asyncrat | 936f58b1813856c65f6206acce0b9711d4ac41598b5492b6951352ac04cc3c62

Analysis

max time kernel
156s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-06-2022 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ctfmon.exe
Size

300.0MB
MD5

eb62cecfbe36eeaeab3ea25a65967f9d
SHA1

2a4eb3fc914111cf67939b28ae5833d16b3315db
SHA256

936f58b1813856c65f6206acce0b9711d4ac41598b5492b6951352ac04cc3c62
SHA512

d1239c3a0dc408ba4d7b605adc897bdd183b7b4085847559ba4586a3978c34f414176e680d325b8e50386b5d4366ff3f0edeeab7f04b139e8e6c5defbc87a7db

Score

10^/10

asyncrat nigatex persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Nigatex

nigatex.ml:25565

Mutex

huieqwgehqweqduia

Attributes

delay
1
install
false
install_file
MpCopyAccelerator.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2020-134-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 4 IoCs

Processes:

nvcontainer.exenvcontainer.exenvcontainer.exenvcontainer.exe

pid process

4660 nvcontainer.exe
2916 nvcontainer.exe
940 nvcontainer.exe
2864 nvcontainer.exe

pid	process
4660	nvcontainer.exe
2916	nvcontainer.exe
940	nvcontainer.exe
2864	nvcontainer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nvcontainer.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	nvcontainer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	WScript.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

nvcontainer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nvcontainer = "\"C:\\Users\\Admin\\AppData\\Roaming\\nvcontainer.exe\""	nvcontainer.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ctfmon.exenvcontainer.exenvcontainer.exe

description	pid	process	target process
PID 4352 set thread context of 2020	4352	ctfmon.exe	vbc.exe
PID 4660 set thread context of 2916	4660	nvcontainer.exe	nvcontainer.exe
PID 940 set thread context of 2864	940	nvcontainer.exe	nvcontainer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2460 schtasks.exe
4740 schtasks.exe
3132 schtasks.exe
Modifies registry class 1 IoCs

Processes:

nvcontainer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings nvcontainer.exe

pid	process
2460	schtasks.exe
4740	schtasks.exe
3132	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	nvcontainer.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exevbc.exepowershell.exenvcontainer.exe

pid	process
3796	powershell.exe
2020	vbc.exe
3796	powershell.exe
3556	powershell.exe
3556	powershell.exe
2916	nvcontainer.exe
2916	nvcontainer.exe
2916	nvcontainer.exe
2916	nvcontainer.exe
2916	nvcontainer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ctfmon.exevbc.exepowershell.exenvcontainer.exenvcontainer.exepowershell.exenvcontainer.exe

description	pid	process
Token: SeDebugPrivilege	4352	ctfmon.exe
Token: SeDebugPrivilege	2020	vbc.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	4660	nvcontainer.exe
Token: SeDebugPrivilege	2916	nvcontainer.exe
Token: SeDebugPrivilege	3556	powershell.exe
Token: SeDebugPrivilege	940	nvcontainer.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

ctfmon.execmd.exevbc.execmd.exepowershell.exenvcontainer.execmd.exenvcontainer.exeWScript.exenvcontainer.execmd.exe

description	pid	process	target process
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 2020	4352	ctfmon.exe	vbc.exe
PID 4352 wrote to memory of 3448	4352	ctfmon.exe	cmd.exe
PID 4352 wrote to memory of 3448	4352	ctfmon.exe	cmd.exe
PID 4352 wrote to memory of 3448	4352	ctfmon.exe	cmd.exe
PID 3448 wrote to memory of 2460	3448	cmd.exe	schtasks.exe
PID 3448 wrote to memory of 2460	3448	cmd.exe	schtasks.exe
PID 3448 wrote to memory of 2460	3448	cmd.exe	schtasks.exe
PID 4352 wrote to memory of 1596	4352	ctfmon.exe	cmd.exe
PID 4352 wrote to memory of 1596	4352	ctfmon.exe	cmd.exe
PID 4352 wrote to memory of 1596	4352	ctfmon.exe	cmd.exe
PID 2020 wrote to memory of 5084	2020	vbc.exe	cmd.exe
PID 2020 wrote to memory of 5084	2020	vbc.exe	cmd.exe
PID 2020 wrote to memory of 5084	2020	vbc.exe	cmd.exe
PID 5084 wrote to memory of 3796	5084	cmd.exe	powershell.exe
PID 5084 wrote to memory of 3796	5084	cmd.exe	powershell.exe
PID 5084 wrote to memory of 3796	5084	cmd.exe	powershell.exe
PID 3796 wrote to memory of 4660	3796	powershell.exe	nvcontainer.exe
PID 3796 wrote to memory of 4660	3796	powershell.exe	nvcontainer.exe
PID 4660 wrote to memory of 2916	4660	nvcontainer.exe	nvcontainer.exe
PID 4660 wrote to memory of 2916	4660	nvcontainer.exe	nvcontainer.exe
PID 4660 wrote to memory of 2916	4660	nvcontainer.exe	nvcontainer.exe
PID 4660 wrote to memory of 2916	4660	nvcontainer.exe	nvcontainer.exe
PID 4660 wrote to memory of 2916	4660	nvcontainer.exe	nvcontainer.exe
PID 4660 wrote to memory of 2916	4660	nvcontainer.exe	nvcontainer.exe
PID 4660 wrote to memory of 1392	4660	nvcontainer.exe	cmd.exe
PID 4660 wrote to memory of 1392	4660	nvcontainer.exe	cmd.exe
PID 1392 wrote to memory of 4740	1392	cmd.exe	schtasks.exe
PID 1392 wrote to memory of 4740	1392	cmd.exe	schtasks.exe
PID 4660 wrote to memory of 3080	4660	nvcontainer.exe	cmd.exe
PID 4660 wrote to memory of 3080	4660	nvcontainer.exe	cmd.exe
PID 2916 wrote to memory of 1892	2916	nvcontainer.exe	WScript.exe
PID 2916 wrote to memory of 1892	2916	nvcontainer.exe	WScript.exe
PID 1892 wrote to memory of 3556	1892	WScript.exe	powershell.exe
PID 1892 wrote to memory of 3556	1892	WScript.exe	powershell.exe
PID 940 wrote to memory of 2864	940	nvcontainer.exe	nvcontainer.exe
PID 940 wrote to memory of 2864	940	nvcontainer.exe	nvcontainer.exe
PID 940 wrote to memory of 2864	940	nvcontainer.exe	nvcontainer.exe
PID 940 wrote to memory of 2864	940	nvcontainer.exe	nvcontainer.exe
PID 940 wrote to memory of 2864	940	nvcontainer.exe	nvcontainer.exe
PID 940 wrote to memory of 2864	940	nvcontainer.exe	nvcontainer.exe
PID 940 wrote to memory of 2940	940	nvcontainer.exe	cmd.exe
PID 940 wrote to memory of 2940	940	nvcontainer.exe	cmd.exe
PID 2940 wrote to memory of 3132	2940	cmd.exe	schtasks.exe
PID 2940 wrote to memory of 3132	2940	cmd.exe	schtasks.exe
PID 940 wrote to memory of 3356	940	nvcontainer.exe	cmd.exe
PID 940 wrote to memory of 3356	940	nvcontainer.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ctfmon.exe
"C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
"C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jzq5D.vbs"
7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
6⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
7⤵
- Creates scheduled task(s)
PID:4740

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe" "C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe"
6⤵
PID:3080

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3448

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe'" /f
3⤵
- Creates scheduled task(s)
PID:2460

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\ctfmon.exe" "C:\Users\Admin\AppData\Roaming\ctfmon32\ctfmon32.exe"
2⤵
PID:1596

C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\system32\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe'" /f
3⤵
- Creates scheduled task(s)
PID:3132

C:\Windows\system32\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe" "C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe"
2⤵
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nvcontainer.exe.log
Filesize
1KB

MD5
4de0e77d535f3cb568442a6af4546a62

SHA1
d6b0507582d6c1a1c8811b02a29197fbb0ac1432

SHA256
913af39d6fd885c4495c7616e5d23629a44a61e33a6edc6f2ca5523ec701b9f2

SHA512
e3974c19ac3173889f5678564bf1d502e6dcab3b47a4e17c33f3f74973345f3ba0297778e53e8a7cd650bb78a34bf96da8ef9b623956879a3e809f43665838cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
d3ebff08580c8c8ed61dc648ed99559a

SHA1
015d6392b8a26458a3f80c763dd1670837fcb648

SHA256
bfa015c381ff49589d28671b62a53de996c7cfe6012fb8e510c1a6365ae23390

SHA512
ff8e809f7befbbc7dfa55b68aa96e89871c9b1b87a57c5a888141643468cfaf7b1fd818b9a9a5aa742a0aaa946815e46220fcfca8934b7965b5663a1d9affe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzq5D.vbs
Filesize
92B

MD5
4b13abd262e6f452b680b7c404285a32

SHA1
a5b55774c48678a82ab377a7d23a00ec6a174dea

SHA256
e09b4b2ffbca61fbfaa017d9a6c7c60ec4242bfc468bf2f58887e79c97966eff

SHA512
8dc590452e549d1dbb582e6552e5cfe960adeb43987435b67d6d1f18d3ff44e7be01f638a7f62f7f47da561303fdc5203ca4412639662f170b6e0022e3ae6bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
Filesize
300.0MB

MD5
e407c7a0f100ef58922d20b19e4e8c35

SHA1
f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

SHA256
da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

SHA512
72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
Filesize
300.0MB

MD5
e407c7a0f100ef58922d20b19e4e8c35

SHA1
f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

SHA256
da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

SHA512
72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvcontainer.exe
Filesize
300.0MB

MD5
e407c7a0f100ef58922d20b19e4e8c35

SHA1
f7972f88dcec0b023fec33cb1b36e7fca5ec83e9

SHA256
da8f0aeae9a1ba45e7ac2f6a8fa31133ead466e88ea46a7f715fb29864fc1eb9

SHA512
72c9e6435b3f56da010aca568d9065283efee6cbb33896a70655cab254c853747692d5ca027cbcf846983fcb2451dad7fd4da944f201156ea6eea2fcc93899d9

Download Submit
C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
Filesize
157.1MB

MD5
e4876dfd7b9df5d59b0e02e88fe8c0b5

SHA1
122f330d01f4e920bd84787b5cffb31e9056f0d1

SHA256
4b91f8fc39e581254754fe68341d616dcceb415c8236dd488d7ff641bf8efae2

SHA512
170d4116175fd99a9ea382ce6141e6557ce950bbeed6e277df2b1b01011a1904835673db0de55f9fb8fc75c79908cef254ce73e4909b11402920bf4799c6cd02

Download Submit
C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
Filesize
157.6MB

MD5
2dc1c05ae0e5b9261d7f9bc14b2cfc4f

SHA1
5502f54c1a1c1447a3fde5deb5a6b6cc3a847014

SHA256
5d7b9b4e63490a6405913f97c5ae6950b4948b7143a68e572d4614ba758e96f6

SHA512
97b9ee439e897526a66e856cd3bb68539a51e2198a5ebbe29d30700e1ffc1a24a3e6e2bfd50c9a3d7eebbf2ec59409916af39c7213d6fbadda93cf4e40a14eaf

Download Submit
C:\Users\Admin\AppData\Roaming\nvcontainer\nvcontainer.exe
Filesize
70.5MB

MD5
cd86dee1f071d21c312053d658020d97

SHA1
e222445963964227c5490daa17c0a619191547ef

SHA256
3945658fe1bff224ca7461b6fe30a3aed8a26008291edc88c6208dc7b57510a9

SHA512
2a0955ca6f852a62a0e2e334a21b503350f4a14862127b0521a2c66eab965497b8a05fb32d65a2d394c9f5eae397b7dbb7c73a03851c5a67eb363098e8269afa

Download Submit
memory/940-177-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/940-176-0x00007FF60E8F0000-0x00007FF60E9E6000-memory.dmp

Filesize
984KB

Download
memory/1392-159-0x0000000000000000-mapping.dmp

Download
memory/1596-137-0x0000000000000000-mapping.dmp

Download
memory/1892-166-0x0000000000000000-mapping.dmp

Download
memory/2020-134-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2020-140-0x0000000007090000-0x00000000070AE000-memory.dmp

Filesize
120KB

Download
memory/2020-138-0x0000000005F10000-0x0000000005FAC000-memory.dmp

Filesize
624KB

Download
memory/2020-139-0x00000000070D0000-0x0000000007146000-memory.dmp

Filesize
472KB

Download
memory/2020-133-0x0000000000000000-mapping.dmp

Download
memory/2460-136-0x0000000000000000-mapping.dmp

Download
memory/2864-179-0x0000000140000000-mapping.dmp

Download
memory/2916-165-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/2916-163-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/2916-156-0x0000000140000000-0x000000014009A000-memory.dmp

Filesize
616KB

Download
memory/2916-157-0x0000000140000000-mapping.dmp

Download
memory/2940-181-0x0000000000000000-mapping.dmp

Download
memory/3080-161-0x0000000000000000-mapping.dmp

Download
memory/3132-182-0x0000000000000000-mapping.dmp

Download
memory/3356-183-0x0000000000000000-mapping.dmp

Download
memory/3448-135-0x0000000000000000-mapping.dmp

Download
memory/3556-169-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/3556-168-0x0000000000000000-mapping.dmp

Download
memory/3556-172-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/3556-170-0x000001A0D7B90000-0x000001A0D7BB2000-memory.dmp

Filesize
136KB

Download
memory/3796-145-0x0000000004E80000-0x0000000004EA2000-memory.dmp

Filesize
136KB

Download
memory/3796-144-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/3796-142-0x0000000000000000-mapping.dmp

Download
memory/3796-150-0x0000000006170000-0x0000000006192000-memory.dmp

Filesize
136KB

Download
memory/3796-143-0x0000000002310000-0x0000000002346000-memory.dmp

Filesize
216KB

Download
memory/3796-146-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/3796-147-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/3796-149-0x00000000060F0000-0x000000000610A000-memory.dmp

Filesize
104KB

Download
memory/3796-148-0x0000000006C20000-0x0000000006CB6000-memory.dmp

Filesize
600KB

Download
memory/4352-130-0x0000000000640000-0x0000000000690000-memory.dmp

Filesize
320KB

Download
memory/4352-132-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/4352-131-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/4660-162-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/4660-155-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/4660-154-0x00007FF784FE0000-0x00007FF7850D6000-memory.dmp

Filesize
984KB

Download
memory/4660-164-0x00007FFF93B80000-0x00007FFF94641000-memory.dmp

Filesize
10.8MB

Download
memory/4660-152-0x0000000000000000-mapping.dmp

Download
memory/4740-160-0x0000000000000000-mapping.dmp

Download
memory/5084-141-0x0000000000000000-mapping.dmp

Download