remcos | 7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05-10-2022 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Order Inquiry.exe
Size

1.1MB
MD5

bd87ed67a08d2e9e4cec6526666b563e
SHA1

6ec0878c6a65ec969617287f19fde458bf0c5461
SHA256

7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1
SHA512

236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22
SSDEEP

24576:OGmYbj/2yjk37WwHsOzj4j85M1hUQDAxzJX44qxpWo:OGmY2OghsOzj4jGM1aK4FXo

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

harjahwool.ddnsfree.com:8372

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EGNT8M
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\dygjhkm.exe,"	reg.exe

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Executes dropped EXE 3 IoCs

Processes:

dygjhkm.exedygjhkmffffhh.exedygjhkmffffhh.exe

pid process

1536 dygjhkm.exe
304 dygjhkmffffhh.exe
1056 dygjhkmffffhh.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.exedygjhkm.exedygjhkmffffhh.exe

pid process

1896 cmd.exe
1536 dygjhkm.exe
304 dygjhkmffffhh.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

dygjhkm.exe

description pid process target process

PID 1536 set thread context of 1116 1536 dygjhkm.exe AddInProcess32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1672 PING.EXE
1452 PING.EXE
388 PING.EXE

pid	process
1536	dygjhkm.exe
304	dygjhkmffffhh.exe
1056	dygjhkmffffhh.exe

pid	process
1896	cmd.exe
1536	dygjhkm.exe
304	dygjhkmffffhh.exe

description	pid	process	target process
PID 1536 set thread context of 1116	1536	dygjhkm.exe	AddInProcess32.exe

pid	process
1672	PING.EXE
1452	PING.EXE
388	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

Order Inquiry.exedygjhkm.exedygjhkmffffhh.exedygjhkmffffhh.exe

pid	process
1696	Order Inquiry.exe
1696	Order Inquiry.exe
1696	Order Inquiry.exe
1536	dygjhkm.exe
1536	dygjhkm.exe
1536	dygjhkm.exe
1536	dygjhkm.exe
1536	dygjhkm.exe
1536	dygjhkm.exe
304	dygjhkmffffhh.exe
1056	dygjhkmffffhh.exe
1056	dygjhkmffffhh.exe
1056	dygjhkmffffhh.exe
1536	dygjhkm.exe
1536	dygjhkm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Order Inquiry.exedygjhkm.exeAUDIODG.EXEdygjhkmffffhh.exedygjhkmffffhh.exe

description	pid	process
Token: SeDebugPrivilege	1696	Order Inquiry.exe
Token: SeDebugPrivilege	1536	dygjhkm.exe
Token: 33	1992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1992	AUDIODG.EXE
Token: 33	1992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1992	AUDIODG.EXE
Token: SeDebugPrivilege	304	dygjhkmffffhh.exe
Token: SeDebugPrivilege	1056	dygjhkmffffhh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

AddInProcess32.exe

pid process

1116 AddInProcess32.exe

pid	process
1116	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Order Inquiry.execmd.execmd.exedygjhkm.exe

description	pid	process	target process
PID 1696 wrote to memory of 456	1696	Order Inquiry.exe	cmd.exe
PID 1696 wrote to memory of 456	1696	Order Inquiry.exe	cmd.exe
PID 1696 wrote to memory of 456	1696	Order Inquiry.exe	cmd.exe
PID 1696 wrote to memory of 456	1696	Order Inquiry.exe	cmd.exe
PID 456 wrote to memory of 1672	456	cmd.exe	PING.EXE
PID 456 wrote to memory of 1672	456	cmd.exe	PING.EXE
PID 456 wrote to memory of 1672	456	cmd.exe	PING.EXE
PID 456 wrote to memory of 1672	456	cmd.exe	PING.EXE
PID 1696 wrote to memory of 1896	1696	Order Inquiry.exe	cmd.exe
PID 1696 wrote to memory of 1896	1696	Order Inquiry.exe	cmd.exe
PID 1696 wrote to memory of 1896	1696	Order Inquiry.exe	cmd.exe
PID 1696 wrote to memory of 1896	1696	Order Inquiry.exe	cmd.exe
PID 1896 wrote to memory of 1452	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1452	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1452	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1452	1896	cmd.exe	PING.EXE
PID 456 wrote to memory of 1516	456	cmd.exe	reg.exe
PID 456 wrote to memory of 1516	456	cmd.exe	reg.exe
PID 456 wrote to memory of 1516	456	cmd.exe	reg.exe
PID 456 wrote to memory of 1516	456	cmd.exe	reg.exe
PID 1896 wrote to memory of 388	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 388	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 388	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 388	1896	cmd.exe	PING.EXE
PID 1896 wrote to memory of 1536	1896	cmd.exe	dygjhkm.exe
PID 1896 wrote to memory of 1536	1896	cmd.exe	dygjhkm.exe
PID 1896 wrote to memory of 1536	1896	cmd.exe	dygjhkm.exe
PID 1896 wrote to memory of 1536	1896	cmd.exe	dygjhkm.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 816	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1520	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe
PID 1536 wrote to memory of 1116	1536	dygjhkm.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dygjhkm.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:456

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 7
3⤵
- Runs ping.exe
PID:1672

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\dygjhkm.exe,"
3⤵
- Modifies WinLogon for persistence
PID:1516

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 15 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe" "C:\Users\Admin\AppData\Roaming\dygjhkm.exe" && ping 127.0.0.1 -n 15 > nul && "C:\Users\Admin\AppData\Roaming\dygjhkm.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
3⤵
- Runs ping.exe
PID:1452

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 15
3⤵
- Runs ping.exe
PID:388

C:\Users\Admin\AppData\Roaming\dygjhkm.exe
"C:\Users\Admin\AppData\Roaming\dygjhkm.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
PID:1520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
"C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:304

C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
"C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x530
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
Filesize
56B

MD5
db337b7c9f8991ba71c3a50a4b129e64

SHA1
e877bae78734e47946e5075493eeee2e897147c6

SHA256
eb6f1f9fd8c4a64603425ea5cbb3d16e8dbb5ef33dcbf2e904703b09150d48f4

SHA512
e0cbca92b4637aa3ac25ceea0759f9ab6aa6de9d1b0543a2b116d3bf2a8bf8eb55e922051245c487aca09e227cb868d9256ccb871563319ec187bb385c02fa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.txt
Filesize
56B

MD5
db337b7c9f8991ba71c3a50a4b129e64

SHA1
e877bae78734e47946e5075493eeee2e897147c6

SHA256
eb6f1f9fd8c4a64603425ea5cbb3d16e8dbb5ef33dcbf2e904703b09150d48f4

SHA512
e0cbca92b4637aa3ac25ceea0759f9ab6aa6de9d1b0543a2b116d3bf2a8bf8eb55e922051245c487aca09e227cb868d9256ccb871563319ec187bb385c02fa9f

Download Submit
C:\Users\Admin\AppData\Roaming\dygjhkm.exe
Filesize
1.1MB

MD5
bd87ed67a08d2e9e4cec6526666b563e

SHA1
6ec0878c6a65ec969617287f19fde458bf0c5461

SHA256
7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1

SHA512
236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22

Download Submit
C:\Users\Admin\AppData\Roaming\dygjhkm.exe
Filesize
1.1MB

MD5
bd87ed67a08d2e9e4cec6526666b563e

SHA1
6ec0878c6a65ec969617287f19fde458bf0c5461

SHA256
7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1

SHA512
236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22

Download Submit
\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Local\Temp\dygjhkmffffhh.exe
Filesize
76KB

MD5
0e362e7005823d0bec3719b902ed6d62

SHA1
590d860b909804349e0cdc2f1662b37bd62f7463

SHA256
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad

SHA512
518991b68496b3f8545e418cf9b345e0791e09cc20d177b8aa47e0aba447aa55383c64f5bdaca39f2b061a5d08c16f2ad484af8a9f238ca23ab081618fba3ad3

Download Submit
\Users\Admin\AppData\Roaming\dygjhkm.exe
Filesize
1.1MB

MD5
bd87ed67a08d2e9e4cec6526666b563e

SHA1
6ec0878c6a65ec969617287f19fde458bf0c5461

SHA256
7bc37a2f4e71dd95aa4e40048f4aca478e8e63b9393a8c2811e8470bb6f4aba1

SHA512
236f79f09a7b150c68fc899d08d620fa64ccaeb4ef21c85401296047d3b179a818d33abd22ac38d8018b7f4bc13f2a5419bbf9b1de5570ace87cc1babc815f22

Download Submit
memory/304-116-0x0000000000000000-mapping.dmp

Download
memory/304-119-0x0000000000AB0000-0x0000000000ACA000-memory.dmp

Filesize
104KB

Download
memory/388-63-0x0000000000000000-mapping.dmp

Download
memory/456-58-0x0000000000000000-mapping.dmp

Download
memory/816-83-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/816-81-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/816-73-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/816-74-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/816-76-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/816-78-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/816-79-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/816-80-0x0000000000080000-0x00000000000FF000-memory.dmp

Filesize
508KB

Download
memory/1056-123-0x0000000000000000-mapping.dmp

Download
memory/1116-113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1116-109-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1116-110-0x00000000004327A4-mapping.dmp

Download
memory/1116-114-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1116-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1452-61-0x0000000000000000-mapping.dmp

Download
memory/1516-62-0x0000000000000000-mapping.dmp

Download
memory/1536-65-0x0000000000000000-mapping.dmp

Download
memory/1536-71-0x0000000000880000-0x000000000089A000-memory.dmp

Filesize
104KB

Download
memory/1536-70-0x00000000005D0000-0x0000000000602000-memory.dmp

Filesize
200KB

Download
memory/1536-68-0x00000000009D0000-0x0000000000AFA000-memory.dmp

Filesize
1.2MB

Download
memory/1536-72-0x00000000009A0000-0x00000000009A6000-memory.dmp

Filesize
24KB

Download
memory/1672-59-0x0000000000000000-mapping.dmp

Download
memory/1696-57-0x00000000007C0000-0x00000000007D8000-memory.dmp

Filesize
96KB

Download
memory/1696-54-0x0000000000230000-0x000000000035A000-memory.dmp

Filesize
1.2MB

Download
memory/1696-56-0x0000000000790000-0x00000000007C2000-memory.dmp

Filesize
200KB

Download
memory/1696-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/1896-60-0x0000000000000000-mapping.dmp

Download