remcos | 2a9b0ed40f1f0bc0c13ff35d304689e9cadd633781cbcad1c2d2b92ced3f1c85

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test1.exe
Size

792KB
MD5

f0882b09aebf9b37f740d9a42e3fa4bb
SHA1

e1068da52875b055ec58d2c2b8110932e863f981
SHA256

2a9b0ed40f1f0bc0c13ff35d304689e9cadd633781cbcad1c2d2b92ced3f1c85
SHA512

a6788652b4123a3618ff79d379cc291623e9c3126ba18831fc7c574b5ac8b52309ca6b6d5497b645e5de0fa7e2bdcbd4410cc29a7a9ce87d86f8da50fbe6fadd
SSDEEP

3072:675U501c5GWp1icKAArDZz4N9GhbkrNEk1yjBwpewrFT13tc1RnmImKZIy9lPx6x:1pp0yN90QEDmwmT1dctm+rjAiEDZ

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Version

2.3.0 Pro

Botnet

RemoteHost

toptoptop1.online:2404

toptoptop2.online:2404

toptoptop3.online:2404

toptoptop1.site:2404

toptoptop2.site:2404

toptoptop3.site:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
3
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-RKAPUX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	ADDSTA~2.EXE

Executes dropped EXE 4 IoCs

pid	Process
1364	ADDSTA~2.EXE
3708	ADDSTA~2.EXE
1016	FYRINGSSEDDELEN.exe
3768	FYRINGSSEDDELEN.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	test1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\SUSPIRATIVE = "wscript \"C:\\Users\\Admin\\AppData\\Local\\Temp\\FYRINGSSEDDELEN.vbs\""	FYRINGSSEDDELEN.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	ADDSTA~2.EXE
File opened for modification	C:\Windows\win.ini	ADDSTA~2.EXE
File opened for modification	C:\Windows\win.ini	FYRINGSSEDDELEN.exe
File opened for modification	C:\Windows\win.ini	FYRINGSSEDDELEN.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADDSTA~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADDSTA~2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FYRINGSSEDDELEN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FYRINGSSEDDELEN.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1364	ADDSTA~2.EXE
3708	ADDSTA~2.EXE
1016	FYRINGSSEDDELEN.exe
3768	FYRINGSSEDDELEN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1364	2204	test1.exe	82
PID 2204 wrote to memory of 1364	2204	test1.exe	82
PID 2204 wrote to memory of 1364	2204	test1.exe	82
PID 2308 wrote to memory of 4892	2308	chrome.exe	97
PID 2308 wrote to memory of 4892	2308	chrome.exe	97
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 1520	2308	chrome.exe	98
PID 2308 wrote to memory of 656	2308	chrome.exe	99
PID 2308 wrote to memory of 656	2308	chrome.exe	99
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100
PID 2308 wrote to memory of 4980	2308	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\test1.exe
"C:\Users\Admin\AppData\Local\Temp\test1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADDSTA~2.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADDSTA~2.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADDSTA~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADDSTA~2.EXE
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3708
  - - C:\Users\Admin\AppData\Local\Temp\FYRINGSSEDDELEN.exe
      "C:\Users\Admin\AppData\Local\Temp\FYRINGSSEDDELEN.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1016
    - - C:\Users\Admin\AppData\Local\Temp\FYRINGSSEDDELEN.exe
        
        "C:\Users\Admin\AppData\Local\Temp\FYRINGSSEDDELEN.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffffbafcc40,0x7ffffbafcc4c,0x7ffffbafcc58
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,2109337798889011037,3672271703726386510,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,2109337798889011037,3672271703726386510,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,2109337798889011037,3672271703726386510,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,2109337798889011037,3672271703726386510,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,2109337798889011037,3672271703726386510,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,2109337798889011037,3672271703726386510,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:2184

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8bc8ec59f6956d4d59909f5ab05b9d99

SHA1
92ad9b2c80decd839d468f99f65d8c6887aee1a7

SHA256
419635f6746ed71ec173b6d7eaddecfa0e3f7d639c06b814ed8d5b7314eca657

SHA512
7c610b16c22764134ba61bb2c836be280f82ee4686d4fc5fe644671575ed22e1fc5dac2ad1a357e3e7ee83c75f151049cff20de3ce9d8eb2a50f679bec69470f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
80621cd7f07adae258c824b8ac50ca8f

SHA1
5d68200adcc6dc3ea6daaf27564ee59d8e86257d

SHA256
7b0f90eba41ed7e6b3ee12a6a0a0167557c62795e388d65055f5862c6c25ff17

SHA512
83cf791db46a231da4ad612b3fbe9daf6e8b649bff10c470bcb02300aa84f5a5eed5984c138f71cfd9b7381acbe0534350b446d65973dbbffb6b16ecd6cef38f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6278c138dc955a88832adaa48b7a2b18

SHA1
243a91cd26beca97ad410b8a34678048c818ad03

SHA256
95d25e548d33b65bfd4bdc761be0069bba353834d94d0facc2e5275370c7a0b0

SHA512
bd83bbf33660916622199192a7e3b6986696b61c5e3e7f4a00ce19adb76d41498fb44617d9e1239b007bf3b3f34cec51845f871a4066e937d36d4a19a7382116

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
47ec964047132d2c4f3c87fb06cdd324

SHA1
9fc9f9b30377900bb585a9b0d8e266b9698eae58

SHA256
d12b77f772bc21306aa6d84f9e4e184ec83d7eb54d4d67eb31d45f00c47b75dc

SHA512
a1310a8e1c287e2d4ee02f64e4dcac21d1eea5def07a8eca1b1117b8daf0c6696e93d7789377cb613af1ec6449fc2ebbdcf2a6fab78d554e65e453db378e0d72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/1364-114-0x0000000076EF1000-0x0000000077011000-memory.dmp

Filesize
1.1MB

Download
memory/1364-118-0x0000000076EF1000-0x0000000077011000-memory.dmp

Filesize
1.1MB

Download
memory/3768-143-0x00000000020E0000-0x00000000020E7000-memory.dmp

Filesize
28KB

Download
memory/3768-142-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download