71800e871e5ba0e16662a63adde65180a7353a75e5f63c9970f12162854c876b

Analysis

max time kernel
15s
max time network
24s
platform
windows10-1703_x64
resource
win10-20230915-de
resource tags

arch:x64arch:x86image:win10-20230915-delocale:de-deos:windows10-1703-x64systemwindows
submitted
03/10/2023, 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LICENSE ACTlVATlON - TrendingBot.bat
Size

199KB
MD5

10fffe8df427eed52e2ced1b71c47dec
SHA1

fc065b23dcf2047050033dc5cb8c9f46fe83c8ee
SHA256

71800e871e5ba0e16662a63adde65180a7353a75e5f63c9970f12162854c876b
SHA512

56e48bcfe2df01ab0df27ebf41caea8a66c6af2408d443a1595e646472da3483adfd3526580583a4f7761f43bcf0e770a74e35fb09022bd1b2cebec866023144
SSDEEP

3072:CbWXLnN1afKn4viIH5pF6eU6qXpHMfAa4dZ5ni4jiHiZSl/Z0G3c43X1a8yJEok5:7N16OKiUpFG6exa4HBi23Qc943Qp6QG

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
2240	powershell.exe
2240	powershell.exe
2240	powershell.exe
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
4236	powershell.exe
4236	powershell.exe
4236	powershell.exe
2736	powershell.exe
2736	powershell.exe
2736	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 1460	3912	cmd.exe	70
PID 3912 wrote to memory of 1460	3912	cmd.exe	70
PID 3912 wrote to memory of 3236	3912	cmd.exe	71
PID 3912 wrote to memory of 3236	3912	cmd.exe	71
PID 3912 wrote to memory of 4744	3912	cmd.exe	72
PID 3912 wrote to memory of 4744	3912	cmd.exe	72
PID 3912 wrote to memory of 4728	3912	cmd.exe	73
PID 3912 wrote to memory of 4728	3912	cmd.exe	73
PID 3912 wrote to memory of 512	3912	cmd.exe	74
PID 3912 wrote to memory of 512	3912	cmd.exe	74
PID 3912 wrote to memory of 4420	3912	cmd.exe	75
PID 3912 wrote to memory of 4420	3912	cmd.exe	75
PID 3912 wrote to memory of 3600	3912	cmd.exe	76
PID 3912 wrote to memory of 3600	3912	cmd.exe	76
PID 3912 wrote to memory of 1012	3912	cmd.exe	77
PID 3912 wrote to memory of 1012	3912	cmd.exe	77
PID 3912 wrote to memory of 4668	3912	cmd.exe	78
PID 3912 wrote to memory of 4668	3912	cmd.exe	78
PID 3912 wrote to memory of 3664	3912	cmd.exe	79
PID 3912 wrote to memory of 3664	3912	cmd.exe	79
PID 3912 wrote to memory of 2704	3912	cmd.exe	80
PID 3912 wrote to memory of 2704	3912	cmd.exe	80
PID 3912 wrote to memory of 4632	3912	cmd.exe	81
PID 3912 wrote to memory of 4632	3912	cmd.exe	81
PID 3912 wrote to memory of 3632	3912	cmd.exe	82
PID 3912 wrote to memory of 3632	3912	cmd.exe	82
PID 3912 wrote to memory of 4680	3912	cmd.exe	84
PID 3912 wrote to memory of 4680	3912	cmd.exe	84
PID 3912 wrote to memory of 4072	3912	cmd.exe	85
PID 3912 wrote to memory of 4072	3912	cmd.exe	85
PID 3912 wrote to memory of 3916	3912	cmd.exe	86
PID 3912 wrote to memory of 3916	3912	cmd.exe	86
PID 3912 wrote to memory of 4228	3912	cmd.exe	87
PID 3912 wrote to memory of 4228	3912	cmd.exe	87
PID 3912 wrote to memory of 3300	3912	cmd.exe	88
PID 3912 wrote to memory of 3300	3912	cmd.exe	88
PID 3912 wrote to memory of 3452	3912	cmd.exe	89
PID 3912 wrote to memory of 3452	3912	cmd.exe	89
PID 3912 wrote to memory of 2240	3912	cmd.exe	90
PID 3912 wrote to memory of 2240	3912	cmd.exe	90
PID 3912 wrote to memory of 1152	3912	cmd.exe	91
PID 3912 wrote to memory of 1152	3912	cmd.exe	91
PID 3912 wrote to memory of 4552	3912	cmd.exe	92
PID 3912 wrote to memory of 4552	3912	cmd.exe	92
PID 3912 wrote to memory of 4036	3912	cmd.exe	93
PID 3912 wrote to memory of 4036	3912	cmd.exe	93
PID 3912 wrote to memory of 5072	3912	cmd.exe	94
PID 3912 wrote to memory of 5072	3912	cmd.exe	94
PID 3912 wrote to memory of 1972	3912	cmd.exe	95
PID 3912 wrote to memory of 1972	3912	cmd.exe	95
PID 3912 wrote to memory of 4024	3912	cmd.exe	96
PID 3912 wrote to memory of 4024	3912	cmd.exe	96
PID 3912 wrote to memory of 4932	3912	cmd.exe	97
PID 3912 wrote to memory of 4932	3912	cmd.exe	97
PID 3912 wrote to memory of 2180	3912	cmd.exe	98
PID 3912 wrote to memory of 2180	3912	cmd.exe	98
PID 3912 wrote to memory of 4236	3912	cmd.exe	99
PID 3912 wrote to memory of 4236	3912	cmd.exe	99
PID 3912 wrote to memory of 4324	3912	cmd.exe	100
PID 3912 wrote to memory of 4324	3912	cmd.exe	100
PID 3912 wrote to memory of 3156	3912	cmd.exe	101
PID 3912 wrote to memory of 3156	3912	cmd.exe	101
PID 3912 wrote to memory of 1032	3912	cmd.exe	102
PID 3912 wrote to memory of 1032	3912	cmd.exe	102

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\LICENSE ACTlVATlON - TrendingBot.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4440
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:5000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "$VM=Get-WmiObject -Class Win32_ComputerSystem ; if ($VM.Model -match 'Virtual') { Write-Host 'Virtual Machine Detected. Exiting script.' ; taskkill /F /IM cmd.exe }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:4632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c dir /b
  2⤵
  PID:3700
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:312
- C:\Windows\system32\forfiles.exe
  forfiles /p C:\Users\Admin\AppData\Local\Temp /m RAT.exe /c 'cmd /c start @file'
  2⤵
  PID:4740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bca723da2d2553cff17b80b366f6cf7e

SHA1
3cd8a733d6f6ebd118cf8c4cbaf1dcb343382440

SHA256
66d2145106ce35085074b88aba903c84e8a5e05d1afbdba3f69209c65ef6d118

SHA512
337635a128ba80cfd9aa7f236eb0521f9e80726eed637aec1ee88158bfa2a9743b7e4f4a0d3bf20200e337aa1a97d2867cb367e625ac9c0fef5cc67511a9b2db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8fe8e7d959d14e5dc842cd28d8291d5e

SHA1
39232661b9c410ee96ecd53b2c68ac5bd3c59559

SHA256
71add39d4e2e8806d41dc3088aa5055d17f42907d78b8ff69a6658028a483cc9

SHA512
75fb4d85358cb6ed05ff423aab980660d307e937483fba0c5deb10bc14f883b35055385db53420818fe8003fe186ad0a0a8f2dcb844760eac2d48c5c4decf5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c18aa3d2ff2dca51f5313387f04cab91

SHA1
2a99b14622787182d021f06cdb962691d068a496

SHA256
12ae73abd5cb206721d62dfb8b9b1380ff2153231a7382d2249c60916268bc76

SHA512
9fcc38ab1c79dcb0defbe7364426d1adabd0cb548f1d1da2a4ee181955c720cfbc6fc3fec471dfd704ff60150c6ca558477c6581dc81c62ddc377226c13a3a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64d5c5deb62962a176cec319be7b6cb5

SHA1
63bf78ddc5f28f93c7ca0cc18020c101afaec095

SHA256
c7e104feb9b0bd86fe1dda72ef7424d0919bb7e385b7f17ce4ea509a8f3280ba

SHA512
33fa0f18b3dd06bf9ca24429181e083e46a6da4c74bfdbf24ec6c86194953dfde5f520e5dcde6ebda91da0dc55217ecfa27d09ddd497bfb9c026a97291330ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4kmq3vnd.j30.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/2240-37-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-61-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2240-58-0x0000020A3AB20000-0x0000020A3AB30000-memory.dmp

Filesize
64KB

Download
memory/2240-40-0x0000020A3AB20000-0x0000020A3AB30000-memory.dmp

Filesize
64KB

Download
memory/2240-38-0x0000020A3AB20000-0x0000020A3AB30000-memory.dmp

Filesize
64KB

Download
memory/2736-121-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-123-0x000001B706490000-0x000001B7064A0000-memory.dmp

Filesize
64KB

Download
memory/2736-124-0x000001B706490000-0x000001B7064A0000-memory.dmp

Filesize
64KB

Download
memory/2736-142-0x000001B706490000-0x000001B7064A0000-memory.dmp

Filesize
64KB

Download
memory/2736-145-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/3632-28-0x00000223B50F0000-0x00000223B5100000-memory.dmp

Filesize
64KB

Download
memory/3632-13-0x00000223CD6B0000-0x00000223CD726000-memory.dmp

Filesize
472KB

Download
memory/3632-5-0x00000223B5100000-0x00000223B5122000-memory.dmp

Filesize
136KB

Download
memory/3632-6-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/3632-8-0x00000223B50F0000-0x00000223B5100000-memory.dmp

Filesize
64KB

Download
memory/3632-4-0x00000223CD300000-0x00000223CD386000-memory.dmp

Filesize
536KB

Download
memory/3632-9-0x00000223B50F0000-0x00000223B5100000-memory.dmp

Filesize
64KB

Download
memory/3632-7-0x00000223B50C0000-0x00000223B50D0000-memory.dmp

Filesize
64KB

Download
memory/3632-10-0x00000223CD5A0000-0x00000223CD6A4000-memory.dmp

Filesize
1.0MB

Download
memory/3632-32-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4236-95-0x000001653EF50000-0x000001653EF60000-memory.dmp

Filesize
64KB

Download
memory/4236-96-0x000001653EF50000-0x000001653EF60000-memory.dmp

Filesize
64KB

Download
memory/4236-114-0x000001653EF50000-0x000001653EF60000-memory.dmp

Filesize
64KB

Download
memory/4236-117-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4236-93-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4552-89-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4552-86-0x0000021975180000-0x0000021975190000-memory.dmp

Filesize
64KB

Download
memory/4552-68-0x0000021975180000-0x0000021975190000-memory.dmp

Filesize
64KB

Download
memory/4552-67-0x0000021975180000-0x0000021975190000-memory.dmp

Filesize
64KB

Download
memory/4552-64-0x00007FFBB50B0000-0x00007FFBB5A9C000-memory.dmp

Filesize
9.9MB

Download