Overview

overview

10

Static

static

5

e606ebb8d0...41.exe

windows7-x64

10

e606ebb8d0...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    188s
  • max time network
    241s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441.exe

  • Size

    1.2MB

  • MD5

    6ed29f629da1a85b7b854aafda1e369a

  • SHA1

    25cdd05e00d1900aabca3e8a7d11f1a9e4547e3a

  • SHA256

    e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441

  • SHA512

    75833a06204dc1d763105ccd427d667cfab5f060e310ab329d243e71f00ae0aa65ecc322ff35291a6ddfcea912a84506d6a99c62d4c38dc4a1958d0b31bd176b

  • SSDEEP

    24576:0tb20pkaCqT5TBWgNQ7ar3YKEBCd1s31LgABGkoyXtkcnO16A:dVg5tQ7ar3GB+1eLFtvnG5

Score
10/10
njrata0ayfj0pjtxgl9pajatevasionpersistencetrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

A0AYFJ0PJtXGl9PaJat

C2

193.0.200.131:35689

Mutex

0dcfc9e55379c2e16a422bb33c97d277

Attributes
  • reg_key

    0dcfc9e55379c2e16a422bb33c97d277

  • splitter

    |'|'|

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
    evasion
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Blocks application from running via registry modification 64 IoCs

    Adds application to list of disallowed applications.

    evasion
  • Drops file in Drivers directory 13 IoCs
  • Executes dropped EXE 5 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
    evasion
  • Sets file to hidden 1 TTPs 16 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 16 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441.exe
    "C:\Users\Admin\AppData\Local\Temp\e606ebb8d01184c9bb6f684b03acae1f54b8f4faafcbf6c8f0be404b32a61441.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\wtUs15F2v7wsLSM6A1JpKC7TJMmva6R8ZjW2svISYXjH4g0CcWY3Vs94mTlnF5R3ZFYsy5MYR.exe
      C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\wtUs15F2v7wsLSM6A1JpKC7TJMmva6R8ZjW2svISYXjH4g0CcWY3Vs94mTlnF5R3ZFYsy5MYR.exe
      2⤵
      • Modifies WinLogon for persistence
      • Blocks application from running via registry modification
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Adds Run key to start application
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:1108
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IyQoe.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2000
        • C:\Windows\system32\cacls.exe
          cacls C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE /E /P everyone:n
          4⤵
            PID:1512
          • C:\Windows\system32\cacls.exe
            cacls C:\Users\Admin\AppData\Local\Temp\WINDOWS /E /P everyone:n
            4⤵
              PID:1640
            • C:\Windows\system32\cacls.exe
              cacls C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime /E /P everyone:n
              4⤵
                PID:760
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Windows\System32\drivers\etc\*.*"
                4⤵
                • Drops file in Drivers directory
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1536
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Windows\System32\drivers\etc"
                4⤵
                • Drops file in Drivers directory
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1804
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\*.*"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1572
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1744
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\*.*"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1352
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:744
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\*.*"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1680
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1820
          • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exe
            C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exe
            2⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:468
            • C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exe
              "C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exe"
              3⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Modifies Internet Explorer settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:564
              • C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe
                "C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe"
                4⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • Suspicious use of AdjustPrivilegeToken
                PID:1628
                • C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe
                  C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe
                  5⤵
                  • Executes dropped EXE
                  PID:336
                  • C:\Windows\SysWOW64\netsh.exe
                    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\temp\WorkspaceRuntime\wksprt.exe" "wksprt.exe" ENABLE
                    6⤵
                    • Modifies Windows Firewall
                    PID:1652
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\v.bat" "
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1196
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Windows\System32\drivers\etc\*.*"
                4⤵
                • Drops file in Drivers directory
                • Sets file to hidden
                • Views/modifies file attributes
                PID:2032
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Windows\System32\drivers\etc"
                4⤵
                • Drops file in Drivers directory
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1608
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\*.*"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1764
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1504
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\*.*"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1156
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1568
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WINDOWS\*.*"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:1496
              • C:\Windows\system32\attrib.exe
                attrib +a +h +s +r "C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime"
                4⤵
                • Sets file to hidden
                • Views/modifies file attributes
                PID:872
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c %temp%\WINDOWS\TEMPARCHIVE\kFUh8z3gTk3.vbs
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:612
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\kFUh8z3gTk3.vbs"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:628
              • C:\Windows\SysWOW64\regini.exe
                "C:\Windows\System32\regini.exe" rad024BA.tmp
                4⤵
                  PID:1352

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Winlogon Helper DLL

          1
          T1004

          Hidden Files and Directories

          3
          T1158

          Modify Existing Service

          1
          T1031

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          4
          T1112

          Hidden Files and Directories

          3
          T1158

          Credential Access

          Discovery

          System Information Discovery

          1
          T1082

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IyQoe.bat
            Filesize

            522B

            MD5

            254160d9b9287bff589b6246f99d8eec

            SHA1

            876310cdd302898f5c8f4041037f18bacf07bcbe

            SHA256

            16e99344bda2b1338204f4e89c3c6b6a8efbb168a76ed624cba9f4d1ad3fd9a4

            SHA512

            002d0415387e60b9ef11a6e95787f03ec34c571676d7e5cafd54b6352855ca24e9099d1faa970a5cabdaa1f26620676cbb56e028cfdc54045119e0535a70444a

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\kFUh8z3gTk3.vbs
            Filesize

            348B

            MD5

            a0926bc919989b99c9e0a6b4ce4aa30e

            SHA1

            92d4f4352f8779b9b3d027ecaa3bbfc1a3490714

            SHA256

            fe2cb98959883d7523f401652fe2e60b691fb4d79cd14d7e02602df0eda8edc0

            SHA512

            2fc1533fa9a77e80f266e88ecafd9de501705f3b8ae50d4994517c0aececb8d7609fb644772e4d9b9e5fa2b6f23ccf3a9181c03217a59b90d94f002b4cf8415f

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exe
            Filesize

            59KB

            MD5

            3aa31ccc52e5f05188e5ac84f55fb06f

            SHA1

            b334aeff292fec54909810e44cfdf6d9fa6c4fb6

            SHA256

            155e963480151497924d5220e5a373e37a4298d9399e551e0694a5f2be930282

            SHA512

            4f294a1c76ad0b720791ee93c0e91ce3acc7128a30c521e106adbffe5ee9ce679533d887a2437478c2f51bafde9e2e15658165440fa4fa590d6b14ed14c3ab11

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exe
            Filesize

            59KB

            MD5

            3aa31ccc52e5f05188e5ac84f55fb06f

            SHA1

            b334aeff292fec54909810e44cfdf6d9fa6c4fb6

            SHA256

            155e963480151497924d5220e5a373e37a4298d9399e551e0694a5f2be930282

            SHA512

            4f294a1c76ad0b720791ee93c0e91ce3acc7128a30c521e106adbffe5ee9ce679533d887a2437478c2f51bafde9e2e15658165440fa4fa590d6b14ed14c3ab11

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\ucsvc.exe
            Filesize

            70KB

            MD5

            6b4f12869c822faff28fe9377531655b

            SHA1

            784fb31f33a92695e4dc6eefeaccc13086ae277f

            SHA256

            06688797d34750928fc847a12db9d2c747d97ea514b1f7d077d6620b160ac958

            SHA512

            5a65c6e30903790ed4c557ffa3ccae0c1a177b0a3b7cacade93faf84c8e7f20f410b5a710ebfd58e0e23e57addf9dc96391254db660f74618f7057204baafae3

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\wtUs15F2v7wsLSM6A1JpKC7TJMmva6R8ZjW2svISYXjH4g0CcWY3Vs94mTlnF5R3ZFYsy5MYR.exe
            Filesize

            126KB

            MD5

            aedddd810b0fbb4b5346be5a71d6b8dc

            SHA1

            91e567a984004e467c8067eb334b010531354681

            SHA256

            0fa8e108788bc2b65e9b524de5b198261f5cd1503d53f390cdb5c75a83e524ff

            SHA512

            a67786b66aab1b2ccbd19269349e5b5ca82858936b1f5ba970f851ddb750e1f87041eae5b7a014fbba516984061022726a897e28ab1b489381bc0223d4b9495a

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\wtUs15F2v7wsLSM6A1JpKC7TJMmva6R8ZjW2svISYXjH4g0CcWY3Vs94mTlnF5R3ZFYsy5MYR.exe
            Filesize

            126KB

            MD5

            aedddd810b0fbb4b5346be5a71d6b8dc

            SHA1

            91e567a984004e467c8067eb334b010531354681

            SHA256

            0fa8e108788bc2b65e9b524de5b198261f5cd1503d53f390cdb5c75a83e524ff

            SHA512

            a67786b66aab1b2ccbd19269349e5b5ca82858936b1f5ba970f851ddb750e1f87041eae5b7a014fbba516984061022726a897e28ab1b489381bc0223d4b9495a

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exe
            Filesize

            173KB

            MD5

            c3e0b61d64ccdb38323478d58beee899

            SHA1

            60a31e51017f6e1a860b0144562662672765fcee

            SHA256

            c345e50343e02438fe02fada1fea45caa2901b774f5d1bd3ab228f605b874c7c

            SHA512

            79530f1b91e6400cd02fe9e51d1b6620550a4df24604e323e755126fc527ee2e67e5278e87a4fd8e79096bb6eab398d882cef5d5524fe420db5b068ccd978dbc

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exe
            Filesize

            173KB

            MD5

            c3e0b61d64ccdb38323478d58beee899

            SHA1

            60a31e51017f6e1a860b0144562662672765fcee

            SHA256

            c345e50343e02438fe02fada1fea45caa2901b774f5d1bd3ab228f605b874c7c

            SHA512

            79530f1b91e6400cd02fe9e51d1b6620550a4df24604e323e755126fc527ee2e67e5278e87a4fd8e79096bb6eab398d882cef5d5524fe420db5b068ccd978dbc

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exe
            Filesize

            173KB

            MD5

            c3e0b61d64ccdb38323478d58beee899

            SHA1

            60a31e51017f6e1a860b0144562662672765fcee

            SHA256

            c345e50343e02438fe02fada1fea45caa2901b774f5d1bd3ab228f605b874c7c

            SHA512

            79530f1b91e6400cd02fe9e51d1b6620550a4df24604e323e755126fc527ee2e67e5278e87a4fd8e79096bb6eab398d882cef5d5524fe420db5b068ccd978dbc

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\rad024BA.tmp
            Filesize

            68B

            MD5

            036fe9e90e1573c91f9f99bcf8170df0

            SHA1

            71009f2ea2955bd48c602d9c76c35b93ba141565

            SHA256

            562c327100cf8ebbe415fa3aff9ff7c7ec8ce8c3bb680cfc0315e7d677469648

            SHA512

            ddb09e217f812527568a959695976b3c1812b0015a3600cf1bec87bd6e9a20bea50c44b72e76702e75af340bfdaa88eee386c7081952372ffab16ac2bc03a820

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\v.bat
            Filesize

            384B

            MD5

            2ec56e11d99afad1e6fba39be82df172

            SHA1

            8ace61da9bf03dfa3f05e4a2eee2311ade93040f

            SHA256

            fe08f1f73ef0636a84ff7b757a04f2f99c417b4c0d63d9da8952c4154830b929

            SHA512

            5fb85766c7ae10f5839fcdb02518caabb9cc44012ea8cc108c0c4ee78f0a04549cf4a2e0d33ce03a00748baa79f25f63e288513d869d967658fa222fbd11cc21

            Download Submit
          • C:\Users\Admin\AppData\Local\temp\WINDOWS\TEMPARCHIVE\ucsvc.exe
            Filesize

            70KB

            MD5

            6b4f12869c822faff28fe9377531655b

            SHA1

            784fb31f33a92695e4dc6eefeaccc13086ae277f

            SHA256

            06688797d34750928fc847a12db9d2c747d97ea514b1f7d077d6620b160ac958

            SHA512

            5a65c6e30903790ed4c557ffa3ccae0c1a177b0a3b7cacade93faf84c8e7f20f410b5a710ebfd58e0e23e57addf9dc96391254db660f74618f7057204baafae3

            Download Submit
          • C:\Windows\System32\drivers\etc\hosts
            Filesize

            1KB

            MD5

            01ae587c73cd331fd2da4caeca584612

            SHA1

            ee2f06eba879af91442b137c36861c131f9fbc26

            SHA256

            464da2c16792622be63fb6e5795853c24d84473080d7090948147dc1c1c27e68

            SHA512

            650e69fa28985a4fd79a530f4fd5f08ae0590160e9db25872f0d3ea50a612674c076090e9d1f8ec7335a2473fa51088577436a2ec8e702e9402f16d467fbb1e5

            Download Submit
          • \Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\taskeng.exe
            Filesize

            59KB

            MD5

            3aa31ccc52e5f05188e5ac84f55fb06f

            SHA1

            b334aeff292fec54909810e44cfdf6d9fa6c4fb6

            SHA256

            155e963480151497924d5220e5a373e37a4298d9399e551e0694a5f2be930282

            SHA512

            4f294a1c76ad0b720791ee93c0e91ce3acc7128a30c521e106adbffe5ee9ce679533d887a2437478c2f51bafde9e2e15658165440fa4fa590d6b14ed14c3ab11

            Download Submit
          • \Users\Admin\AppData\Local\Temp\WINDOWS\TEMPARCHIVE\wtUs15F2v7wsLSM6A1JpKC7TJMmva6R8ZjW2svISYXjH4g0CcWY3Vs94mTlnF5R3ZFYsy5MYR.exe
            Filesize

            126KB

            MD5

            aedddd810b0fbb4b5346be5a71d6b8dc

            SHA1

            91e567a984004e467c8067eb334b010531354681

            SHA256

            0fa8e108788bc2b65e9b524de5b198261f5cd1503d53f390cdb5c75a83e524ff

            SHA512

            a67786b66aab1b2ccbd19269349e5b5ca82858936b1f5ba970f851ddb750e1f87041eae5b7a014fbba516984061022726a897e28ab1b489381bc0223d4b9495a

            Download Submit
          • \Users\Admin\AppData\Local\Temp\WorkspaceRuntime\wksprt.exe
            Filesize

            173KB

            MD5

            c3e0b61d64ccdb38323478d58beee899

            SHA1

            60a31e51017f6e1a860b0144562662672765fcee

            SHA256

            c345e50343e02438fe02fada1fea45caa2901b774f5d1bd3ab228f605b874c7c

            SHA512

            79530f1b91e6400cd02fe9e51d1b6620550a4df24604e323e755126fc527ee2e67e5278e87a4fd8e79096bb6eab398d882cef5d5524fe420db5b068ccd978dbc

            Download Submit
          • memory/336-119-0x0000000000400000-0x000000000040C000-memory.dmp
            Filesize

            48KB

            Download
          • memory/336-116-0x000000000040749E-mapping.dmp
            Download
          • memory/336-122-0x0000000000400000-0x000000000040C000-memory.dmp
            Filesize

            48KB

            Download
          • memory/336-125-0x0000000073F30000-0x00000000744DB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/336-115-0x0000000000400000-0x000000000040C000-memory.dmp
            Filesize

            48KB

            Download
          • memory/336-124-0x0000000073F30000-0x00000000744DB000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/468-112-0x0000000001EC6000-0x0000000001EE5000-memory.dmp
            Filesize

            124KB

            Download
          • memory/468-74-0x0000000001EC6000-0x0000000001EE5000-memory.dmp
            Filesize

            124KB

            Download
          • memory/468-73-0x000007FEF2910000-0x000007FEF39A6000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/468-64-0x000007FEF39B0000-0x000007FEF43D3000-memory.dmp
            Filesize

            10.1MB

            Download
          • memory/468-60-0x0000000000000000-mapping.dmp
            Download
          • memory/520-54-0x0000000075351000-0x0000000075353000-memory.dmp
            Filesize

            8KB

            Download
          • memory/564-80-0x000007FEF2910000-0x000007FEF39A6000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/564-78-0x000007FEF39B0000-0x000007FEF43D3000-memory.dmp
            Filesize

            10.1MB

            Download
          • memory/564-82-0x0000000000AB6000-0x0000000000AD5000-memory.dmp
            Filesize

            124KB

            Download
          • memory/564-113-0x0000000000AB6000-0x0000000000AD5000-memory.dmp
            Filesize

            124KB

            Download
          • memory/564-76-0x0000000000000000-mapping.dmp
            Download
          • memory/612-65-0x0000000000000000-mapping.dmp
            Download
          • memory/628-68-0x0000000000000000-mapping.dmp
            Download
          • memory/744-105-0x0000000000000000-mapping.dmp
            Download
          • memory/760-97-0x0000000000000000-mapping.dmp
            Download
          • memory/872-99-0x0000000000000000-mapping.dmp
            Download
          • memory/1108-89-0x0000000002086000-0x00000000020A5000-memory.dmp
            Filesize

            124KB

            Download
          • memory/1108-81-0x0000000002086000-0x00000000020A5000-memory.dmp
            Filesize

            124KB

            Download
          • memory/1108-72-0x000007FEF2910000-0x000007FEF39A6000-memory.dmp
            Filesize

            16.6MB

            Download
          • memory/1108-63-0x000007FEF39B0000-0x000007FEF43D3000-memory.dmp
            Filesize

            10.1MB

            Download
          • memory/1108-56-0x0000000000000000-mapping.dmp
            Download
          • memory/1156-96-0x0000000000000000-mapping.dmp
            Download
          • memory/1196-79-0x0000000000000000-mapping.dmp
            Download
          • memory/1352-104-0x0000000000000000-mapping.dmp
            Download
          • memory/1352-70-0x0000000000000000-mapping.dmp
            Download
          • memory/1496-93-0x0000000000000000-mapping.dmp
            Download
          • memory/1504-92-0x0000000000000000-mapping.dmp
            Download
          • memory/1512-91-0x0000000000000000-mapping.dmp
            Download
          • memory/1536-100-0x0000000000000000-mapping.dmp
            Download
          • memory/1568-94-0x0000000000000000-mapping.dmp
            Download
          • memory/1572-102-0x0000000000000000-mapping.dmp
            Download
          • memory/1608-86-0x0000000000000000-mapping.dmp
            Download
          • memory/1628-108-0x0000000000000000-mapping.dmp
            Download
          • memory/1628-111-0x00000000744E0000-0x0000000074A8B000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1628-121-0x00000000744E0000-0x0000000074A8B000-memory.dmp
            Filesize

            5.7MB

            Download
          • memory/1640-95-0x0000000000000000-mapping.dmp
            Download
          • memory/1652-126-0x0000000000000000-mapping.dmp
            Download
          • memory/1680-106-0x0000000000000000-mapping.dmp
            Download
          • memory/1744-103-0x0000000000000000-mapping.dmp
            Download
          • memory/1764-88-0x0000000000000000-mapping.dmp
            Download
          • memory/1804-101-0x0000000000000000-mapping.dmp
            Download
          • memory/1820-107-0x0000000000000000-mapping.dmp
            Download
          • memory/2000-87-0x0000000000000000-mapping.dmp
            Download
          • memory/2032-84-0x0000000000000000-mapping.dmp
            Download