Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20231023-en
  • resource tags

    arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04/12/2023, 04:54

General

  • Target

    4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe

  • Size

    1.7MB

  • MD5

    432a7a6b4b723e5d88eae3fe158c6ae6

  • SHA1

    a93140d92b0cfafc09cb5eee77399aa693b2de3f

  • SHA256

    4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48

  • SHA512

    5f3d3d7f0dc1b4305f8a758eb94cc1d4fe3c60597be237d0c540c41c2234bf29a59273b820a542f258e41a64d6aeb14edb5644519b18b88ce874470d9764f5a6

  • SSDEEP

    12288:2GcbKnZVj7SRrfZetBO1rgRO6u2TdimrfZetCvmKT6IQViL/MW5bk3:2GcmnZlSRa0uOR2xZnkiYWZk3

Malware Config

Extracted

Family

smokeloader

Version

2022

C2

http://atillapro.com/

https://atillapro.com/

rc4.i32
rc4.i32

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.157.162.241:1303

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NT0JNG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 18 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • c:\windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:3040
      • C:\Windows\SysWOW64\dialer.exe
        "C:\Windows\system32\dialer.exe"
        2⤵
          PID:4860
      • C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe
        "C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe"
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4368
        • C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe
          "C:\Users\Admin\AppData\Local\Temp\4272d50d759608b77e9240a433fc1a4bbf149e8f4cb05d6f89fb53fd73446a48.exe"
          2⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:4160
      • C:\Users\Admin\AppData\Local\Temp\3D71.exe
        C:\Users\Admin\AppData\Local\Temp\3D71.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:204
        • C:\Users\Admin\AppData\Local\Temp\3D71.exe
          "C:\Users\Admin\AppData\Local\Temp\3D71.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3440
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
        • Accesses Microsoft Outlook profiles
        • outlook_office_path
        • outlook_win_path
        PID:96
      • C:\Users\Admin\AppData\Local\Temp\3E3E.exe
        C:\Users\Admin\AppData\Local\Temp\3E3E.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4144
        • C:\Users\Admin\AppData\Local\Temp\3E3E.exe
          "C:\Users\Admin\AppData\Local\Temp\3E3E.exe"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1256
        • C:\Users\Admin\AppData\Local\Temp\3E3E.exe
          "C:\Users\Admin\AppData\Local\Temp\3E3E.exe"
          2⤵
          • Executes dropped EXE
          PID:4180
      • C:\ProgramData\Remcos\remcos.exe
        "C:\ProgramData\Remcos\remcos.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4076
        • C:\ProgramData\Remcos\remcos.exe
          "C:\ProgramData\Remcos\remcos.exe"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          PID:848
      • C:\Windows\SysWOW64\explorer.exe
        C:\Windows\SysWOW64\explorer.exe
        1⤵
          PID:3416
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe
          1⤵
            PID:4808
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            1⤵
              PID:4420
            • C:\Windows\explorer.exe
              C:\Windows\explorer.exe
              1⤵
                PID:3484
              • C:\Windows\SysWOW64\explorer.exe
                C:\Windows\SysWOW64\explorer.exe
                1⤵
                  PID:4944

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\ProgramData\Remcos\remcos.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\ProgramData\Remcos\remcos.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\ProgramData\Remcos\remcos.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\ProgramData\Remcos\remcos.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YZUNXYOV\encrypt[1].bin

                        Filesize

                        483KB

                        MD5

                        9ff228d096ee65bf9d214b5793bde076

                        SHA1

                        1d388f9f9c9d1fe1db1f79948b959625a9ac33c1

                        SHA256

                        3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc

                        SHA512

                        ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d

                      • C:\Users\Admin\AppData\Local\Temp\3D71.exe

                        Filesize

                        599KB

                        MD5

                        7a0bdb236159804a677953a5518d5184

                        SHA1

                        337cf700131b80e2774c2ac9ad48e57f5f9596d8

                        SHA256

                        878e881cb00de3297651a06f1d2054c88183e9f8010c1c30f5eeb92d7154e816

                        SHA512

                        6bf5254b28548308886dffc92616164dc9c86e47437d687c587b7f91651ede13e6262f2ef0cbd78981dcdd1eb8367999a6081e35d9eac1820ad46c71729ab832

                      • C:\Users\Admin\AppData\Local\Temp\3D71.exe

                        Filesize

                        599KB

                        MD5

                        7a0bdb236159804a677953a5518d5184

                        SHA1

                        337cf700131b80e2774c2ac9ad48e57f5f9596d8

                        SHA256

                        878e881cb00de3297651a06f1d2054c88183e9f8010c1c30f5eeb92d7154e816

                        SHA512

                        6bf5254b28548308886dffc92616164dc9c86e47437d687c587b7f91651ede13e6262f2ef0cbd78981dcdd1eb8367999a6081e35d9eac1820ad46c71729ab832

                      • C:\Users\Admin\AppData\Local\Temp\3D71.exe

                        Filesize

                        599KB

                        MD5

                        7a0bdb236159804a677953a5518d5184

                        SHA1

                        337cf700131b80e2774c2ac9ad48e57f5f9596d8

                        SHA256

                        878e881cb00de3297651a06f1d2054c88183e9f8010c1c30f5eeb92d7154e816

                        SHA512

                        6bf5254b28548308886dffc92616164dc9c86e47437d687c587b7f91651ede13e6262f2ef0cbd78981dcdd1eb8367999a6081e35d9eac1820ad46c71729ab832

                      • C:\Users\Admin\AppData\Local\Temp\3E3E.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\Users\Admin\AppData\Local\Temp\3E3E.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\Users\Admin\AppData\Local\Temp\3E3E.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\Users\Admin\AppData\Local\Temp\3E3E.exe

                        Filesize

                        268KB

                        MD5

                        6a9957dd2a19a1bf4af05ca7be1694de

                        SHA1

                        72c945a8acf762df42d5d5ae1a281a2e5c3d9196

                        SHA256

                        17d18a7a41119c12455a644fefca70b4504db83e0122d6dc2652f46f98de8992

                        SHA512

                        42076c0d76914a89e2785eddef8d5049ab8fd958cc363279e0fbb18b819684157d212c2f922502fa6a7e10471eda806b257e37b4712f389cb56eac94c69d5113

                      • C:\Users\Public\vlkkqasyibgdtlsvhzbnyahry.bin

                        Filesize

                        483KB

                        MD5

                        9ff228d096ee65bf9d214b5793bde076

                        SHA1

                        1d388f9f9c9d1fe1db1f79948b959625a9ac33c1

                        SHA256

                        3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc

                        SHA512

                        ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d

                      • C:\Users\Public\vlkkqasyibgdtlsvhzbnyahry.bin

                        Filesize

                        483KB

                        MD5

                        9ff228d096ee65bf9d214b5793bde076

                        SHA1

                        1d388f9f9c9d1fe1db1f79948b959625a9ac33c1

                        SHA256

                        3f7f8b96bd1f1bf7d5ef5bd8c0fe2f6de28295be2514243fd903bab2165697cc

                        SHA512

                        ed6a9c7d3e38b621903bd269b6b64825db5e9224fb6e9972615b7db30c2b65959e0014073bc1335e6bdb5c68bbec3e4ab5d942c4217aa83033ff4bba6a6db62d

                      • memory/96-30-0x00000000010B0000-0x000000000111B000-memory.dmp

                        Filesize

                        428KB

                      • memory/96-31-0x0000000001120000-0x0000000001195000-memory.dmp

                        Filesize

                        468KB

                      • memory/96-32-0x00000000010B0000-0x000000000111B000-memory.dmp

                        Filesize

                        428KB

                      • memory/96-45-0x00000000010B0000-0x000000000111B000-memory.dmp

                        Filesize

                        428KB

                      • memory/204-75-0x0000000001810000-0x000000000194C000-memory.dmp

                        Filesize

                        1.2MB

                      • memory/204-73-0x0000000001710000-0x0000000001801000-memory.dmp

                        Filesize

                        964KB

                      • memory/848-127-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-126-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-87-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-125-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-90-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-96-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-124-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-88-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-98-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-123-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-120-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-128-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-121-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-85-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-86-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/848-119-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/1256-54-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/1256-60-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/1256-50-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/1256-52-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/1256-53-0x0000000000400000-0x0000000000482000-memory.dmp

                        Filesize

                        520KB

                      • memory/3252-6-0x0000000001440000-0x0000000001456000-memory.dmp

                        Filesize

                        88KB

                      • memory/3416-66-0x0000000000AF0000-0x0000000000B17000-memory.dmp

                        Filesize

                        156KB

                      • memory/3416-65-0x0000000000B20000-0x0000000000B41000-memory.dmp

                        Filesize

                        132KB

                      • memory/3416-116-0x0000000000AF0000-0x0000000000B17000-memory.dmp

                        Filesize

                        156KB

                      • memory/3416-109-0x0000000000B20000-0x0000000000B41000-memory.dmp

                        Filesize

                        132KB

                      • memory/3440-93-0x00007FFB7A670000-0x00007FFB7A84B000-memory.dmp

                        Filesize

                        1.9MB

                      • memory/3440-103-0x0000000000400000-0x0000000000488000-memory.dmp

                        Filesize

                        544KB

                      • memory/3440-89-0x0000000003E60000-0x0000000004260000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/3440-92-0x0000000003E60000-0x0000000004260000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/3440-91-0x0000000003E60000-0x0000000004260000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/3440-74-0x0000000000400000-0x0000000000488000-memory.dmp

                        Filesize

                        544KB

                      • memory/3440-70-0x0000000000400000-0x0000000000488000-memory.dmp

                        Filesize

                        544KB

                      • memory/3440-101-0x0000000074CE0000-0x0000000074EA2000-memory.dmp

                        Filesize

                        1.8MB

                      • memory/3440-95-0x0000000003E60000-0x0000000004260000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/3440-76-0x0000000000400000-0x0000000000488000-memory.dmp

                        Filesize

                        544KB

                      • memory/3484-81-0x0000000001260000-0x000000000126B000-memory.dmp

                        Filesize

                        44KB

                      • memory/3484-80-0x0000000001010000-0x000000000101D000-memory.dmp

                        Filesize

                        52KB

                      • memory/3484-118-0x0000000001260000-0x000000000126B000-memory.dmp

                        Filesize

                        44KB

                      • memory/3484-82-0x0000000001010000-0x000000000101D000-memory.dmp

                        Filesize

                        52KB

                      • memory/4160-2-0x0000000000400000-0x0000000000409000-memory.dmp

                        Filesize

                        36KB

                      • memory/4160-1-0x0000000000400000-0x0000000000409000-memory.dmp

                        Filesize

                        36KB

                      • memory/4160-7-0x0000000000400000-0x0000000000409000-memory.dmp

                        Filesize

                        36KB

                      • memory/4368-3-0x0000000000970000-0x0000000000A61000-memory.dmp

                        Filesize

                        964KB

                      • memory/4368-4-0x0000000000B70000-0x0000000000CAC000-memory.dmp

                        Filesize

                        1.2MB

                      • memory/4368-5-0x00000000004B0000-0x0000000000527000-memory.dmp

                        Filesize

                        476KB

                      • memory/4368-0-0x0000000000420000-0x0000000000423000-memory.dmp

                        Filesize

                        12KB

                      • memory/4420-79-0x0000000001260000-0x000000000126B000-memory.dmp

                        Filesize

                        44KB

                      • memory/4420-77-0x0000000001260000-0x000000000126B000-memory.dmp

                        Filesize

                        44KB

                      • memory/4420-78-0x0000000001270000-0x0000000001276000-memory.dmp

                        Filesize

                        24KB

                      • memory/4420-117-0x0000000001270000-0x0000000001276000-memory.dmp

                        Filesize

                        24KB

                      • memory/4808-48-0x0000000000A80000-0x0000000000A8C000-memory.dmp

                        Filesize

                        48KB

                      • memory/4808-47-0x0000000000A90000-0x0000000000A97000-memory.dmp

                        Filesize

                        28KB

                      • memory/4808-46-0x0000000000A80000-0x0000000000A8C000-memory.dmp

                        Filesize

                        48KB

                      • memory/4860-112-0x0000000004500000-0x0000000004900000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/4860-114-0x0000000074CE0000-0x0000000074EA2000-memory.dmp

                        Filesize

                        1.8MB

                      • memory/4860-110-0x00007FFB7A670000-0x00007FFB7A84B000-memory.dmp

                        Filesize

                        1.9MB

                      • memory/4860-107-0x0000000004500000-0x0000000004900000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/4860-102-0x0000000002770000-0x0000000002779000-memory.dmp

                        Filesize

                        36KB

                      • memory/4860-113-0x00007FFB7A670000-0x00007FFB7A84B000-memory.dmp

                        Filesize

                        1.9MB

                      • memory/4860-115-0x0000000004500000-0x0000000004900000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/4860-108-0x0000000004500000-0x0000000004900000-memory.dmp

                        Filesize

                        4.0MB

                      • memory/4944-97-0x0000000001020000-0x000000000102B000-memory.dmp

                        Filesize

                        44KB

                      • memory/4944-94-0x0000000001020000-0x000000000102B000-memory.dmp

                        Filesize

                        44KB