njrat | c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
Size

158KB
MD5

f8fb5200c192966250611f9ddbda3d50
SHA1

0c1566727d34c9403073bbb24b89bd04155864ff
SHA256

c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87
SHA512

db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351
SSDEEP

3072:X7sYnxbYIVwsOmVZNFPYuoE2Ol/uyQT2v+6:XgYxbYtu7PYPE2Ol

Score

10^/10

njrat clients evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.6.4

Botnet

Clients

nyheu3938.no-ip.biz:1199

Mutex

749e61bd02cc756ea373bd81808cdf08

Attributes

reg_key
749e61bd02cc756ea373bd81808cdf08
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 5 IoCs

Processes:

AppMgmt.exenotepad.exenotepad.exehkmsvc.exehkmsvc.exe

pid process

892 AppMgmt.exe
772 notepad.exe
2044 notepad.exe
1060 hkmsvc.exe
628 hkmsvc.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

2000 netsh.exe

pid	process
892	AppMgmt.exe
772	notepad.exe
2044	notepad.exe
1060	hkmsvc.exe
628	hkmsvc.exe

pid	process
2000	netsh.exe

Drops startup file 2 IoCs

Processes:

notepad.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\749e61bd02cc756ea373bd81808cdf08.exe	notepad.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\749e61bd02cc756ea373bd81808cdf08.exe	notepad.exe

Loads dropped DLL 3 IoCs

Processes:

c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exec2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exeAppMgmt.exe

pid	process
1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
1864	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
892	AppMgmt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

notepad.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\749e61bd02cc756ea373bd81808cdf08 = "\"C:\\Users\\Admin\\AppData\\Roaming\\notepad.exe\" .."	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\749e61bd02cc756ea373bd81808cdf08 = "\"C:\\Users\\Admin\\AppData\\Roaming\\notepad.exe\" .."	notepad.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exenotepad.exehkmsvc.exe

description	pid	process	target process
PID 1444 set thread context of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 772 set thread context of 2044	772	notepad.exe	notepad.exe
PID 1060 set thread context of 628	1060	hkmsvc.exe	hkmsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exeAppMgmt.exenotepad.exehkmsvc.exe

pid	process
1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
892	AppMgmt.exe
772	notepad.exe
892	AppMgmt.exe
772	notepad.exe
772	notepad.exe
892	AppMgmt.exe
772	notepad.exe
892	AppMgmt.exe
772	notepad.exe
892	AppMgmt.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe
892	AppMgmt.exe
1060	hkmsvc.exe
772	notepad.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exenotepad.exeAppMgmt.exehkmsvc.exenotepad.exe

description	pid	process
Token: SeDebugPrivilege	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
Token: SeDebugPrivilege	772	notepad.exe
Token: SeDebugPrivilege	892	AppMgmt.exe
Token: SeDebugPrivilege	1060	hkmsvc.exe
Token: SeDebugPrivilege	2044	notepad.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exec2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exenotepad.exeAppMgmt.exehkmsvc.exenotepad.exe

description	pid	process	target process
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 1864	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
PID 1444 wrote to memory of 892	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	AppMgmt.exe
PID 1444 wrote to memory of 892	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	AppMgmt.exe
PID 1444 wrote to memory of 892	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	AppMgmt.exe
PID 1444 wrote to memory of 892	1444	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	AppMgmt.exe
PID 1864 wrote to memory of 772	1864	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	notepad.exe
PID 1864 wrote to memory of 772	1864	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	notepad.exe
PID 1864 wrote to memory of 772	1864	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	notepad.exe
PID 1864 wrote to memory of 772	1864	c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 772 wrote to memory of 2044	772	notepad.exe	notepad.exe
PID 892 wrote to memory of 1060	892	AppMgmt.exe	hkmsvc.exe
PID 892 wrote to memory of 1060	892	AppMgmt.exe	hkmsvc.exe
PID 892 wrote to memory of 1060	892	AppMgmt.exe	hkmsvc.exe
PID 892 wrote to memory of 1060	892	AppMgmt.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 1060 wrote to memory of 628	1060	hkmsvc.exe	hkmsvc.exe
PID 2044 wrote to memory of 2000	2044	notepad.exe	netsh.exe
PID 2044 wrote to memory of 2000	2044	notepad.exe	netsh.exe
PID 2044 wrote to memory of 2000	2044	notepad.exe	netsh.exe
PID 2044 wrote to memory of 2000	2044	notepad.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
"C:\Users\Admin\AppData\Local\Temp\c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe
"C:\Users\Admin\AppData\Local\Temp\c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Roaming\notepad.exe
"C:\Users\Admin\AppData\Roaming\notepad.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Roaming\notepad.exe
"C:\Users\Admin\AppData\Roaming\notepad.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\notepad.exe" "notepad.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2000

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe"
4⤵
- Executes dropped EXE
PID:628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
d9545d0b3e923742216f06c0b026d770

SHA1
144bda18c45a70471978cbeb9b7e7915efd22b31

SHA256
69404f1a879a594baf3bf02e4bc51d96984f466580be3f7bc65c69b7b1286bef

SHA512
488d7c735a45fd057d724723e6efbd03496afaab32915ace9b35b1655b929bb997ffa178a15d5e9825ab4003a3bedd0c18397a7f5bcdc20f318ed9f3370f87f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
d9545d0b3e923742216f06c0b026d770

SHA1
144bda18c45a70471978cbeb9b7e7915efd22b31

SHA256
69404f1a879a594baf3bf02e4bc51d96984f466580be3f7bc65c69b7b1286bef

SHA512
488d7c735a45fd057d724723e6efbd03496afaab32915ace9b35b1655b929bb997ffa178a15d5e9825ab4003a3bedd0c18397a7f5bcdc20f318ed9f3370f87f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
C:\Users\Admin\AppData\Roaming\notepad.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
C:\Users\Admin\AppData\Roaming\notepad.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
C:\Users\Admin\AppData\Roaming\notepad.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\AppMgmt.exe
Filesize
11KB

MD5
d9545d0b3e923742216f06c0b026d770

SHA1
144bda18c45a70471978cbeb9b7e7915efd22b31

SHA256
69404f1a879a594baf3bf02e4bc51d96984f466580be3f7bc65c69b7b1286bef

SHA512
488d7c735a45fd057d724723e6efbd03496afaab32915ace9b35b1655b929bb997ffa178a15d5e9825ab4003a3bedd0c18397a7f5bcdc20f318ed9f3370f87f2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\hkmsvc.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
\Users\Admin\AppData\Roaming\notepad.exe
Filesize
158KB

MD5
f8fb5200c192966250611f9ddbda3d50

SHA1
0c1566727d34c9403073bbb24b89bd04155864ff

SHA256
c2d029be62759c1e0016130491c4961acb6895938b0d6df6d1086a407d36aa87

SHA512
db55e806b3a4f46f203677e5897833966122ec7d6a12a22c15e061e2a54aa46d3953641e3cee7ce113be1e61c0ca7dbec630a2bd2ac2c3ace37bbedc12df2351

Download Submit
memory/628-121-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/628-114-0x0000000000408B0E-mapping.dmp

Download
memory/772-73-0x0000000000000000-mapping.dmp

Download
memory/772-124-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/772-82-0x00000000004F0000-0x0000000000503000-memory.dmp

Filesize
76KB

Download
memory/772-81-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/892-85-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/892-71-0x0000000000000000-mapping.dmp

Download
memory/892-125-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1060-105-0x0000000000740000-0x0000000000753000-memory.dmp

Filesize
76KB

Download
memory/1060-102-0x0000000000000000-mapping.dmp

Download
memory/1060-127-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1060-107-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-84-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-55-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-56-0x000000000053F000-0x0000000000552000-memory.dmp

Filesize
76KB

Download
memory/1444-57-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1864-58-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1864-66-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1864-61-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1864-63-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1864-83-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1864-64-0x0000000000408B0E-mapping.dmp

Download
memory/1864-59-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1864-75-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1864-68-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1864-62-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2000-122-0x0000000000000000-mapping.dmp

Download
memory/2044-93-0x0000000000408B0E-mapping.dmp

Download
memory/2044-126-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-106-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download