njrat | 4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414

Analysis

max time kernel
238s
max time network
312s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
21/03/2025, 20:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Payload1234.exe
Size

54KB
MD5

036b3d9a4d952a24395e7bb611c343fc
SHA1

c22e1bd6a08cb355af0916d071c1bca492b71948
SHA256

4f04da82187c751bef7418649b8581ae26258687eb437293bc1580339de7a414
SHA512

2a0e6508fba8adec93929db094e664b252cfa635694a7d2e72c4b7d3ba2be6d30c37e5de17559dd728fdeda27fd5f843247a197339255b1d2c178dea34c6652b
SSDEEP

768:GmAQsCB2EsltNnVpladJr3N8JSNGExWQG35bmaePD5Pv42XXJdxIEpmJg:GmJtGtNnpabrmGGWWQcGD/X3xIEpmJg

Score

10^/10

njrat discovery trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 6 IoCs

pid	Process
4972	8481586ac3154205a28789fa081eecec.exe
3920	1838934f547a46d59358777502ee0869.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
4972	8481586ac3154205a28789fa081eecec.exe
3920	1838934f547a46d59358777502ee0869.exe
5688	327c3354907e434fab7ec2c51f52e736.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	WScript.exe
File opened (read-only)	\??\S:	WScript.exe
File opened (read-only)	\??\E:	WScript.exe
File opened (read-only)	\??\H:	WScript.exe
File opened (read-only)	\??\J:	WScript.exe
File opened (read-only)	\??\K:	WScript.exe
File opened (read-only)	\??\L:	WScript.exe
File opened (read-only)	\??\P:	WScript.exe
File opened (read-only)	\??\V:	WScript.exe
File opened (read-only)	\??\X:	WScript.exe
File opened (read-only)	\??\G:	WScript.exe
File opened (read-only)	\??\I:	WScript.exe
File opened (read-only)	\??\M:	WScript.exe
File opened (read-only)	\??\T:	WScript.exe
File opened (read-only)	\??\U:	WScript.exe
File opened (read-only)	\??\Y:	WScript.exe
File opened (read-only)	\??\Z:	WScript.exe
File opened (read-only)	\??\A:	WScript.exe
File opened (read-only)	\??\B:	WScript.exe
File opened (read-only)	\??\O:	WScript.exe
File opened (read-only)	\??\Q:	WScript.exe
File opened (read-only)	\??\R:	WScript.exe
File opened (read-only)	\??\W:	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8481586ac3154205a28789fa081eecec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1838934f547a46d59358777502ee0869.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	8481586ac3154205a28789fa081eecec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{1A0DD078-DB5B-48CF-9717-10C9AAE8EF31}	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe
5688	327c3354907e434fab7ec2c51f52e736.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5808	Payload1234.exe
5808	Payload1234.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: SeShutdownPrivilege	5324	WScript.exe
Token: SeCreatePagefilePrivilege	5324	WScript.exe
Token: 33	432	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	432	AUDIODG.EXE
Token: SeShutdownPrivilege	5324	WScript.exe
Token: SeCreatePagefilePrivilege	5324	WScript.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: SeDebugPrivilege	5688	327c3354907e434fab7ec2c51f52e736.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe
Token: 33	5808	Payload1234.exe
Token: SeIncBasePriorityPrivilege	5808	Payload1234.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 5808 wrote to memory of 4972	5808	Payload1234.exe	79
PID 5808 wrote to memory of 4972	5808	Payload1234.exe	79
PID 5808 wrote to memory of 4972	5808	Payload1234.exe	79
PID 4972 wrote to memory of 5324	4972	8481586ac3154205a28789fa081eecec.exe	80
PID 4972 wrote to memory of 5324	4972	8481586ac3154205a28789fa081eecec.exe	80
PID 4972 wrote to memory of 5324	4972	8481586ac3154205a28789fa081eecec.exe	80
PID 5808 wrote to memory of 3920	5808	Payload1234.exe	83
PID 5808 wrote to memory of 3920	5808	Payload1234.exe	83
PID 5808 wrote to memory of 3920	5808	Payload1234.exe	83
PID 5808 wrote to memory of 5688	5808	Payload1234.exe	84
PID 5808 wrote to memory of 5688	5808	Payload1234.exe	84
PID 5808 wrote to memory of 4972	5808	Payload1234.exe	79
PID 5808 wrote to memory of 4972	5808	Payload1234.exe	79
PID 5808 wrote to memory of 4972	5808	Payload1234.exe	79
PID 4972 wrote to memory of 5324	4972	8481586ac3154205a28789fa081eecec.exe	80
PID 4972 wrote to memory of 5324	4972	8481586ac3154205a28789fa081eecec.exe	80
PID 4972 wrote to memory of 5324	4972	8481586ac3154205a28789fa081eecec.exe	80
PID 5808 wrote to memory of 3920	5808	Payload1234.exe	83
PID 5808 wrote to memory of 3920	5808	Payload1234.exe	83
PID 5808 wrote to memory of 3920	5808	Payload1234.exe	83
PID 5808 wrote to memory of 5688	5808	Payload1234.exe	84
PID 5808 wrote to memory of 5688	5808	Payload1234.exe	84

C:\Users\Admin\AppData\Local\Temp\Payload1234.exe
"C:\Users\Admin\AppData\Local\Temp\Payload1234.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5808
- C:\Users\Admin\AppData\Local\Temp\8481586ac3154205a28789fa081eecec.exe
  "C:\Users\Admin\AppData\Local\Temp\8481586ac3154205a28789fa081eecec.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
- C:\Users\Admin\AppData\Local\Temp\1838934f547a46d59358777502ee0869.exe
  "C:\Users\Admin\AppData\Local\Temp\1838934f547a46d59358777502ee0869.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3920
- C:\Users\Admin\AppData\Local\Temp\327c3354907e434fab7ec2c51f52e736.exe
  "C:\Users\Admin\AppData\Local\Temp\327c3354907e434fab7ec2c51f52e736.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
d187ddbf1a826977cc10dec5f16d867b

SHA1
5ea0b1bcb078e470e02f0c7493f5d059c4db9a83

SHA256
ee8ac257b091ecb17f7a908d86664609a5f98f3201bb767ca149a854b405f309

SHA512
0b0a26649f8fb5450398a2731e08ebc6bfd3e01d0677acb58d078aed1fdf69a0a7a7b026012608ce08a1f29f4e435b0474ed394d97b6f3353b05c3294b33f146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1838934f547a46d59358777502ee0869.exe

Filesize
360KB

MD5
2f0c1f93f38047e74921bfd00599c37a

SHA1
a052301f981f4ab4c8667b543e16bd407e23348b

SHA256
70d56bc08d401f0903a9421fa2434a82df7e72d30774fa21a51b822148c51cce

SHA512
fc962d66fd5d0ae865ad53bd5d914789e83304b1fb2cef3bbe32630ad0680a34faf580a8e10e646329a169e31cf98e1d42e02ab5a88cc333fa57f65779e1fc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\327c3354907e434fab7ec2c51f52e736.exe

Filesize
16KB

MD5
683bcb1f86f4410931abe39a63eb7057

SHA1
d338aac5ff479fc94d3c840e862665de1dac8c8f

SHA256
c9f03a39789f7322ae43604db6ce7da86765ad4b13207091683cf47bdea8de12

SHA512
60b596947d93fdb196fcf338af92d26cdd82396283316352ead078ce1a85943bb85264901318f7061e6b0e49058ace521831a9275c025526373d9168c757cdd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8481586ac3154205a28789fa081eecec.exe

Filesize
418KB

MD5
0176aa2a2823bfdd677c59c4a044face

SHA1
f7464fce6ca9db13050290818b219cc031ed9ce6

SHA256
0bf4a5582d0cf1a117e7be96e62a7293a58f0f6548ac558cdce41e981f4f7cfa

SHA512
e3e4a4c37ee1febaebfd489bdb45b2da229fdc103d808c5b7310c6683ecd491258cd806e0ba8ba918e8633c65023f35c87122e72422deb0028e0f03dc11b2d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\play.vbs

Filesize
234B

MD5
448d64b7e2c09496500e077a00882dc6

SHA1
4796fb338dc81d16606ed76f63075b4fef8e051d

SHA256
b894b20027e433c8abe00659b972519d2e4166206de2cbc74cf41567581a099d

SHA512
c2160b4317670acea1cc9b5ba4a447ca1f95370eb119aa2299e2d3dad13d0aee1fd55ee4695b2883f2ce00339db88ec80cb0f104fb9fda8811bb3bd29afc25f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\pod.mp3

Filesize
100KB

MD5
a343ce0b977a91b39bbb4e357c5c0ff2

SHA1
e64167368927542a591399b3d97a7ade15a97a78

SHA256
2ca0d1e6f1ae8f36f1a00baeb18d97f0f2c0fdecd941be2abc147896e0554a42

SHA512
098cb874f636b79561a885cf31cb837278fd940e1a4824512e5eb3566dba3973c13f537017336c37019aa99a8d9751dca65fbfab838a0db877f4d72b8f5588a0

Download Submit
memory/3920-91-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-92-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-92-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-90-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-71-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-76-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-91-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-72-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-90-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3920-70-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/5324-36-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-34-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-37-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-38-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-34-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-51-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-37-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-38-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-35-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-35-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-36-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-33-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-33-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5324-51-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/5688-87-0x000000001C280000-0x000000001C31C000-memory.dmp

Filesize
624KB

Download
memory/5688-85-0x000000001B790000-0x000000001B836000-memory.dmp

Filesize
664KB

Download
memory/5688-89-0x000000001C4E0000-0x000000001C52C000-memory.dmp

Filesize
304KB

Download
memory/5688-88-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/5688-86-0x000000001BD10000-0x000000001C1DE000-memory.dmp

Filesize
4.8MB

Download
memory/5688-87-0x000000001C280000-0x000000001C31C000-memory.dmp

Filesize
624KB

Download
memory/5688-86-0x000000001BD10000-0x000000001C1DE000-memory.dmp

Filesize
4.8MB

Download
memory/5688-85-0x000000001B790000-0x000000001B836000-memory.dmp

Filesize
664KB

Download
memory/5688-89-0x000000001C4E0000-0x000000001C52C000-memory.dmp

Filesize
304KB

Download
memory/5688-88-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/5808-5-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-2-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-0-0x0000000075051000-0x0000000075052000-memory.dmp

Filesize
4KB

Download
memory/5808-6-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-5-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-3-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-2-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-6-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-0-0x0000000075051000-0x0000000075052000-memory.dmp

Filesize
4KB

Download
memory/5808-1-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-4-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-3-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-4-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download
memory/5808-1-0x0000000075050000-0x0000000075601000-memory.dmp

Filesize
5.7MB

Download