remcos | 928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2022 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.4MB
MD5

05f6fa39a293a904e53aad577744ee8e
SHA1

99126bc0831b9d49eb46fd6dcdf7a12376db415d
SHA256

928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550
SHA512

3136c7a911b07496d0f85885780edf684592ec265173801a1a472406a8b73bc1bebe0fa48202ded9b83acb8a0f633d6b1ce1657adc6a5775ca8946010d76df9b

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

vivald21.hopto.org:3240

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9HMSCN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 5 IoCs

Processes:

._cache_tmp.exeSynaptics.exeSynaptics.exeSynaptics.exe._cache_Synaptics.exe

pid process

4352 ._cache_tmp.exe
3108 Synaptics.exe
1120 Synaptics.exe
700 Synaptics.exe
4400 ._cache_Synaptics.exe

pid	process
4352	._cache_tmp.exe
3108	Synaptics.exe
1120	Synaptics.exe
700	Synaptics.exe
4400	._cache_Synaptics.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Synaptics.exeSynaptics.exetmp.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	tmp.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

tmp.exeSynaptics.exe

description	pid	process	target process
PID 688 set thread context of 2028	688	tmp.exe	tmp.exe
PID 3108 set thread context of 700	3108	Synaptics.exe	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1804 schtasks.exe
3028 schtasks.exe

pid	process
1804	schtasks.exe
3028	schtasks.exe

Modifies registry class 2 IoCs

Processes:

tmp.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

tmp.exepowershell.exeSynaptics.exepowershell.exe

pid	process
688	tmp.exe
3904	powershell.exe
688	tmp.exe
3904	powershell.exe
3108	Synaptics.exe
4100	powershell.exe
3108	Synaptics.exe
3108	Synaptics.exe
3108	Synaptics.exe
4100	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tmp.exepowershell.exeSynaptics.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	688	tmp.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3108	Synaptics.exe
Token: SeDebugPrivilege	4100	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

tmp.exeSynaptics.exe

pid process

688 tmp.exe
3108 Synaptics.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

tmp.exeSynaptics.exe

pid process

688 tmp.exe
3108 Synaptics.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

._cache_tmp.exe

pid process

4352 ._cache_tmp.exe

pid	process
4352	._cache_tmp.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

tmp.exetmp.exeSynaptics.exeSynaptics.exe

description	pid	process	target process
PID 688 wrote to memory of 3904	688	tmp.exe	powershell.exe
PID 688 wrote to memory of 3904	688	tmp.exe	powershell.exe
PID 688 wrote to memory of 3904	688	tmp.exe	powershell.exe
PID 688 wrote to memory of 1804	688	tmp.exe	schtasks.exe
PID 688 wrote to memory of 1804	688	tmp.exe	schtasks.exe
PID 688 wrote to memory of 1804	688	tmp.exe	schtasks.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 688 wrote to memory of 2028	688	tmp.exe	tmp.exe
PID 2028 wrote to memory of 4352	2028	tmp.exe	._cache_tmp.exe
PID 2028 wrote to memory of 4352	2028	tmp.exe	._cache_tmp.exe
PID 2028 wrote to memory of 4352	2028	tmp.exe	._cache_tmp.exe
PID 2028 wrote to memory of 3108	2028	tmp.exe	Synaptics.exe
PID 2028 wrote to memory of 3108	2028	tmp.exe	Synaptics.exe
PID 2028 wrote to memory of 3108	2028	tmp.exe	Synaptics.exe
PID 3108 wrote to memory of 4100	3108	Synaptics.exe	powershell.exe
PID 3108 wrote to memory of 4100	3108	Synaptics.exe	powershell.exe
PID 3108 wrote to memory of 4100	3108	Synaptics.exe	powershell.exe
PID 3108 wrote to memory of 3028	3108	Synaptics.exe	schtasks.exe
PID 3108 wrote to memory of 3028	3108	Synaptics.exe	schtasks.exe
PID 3108 wrote to memory of 3028	3108	Synaptics.exe	schtasks.exe
PID 3108 wrote to memory of 1120	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 1120	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 1120	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 3108 wrote to memory of 700	3108	Synaptics.exe	Synaptics.exe
PID 700 wrote to memory of 4400	700	Synaptics.exe	._cache_Synaptics.exe
PID 700 wrote to memory of 4400	700	Synaptics.exe	._cache_Synaptics.exe
PID 700 wrote to memory of 4400	700	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HziGohhJaJ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HziGohhJaJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp22CA.tmp"
2⤵
- Creates scheduled task(s)
PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HziGohhJaJ.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HziGohhJaJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7A1.tmp"
4⤵
- Creates scheduled task(s)
PID:3028

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
PID:1120

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
5⤵
- Executes dropped EXE
PID:4400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe
Filesize
2.4MB

MD5
05f6fa39a293a904e53aad577744ee8e

SHA1
99126bc0831b9d49eb46fd6dcdf7a12376db415d

SHA256
928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550

SHA512
3136c7a911b07496d0f85885780edf684592ec265173801a1a472406a8b73bc1bebe0fa48202ded9b83acb8a0f633d6b1ce1657adc6a5775ca8946010d76df9b

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
2.4MB

MD5
05f6fa39a293a904e53aad577744ee8e

SHA1
99126bc0831b9d49eb46fd6dcdf7a12376db415d

SHA256
928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550

SHA512
3136c7a911b07496d0f85885780edf684592ec265173801a1a472406a8b73bc1bebe0fa48202ded9b83acb8a0f633d6b1ce1657adc6a5775ca8946010d76df9b

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
2.4MB

MD5
05f6fa39a293a904e53aad577744ee8e

SHA1
99126bc0831b9d49eb46fd6dcdf7a12376db415d

SHA256
928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550

SHA512
3136c7a911b07496d0f85885780edf684592ec265173801a1a472406a8b73bc1bebe0fa48202ded9b83acb8a0f633d6b1ce1657adc6a5775ca8946010d76df9b

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
2.4MB

MD5
05f6fa39a293a904e53aad577744ee8e

SHA1
99126bc0831b9d49eb46fd6dcdf7a12376db415d

SHA256
928f75ac182baea6734e08cdd425bcea33bf7f27a43922b9f693d199d7aee550

SHA512
3136c7a911b07496d0f85885780edf684592ec265173801a1a472406a8b73bc1bebe0fa48202ded9b83acb8a0f633d6b1ce1657adc6a5775ca8946010d76df9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8e0483ded40802a7784388137f21df02

SHA1
5cfa7e70847ee59ce7c98f2a1fb5bd470e9c21ae

SHA256
cec7c9822ede3a6de7313f44b2d05156f01192ddc5e64f8242f968ac01a2f167

SHA512
7c37e6cded555ae14708f92a2bb3278e41a786ada68c76fa41bfced99a577548cae41537bc9e6d30d9e8facb8154d29132c2da80e26c0a8a980218ebc4c3c6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
466KB

MD5
e729b5c9501252eba5d7917256950424

SHA1
4dd74a695e40e22760e00a532677e1cc8857687c

SHA256
395cf5e6d3f891a3049ec3412a97e687a8fdd077834fd30a83dcf9b3fb0f2807

SHA512
31eac3aa066b30019f51b3678ed8dc628f8d518a2c05b93c15798ca2d7bce263245e700fe7a5e3af29eed5d47d66cf70ca08a7220ebd8d054e1f8b02dfa13443

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
Filesize
466KB

MD5
e729b5c9501252eba5d7917256950424

SHA1
4dd74a695e40e22760e00a532677e1cc8857687c

SHA256
395cf5e6d3f891a3049ec3412a97e687a8fdd077834fd30a83dcf9b3fb0f2807

SHA512
31eac3aa066b30019f51b3678ed8dc628f8d518a2c05b93c15798ca2d7bce263245e700fe7a5e3af29eed5d47d66cf70ca08a7220ebd8d054e1f8b02dfa13443

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
Filesize
466KB

MD5
e729b5c9501252eba5d7917256950424

SHA1
4dd74a695e40e22760e00a532677e1cc8857687c

SHA256
395cf5e6d3f891a3049ec3412a97e687a8fdd077834fd30a83dcf9b3fb0f2807

SHA512
31eac3aa066b30019f51b3678ed8dc628f8d518a2c05b93c15798ca2d7bce263245e700fe7a5e3af29eed5d47d66cf70ca08a7220ebd8d054e1f8b02dfa13443

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_tmp.exe
Filesize
466KB

MD5
e729b5c9501252eba5d7917256950424

SHA1
4dd74a695e40e22760e00a532677e1cc8857687c

SHA256
395cf5e6d3f891a3049ec3412a97e687a8fdd077834fd30a83dcf9b3fb0f2807

SHA512
31eac3aa066b30019f51b3678ed8dc628f8d518a2c05b93c15798ca2d7bce263245e700fe7a5e3af29eed5d47d66cf70ca08a7220ebd8d054e1f8b02dfa13443

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp22CA.tmp
Filesize
1KB

MD5
6767a93558d0429c6b867ac348c3d1c0

SHA1
072965fd4f913e640041daae9a769d609ca6a446

SHA256
63eaaef92ae9fbe70bab0d8bb9aa637211ad92a17489e1eddb401b49ec04e0f7

SHA512
ed568288732411cdeb14e7e74f9c3e4570e261e1cc367a219962a84f22773a77e7d9ef0eaffb3a3334d68edca98a4a89a2866e3dc011c9edc24d10c02b55b276

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7A1.tmp
Filesize
1KB

MD5
6767a93558d0429c6b867ac348c3d1c0

SHA1
072965fd4f913e640041daae9a769d609ca6a446

SHA256
63eaaef92ae9fbe70bab0d8bb9aa637211ad92a17489e1eddb401b49ec04e0f7

SHA512
ed568288732411cdeb14e7e74f9c3e4570e261e1cc367a219962a84f22773a77e7d9ef0eaffb3a3334d68edca98a4a89a2866e3dc011c9edc24d10c02b55b276

Download Submit
memory/688-135-0x000000000BCA0000-0x000000000BD06000-memory.dmp

Filesize
408KB

Download
memory/688-134-0x000000000BA00000-0x000000000BA9C000-memory.dmp

Filesize
624KB

Download
memory/688-130-0x0000000000C10000-0x0000000000E80000-memory.dmp

Filesize
2.4MB

Download
memory/688-133-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/688-132-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Filesize
584KB

Download
memory/688-131-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/700-183-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/700-173-0x0000000000000000-mapping.dmp

Download
memory/700-177-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/700-178-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1120-170-0x0000000000000000-mapping.dmp

Download
memory/1804-137-0x0000000000000000-mapping.dmp

Download
memory/2028-144-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-155-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-142-0x0000000000000000-mapping.dmp

Download
memory/2028-145-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-146-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2028-151-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3028-167-0x0000000000000000-mapping.dmp

Download
memory/3108-152-0x0000000000000000-mapping.dmp

Download
memory/3904-141-0x0000000005290000-0x00000000052B2000-memory.dmp

Filesize
136KB

Download
memory/3904-140-0x0000000005380000-0x00000000059A8000-memory.dmp

Filesize
6.2MB

Download
memory/3904-164-0x0000000007880000-0x000000000789A000-memory.dmp

Filesize
104KB

Download
memory/3904-165-0x0000000007860000-0x0000000007868000-memory.dmp

Filesize
32KB

Download
memory/3904-138-0x0000000004CA0000-0x0000000004CD6000-memory.dmp

Filesize
216KB

Download
memory/3904-160-0x0000000007540000-0x000000000755A000-memory.dmp

Filesize
104KB

Download
memory/3904-162-0x00000000077C0000-0x0000000007856000-memory.dmp

Filesize
600KB

Download
memory/3904-158-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/3904-136-0x0000000000000000-mapping.dmp

Download
memory/3904-163-0x0000000007770000-0x000000000777E000-memory.dmp

Filesize
56KB

Download
memory/3904-159-0x0000000007B80000-0x00000000081FA000-memory.dmp

Filesize
6.5MB

Download
memory/3904-157-0x0000000073BF0000-0x0000000073C3C000-memory.dmp

Filesize
304KB

Download
memory/3904-143-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/3904-156-0x0000000007200000-0x0000000007232000-memory.dmp

Filesize
200KB

Download
memory/3904-161-0x00000000075B0000-0x00000000075BA000-memory.dmp

Filesize
40KB

Download
memory/3904-147-0x0000000006240000-0x000000000625E000-memory.dmp

Filesize
120KB

Download
memory/4100-179-0x0000000071880000-0x00000000718CC000-memory.dmp

Filesize
304KB

Download
memory/4100-166-0x0000000000000000-mapping.dmp

Download
memory/4352-148-0x0000000000000000-mapping.dmp

Download
memory/4400-180-0x0000000000000000-mapping.dmp

Download