\AppData\Roaming\vlc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout 1
        6⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:1948
      - C:\Users\Admin\AppData\Roaming\vlc.exe
        
        "C:\Users\Admin\AppData\Roaming\vlc.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetWindowsHookEx
        
        PID:1972
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 956
        6⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\install.vbs

MD5
0fd303b21c1a43c6a9078e6f5280ca85

SHA1
0db8f1ae34f4e2e72184e337951fde826c0bd26f

SHA256
5d8c6cfdf8fc198c4fd279487e5c1620ece89e39781c6337f4cb5e111e606ddc

SHA512
be4cdd48940bead0274c7cf08abd9bc75b5db468159cbf883198712d0bb15ad81a069638c628eba62237cfa0a197f845c0d9e1f4727c9608a8d642f7aba38671

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
C:\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
\Users\Admin\AppData\Roaming\vlc.exe

MD5
7a99807a434f33b10783b43bc2906fbe

SHA1
070af96b019f7e8f0d0dfa1ccd51a41f2f127c7e

SHA256
09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

SHA512
d83ef5e5ca85f600cb3cedadd686f6c677aa26682f1f2c48816195ae94303ac632574b92f4a8742f6703f798b6d4432cecd05a042cf4c0867da998fb5b8ed591

Download Submit
memory/344-20-0x0000000000000000-mapping.dmp

Download
memory/684-11-0x0000000000000000-mapping.dmp

Download
memory/768-42-0x0000000002120000-0x0000000002131000-memory.dmp

Filesize
68KB

Download
memory/768-41-0x0000000000000000-mapping.dmp

Download
memory/808-31-0x0000000000000000-mapping.dmp

Download
memory/884-21-0x0000000002590000-0x0000000002594000-memory.dmp

Filesize
16KB

Download
memory/884-18-0x0000000000000000-mapping.dmp

Download
memory/1036-14-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1036-15-0x00000000007F0000-0x0000000000810000-memory.dmp

Filesize
128KB

Download
memory/1036-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1036-5-0x0000000000460000-0x000000000048F000-memory.dmp

Filesize
188KB

Download
memory/1036-3-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1156-7-0x0000000000000000-mapping.dmp

Download
memory/1248-35-0x0000000000000000-mapping.dmp

Download
memory/1500-6-0x0000000000000000-mapping.dmp

Download
memory/1532-12-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1532-13-0x0000000000413FA4-mapping.dmp

Download
memory/1532-17-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1572-33-0x0000000000000000-mapping.dmp

Download
memory/1604-32-0x0000000000000000-mapping.dmp

Download
memory/1744-10-0x0000000000000000-mapping.dmp

Download
memory/1756-27-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/1756-28-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1756-25-0x0000000000000000-mapping.dmp

Download
memory/1948-9-0x0000000000000000-mapping.dmp

Download
memory/1948-36-0x0000000000000000-mapping.dmp

Download
memory/1972-38-0x0000000000413FA4-mapping.dmp

Download
memory/1972-40-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1976-8-0x0000000000000000-mapping.dmp

Download
memory/1992-34-0x0000000000000000-mapping.dmp

Download