remcos | 09b19d6f3a6a0a0e574a2fdf8963ae5a67964a87a08361df3437bae37cb9a7fd

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2023, 10:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

List Of Product Order!!.exe
Size

823KB
MD5

285709b486f7370beb1c11a560c5105e
SHA1

a0b7492f106d1ee262ff1dfcc7ad7de39ee05d27
SHA256

03a6ac61b13b44d81d585695020546c9d7a4aff18433ac396f7fcc3d8a60148e
SHA512

c765ea1e0e31260bb6fd8ca0a468c3d2d03da40ed3f1da9d3e054e2a541cb6cfc58e861b58567e199d9dcd9075632e583d05128788b5444c93bb6dc9f7dbe7ab
SSDEEP

24576:EqerVZINr2Cmu4g8JwTGLyrCcY1qqKGeOf:ENZa4u49Jw7V/G

Score

10^/10

remcos grace collection rat

Malware Config

Extracted

Family

remcos

Botnet

Grace

grantadistciaret.com:3212

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3ANIE5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/2568-71-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/2568-74-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView
behavioral2/memory/2568-76-0x0000000000400000-0x0000000000457000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/3468-72-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView
behavioral2/memory/3468-83-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 8 IoCs

resource	yara_rule
behavioral2/memory/1104-69-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/3468-72-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/2568-71-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/1104-73-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2568-74-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/1104-75-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/2568-76-0x0000000000400000-0x0000000000457000-memory.dmp	Nirsoft
behavioral2/memory/3468-83-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	List Of Product Order!!.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 4056	1852	List Of Product Order!!.exe	105
PID 4056 set thread context of 3468	4056	vbc.exe	107
PID 4056 set thread context of 2568	4056	vbc.exe	108
PID 4056 set thread context of 1104	4056	vbc.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4352	powershell.exe
4352	powershell.exe
3376	powershell.exe
3376	powershell.exe
3468	vbc.exe
3468	vbc.exe
1104	vbc.exe
1104	vbc.exe
3376	powershell.exe
4352	powershell.exe
3468	vbc.exe
3468	vbc.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4056	vbc.exe
4056	vbc.exe
4056	vbc.exe
4056	vbc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	powershell.exe
Token: SeDebugPrivilege	3376	powershell.exe
Token: SeDebugPrivilege	1104	vbc.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 4352	1852	List Of Product Order!!.exe	99
PID 1852 wrote to memory of 4352	1852	List Of Product Order!!.exe	99
PID 1852 wrote to memory of 4352	1852	List Of Product Order!!.exe	99
PID 1852 wrote to memory of 3376	1852	List Of Product Order!!.exe	101
PID 1852 wrote to memory of 3376	1852	List Of Product Order!!.exe	101
PID 1852 wrote to memory of 3376	1852	List Of Product Order!!.exe	101
PID 1852 wrote to memory of 1288	1852	List Of Product Order!!.exe	103
PID 1852 wrote to memory of 1288	1852	List Of Product Order!!.exe	103
PID 1852 wrote to memory of 1288	1852	List Of Product Order!!.exe	103
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 1852 wrote to memory of 4056	1852	List Of Product Order!!.exe	105
PID 4056 wrote to memory of 4016	4056	vbc.exe	106
PID 4056 wrote to memory of 4016	4056	vbc.exe	106
PID 4056 wrote to memory of 4016	4056	vbc.exe	106
PID 4056 wrote to memory of 3468	4056	vbc.exe	107
PID 4056 wrote to memory of 3468	4056	vbc.exe	107
PID 4056 wrote to memory of 3468	4056	vbc.exe	107
PID 4056 wrote to memory of 3468	4056	vbc.exe	107
PID 4056 wrote to memory of 2568	4056	vbc.exe	108
PID 4056 wrote to memory of 2568	4056	vbc.exe	108
PID 4056 wrote to memory of 2568	4056	vbc.exe	108
PID 4056 wrote to memory of 2568	4056	vbc.exe	108
PID 4056 wrote to memory of 1104	4056	vbc.exe	109
PID 4056 wrote to memory of 1104	4056	vbc.exe	109
PID 4056 wrote to memory of 1104	4056	vbc.exe	109
PID 4056 wrote to memory of 1104	4056	vbc.exe	109

C:\Users\Admin\AppData\Local\Temp\List Of Product Order!!.exe
"C:\Users\Admin\AppData\Local\Temp\List Of Product Order!!.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\List Of Product Order!!.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zsqbgCwSUtag.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3376
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zsqbgCwSUtag" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1288
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\httwsxxgtjc"
    3⤵
    PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\httwsxxgtjc"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\knzotqiahruwga"
    3⤵
    - Accesses Microsoft Outlook accounts
    PID:2568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\upezuiabdzmaqgdyvr"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ieaqoax.esw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\httwsxxgtjc

Filesize
4KB

MD5
298ed3330d2b60f0acf928ebacb445ac

SHA1
6cb619943bfe51ce0c1e11e94a4dd817b679c0ba

SHA256
f570da620b3a8b2164229a570f3def9463bd2db97bc46f5e5ffd32d795b1885c

SHA512
560abfabc9259d0a4be6ddad10dbc7f56029aff14845ca3d8b9ec8a8eb8bafc0b7a235c12ccf20dce317893473f39c06489bcb5b13d14c6ac5a11c3f9ec8ef7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6481.tmp

Filesize
1KB

MD5
a7f5a70443cfd367f68d025a0f84e40e

SHA1
b8546d178b24e511a838a229af8f2a7d2377c501

SHA256
2d0be6d76e5bc5d13d570b1fb8b05d163c644cdbbfa6bf971ffaeb375485435d

SHA512
8b504ab5f36cb42757fc9969740457fe3840ba60d4ef49bd664a6c6730ddcdf8be9ede51d849c35af4c16ff74434b9324e0ad88eabd22517bc800285ba381df3

Download Submit
memory/1104-65-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1104-68-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1104-69-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1104-73-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1104-75-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1852-0-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/1852-3-0x0000000004C90000-0x0000000004D22000-memory.dmp

Filesize
584KB

Download
memory/1852-11-0x0000000006280000-0x000000000631C000-memory.dmp

Filesize
624KB

Download
memory/1852-12-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1852-9-0x0000000005E90000-0x0000000005E9A000-memory.dmp

Filesize
40KB

Download
memory/1852-8-0x0000000005E80000-0x0000000005E88000-memory.dmp

Filesize
32KB

Download
memory/1852-7-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/1852-1-0x00000000001F0000-0x00000000002C4000-memory.dmp

Filesize
848KB

Download
memory/1852-6-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/1852-29-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/1852-5-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/1852-4-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/1852-2-0x0000000005160000-0x0000000005704000-memory.dmp

Filesize
5.6MB

Download
memory/1852-10-0x0000000005F00000-0x0000000005FB8000-memory.dmp

Filesize
736KB

Download
memory/2568-71-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2568-74-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2568-76-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2568-66-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2568-62-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3376-122-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/3376-96-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3376-137-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3376-132-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/3376-46-0x0000000005630000-0x0000000005984000-memory.dmp

Filesize
3.3MB

Download
memory/3376-131-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3376-128-0x0000000007270000-0x000000000727E000-memory.dmp

Filesize
56KB

Download
memory/3376-126-0x0000000007180000-0x0000000007216000-memory.dmp

Filesize
600KB

Download
memory/3376-124-0x00000000062A0000-0x00000000062BA000-memory.dmp

Filesize
104KB

Download
memory/3376-123-0x0000000007600000-0x0000000007C7A000-memory.dmp

Filesize
6.5MB

Download
memory/3376-22-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3376-21-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3376-33-0x0000000004DD0000-0x0000000004E36000-memory.dmp

Filesize
408KB

Download
memory/3376-112-0x00000000061E0000-0x00000000061FE000-memory.dmp

Filesize
120KB

Download
memory/3376-30-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/3376-100-0x00000000715A0000-0x00000000715EC000-memory.dmp

Filesize
304KB

Download
memory/3376-20-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/3468-72-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3468-83-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3468-63-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3468-60-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4056-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-142-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-81-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-145-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-144-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-143-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-87-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4056-91-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4056-92-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4056-34-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-95-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/4056-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-140-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-139-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-35-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4056-59-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4352-94-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4352-125-0x0000000007D40000-0x0000000007D4A000-memory.dmp

Filesize
40KB

Download
memory/4352-14-0x00000000053E0000-0x0000000005416000-memory.dmp

Filesize
216KB

Download
memory/4352-127-0x0000000008010000-0x0000000008021000-memory.dmp

Filesize
68KB

Download
memory/4352-101-0x000000007F4F0000-0x000000007F500000-memory.dmp

Filesize
64KB

Download
memory/4352-129-0x0000000008050000-0x0000000008064000-memory.dmp

Filesize
80KB

Download
memory/4352-130-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4352-47-0x00000000063F0000-0x0000000006744000-memory.dmp

Filesize
3.3MB

Download
memory/4352-31-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4352-133-0x0000000008090000-0x0000000008098000-memory.dmp

Filesize
32KB

Download
memory/4352-13-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4352-138-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4352-111-0x00000000715A0000-0x00000000715EC000-memory.dmp

Filesize
304KB

Download
memory/4352-99-0x0000000006F70000-0x0000000006FA2000-memory.dmp

Filesize
200KB

Download
memory/4352-98-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4352-97-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4352-23-0x0000000005B30000-0x0000000006158000-memory.dmp

Filesize
6.2MB

Download
memory/4352-17-0x00000000054F0000-0x0000000005500000-memory.dmp

Filesize
64KB

Download
memory/4352-85-0x0000000006AD0000-0x0000000006B1C000-memory.dmp

Filesize
304KB

Download
memory/4352-84-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download