Overview

overview

10

Static

static

3

sqlmap GUI v.2.0.exe

windows10-ltsc 2021-x64

10

sqlmap GUI v.2.0.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250128-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    30-01-2025 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sqlmap GUI v.2.0.exe

  • Size

    2.6MB

  • MD5

    74965febb08e87910b0f9d29eced3ff5

  • SHA1

    3228699546d63437dc845a5bb1d63f86591fa91e

  • SHA256

    ee1fd2fda74829875c8c27d05b4e6296459988d19549f30e4ed3ecb513bd2f43

  • SHA512

    9c316c01101e0601b363f85d7ba42fc488af4aa2ee107100ff6b0efd70e1179910594edc735a3aad2964f518c741bd188bf17736cc07c90914526222fb00e869

  • SSDEEP

    49152:eibqIZcBH4W4FyCBEmS35w6OBcVQh2scABeMkOV0cu68:1bqIM2BEZ5w6GcpSxRV0a8

Score
10/10
njrathackeddefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

cpanel.hackcrack.io:1111

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell and hide display window.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 2 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sqlmap GUI v.2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlmap GUI v.2.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3520
    • C:\Users\Admin\AppData\Local\TempSetup.exe
      "C:\Users\Admin\AppData\Local\TempSetup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5000
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
            "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2392
            • \??\c:\windows\system32\cmstp.exe
              "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\tufm3ekd.inf
              6⤵
                PID:3120
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of WriteProcessMemory
                PID:2140
                • C:\Windows\SYSTEM32\netsh.exe
                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:2684
      • C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe
        "C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1184
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 1072
          3⤵
          • Program crash
          PID:860
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1184 -ip 1184
      1⤵
        PID:4992
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
        1⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:1980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2476
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:2320
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3340
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:324
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2368
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:4664
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2732
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:544
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:4720
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4388
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:5032
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:3584
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:2724
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4620
      • C:\Windows\system32\taskkill.exe
        taskkill /IM cmstp.exe /F
        1⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4464

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Window

      1
      T1564.003

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        f0731f5760fdaec554ebeac92c5b858a

        SHA1

        4ac0a7f4cac1a8993d8d2e41490519b203272aec

        SHA256

        994163ee07fb3c0657229e7adbe8e3468d8f134c607552668a48660f70067e2e

        SHA512

        7fdbf4c8b22f2a36b32212dc41c5379496c8a4a670a6b13eeac02ebfbc394035ff25a8d79ae0a16c4f5f22bd5f59a141bb5774ba5439d1894e5363b3214dde33

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        60b3262c3163ee3d466199160b9ed07d

        SHA1

        994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

        SHA256

        e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

        SHA512

        081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        6a807b1c91ac66f33f88a787d64904c1

        SHA1

        83c554c7de04a8115c9005709e5cd01fca82c5d3

        SHA256

        155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

        SHA512

        29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        af1cc13f412ef37a00e668df293b1584

        SHA1

        8973b3e622f187fcf484a0eb9fa692bf3e2103cb

        SHA256

        449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

        SHA512

        75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

        Download Submit

      • C:\Users\Admin\AppData\Local\TempSetup.exe
        Filesize

        548KB

        MD5

        bc366b2c1803069f350f4192cd676d47

        SHA1

        f4cb2c5127d8ea90883c0f60c660d0ab92720768

        SHA256

        5ecf311d38dcc488b93e22c7e7175557f8733dbbb8d6fcd452b911f7821acac8

        SHA512

        1dacc54d9f2c0b826a29f6683e6e13fc5291c058912922fd9c112ccabb67e7e797d604c99bc16abcf7bfc49a8934cbcc5920d98cab0b44a6001c0f770c53fac5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h4n5zkco.4lr.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tufm3ekd.inf
        Filesize

        619B

        MD5

        6f1420f2133f3e08fd8cdea0e1f5fe27

        SHA1

        3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

        SHA256

        aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

        SHA512

        d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe
        Filesize

        1.9MB

        MD5

        5d60754656f1f151c16b1fc549fd49f1

        SHA1

        e3f8119de8a81cf65493226c0f22f90fe1f1796c

        SHA256

        01622451923785e4584d2f48ec2b5533199e88edc3394b764dca1d553464bfbd

        SHA512

        226ef88e2486309d5dbc2a88753966d7a5778e6ad23abd675d75902fd88a4b42190cb0c12a6ada7f416e93c5c3862538713b5b3b2e5420d1cd69ec2d79ef3a2b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe
        Filesize

        298KB

        MD5

        c147ef135d6d64a43181f44d918c9170

        SHA1

        4ad5bb062d448f425e443726a2a367374590068d

        SHA256

        48039323e06bea728304fb0dd5482a628f699815ca8b0786cf3e98055c3baa63

        SHA512

        1fcf850ca909cdb29e423abc5d32c887975affb5afba59062c2963c21083e07b0427e0f09a681dbd92dc3a96db9a5217a78247d403dab8f2dbc74a2b67c60992

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
        Filesize

        354KB

        MD5

        ec083dd6fe961b2c477bc74c6f1361be

        SHA1

        e376915cefc5f1d52fca177340df1514d0fdb7f1

        SHA256

        c9b60d139b8aef93d08ece38127ef1a9f52a61703c944cabe1b3fab82b5314c0

        SHA512

        f21dedf2aed85be465ceae022888632d3ecb00f6d3690b8ef84820e4c902b7f56b54d16d83b2c498d8e6590ba71d65760ac86061d4bc21eff52abee3c0a428bc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
        Filesize

        263KB

        MD5

        fdea3876296a5159163aa307f23ec4af

        SHA1

        3ee1911770107d2e872fc514818ace437f0f205e

        SHA256

        e35d2f11ad7aee4bc758e068ad82406e99cd2310db82ab6c879b4a048da3896b

        SHA512

        c55851a91f08f130096e05e591913e3a6f73d70b0b6567bbc5fb9c939a2d79b6f96273ad7d8abf90ad4e6c9e175eb5507ab95b8a774c434f5463951e5c61e26b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
        Filesize

        84KB

        MD5

        15ee95bc8e2e65416f2a30cf05ef9c2e

        SHA1

        107ca99d3414642450dec196febcd787ac8d7596

        SHA256

        c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

        SHA512

        ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

        Download Submit

      • memory/1184-47-0x0000000005020000-0x000000000502A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1184-48-0x0000000005240000-0x0000000005296000-memory.dmp

        Filesize

        344KB

        Download

      • memory/1184-42-0x00000000004A0000-0x000000000068E000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1184-43-0x0000000005060000-0x00000000050FC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/1184-44-0x00000000056B0000-0x0000000005C56000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1184-45-0x00000000051A0000-0x0000000005232000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1208-25-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1208-38-0x000000001C2B0000-0x000000001C2D0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1208-49-0x000000001E150000-0x000000001E184000-memory.dmp

        Filesize

        208KB

        Download

      • memory/1208-52-0x000000001F940000-0x000000001FA12000-memory.dmp

        Filesize

        840KB

        Download

      • memory/1208-27-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1208-77-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1208-26-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1208-46-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1916-148-0x000000001E370000-0x000000001E3D2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2368-188-0x000002A2EC350000-0x000002A2EC372000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2392-180-0x0000000000F80000-0x0000000000F8C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/3520-4-0x000000001C610000-0x000000001C6AC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3520-0-0x00007FFE9D925000-0x00007FFE9D926000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3520-9-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/3520-7-0x000000001C770000-0x000000001C7BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3520-150-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/3520-6-0x000000001B990000-0x000000001B998000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3520-5-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/3520-149-0x00007FFE9D925000-0x00007FFE9D926000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3520-3-0x000000001BFE0000-0x000000001C4AE000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/3520-2-0x00007FFE9D670000-0x00007FFE9E011000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/3520-1-0x000000001BA60000-0x000000001BB06000-memory.dmp

        Filesize

        664KB

        Download

      • memory/5000-147-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download