njrat | bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c

Analysis

max time kernel
152s
max time network
100s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
Size

135KB
MD5

5545ae28ff0bebf154aef083b82850b0
SHA1

475f7df3a0fd6c97fa5b3f7847e67e259f144cb5
SHA256

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c
SHA512

a6b1ba07a7a1786625dee19d412ed27e6ba4380f89c00681e662b4162f56d46527189f8a0d4e9962875360998be1e29fb654397e2534f60b777466d585ee451f
SSDEEP

3072:2nj9jtfU+INndIc0J45iTgmygDgRrmIWdoQGq00D:2jbeiVVDgRI3GqN

Score

10^/10

njrat hacked evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

turkmurat.no-ip.org:1604

Mutex

632188ae0b130ac89e674b99bc07ac55

Attributes

reg_key
632188ae0b130ac89e674b99bc07ac55
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

B.exeB.exeserver.exeserver.exe

pid process

2012 B.exe
1364 B.exe
1184 server.exe
804 server.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1412 netsh.exe

pid	process
2012	B.exe
1364	B.exe
1184	server.exe
804	server.exe

pid	process
1412	netsh.exe

Loads dropped DLL 8 IoCs

Processes:

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exeB.exeB.exeserver.exeserver.exe

pid	process
1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
2012	B.exe
2012	B.exe
1364	B.exe
1364	B.exe
1184	server.exe
1184	server.exe
804	server.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exebab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\632188ae0b130ac89e674b99bc07ac55 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\632188ae0b130ac89e674b99bc07ac55 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

B.exeserver.exe

description pid process target process

PID 2012 set thread context of 1364 2012 B.exe B.exe
PID 1184 set thread context of 804 1184 server.exe server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

B.exeserver.exe

pid process

2012 B.exe
1184 server.exe

description	pid	process	target process
PID 2012 set thread context of 1364	2012	B.exe	B.exe
PID 1184 set thread context of 804	1184	server.exe	server.exe

pid	process
2012	B.exe
1184	server.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

B.exeserver.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	2012	B.exe
Token: SeDebugPrivilege	1184	server.exe
Token: SeDebugPrivilege	804	server.exe
Token: 33	804	server.exe
Token: SeIncBasePriorityPrivilege	804	server.exe
Token: 33	804	server.exe
Token: SeIncBasePriorityPrivilege	804	server.exe
Token: 33	804	server.exe
Token: SeIncBasePriorityPrivilege	804	server.exe
Token: 33	804	server.exe
Token: SeIncBasePriorityPrivilege	804	server.exe
Token: 33	804	server.exe
Token: SeIncBasePriorityPrivilege	804	server.exe
Token: 33	804	server.exe
Token: SeIncBasePriorityPrivilege	804	server.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exeB.exeB.exeserver.exeserver.exe

description	pid	process	target process
PID 1928 wrote to memory of 2012	1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 1928 wrote to memory of 2012	1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 1928 wrote to memory of 2012	1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 1928 wrote to memory of 2012	1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 1928 wrote to memory of 2012	1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 1928 wrote to memory of 2012	1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 1928 wrote to memory of 2012	1928	bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 2012 wrote to memory of 1364	2012	B.exe	B.exe
PID 1364 wrote to memory of 1184	1364	B.exe	server.exe
PID 1364 wrote to memory of 1184	1364	B.exe	server.exe
PID 1364 wrote to memory of 1184	1364	B.exe	server.exe
PID 1364 wrote to memory of 1184	1364	B.exe	server.exe
PID 1364 wrote to memory of 1184	1364	B.exe	server.exe
PID 1364 wrote to memory of 1184	1364	B.exe	server.exe
PID 1364 wrote to memory of 1184	1364	B.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 1184 wrote to memory of 804	1184	server.exe	server.exe
PID 804 wrote to memory of 1412	804	server.exe	netsh.exe
PID 804 wrote to memory of 1412	804	server.exe	netsh.exe
PID 804 wrote to memory of 1412	804	server.exe	netsh.exe
PID 804 wrote to memory of 1412	804	server.exe	netsh.exe
PID 804 wrote to memory of 1412	804	server.exe	netsh.exe
PID 804 wrote to memory of 1412	804	server.exe	netsh.exe
PID 804 wrote to memory of 1412	804	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe
"C:\Users\Admin\AppData\Local\Temp\bab8b77c6c6aa926cf3eb3811ebe77706775883db759e5344e6e663bd2253b4c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\server.exe
        
        C:\Users\Admin\AppData\Local\Temp\server.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        6⤵
        Modifies Windows Firewall
        
        PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\CSIDL_

Filesize
64KB

MD5
fcf8da848c845080ab04a566acd93885

SHA1
2c20c067cf7fa01f55b903bdd6f90c639d8cb344

SHA256
a23200380432574ccf72fcd4f63769bc9b700c1c0f6dda9aad88b4331a2f25e8

SHA512
b0d0d078a2f32d102f7819ac0627c893f52f94b2dc1661836b8256029e902828e5f858bc7f4ff6189c2a2e28a9b1914c31cbbfda6105109c645e56ecae83376c

Download Submit
C:\Users\Admin\AppData\Local\CSIDL_X

Filesize
64KB

MD5
fcf8da848c845080ab04a566acd93885

SHA1
2c20c067cf7fa01f55b903bdd6f90c639d8cb344

SHA256
a23200380432574ccf72fcd4f63769bc9b700c1c0f6dda9aad88b4331a2f25e8

SHA512
b0d0d078a2f32d102f7819ac0627c893f52f94b2dc1661836b8256029e902828e5f858bc7f4ff6189c2a2e28a9b1914c31cbbfda6105109c645e56ecae83376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.ex_

Filesize
64KB

MD5
fcf8da848c845080ab04a566acd93885

SHA1
2c20c067cf7fa01f55b903bdd6f90c639d8cb344

SHA256
a23200380432574ccf72fcd4f63769bc9b700c1c0f6dda9aad88b4331a2f25e8

SHA512
b0d0d078a2f32d102f7819ac0627c893f52f94b2dc1661836b8256029e902828e5f858bc7f4ff6189c2a2e28a9b1914c31cbbfda6105109c645e56ecae83376c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startupx\system.pif

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\B.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe

Filesize
32KB

MD5
7beafd70412d229ad4dae8ce293e0e4d

SHA1
76c919ff14a4cd2b1f03688063f713679f6d0395

SHA256
b492b86e80c8a03d837d7021d18d833f3c870cffb7b67de61574d7e2e4267ffb

SHA512
2b4bb48b4283ab49af2cb13295273ffb2f21713840d9d23c8bde3cc5c1cf26c4b5b761c4a68bc6abf8250b12981b2bf5202872849ba2968181c42b9a998a82d7

Download Submit
memory/804-114-0x0000000073E60000-0x000000007440B000-memory.dmp

Filesize
5.7MB

Download
memory/804-110-0x0000000073E60000-0x000000007440B000-memory.dmp

Filesize
5.7MB

Download
memory/804-102-0x000000000040747E-mapping.dmp

Download
memory/1184-111-0x0000000073E60000-0x000000007440B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-96-0x0000000073E60000-0x000000007440B000-memory.dmp

Filesize
5.7MB

Download
memory/1184-83-0x0000000000000000-mapping.dmp

Download
memory/1364-68-0x0000000000400000-0x00000000032E0000-memory.dmp

Filesize
46.9MB

Download
memory/1364-81-0x0000000073E60000-0x000000007440B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-70-0x0000000000400000-0x00000000032E0000-memory.dmp

Filesize
46.9MB

Download
memory/1364-88-0x0000000073E60000-0x000000007440B000-memory.dmp

Filesize
5.7MB

Download
memory/1364-66-0x0000000000400000-0x00000000032E0000-memory.dmp

Filesize
46.9MB

Download
memory/1364-65-0x0000000000400000-0x00000000032E0000-memory.dmp

Filesize
46.9MB

Download
memory/1364-63-0x0000000000090000-0x000000000018A000-memory.dmp

Filesize
1000KB

Download
memory/1364-69-0x0000000000400000-0x00000000032E0000-memory.dmp

Filesize
46.9MB

Download
memory/1364-71-0x000000000040747E-mapping.dmp

Download
memory/1364-75-0x0000000000400000-0x00000000032E0000-memory.dmp

Filesize
46.9MB

Download
memory/1364-77-0x0000000000400000-0x00000000032E0000-memory.dmp

Filesize
46.9MB

Download
memory/1412-112-0x0000000000000000-mapping.dmp

Download
memory/1928-54-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/2012-78-0x0000000073DE0000-0x000000007438B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-56-0x0000000000000000-mapping.dmp

Download
memory/2012-73-0x0000000000520000-0x0000000000524000-memory.dmp

Filesize
16KB

Download