njrat | 0a9d287a3539c979a8c215ca003ca35293c324644e2f2c4dc3a38b4c7f9fa143

Analysis

max time kernel
151s
max time network
147s
platform
windows10_x64
resource
win10-en-20211208
submitted
13-01-2022 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

A81N2M36CINV0ICERECEIPT.exe
Size

679KB
MD5

ba79aabe98bf01d3f35359a9332be48f
SHA1

0dbca5bfa445fca16f31bddfe3be23b1a41a80c0
SHA256

0a9d287a3539c979a8c215ca003ca35293c324644e2f2c4dc3a38b4c7f9fa143
SHA512

ad16e94537e80d6a185c6be021eb3b459e204fcc424366d89b222849f60ba00478335a036e66c197609f9a77161b093f7240c7ef1d699ff842fd9289d6e828d3

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

1.9

Botnet

HacKed

Mutex

Microsoft.Exe

Attributes

reg_key
Microsoft.Exe

Signatures

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A81N2M36CINV0ICERECEIPT.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	A81N2M36CINV0ICERECEIPT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	A81N2M36CINV0ICERECEIPT.exe

Drops startup file 2 IoCs

Processes:

ilasm.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.Exe	ilasm.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.Exe	ilasm.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

A81N2M36CINV0ICERECEIPT.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\CADCDADBAEDEFBCBFCADB\svchost.exe = "0"	A81N2M36CINV0ICERECEIPT.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\A81N2M36CINV0ICERECEIPT.exe = "0"	A81N2M36CINV0ICERECEIPT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	A81N2M36CINV0ICERECEIPT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	A81N2M36CINV0ICERECEIPT.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ilasm.exeA81N2M36CINV0ICERECEIPT.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ilasm.exe\" .."	ilasm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft.Exe = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ilasm.exe\" .."	ilasm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\BEABFBACFFDDAFBFBAEECFC = "C:\\Windows\\Microsoft.NET\\Framework\\CADCDADBAEDEFBCBFCADB\\svchost.exe"	A81N2M36CINV0ICERECEIPT.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

A81N2M36CINV0ICERECEIPT.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	A81N2M36CINV0ICERECEIPT.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	A81N2M36CINV0ICERECEIPT.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

A81N2M36CINV0ICERECEIPT.exe

description pid process target process

PID 1008 set thread context of 956 1008 A81N2M36CINV0ICERECEIPT.exe ilasm.exe
Drops file in Windows directory 1 IoCs

Processes:

A81N2M36CINV0ICERECEIPT.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\CADCDADBAEDEFBCBFCADB\svchost.exe A81N2M36CINV0ICERECEIPT.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1008 set thread context of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\CADCDADBAEDEFBCBFCADB\svchost.exe	A81N2M36CINV0ICERECEIPT.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

A81N2M36CINV0ICERECEIPT.exepowershell.exepowershell.exepowershell.exe

pid	process
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
2832	powershell.exe
2188	powershell.exe
1512	powershell.exe
1512	powershell.exe
2188	powershell.exe
2832	powershell.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe
2188	powershell.exe
1512	powershell.exe
2832	powershell.exe
1008	A81N2M36CINV0ICERECEIPT.exe
1008	A81N2M36CINV0ICERECEIPT.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

A81N2M36CINV0ICERECEIPT.exepowershell.exepowershell.exepowershell.exeilasm.exe

description	pid	process
Token: SeDebugPrivilege	1008	A81N2M36CINV0ICERECEIPT.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	956	ilasm.exe
Token: 33	956	ilasm.exe
Token: SeIncBasePriorityPrivilege	956	ilasm.exe
Token: 33	956	ilasm.exe
Token: SeIncBasePriorityPrivilege	956	ilasm.exe
Token: 33	956	ilasm.exe
Token: SeIncBasePriorityPrivilege	956	ilasm.exe
Token: 33	956	ilasm.exe
Token: SeIncBasePriorityPrivilege	956	ilasm.exe
Token: 33	956	ilasm.exe
Token: SeIncBasePriorityPrivilege	956	ilasm.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

A81N2M36CINV0ICERECEIPT.exeilasm.exe

description	pid	process	target process
PID 1008 wrote to memory of 2188	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 2188	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 2188	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 1512	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 1512	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 1512	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 2832	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 2832	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 2832	1008	A81N2M36CINV0ICERECEIPT.exe	powershell.exe
PID 1008 wrote to memory of 2096	1008	A81N2M36CINV0ICERECEIPT.exe	CasPol.exe
PID 1008 wrote to memory of 2096	1008	A81N2M36CINV0ICERECEIPT.exe	CasPol.exe
PID 1008 wrote to memory of 2096	1008	A81N2M36CINV0ICERECEIPT.exe	CasPol.exe
PID 1008 wrote to memory of 980	1008	A81N2M36CINV0ICERECEIPT.exe	ComSvcConfig.exe
PID 1008 wrote to memory of 980	1008	A81N2M36CINV0ICERECEIPT.exe	ComSvcConfig.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 1008 wrote to memory of 956	1008	A81N2M36CINV0ICERECEIPT.exe	ilasm.exe
PID 956 wrote to memory of 3432	956	ilasm.exe	netsh.exe
PID 956 wrote to memory of 3432	956	ilasm.exe	netsh.exe
PID 956 wrote to memory of 3432	956	ilasm.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\A81N2M36CINV0ICERECEIPT.exe
"C:\Users\Admin\AppData\Local\Temp\A81N2M36CINV0ICERECEIPT.exe"
1⤵
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\CADCDADBAEDEFBCBFCADB\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\CADCDADBAEDEFBCBFCADB\svchost.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\A81N2M36CINV0ICERECEIPT.exe" -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe" "ilasm.exe" ENABLE
    3⤵
    PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b4eae4e8bfcf56dd0b73d98f164fcc13

SHA1
fa82e02565878224c464602775a5a78448ca65b1

SHA256
448c6aabc96c91ea3df8a5b57cc36835535714fa8da095808e0f00d785ccdf98

SHA512
63764b8d20509aeb0371d896b9e9937933938362e0aeae19d069a4fff70f6b4458fd3e9ad0818213ad566f65c5deb32e47c6eb03058bd06bec15b789ea62c5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8e13cfac91dc4c412baf594834232106

SHA1
80e6e400ae28dcda64bee9038f341ce783aedd3b

SHA256
9c2d55f2ba0a71db6752267d327b3242a7e4872d5c39eccd2b199ccb5786d8ae

SHA512
93fe553627de4b37d6658fc0c58ac4bd152fd0ddb58b02e07b8b169a93b8cd3daaa3711dc5b49782806e721cddd04ea8d72a8f199bf9fd1c876833bd72fc6547

Download Submit
memory/956-169-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/956-170-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/956-177-0x0000000009D70000-0x0000000009E02000-memory.dmp

Filesize
584KB

Download
memory/956-176-0x0000000009F30000-0x000000000A42E000-memory.dmp

Filesize
5.0MB

Download
memory/956-172-0x0000000009990000-0x0000000009A2C000-memory.dmp

Filesize
624KB

Download
memory/956-171-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/956-168-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/956-167-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/956-166-0x000000000040BBF2-mapping.dmp

Download
memory/956-165-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1008-116-0x0000000004C60000-0x0000000004CFC000-memory.dmp

Filesize
624KB

Download
memory/1008-117-0x0000000004D00000-0x0000000004D76000-memory.dmp

Filesize
472KB

Download
memory/1008-115-0x00000000002E0000-0x0000000000390000-memory.dmp

Filesize
704KB

Download
memory/1008-118-0x0000000005280000-0x000000000577E000-memory.dmp

Filesize
5.0MB

Download
memory/1008-124-0x0000000006880000-0x00000000068E6000-memory.dmp

Filesize
408KB

Download
memory/1008-140-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/1008-119-0x0000000004D80000-0x0000000004E12000-memory.dmp

Filesize
584KB

Download
memory/1008-123-0x0000000004E90000-0x0000000004EAA000-memory.dmp

Filesize
104KB

Download
memory/1008-122-0x0000000004EF0000-0x0000000004F92000-memory.dmp

Filesize
648KB

Download
memory/1008-121-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1008-120-0x0000000004E20000-0x0000000004E3E000-memory.dmp

Filesize
120KB

Download
memory/1512-126-0x0000000000000000-mapping.dmp

Download
memory/1512-137-0x0000000006D70000-0x0000000007398000-memory.dmp

Filesize
6.2MB

Download
memory/1512-179-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1512-175-0x0000000007DD0000-0x0000000007E46000-memory.dmp

Filesize
472KB

Download
memory/1512-203-0x0000000006D70000-0x0000000007398000-memory.dmp

Filesize
6.2MB

Download
memory/1512-206-0x0000000008C40000-0x0000000008C73000-memory.dmp

Filesize
204KB

Download
memory/1512-146-0x0000000004292000-0x0000000004293000-memory.dmp

Filesize
4KB

Download
memory/1512-143-0x0000000004290000-0x0000000004291000-memory.dmp

Filesize
4KB

Download
memory/1512-136-0x00000000042A0000-0x00000000042D6000-memory.dmp

Filesize
216KB

Download
memory/1512-209-0x0000000008C40000-0x0000000008C73000-memory.dmp

Filesize
204KB

Download
memory/1512-149-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/1512-133-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1512-212-0x0000000006CE0000-0x0000000006D02000-memory.dmp

Filesize
136KB

Download
memory/1512-215-0x0000000007410000-0x0000000007476000-memory.dmp

Filesize
408KB

Download
memory/1512-130-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1512-153-0x0000000007480000-0x00000000074E6000-memory.dmp

Filesize
408KB

Download
memory/1512-150-0x0000000007410000-0x0000000007476000-memory.dmp

Filesize
408KB

Download
memory/1512-162-0x0000000007AC0000-0x0000000007B0B000-memory.dmp

Filesize
300KB

Download
memory/1512-158-0x0000000007530000-0x0000000007880000-memory.dmp

Filesize
3.3MB

Download
memory/1512-159-0x0000000007980000-0x000000000799C000-memory.dmp

Filesize
112KB

Download
memory/2188-156-0x0000000007980000-0x0000000007CD0000-memory.dmp

Filesize
3.3MB

Download
memory/2188-180-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/2188-161-0x0000000007CD0000-0x0000000007CEC000-memory.dmp

Filesize
112KB

Download
memory/2188-125-0x0000000000000000-mapping.dmp

Download
memory/2188-204-0x0000000007070000-0x0000000007698000-memory.dmp

Filesize
6.2MB

Download
memory/2188-163-0x00000000082F0000-0x000000000833B000-memory.dmp

Filesize
300KB

Download
memory/2188-151-0x0000000007710000-0x0000000007776000-memory.dmp

Filesize
408KB

Download
memory/2188-207-0x0000000008F90000-0x0000000008FC3000-memory.dmp

Filesize
204KB

Download
memory/2188-154-0x00000000078F0000-0x0000000007956000-memory.dmp

Filesize
408KB

Download
memory/2188-210-0x0000000008F90000-0x0000000008FC3000-memory.dmp

Filesize
204KB

Download
memory/2188-148-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/2188-129-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/2188-145-0x0000000006A32000-0x0000000006A33000-memory.dmp

Filesize
4KB

Download
memory/2188-173-0x00000000080E0000-0x0000000008156000-memory.dmp

Filesize
472KB

Download
memory/2188-214-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/2188-142-0x0000000006A30000-0x0000000006A31000-memory.dmp

Filesize
4KB

Download
memory/2188-132-0x0000000004420000-0x0000000004421000-memory.dmp

Filesize
4KB

Download
memory/2188-134-0x0000000006920000-0x0000000006956000-memory.dmp

Filesize
216KB

Download
memory/2188-138-0x0000000007070000-0x0000000007698000-memory.dmp

Filesize
6.2MB

Download
memory/2832-147-0x00000000074E0000-0x0000000007502000-memory.dmp

Filesize
136KB

Download
memory/2832-160-0x0000000007C70000-0x0000000007C8C000-memory.dmp

Filesize
112KB

Download
memory/2832-178-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2832-202-0x00000000075B0000-0x0000000007BD8000-memory.dmp

Filesize
6.2MB

Download
memory/2832-135-0x0000000004A60000-0x0000000004A96000-memory.dmp

Filesize
216KB

Download
memory/2832-174-0x0000000008610000-0x0000000008686000-memory.dmp

Filesize
472KB

Download
memory/2832-208-0x0000000009440000-0x0000000009473000-memory.dmp

Filesize
204KB

Download
memory/2832-131-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2832-141-0x0000000006F70000-0x0000000006F71000-memory.dmp

Filesize
4KB

Download
memory/2832-144-0x0000000006F72000-0x0000000006F73000-memory.dmp

Filesize
4KB

Download
memory/2832-216-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/2832-139-0x00000000075B0000-0x0000000007BD8000-memory.dmp

Filesize
6.2MB

Download
memory/2832-213-0x0000000007BE0000-0x0000000007C46000-memory.dmp

Filesize
408KB

Download
memory/2832-211-0x00000000074E0000-0x0000000007502000-memory.dmp

Filesize
136KB

Download
memory/2832-155-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/2832-152-0x0000000007BE0000-0x0000000007C46000-memory.dmp

Filesize
408KB

Download
memory/2832-205-0x0000000009440000-0x0000000009473000-memory.dmp

Filesize
204KB

Download
memory/2832-164-0x0000000008300000-0x000000000834B000-memory.dmp

Filesize
300KB

Download
memory/2832-157-0x0000000007EF0000-0x0000000008240000-memory.dmp

Filesize
3.3MB

Download
memory/2832-128-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2832-127-0x0000000000000000-mapping.dmp

Download
memory/3432-265-0x0000000000000000-mapping.dmp

Download