Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

eb7bb76f88...23.exe

windows7-x64

10

eb7bb76f88...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/11/2024, 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe

  • Size

    3.2MB

  • MD5

    44cc23376d14c764d1d731bc49b540b6

  • SHA1

    fe03c3dac8a4f9ecf366a30e64ccf693fe854a12

  • SHA256

    eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223

  • SHA512

    d079129a42e62e4b31bf78610d45865963d7f74dc970265824c4a5523af8c59997ed5e719551a0dc3879687794723c023ba5c31e11d7461b4489ef47a78287ab

  • SSDEEP

    98304:H3h6d68gwIteZNiiPwVpU3h6d68gwIteZNiiPwVpt:HR668aaELAR668aaELh

Score
10/10
remcosxredbackdoordiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Remcos family
    remcos
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe
    "C:\Users\Admin\AppData\Local\Temp\eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5096
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB84.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2272
    • C:\Users\Admin\AppData\Local\Temp\eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe
      "C:\Users\Admin\AppData\Local\Temp\eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3392
      • C:\Users\Admin\AppData\Local\Temp\._cache_eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:732
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4540
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\BLznCuyzwk.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1096
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BLznCuyzwk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6404.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3676
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4940
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2116
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    3.2MB

    MD5

    44cc23376d14c764d1d731bc49b540b6

    SHA1

    fe03c3dac8a4f9ecf366a30e64ccf693fe854a12

    SHA256

    eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223

    SHA512

    d079129a42e62e4b31bf78610d45865963d7f74dc970265824c4a5523af8c59997ed5e719551a0dc3879687794723c023ba5c31e11d7461b4489ef47a78287ab

    Download Submit

  • C:\ProgramData\remcos\logs.dat
    Filesize

    144B

    MD5

    04c16a3b3e528032e5944df28caa36c5

    SHA1

    b01f68e6dc8b36e9ae31a0b356665d8ce004f323

    SHA256

    9ca409a10b6fb16fa91015c6f9d0fd1e39cf4d73010ae24780351f8b65e7b3be

    SHA512

    ae1e0832284b381d3baf5b36af25d4904a1592fc1128031965969a06050ac18561b77b09155d513ea38f718ff440b1a513d7ab92c9e4846b023726e0197faf87

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    bc919cb3b801c2e064531d10dacb4e4d

    SHA1

    60c2440d10ef181deb4ddd8860a4e19df641cd57

    SHA256

    0a22548f770f8e890d2a543978c4f5a4ae80af5a7e1344816d42df67ba823a63

    SHA512

    cae0b437286ce943de0f55ddd1bb081916d15f98701b92ccd8a2088385167d54021d2b904d70f422859a318fd977e58423b86660af6e0a78cc07a9b2065cdf8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    2cf1c65b2e0465b4d3914ee66191192c

    SHA1

    4bcf1cbb2f4599b422c869b0c38ef4ee4240af1d

    SHA256

    b44c6119e61b70125e25aa5c5a1d6e9b89d428732656cc7f31dd99d9db82496a

    SHA512

    008f9be9724927e6709bfbedd566ddb9bb72aed62a5a31d0dd257dc74ade409fa6f48f9e65c5a025701327145307b6fc3ee763086e81b253a26ae86d507ff10e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_eb7bb76f88a533fa23d80ddf0e2e1a2afc10c1b1c7c9033eed2b677a3f979223.exe
    Filesize

    483KB

    MD5

    f3b57ccad1c0a308635e17aa591e4038

    SHA1

    ca67ad3c74523b844fc23563f7b288f0389fd645

    SHA256

    5ad6b9a917f35be0a1d66c771069c2143ad765737eedd85436acbc0f95a4c0e7

    SHA512

    5ed754a1b254e8a4b03e0445ac0081c94aaf179c2974827ce4ff10b7deb765d819243b2084212d7c91be9ddc07bf94f55e35f85564781b4124b61647a2f0977a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\00785E00
    Filesize

    26KB

    MD5

    86b528972737d0e3dd115b081e04f773

    SHA1

    1371c74c448c7ff68ac9bbacc6b61ced7b1dc13a

    SHA256

    c2257f9f63bf9ad9cd1e3fa3d9453ef8c6668618e1ca259f85530e2d6a90565d

    SHA512

    a804a31ce026936f2dea792b3ca806e33855608fb9b2d060fe741dcb76270bfc2caf2379432e017b02cdc82b6394a08ed55160f1d65f837f0c9170d884fffc37

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Qn9FJcXD.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in0blkwn.g3u.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB84.tmp
    Filesize

    1KB

    MD5

    8feeed50d5506f3f684e6ac7f38003bb

    SHA1

    281697aed4b626558e522a87e8a8e22a8662c08e

    SHA256

    456d9b34b6d8f880fa5ac56ae14a6265e1e84db2b59ffa5387c54ef22edfed4c

    SHA512

    3d6be4a829c62615850d324c58a5130f4ef9c3fe3f0d9ee062b59f326b40b4f787b416aecb93eb59c8bca458866b67468cd036d135a771579dfeecb17759dd03

    Download Submit

  • memory/1096-270-0x00000000718F0000-0x000000007193C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2068-175-0x00000000072A0000-0x00000000072BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2068-180-0x00000000074E0000-0x00000000074F4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2068-188-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2068-181-0x00000000075E0000-0x00000000075FA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2068-179-0x00000000074D0000-0x00000000074DE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2068-20-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2068-21-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2068-178-0x00000000074A0000-0x00000000074B1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2068-177-0x0000000007520000-0x00000000075B6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2068-176-0x0000000007310000-0x000000000731A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2068-174-0x00000000078E0000-0x0000000007F5A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2068-151-0x0000000006F20000-0x0000000006F52000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2068-44-0x0000000005AE0000-0x0000000005E34000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2068-163-0x0000000007160000-0x0000000007203000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2068-162-0x0000000006550000-0x000000000656E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2068-152-0x00000000719F0000-0x0000000071A3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2068-51-0x0000000005F70000-0x0000000005F8E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2068-52-0x0000000006310000-0x000000000635C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3392-46-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3392-45-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/3876-4-0x0000000005BA0000-0x0000000005BAA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3876-7-0x000000007533E000-0x000000007533F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3876-1-0x0000000000E50000-0x0000000001194000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3876-8-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3876-2-0x00000000061C0000-0x0000000006764000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3876-0-0x000000007533E000-0x000000007533F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3876-10-0x00000000073E0000-0x000000000747C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3876-3-0x0000000005C10000-0x0000000005CA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3876-9-0x00000000075C0000-0x000000000773E000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3876-50-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3876-6-0x0000000006170000-0x0000000006188000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3876-5-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3948-281-0x00007FFC0A200000-0x00007FFC0A210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-265-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-269-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-280-0x00007FFC0A200000-0x00007FFC0A210000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-266-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-267-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-268-0x00007FFC0C470000-0x00007FFC0C480000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4540-195-0x0000000006010000-0x0000000006364000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4540-223-0x0000000006CB0000-0x0000000006CFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4540-254-0x00000000718F0000-0x000000007193C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4540-264-0x0000000007910000-0x00000000079B3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4540-283-0x0000000007C50000-0x0000000007C64000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4540-282-0x0000000007C10000-0x0000000007C21000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4940-217-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4940-372-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4940-336-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4940-331-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4940-330-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/5096-16-0x0000000000D90000-0x0000000000DC6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/5096-19-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5096-15-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5096-25-0x0000000005820000-0x0000000005886000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5096-24-0x00000000057B0000-0x0000000005816000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5096-23-0x00000000050C0000-0x00000000050E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5096-18-0x0000000005110000-0x0000000005738000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/5096-182-0x00000000074D0000-0x00000000074D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5096-164-0x00000000719F0000-0x0000000071A3C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5096-17-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5096-189-0x0000000075330000-0x0000000075AE0000-memory.dmp

    Filesize

    7.7MB

    Download