Overview

overview

10

Static

static

3

sqlmap GUI v.2.0.exe

windows10-ltsc 2021-x64

10

sqlmap GUI v.2.0.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-01-2025 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sqlmap GUI v.2.0.exe

  • Size

    2.6MB

  • MD5

    74965febb08e87910b0f9d29eced3ff5

  • SHA1

    3228699546d63437dc845a5bb1d63f86591fa91e

  • SHA256

    ee1fd2fda74829875c8c27d05b4e6296459988d19549f30e4ed3ecb513bd2f43

  • SHA512

    9c316c01101e0601b363f85d7ba42fc488af4aa2ee107100ff6b0efd70e1179910594edc735a3aad2964f518c741bd188bf17736cc07c90914526222fb00e869

  • SSDEEP

    49152:eibqIZcBH4W4FyCBEmS35w6OBcVQh2scABeMkOV0cu68:1bqIM2BEZ5w6GcpSxRV0a8

Score
10/10
njrathackeddefense_evasiondiscoveryexecutionpersistenceprivilege_escalationtrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

cpanel.hackcrack.io:1111

Mutex

Windows Explorer

Attributes
  • reg_key

    Windows Explorer

  • splitter

    |'|'|

Signatures

  • Njrat family
    njrat
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    defense_evasion
  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops desktop.ini file(s) 2 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 8 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sqlmap GUI v.2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\sqlmap GUI v.2.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4016
    • C:\Users\Admin\AppData\Local\TempSetup.exe
      "C:\Users\Admin\AppData\Local\TempSetup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe
        "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3608
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1996
          • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
            "C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2172
            • \??\c:\windows\system32\cmstp.exe
              "c:\windows\system32\cmstp.exe" /au C:\Users\Admin\AppData\Local\Temp\qnk3vloh.inf
              6⤵
                PID:2776
              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:3404
                • C:\Windows\SYSTEM32\netsh.exe
                  netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe" "explorer.exe" ENABLE
                  7⤵
                  • Modifies Windows Firewall
                  • Event Triggered Execution: Netsh Helper DLL
                  PID:1992
      • C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe
        "C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 1096
          3⤵
          • Program crash
          PID:4264
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424
      1⤵
        PID:3048
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1264
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:4200
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\explorer.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4116
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:4352
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cortana.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4776
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:3496
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\OneDrive.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4080
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchost.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:4960
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:3944
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SystemSettings.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:568
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:896
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Taskmgr.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2540
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:1336
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\msedge.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:2332
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
          2⤵
          • Hide Artifacts: Hidden Window
          • Suspicious use of WriteProcessMemory
          PID:1964
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            PowerShell.exe -windowstyle hidden Add-Mppreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\SystemSettingsBroker.exe
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious use of AdjustPrivilegeToken
            PID:1904
      • C:\Windows\system32\taskkill.exe
        taskkill /IM cmstp.exe /F
        1⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1960

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Event Triggered Execution

      1
      T1546

      Netsh Helper DLL

      1
      T1546.007

      Defense Evasion

      Hide Artifacts

      1
      T1564

      Hidden Window

      1
      T1564.003

      Impair Defenses

      1
      T1562

      Disable or Modify System Firewall

      1
      T1562.004

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      1
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6903d57eed54e89b68ebb957928d1b99

        SHA1

        fade011fbf2e4bc044d41e380cf70bd6a9f73212

        SHA256

        36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

        SHA512

        c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e3840d9bcedfe7017e49ee5d05bd1c46

        SHA1

        272620fb2605bd196df471d62db4b2d280a363c6

        SHA256

        3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

        SHA512

        76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        aa4f31835d07347297d35862c9045f4a

        SHA1

        83e728008935d30f98e5480fba4fbccf10cefb05

        SHA256

        99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

        SHA512

        ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

        Download Submit

      • C:\Users\Admin\AppData\Local\TempSetup.exe
        Filesize

        548KB

        MD5

        bc366b2c1803069f350f4192cd676d47

        SHA1

        f4cb2c5127d8ea90883c0f60c660d0ab92720768

        SHA256

        5ecf311d38dcc488b93e22c7e7175557f8733dbbb8d6fcd452b911f7821acac8

        SHA512

        1dacc54d9f2c0b826a29f6683e6e13fc5291c058912922fd9c112ccabb67e7e797d604c99bc16abcf7bfc49a8934cbcc5920d98cab0b44a6001c0f770c53fac5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvhf0akw.nh3.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\qnk3vloh.inf
        Filesize

        619B

        MD5

        6f1420f2133f3e08fd8cdea0e1f5fe27

        SHA1

        3aa41ec75adc0cf50e001ca91bbfa7f763adf70b

        SHA256

        aed1ac2424a255f231168bcb02f16b6ea89603e0045465c2149abcde33a06242

        SHA512

        d5629e9835f881cd271e88d9ec2d2c27b9d5d1b25329ade5cfb9824a6358c9e98e66f1b89ac9459b4c540c02af2728129dd8523bdf007cadf28b5fa2d199a2aa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\~sqlmap_GUI_v_2_0.exe
        Filesize

        1.9MB

        MD5

        5d60754656f1f151c16b1fc549fd49f1

        SHA1

        e3f8119de8a81cf65493226c0f22f90fe1f1796c

        SHA256

        01622451923785e4584d2f48ec2b5533199e88edc3394b764dca1d553464bfbd

        SHA512

        226ef88e2486309d5dbc2a88753966d7a5778e6ad23abd675d75902fd88a4b42190cb0c12a6ada7f416e93c5c3862538713b5b3b2e5420d1cd69ec2d79ef3a2b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7800\svchost.exe
        Filesize

        298KB

        MD5

        c147ef135d6d64a43181f44d918c9170

        SHA1

        4ad5bb062d448f425e443726a2a367374590068d

        SHA256

        48039323e06bea728304fb0dd5482a628f699815ca8b0786cf3e98055c3baa63

        SHA512

        1fcf850ca909cdb29e423abc5d32c887975affb5afba59062c2963c21083e07b0427e0f09a681dbd92dc3a96db9a5217a78247d403dab8f2dbc74a2b67c60992

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Intel Corporation\Intel(R) Common User Interface\8.1.1.7900\explorer.exe
        Filesize

        354KB

        MD5

        ec083dd6fe961b2c477bc74c6f1361be

        SHA1

        e376915cefc5f1d52fca177340df1514d0fdb7f1

        SHA256

        c9b60d139b8aef93d08ece38127ef1a9f52a61703c944cabe1b3fab82b5314c0

        SHA512

        f21dedf2aed85be465ceae022888632d3ecb00f6d3690b8ef84820e4c902b7f56b54d16d83b2c498d8e6590ba71d65760ac86061d4bc21eff52abee3c0a428bc

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\8.1.7601.17587\svchost.exe
        Filesize

        263KB

        MD5

        fdea3876296a5159163aa307f23ec4af

        SHA1

        3ee1911770107d2e872fc514818ace437f0f205e

        SHA256

        e35d2f11ad7aee4bc758e068ad82406e99cd2310db82ab6c879b4a048da3896b

        SHA512

        c55851a91f08f130096e05e591913e3a6f73d70b0b6567bbc5fb9c939a2d79b6f96273ad7d8abf90ad4e6c9e175eb5507ab95b8a774c434f5463951e5c61e26b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\version.exe
        Filesize

        84KB

        MD5

        15ee95bc8e2e65416f2a30cf05ef9c2e

        SHA1

        107ca99d3414642450dec196febcd787ac8d7596

        SHA256

        c55b3aaf558c1cd8768f3d22b3fcc908a0e8c33e3f4e1f051d2b1b9315223d4d

        SHA512

        ed1cceb8894fb02cd585ec799e7c8564536976e50c04bf0c3e246a24a6eef719079455f1d6664fa09181979260db16903c60a0ef938472ca71ccaabe16ea1a98

        Download Submit

      • memory/1996-136-0x000000001E970000-0x000000001E9D2000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2172-165-0x00000000012E0000-0x00000000012EC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2784-25-0x000000001C4A0000-0x000000001C4C0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2784-46-0x000000001F210000-0x000000001F2E2000-memory.dmp

        Filesize

        840KB

        Download

      • memory/2784-23-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2784-24-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2784-68-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2784-22-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2784-42-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/2784-43-0x000000001DA30000-0x000000001DA64000-memory.dmp

        Filesize

        208KB

        Download

      • memory/3608-135-0x0000000000400000-0x0000000000433000-memory.dmp

        Filesize

        204KB

        Download

      • memory/4016-138-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4016-5-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4016-1-0x000000001B600000-0x000000001B6A6000-memory.dmp

        Filesize

        664KB

        Download

      • memory/4016-2-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4016-3-0x000000001BB80000-0x000000001C04E000-memory.dmp

        Filesize

        4.8MB

        Download

      • memory/4016-4-0x000000001C110000-0x000000001C1AC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4016-137-0x00007FFD65B55000-0x00007FFD65B56000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4016-0-0x00007FFD65B55000-0x00007FFD65B56000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4016-6-0x0000000000EA0000-0x0000000000EA8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4016-9-0x00007FFD658A0000-0x00007FFD66241000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/4016-7-0x000000001C270000-0x000000001C2BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4116-172-0x0000018662C50000-0x0000018662C72000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4424-36-0x0000000000F80000-0x000000000116E000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4424-41-0x0000000005F20000-0x0000000005F76000-memory.dmp

        Filesize

        344KB

        Download

      • memory/4424-37-0x0000000005BA0000-0x0000000005C3C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4424-38-0x00000000062B0000-0x0000000006856000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4424-39-0x0000000005D00000-0x0000000005D92000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4424-40-0x0000000005CA0000-0x0000000005CAA000-memory.dmp

        Filesize

        40KB

        Download