njrat | 3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-03-2023 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

4.6MB
MD5

7e8ba9fb61fa408145919b871075e1c9
SHA1

d166c427649f37085719c0591fb0b8da077dc0db
SHA256

3577afb909325c2982c63bc78b6f888fa3e68ae29ca2c788afbb95bcd04feeaa
SHA512

3be86970072d578cda053b4823075f5e3ec9600b16cb6073e4c0cb0b248547fb152521aedad2fbcdfdd6fac5cb3214e0ac2bd62337c702a07f4ae440ce6d80cf
SSDEEP

49152:Op+gbAnNQKwjVqrtjMAg5myuPvD3ZOYWrKvn+V3peuTTpGT3s/Z4N+CKsoY0r:8

Score

10^/10

njrat hacked agilenet persistence trojan

Malware Config

Extracted

Family

njrat

Version

v2.0

Botnet

HacKed

vesperiskindagoated.hopto.org:5552

Mutex

WSecurityKey

Attributes

reg_key
WSecurityKey
splitter
|-F-|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Drops startup file 5 IoCs

Processes:

paylod.exePayload.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk	paylod.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk	Payload.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe	Payload.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe	attrib.exe

Executes dropped EXE 3 IoCs

Processes:

paylod.exeMercurial.exePayload.exe

pid process

780 paylod.exe
688 Mercurial.exe
1112 Payload.exe
Loads dropped DLL 5 IoCs

Processes:

sample.exepaylod.exe

pid process

924 sample.exe
924 sample.exe
924 sample.exe
780 paylod.exe
780 paylod.exe

pid	process
780	paylod.exe
688	Mercurial.exe
1112	Payload.exe

pid	process
924	sample.exe
924	sample.exe
924	sample.exe
780	paylod.exe
780	paylod.exe

Obfuscated with Agile.Net obfuscator 12 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/688-76-0x00000000003D0000-0x00000000003EC000-memory.dmp	agile_net
behavioral1/memory/688-77-0x00000000003F0000-0x0000000000410000-memory.dmp	agile_net
behavioral1/memory/688-78-0x00000000005C0000-0x00000000005E0000-memory.dmp	agile_net
behavioral1/memory/688-79-0x0000000004BF0000-0x0000000004C30000-memory.dmp	agile_net
behavioral1/memory/688-80-0x00000000005E0000-0x00000000005F0000-memory.dmp	agile_net
behavioral1/memory/688-81-0x0000000000680000-0x0000000000694000-memory.dmp	agile_net
behavioral1/memory/688-82-0x0000000002270000-0x00000000022DE000-memory.dmp	agile_net
behavioral1/memory/688-83-0x0000000000960000-0x000000000097E000-memory.dmp	agile_net
behavioral1/memory/688-84-0x00000000043E0000-0x0000000004416000-memory.dmp	agile_net
behavioral1/memory/688-85-0x0000000004470000-0x000000000447E000-memory.dmp	agile_net
behavioral1/memory/688-86-0x0000000004480000-0x000000000448E000-memory.dmp	agile_net
behavioral1/memory/688-87-0x0000000004F10000-0x000000000505A000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

paylod.exePayload.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Payload.exe"	paylod.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WSecurityKey = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\WSecurityKey.URL"	Payload.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Mercurial.exe

pid process

688 Mercurial.exe
688 Mercurial.exe
688 Mercurial.exe
688 Mercurial.exe
688 Mercurial.exe
688 Mercurial.exe
688 Mercurial.exe
688 Mercurial.exe

pid	process
688	Mercurial.exe
688	Mercurial.exe
688	Mercurial.exe
688	Mercurial.exe
688	Mercurial.exe
688	Mercurial.exe
688	Mercurial.exe
688	Mercurial.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

Mercurial.exePayload.exe

description	pid	process
Token: SeDebugPrivilege	688	Mercurial.exe
Token: SeDebugPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe
Token: 33	1112	Payload.exe
Token: SeIncBasePriorityPrivilege	1112	Payload.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

sample.exepaylod.exePayload.exe

description	pid	process	target process
PID 924 wrote to memory of 780	924	sample.exe	paylod.exe
PID 924 wrote to memory of 780	924	sample.exe	paylod.exe
PID 924 wrote to memory of 780	924	sample.exe	paylod.exe
PID 924 wrote to memory of 780	924	sample.exe	paylod.exe
PID 924 wrote to memory of 688	924	sample.exe	Mercurial.exe
PID 924 wrote to memory of 688	924	sample.exe	Mercurial.exe
PID 924 wrote to memory of 688	924	sample.exe	Mercurial.exe
PID 924 wrote to memory of 688	924	sample.exe	Mercurial.exe
PID 780 wrote to memory of 1112	780	paylod.exe	Payload.exe
PID 780 wrote to memory of 1112	780	paylod.exe	Payload.exe
PID 780 wrote to memory of 1112	780	paylod.exe	Payload.exe
PID 780 wrote to memory of 1112	780	paylod.exe	Payload.exe
PID 780 wrote to memory of 1064	780	paylod.exe	attrib.exe
PID 780 wrote to memory of 1064	780	paylod.exe	attrib.exe
PID 780 wrote to memory of 1064	780	paylod.exe	attrib.exe
PID 780 wrote to memory of 1064	780	paylod.exe	attrib.exe
PID 1112 wrote to memory of 752	1112	Payload.exe	attrib.exe
PID 1112 wrote to memory of 752	1112	Payload.exe	attrib.exe
PID 1112 wrote to memory of 752	1112	Payload.exe	attrib.exe
PID 1112 wrote to memory of 752	1112	Payload.exe	attrib.exe
PID 1112 wrote to memory of 1236	1112	Payload.exe	attrib.exe
PID 1112 wrote to memory of 1236	1112	Payload.exe	attrib.exe
PID 1112 wrote to memory of 1236	1112	Payload.exe	attrib.exe
PID 1112 wrote to memory of 1236	1112	Payload.exe	attrib.exe

Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exe

pid process

1064 attrib.exe
752 attrib.exe
1236 attrib.exe

pid	process
1064	attrib.exe
752	attrib.exe
1236	attrib.exe

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:924

C:\Users\Admin\AppData\Local\Temp\paylod.exe
"C:\Users\Admin\AppData\Local\Temp\paylod.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Roaming\Payload.exe
"C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe"
4⤵
- Drops startup file
- Views/modifies file attributes
PID:752

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.exe"
4⤵
- Views/modifies file attributes
PID:1236

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Payload.exe"
3⤵
- Views/modifies file attributes
PID:1064

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
"C:\Users\Admin\AppData\Local\Temp\Mercurial.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WSecurityKey.lnk
Filesize
1KB

MD5
1b1cb327e9904967b7bdb8e1d988cf8a

SHA1
a48b02dc1ef55d592772d05a2ff5ade1a522ea9b

SHA256
8826549ce42181fb7a05759da14509caf2d84cb449f069e286d69381dfd22320

SHA512
fdad1e495d6130e2d91a738ed145f413f0fd5a053ea1cd345f48718e951c0196a772f481c17f5e17f0b05a87115faa16d7bf7795cf9b180374ff27c0944432fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\WSecurityKey.lnk
Filesize
1KB

MD5
01751f808bc17e687be639e39dd3e9f5

SHA1
a307030d8ec4bd46661a04bc9c12e549f3f88f1b

SHA256
311e6f4e3832052fb5fdd981e438aed8d2c40ead581878402a680ce4096ccc6d

SHA512
487d43dca7998eeabca4efa89ddd774b1e3430ed73e5b6f5403dc4ee4dd3c113d20e74ea7173f85555f46e3fb4fc73f83d4c7939537603bc2944ccb4ca176a3d

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
\Users\Admin\AppData\Local\Temp\Mercurial.exe
Filesize
3.2MB

MD5
a9477b3e21018b96fc5d2264d4016e65

SHA1
493fa8da8bf89ea773aeb282215f78219a5401b7

SHA256
890fd59af3370e2ce12e0d11916d1ad4ee9b9c267c434347dbed11e9572e8645

SHA512
66529a656865400fe37d40ae125a1d057f8be5aa17da80d367ebbe1a9dcea38f5174870d0dc5b56771f6ca5a13e2fad22d803f5357f3ef59a46e3bdf0cc5ee9c

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
\Users\Admin\AppData\Local\Temp\paylod.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
\Users\Admin\AppData\Roaming\Payload.exe
Filesize
26KB

MD5
43bcd1fc21d211f63d3bc96d870a3a81

SHA1
edeb0193808d4fe309cbd5e2c8a7e61d5b2e5c40

SHA256
fc3f42e235d5338bd7b45b834c16f26345ad57a530e485b8f8dd3fafe78951dd

SHA512
4dd20fbb7b91d1f2abed8721cb439fcda075ee079964e4f0dafbb6b62dc2ab87736e01d63b86efc62e5f74a42db648ed7be3a6540048f6791402a4b12a7ed942

Download Submit
memory/688-75-0x00000000009A0000-0x0000000000CDA000-memory.dmp

Filesize
3.2MB

Download
memory/688-80-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/688-82-0x0000000002270000-0x00000000022DE000-memory.dmp

Filesize
440KB

Download
memory/688-83-0x0000000000960000-0x000000000097E000-memory.dmp

Filesize
120KB

Download
memory/688-84-0x00000000043E0000-0x0000000004416000-memory.dmp

Filesize
216KB

Download
memory/688-85-0x0000000004470000-0x000000000447E000-memory.dmp

Filesize
56KB

Download
memory/688-86-0x0000000004480000-0x000000000448E000-memory.dmp

Filesize
56KB

Download
memory/688-87-0x0000000004F10000-0x000000000505A000-memory.dmp

Filesize
1.3MB

Download
memory/688-88-0x0000000005310000-0x0000000005426000-memory.dmp

Filesize
1.1MB

Download
memory/688-89-0x00000000044A0000-0x00000000044D0000-memory.dmp

Filesize
192KB

Download
memory/688-90-0x0000000005140000-0x0000000005148000-memory.dmp

Filesize
32KB

Download
memory/688-91-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-92-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-81-0x0000000000680000-0x0000000000694000-memory.dmp

Filesize
80KB

Download
memory/688-79-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-78-0x00000000005C0000-0x00000000005E0000-memory.dmp

Filesize
128KB

Download
memory/688-77-0x00000000003F0000-0x0000000000410000-memory.dmp

Filesize
128KB

Download
memory/688-76-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/688-114-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-107-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-108-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-109-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-113-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/688-112-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/780-72-0x0000000000230000-0x0000000000270000-memory.dmp

Filesize
256KB

Download
memory/924-70-0x0000000002140000-0x0000000002180000-memory.dmp

Filesize
256KB

Download