remcos | 53ee1cf2f76ca5ca7eb3cbad6fa38a5dc04126fa7e3efa7e7449af4b1e659b8c

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Receipt-#202431029B3.exe
Size

1.2MB
MD5

152c7485cbeb3bc280d028e065891d6e
SHA1

0ddffbb675b4569217ea960b288da13a67801983
SHA256

1420ee82c4ec66f06a832f01c43b0aca270fa9990f82f23fb36b899cabe11590
SHA512

1dc27627c964b8d39251833e4a97b3c51b334fd9cdc132094082a1ac4cae4a6d97258e04e9b87de929c18340d4af53768fa99469085db777bafb59559b1208b3
SSDEEP

24576:dMZMXvpjs+e2azR9jSca2PEt2kWT3GJqhDYRoPd+pT2A:AMfpjs+b2PEfYY+PspT2A

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

172.245.244.69:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
JavaRuntime.exe
copy_folder
Java
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I0P1F7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
JavaRuntime
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3064	powershell.exe
2920	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2600	JavaRuntime.exe
2236	JavaRuntime.exe
1800	JavaRuntime.exe

Loads dropped DLL 1 IoCs

pid	Process
884	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	Receipt-#202431029B3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	Receipt-#202431029B3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	JavaRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaRuntime = "\"C:\\ProgramData\\Java\\JavaRuntime.exe\""	JavaRuntime.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 1076	2128	Receipt-#202431029B3.exe	35
PID 2600 set thread context of 1800	2600	JavaRuntime.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaRuntime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Receipt-#202431029B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Receipt-#202431029B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2128	Receipt-#202431029B3.exe
2128	Receipt-#202431029B3.exe
3064	powershell.exe
2600	JavaRuntime.exe
2600	JavaRuntime.exe
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2128	Receipt-#202431029B3.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2600	JavaRuntime.exe
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1800	JavaRuntime.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3064	2128	Receipt-#202431029B3.exe	30
PID 2128 wrote to memory of 3064	2128	Receipt-#202431029B3.exe	30
PID 2128 wrote to memory of 3064	2128	Receipt-#202431029B3.exe	30
PID 2128 wrote to memory of 3064	2128	Receipt-#202431029B3.exe	30
PID 2128 wrote to memory of 2932	2128	Receipt-#202431029B3.exe	31
PID 2128 wrote to memory of 2932	2128	Receipt-#202431029B3.exe	31
PID 2128 wrote to memory of 2932	2128	Receipt-#202431029B3.exe	31
PID 2128 wrote to memory of 2932	2128	Receipt-#202431029B3.exe	31
PID 2128 wrote to memory of 3004	2128	Receipt-#202431029B3.exe	34
PID 2128 wrote to memory of 3004	2128	Receipt-#202431029B3.exe	34
PID 2128 wrote to memory of 3004	2128	Receipt-#202431029B3.exe	34
PID 2128 wrote to memory of 3004	2128	Receipt-#202431029B3.exe	34
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 2128 wrote to memory of 1076	2128	Receipt-#202431029B3.exe	35
PID 1076 wrote to memory of 2400	1076	Receipt-#202431029B3.exe	36
PID 1076 wrote to memory of 2400	1076	Receipt-#202431029B3.exe	36
PID 1076 wrote to memory of 2400	1076	Receipt-#202431029B3.exe	36
PID 1076 wrote to memory of 2400	1076	Receipt-#202431029B3.exe	36
PID 2400 wrote to memory of 884	2400	WScript.exe	37
PID 2400 wrote to memory of 884	2400	WScript.exe	37
PID 2400 wrote to memory of 884	2400	WScript.exe	37
PID 2400 wrote to memory of 884	2400	WScript.exe	37
PID 884 wrote to memory of 2600	884	cmd.exe	39
PID 884 wrote to memory of 2600	884	cmd.exe	39
PID 884 wrote to memory of 2600	884	cmd.exe	39
PID 884 wrote to memory of 2600	884	cmd.exe	39
PID 2600 wrote to memory of 2920	2600	JavaRuntime.exe	40
PID 2600 wrote to memory of 2920	2600	JavaRuntime.exe	40
PID 2600 wrote to memory of 2920	2600	JavaRuntime.exe	40
PID 2600 wrote to memory of 2920	2600	JavaRuntime.exe	40
PID 2600 wrote to memory of 992	2600	JavaRuntime.exe	41
PID 2600 wrote to memory of 992	2600	JavaRuntime.exe	41
PID 2600 wrote to memory of 992	2600	JavaRuntime.exe	41
PID 2600 wrote to memory of 992	2600	JavaRuntime.exe	41
PID 2600 wrote to memory of 2236	2600	JavaRuntime.exe	44
PID 2600 wrote to memory of 2236	2600	JavaRuntime.exe	44
PID 2600 wrote to memory of 2236	2600	JavaRuntime.exe	44
PID 2600 wrote to memory of 2236	2600	JavaRuntime.exe	44
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45
PID 2600 wrote to memory of 1800	2600	JavaRuntime.exe	45

C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe
"C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EtEJXD.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EtEJXD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB9ED.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2932
- C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe"
  2⤵
  PID:3004
- C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe
  "C:\Users\Admin\AppData\Local\Temp\Receipt-#202431029B3.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\Java\JavaRuntime.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\ProgramData\Java\JavaRuntime.exe
        
        C:\ProgramData\Java\JavaRuntime.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EtEJXD.exe"
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EtEJXD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp196.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:992
      - C:\ProgramData\Java\JavaRuntime.exe
        
        "C:\ProgramData\Java\JavaRuntime.exe"
        6⤵
        Executes dropped EXE
        
        PID:2236
      - C:\ProgramData\Java\JavaRuntime.exe
        
        "C:\ProgramData\Java\JavaRuntime.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Java\JavaRuntime.exe

Filesize
1.2MB

MD5
152c7485cbeb3bc280d028e065891d6e

SHA1
0ddffbb675b4569217ea960b288da13a67801983

SHA256
1420ee82c4ec66f06a832f01c43b0aca270fa9990f82f23fb36b899cabe11590

SHA512
1dc27627c964b8d39251833e4a97b3c51b334fd9cdc132094082a1ac4cae4a6d97258e04e9b87de929c18340d4af53768fa99469085db777bafb59559b1208b3

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
a53499a82efc9daad689f14989621d1d

SHA1
58035f7b976e92179a1c623176e561b9ff085f7b

SHA256
721cadb252259dfc12c67aaf876c5a299685a53ade0660f1919d3e98956c9c9e

SHA512
204db72814f5931752e9fd84165994a63e178cbb4ef8110d5978c7f25f49b2606ad0242af6f17b41830a8cc396ce2d347fa8d14b5626cca9a5ecfdf6b7ba3c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
392B

MD5
7935d3c5851b7744eaf93d733908c25c

SHA1
d4eea4f1943a84663fa887cea509f2527dc04e49

SHA256
bced2446ec2ee988dd2060e4a02be9b7413485da23be0be4e34934827518cb42

SHA512
25556efb93a58d6ba43345c1e5f39ba642a90fc1c051c3094e0e70b79d4a9d31221f1f1d9c6b03c59e852cf6a7a27ee2ce8124d885e14dd5ccca89062f0943cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB9ED.tmp

Filesize
1KB

MD5
867c887203d0ed1e0d9d4a9734d14fd0

SHA1
d4d4696e768abe5169eda17448f0a9e5b14dccbe

SHA256
011323aa0680503548126c7dfd8bb6c9ff7588e325b053daf7481848d8fc9c4b

SHA512
44b2e477e34d838baa3fbf9e263b071ed90429eb642377c62db3d740f8c5f0d04b72c3d7b8eff98c547902bd279feb969dbffb8e62e8a82e26886914cad9b623

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
52836f52abc829cd98cb2eb846770453

SHA1
79c84d9b1d19e4966afd00687bfb5bc883b04ad6

SHA256
e51cb4de3162e22d9f1d28e27308adaa5c8012fc4c00c37eff8348475c8a8dab

SHA512
44aa1a11145a908bf6dbfbde8db9e5a6b6dee395eb4a7ae7ba29dedf26185fb851ff8fad1693eeaed9b1da1e9827a82260968e6ac3d986a9806e8c5b4c3ba6da

Download Submit
memory/1076-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1076-20-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-26-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-24-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-22-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-29-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-30-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-16-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1076-18-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-108-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-118-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-117-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-116-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-115-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-113-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-70-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-112-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-66-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-65-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1800-111-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-76-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-77-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-78-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-81-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-110-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-96-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-98-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-106-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1800-107-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2128-33-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-0-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x0000000000850000-0x0000000000980000-memory.dmp

Filesize
1.2MB

Download
memory/2128-2-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-3-0x0000000000810000-0x0000000000836000-memory.dmp

Filesize
152KB

Download
memory/2128-4-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2128-5-0x0000000074490000-0x0000000074B7E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-6-0x000000000A410000-0x000000000A4D0000-memory.dmp

Filesize
768KB

Download
memory/2600-42-0x0000000001100000-0x0000000001230000-memory.dmp

Filesize
1.2MB

Download