njrat | f434f44ae7c461b9f88f955cc0977cbf0ae163267b38b5e6ad7989dbcc2d5047

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MoonHub.exe
Size

55KB
MD5

d33c25da94cb95d1e34f9d22cfd51f99
SHA1

b0e82ba0f916dd2e104e612c9a5dc73a96a7b2e1
SHA256

f434f44ae7c461b9f88f955cc0977cbf0ae163267b38b5e6ad7989dbcc2d5047
SHA512

460d29f349edf87720b4841bbbd5f8c9b63c81b11d893b9625622ef5912e1f6ded6c85fbe2ed670a31788df9eb4c1d149994cc14f23413d62023e51a2b30e5e1
SSDEEP

1536:V/pMDnE4uNRty4XzPhhDVwsNMDHXExI3pm+m:rMDnlYk4XdhDVwsNMDHXExI3pm

Score

10^/10

njrat nigger discovery evasion execution persistence trojan

Malware Config

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

nigger

2.tcp.eu.ngrok.io:13018

Mutex

49a48a7812fddb0d43bb9f70f2221a57

Attributes

reg_key
49a48a7812fddb0d43bb9f70f2221a57
splitter
Y262SUCZ4UJJ

Signatures

Njrat family
njrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\49a48a7812fddb0d43bb9f70f2221a57.exe	MoonHub.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\49a48a7812fddb0d43bb9f70f2221a57.exe	MoonHub.exe

Executes dropped EXE 2 IoCs

pid	Process
2640	MoonHub.exe
1648	MoonHub.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49a48a7812fddb0d43bb9f70f2221a57 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MoonHub.exe\" .."	MoonHub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\49a48a7812fddb0d43bb9f70f2221a57 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\MoonHub.exe\" .."	MoonHub.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1940	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
19	2.tcp.eu.ngrok.io
53	2.tcp.eu.ngrok.io
69	2.tcp.eu.ngrok.io

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4168	sc.exe
2676	sc.exe
3500	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoonHub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoonHub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MoonHub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1568	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe
4068	MoonHub.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4068	MoonHub.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	4068	MoonHub.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: SeDebugPrivilege	2640	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: SeDebugPrivilege	1648	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe
Token: 33	4068	MoonHub.exe
Token: SeIncBasePriorityPrivilege	4068	MoonHub.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 428	4068	MoonHub.exe	91
PID 4068 wrote to memory of 428	4068	MoonHub.exe	91
PID 4068 wrote to memory of 428	4068	MoonHub.exe	91
PID 4068 wrote to memory of 3280	4068	MoonHub.exe	93
PID 4068 wrote to memory of 3280	4068	MoonHub.exe	93
PID 4068 wrote to memory of 3280	4068	MoonHub.exe	93
PID 3280 wrote to memory of 1940	3280	cmd.exe	95
PID 3280 wrote to memory of 1940	3280	cmd.exe	95
PID 3280 wrote to memory of 1940	3280	cmd.exe	95
PID 4068 wrote to memory of 2260	4068	MoonHub.exe	101
PID 4068 wrote to memory of 2260	4068	MoonHub.exe	101
PID 4068 wrote to memory of 2260	4068	MoonHub.exe	101
PID 2260 wrote to memory of 4168	2260	cmd.exe	103
PID 2260 wrote to memory of 4168	2260	cmd.exe	103
PID 2260 wrote to memory of 4168	2260	cmd.exe	103
PID 4068 wrote to memory of 2436	4068	MoonHub.exe	104
PID 4068 wrote to memory of 2436	4068	MoonHub.exe	104
PID 4068 wrote to memory of 2436	4068	MoonHub.exe	104
PID 2436 wrote to memory of 2676	2436	cmd.exe	106
PID 2436 wrote to memory of 2676	2436	cmd.exe	106
PID 2436 wrote to memory of 2676	2436	cmd.exe	106
PID 4068 wrote to memory of 2972	4068	MoonHub.exe	107
PID 4068 wrote to memory of 2972	4068	MoonHub.exe	107
PID 4068 wrote to memory of 2972	4068	MoonHub.exe	107
PID 2972 wrote to memory of 3500	2972	cmd.exe	109
PID 2972 wrote to memory of 3500	2972	cmd.exe	109
PID 2972 wrote to memory of 3500	2972	cmd.exe	109
PID 4068 wrote to memory of 1928	4068	MoonHub.exe	110
PID 4068 wrote to memory of 1928	4068	MoonHub.exe	110
PID 4068 wrote to memory of 1928	4068	MoonHub.exe	110
PID 4068 wrote to memory of 4180	4068	MoonHub.exe	112
PID 4068 wrote to memory of 4180	4068	MoonHub.exe	112
PID 4068 wrote to memory of 4180	4068	MoonHub.exe	112
PID 4068 wrote to memory of 2028	4068	MoonHub.exe	114
PID 4068 wrote to memory of 2028	4068	MoonHub.exe	114
PID 4068 wrote to memory of 2028	4068	MoonHub.exe	114
PID 2028 wrote to memory of 1568	2028	cmd.exe	116
PID 2028 wrote to memory of 1568	2028	cmd.exe	116
PID 2028 wrote to memory of 1568	2028	cmd.exe	116

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
428	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
"C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\attrib.exe
  attrib +h "C:\Users\Admin\AppData\Local\Temp\MoonHub.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:428
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3280
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc query windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\sc.exe
    sc query windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:4168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc stop windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\sc.exe
    sc stop windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  cmd /c sc delete windefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\sc.exe
    sc delete windefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:3500
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /delete /tn CleanSweepCheck /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1568

C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
C:\Users\Admin\AppData\Local\Temp\MoonHub.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\MoonHub.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MoonHub.exe

Filesize
55KB

MD5
d33c25da94cb95d1e34f9d22cfd51f99

SHA1
b0e82ba0f916dd2e104e612c9a5dc73a96a7b2e1

SHA256
f434f44ae7c461b9f88f955cc0977cbf0ae163267b38b5e6ad7989dbcc2d5047

SHA512
460d29f349edf87720b4841bbbd5f8c9b63c81b11d893b9625622ef5912e1f6ded6c85fbe2ed670a31788df9eb4c1d149994cc14f23413d62023e51a2b30e5e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bgtj4n0w.lbb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1940-37-0x0000000007610000-0x000000000762E000-memory.dmp

Filesize
120KB

Download
memory/1940-10-0x0000000005DB0000-0x0000000005E16000-memory.dmp

Filesize
408KB

Download
memory/1940-52-0x0000000072D70000-0x0000000073520000-memory.dmp

Filesize
7.7MB

Download
memory/1940-26-0x000000006F1F0000-0x000000006F23C000-memory.dmp

Filesize
304KB

Download
memory/1940-7-0x0000000005680000-0x0000000005CA8000-memory.dmp

Filesize
6.2MB

Download
memory/1940-8-0x0000000072D70000-0x0000000073520000-memory.dmp

Filesize
7.7MB

Download
memory/1940-9-0x00000000055A0000-0x00000000055C2000-memory.dmp

Filesize
136KB

Download
memory/1940-25-0x0000000006A20000-0x0000000006A52000-memory.dmp

Filesize
200KB

Download
memory/1940-11-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/1940-3-0x0000000072D7E000-0x0000000072D7F000-memory.dmp

Filesize
4KB

Download
memory/1940-21-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/1940-49-0x0000000007AA0000-0x0000000007AA8000-memory.dmp

Filesize
32KB

Download
memory/1940-23-0x0000000006450000-0x000000000646E000-memory.dmp

Filesize
120KB

Download
memory/1940-38-0x0000000007640000-0x00000000076E3000-memory.dmp

Filesize
652KB

Download
memory/1940-36-0x0000000072D70000-0x0000000073520000-memory.dmp

Filesize
7.7MB

Download
memory/1940-48-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

Filesize
104KB

Download
memory/1940-47-0x00000000079C0000-0x00000000079D4000-memory.dmp

Filesize
80KB

Download
memory/1940-5-0x0000000004EC0000-0x0000000004EF6000-memory.dmp

Filesize
216KB

Download
memory/1940-24-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/1940-39-0x0000000072D70000-0x0000000073520000-memory.dmp

Filesize
7.7MB

Download
memory/1940-40-0x0000000072D70000-0x0000000073520000-memory.dmp

Filesize
7.7MB

Download
memory/1940-41-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/1940-42-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/1940-43-0x00000000077F0000-0x00000000077FA000-memory.dmp

Filesize
40KB

Download
memory/1940-44-0x0000000007A00000-0x0000000007A96000-memory.dmp

Filesize
600KB

Download
memory/1940-45-0x0000000007980000-0x0000000007991000-memory.dmp

Filesize
68KB

Download
memory/1940-46-0x00000000079B0000-0x00000000079BE000-memory.dmp

Filesize
56KB

Download
memory/4068-4-0x0000000074FD2000-0x0000000074FD3000-memory.dmp

Filesize
4KB

Download
memory/4068-0-0x0000000074FD2000-0x0000000074FD3000-memory.dmp

Filesize
4KB

Download
memory/4068-22-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4068-6-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4068-2-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download
memory/4068-1-0x0000000074FD0000-0x0000000075581000-memory.dmp

Filesize
5.7MB

Download