asyncrat | 2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2024 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rNewOrder.bat.exe
Size

679KB
MD5

170ed51ddb22cd75bf0fa4fa2a1bb6c4
SHA1

2e74fd6be27a77a883208db0d09524f15dfa7d00
SHA256

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d
SHA512

ac43b87484e0158b24c5c2a65ca6ab394b0b1bae62b03fb28588749066f04520ac10c6307bb45bf334d18a81c3a2b6ae68107b330e134a273f60e12d1c612865
SSDEEP

12288:ijWQ4W3K9jGCN0TPsnAH7UA51BlkOUCIV/VKMSiyyjK:7AK96jXQA51BCObIVNKMd8

Score

10^/10

asyncrat 2024 rat

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

2024

rat.loseyourip.com:6606

rat.loseyourip.com:7707

rat.loseyourip.com:8808

Mutex

Async_2024

Attributes

delay
3
install
true
install_file
csrss.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rNewOrder.bat.execsrss.exerNewOrder.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	rNewOrder.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	rNewOrder.bat.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

3780 csrss.exe
4372 csrss.exe

pid	process
3780	csrss.exe
4372	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

rNewOrder.bat.execsrss.exe

description	pid	process	target process
PID 4840 set thread context of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 3780 set thread context of 4372	3780	csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1756 schtasks.exe
492 schtasks.exe
1664 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4972 timeout.exe

pid	process
1756	schtasks.exe
492	schtasks.exe
1664	schtasks.exe

pid	process
4972	timeout.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

rNewOrder.bat.exepowershell.exepowershell.exerNewOrder.bat.execsrss.exepowershell.exepowershell.execsrss.exe

pid	process
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4840	rNewOrder.bat.exe
4248	powershell.exe
2056	powershell.exe
4840	rNewOrder.bat.exe
4248	powershell.exe
2056	powershell.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
4024	rNewOrder.bat.exe
3780	csrss.exe
3780	csrss.exe
3780	csrss.exe
3780	csrss.exe
3780	csrss.exe
3780	csrss.exe
3780	csrss.exe
3780	csrss.exe
3780	csrss.exe
3380	powershell.exe
3900	powershell.exe
3780	csrss.exe
3780	csrss.exe
3380	powershell.exe
3900	powershell.exe
4372	csrss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

rNewOrder.bat.exepowershell.exepowershell.exerNewOrder.bat.execsrss.exepowershell.exepowershell.execsrss.exe

description	pid	process
Token: SeDebugPrivilege	4840	rNewOrder.bat.exe
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	4024	rNewOrder.bat.exe
Token: SeDebugPrivilege	3780	csrss.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	4372	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csrss.exe

pid process

4372 csrss.exe

pid	process
4372	csrss.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

rNewOrder.bat.exerNewOrder.bat.execmd.execmd.execsrss.exe

description	pid	process	target process
PID 4840 wrote to memory of 4248	4840	rNewOrder.bat.exe	powershell.exe
PID 4840 wrote to memory of 4248	4840	rNewOrder.bat.exe	powershell.exe
PID 4840 wrote to memory of 4248	4840	rNewOrder.bat.exe	powershell.exe
PID 4840 wrote to memory of 2056	4840	rNewOrder.bat.exe	powershell.exe
PID 4840 wrote to memory of 2056	4840	rNewOrder.bat.exe	powershell.exe
PID 4840 wrote to memory of 2056	4840	rNewOrder.bat.exe	powershell.exe
PID 4840 wrote to memory of 1756	4840	rNewOrder.bat.exe	schtasks.exe
PID 4840 wrote to memory of 1756	4840	rNewOrder.bat.exe	schtasks.exe
PID 4840 wrote to memory of 1756	4840	rNewOrder.bat.exe	schtasks.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4840 wrote to memory of 4024	4840	rNewOrder.bat.exe	rNewOrder.bat.exe
PID 4024 wrote to memory of 848	4024	rNewOrder.bat.exe	cmd.exe
PID 4024 wrote to memory of 848	4024	rNewOrder.bat.exe	cmd.exe
PID 4024 wrote to memory of 848	4024	rNewOrder.bat.exe	cmd.exe
PID 4024 wrote to memory of 4788	4024	rNewOrder.bat.exe	cmd.exe
PID 4024 wrote to memory of 4788	4024	rNewOrder.bat.exe	cmd.exe
PID 4024 wrote to memory of 4788	4024	rNewOrder.bat.exe	cmd.exe
PID 4788 wrote to memory of 4972	4788	cmd.exe	timeout.exe
PID 4788 wrote to memory of 4972	4788	cmd.exe	timeout.exe
PID 4788 wrote to memory of 4972	4788	cmd.exe	timeout.exe
PID 848 wrote to memory of 492	848	cmd.exe	schtasks.exe
PID 848 wrote to memory of 492	848	cmd.exe	schtasks.exe
PID 848 wrote to memory of 492	848	cmd.exe	schtasks.exe
PID 4788 wrote to memory of 3780	4788	cmd.exe	csrss.exe
PID 4788 wrote to memory of 3780	4788	cmd.exe	csrss.exe
PID 4788 wrote to memory of 3780	4788	cmd.exe	csrss.exe
PID 3780 wrote to memory of 3380	3780	csrss.exe	powershell.exe
PID 3780 wrote to memory of 3380	3780	csrss.exe	powershell.exe
PID 3780 wrote to memory of 3380	3780	csrss.exe	powershell.exe
PID 3780 wrote to memory of 3900	3780	csrss.exe	powershell.exe
PID 3780 wrote to memory of 3900	3780	csrss.exe	powershell.exe
PID 3780 wrote to memory of 3900	3780	csrss.exe	powershell.exe
PID 3780 wrote to memory of 1664	3780	csrss.exe	schtasks.exe
PID 3780 wrote to memory of 1664	3780	csrss.exe	schtasks.exe
PID 3780 wrote to memory of 1664	3780	csrss.exe	schtasks.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe
PID 3780 wrote to memory of 4372	3780	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\rNewOrder.bat.exe
"C:\Users\Admin\AppData\Local\Temp\rNewOrder.bat.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rNewOrder.bat.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eOmdWxIgIyhoBN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOmdWxIgIyhoBN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp887.tmp"
2⤵
- Creates scheduled task(s)
PID:1756

C:\Users\Admin\AppData\Local\Temp\rNewOrder.bat.exe
"C:\Users\Admin\AppData\Local\Temp\rNewOrder.bat.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Local\Temp\csrss.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Local\Temp\csrss.exe"'
4⤵
- Creates scheduled task(s)
PID:492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2575.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4972

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eOmdWxIgIyhoBN.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOmdWxIgIyhoBN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA709.tmp"
5⤵
- Creates scheduled task(s)
PID:1664

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rNewOrder.bat.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
00604b13a225a0e2f67bb5ebd3f900b9

SHA1
b0ad22a374e0b966408256e8a57abe4aa230ec7e

SHA256
4bae3adc565e2cb950afc992b701593753e71cff51f50d053bfe9f20acb7270e

SHA512
83d4d9e7fca55c343b123280d62313ff6f3ddf5295efd231bb27093b0e8dbe4ca7d9f55cedebb4135219c564a0decd2db490aabbdf52a0094e33b7930f0636f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
68238756a6ca04193e38539ee9e4b711

SHA1
fdbd9d0b0d348d642b29c9bc83d6bf6167225067

SHA256
968df97b0c7bcfdb596d70773f4bc5365f3f24da0013d08bb0bd161a337e649c

SHA512
39cf0603bdd4470622332001f65d090ad9bb66463465e5b02ade020e994f00ae3bc4cd171de9ccd77a7758e8fb48a8b5da6fdd7ba12c0ca7c2b1957dd1c6a7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5iq15za0.gcm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
679KB

MD5
170ed51ddb22cd75bf0fa4fa2a1bb6c4

SHA1
2e74fd6be27a77a883208db0d09524f15dfa7d00

SHA256
2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d

SHA512
ac43b87484e0158b24c5c2a65ca6ab394b0b1bae62b03fb28588749066f04520ac10c6307bb45bf334d18a81c3a2b6ae68107b330e134a273f60e12d1c612865

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2575.tmp.bat
Filesize
152B

MD5
15b274ce93f998db4d489dcd3be8e5b7

SHA1
330a5ccdddd576f2c3dba6135d007d4947685ede

SHA256
34280efb9ceac271ca1f699a5314a46c5aded6591c085f615cad22acd6556bff

SHA512
371306141263639c71944f37266e35094471413730a3add71a6adb8bb57300b4e3be7055e3b9668017d0fb3747f4cc33cd340e021b12f205b79a948e96a027ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp887.tmp
Filesize
1KB

MD5
5518cb1299589afa7fe271d88c67f0f3

SHA1
baac205b1409e76d8f8f769f31d7bbb7fe1954b1

SHA256
488eb58dd0b142fdcd65225ee343533c6eb17be36809cdebc7d5c7771e4d2902

SHA512
ab78053ae63026e528408818423833741edaf717c3e6c21bdc7719fd5dcc1f7049950e2567fc63fe85478aa3a1546031c4d17fc437f5c1e0d1ac23414de22cac

Download Submit
memory/2056-100-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2056-81-0x0000000007850000-0x000000000786A000-memory.dmp

Filesize
104KB

Download
memory/2056-83-0x0000000007AD0000-0x0000000007B66000-memory.dmp

Filesize
600KB

Download
memory/2056-53-0x000000007F0F0000-0x000000007F100000-memory.dmp

Filesize
64KB

Download
memory/2056-85-0x0000000007A80000-0x0000000007A8E000-memory.dmp

Filesize
56KB

Download
memory/2056-80-0x0000000007E90000-0x000000000850A000-memory.dmp

Filesize
6.5MB

Download
memory/2056-54-0x0000000007710000-0x0000000007742000-memory.dmp

Filesize
200KB

Download
memory/2056-55-0x0000000074C90000-0x0000000074CDC000-memory.dmp

Filesize
304KB

Download
memory/2056-78-0x0000000007750000-0x00000000077F3000-memory.dmp

Filesize
652KB

Download
memory/2056-51-0x0000000006530000-0x000000000657C000-memory.dmp

Filesize
304KB

Download
memory/2056-23-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/2056-21-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2056-88-0x0000000007B70000-0x0000000007B78000-memory.dmp

Filesize
32KB

Download
memory/3380-121-0x0000000005B90000-0x0000000005EE4000-memory.dmp

Filesize
3.3MB

Download
memory/3380-139-0x0000000006570000-0x00000000065BC000-memory.dmp

Filesize
304KB

Download
memory/3380-140-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3380-110-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3380-109-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/3380-108-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3380-142-0x0000000074CF0000-0x0000000074D3C000-memory.dmp

Filesize
304KB

Download
memory/3780-104-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3780-105-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3780-138-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-116-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/3900-122-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/3900-141-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/3900-152-0x000000007F4D0000-0x000000007F4E0000-memory.dmp

Filesize
64KB

Download
memory/4024-79-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/4024-29-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-93-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4024-25-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4248-24-0x0000000005640000-0x0000000005662000-memory.dmp

Filesize
136KB

Download
memory/4248-52-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4248-16-0x0000000005050000-0x0000000005086000-memory.dmp

Filesize
216KB

Download
memory/4248-56-0x0000000074C90000-0x0000000074CDC000-memory.dmp

Filesize
304KB

Download
memory/4248-67-0x0000000006B80000-0x0000000006B9E000-memory.dmp

Filesize
120KB

Download
memory/4248-84-0x0000000007B50000-0x0000000007B61000-memory.dmp

Filesize
68KB

Download
memory/4248-77-0x000000007F200000-0x000000007F210000-memory.dmp

Filesize
64KB

Download
memory/4248-86-0x0000000007B90000-0x0000000007BA4000-memory.dmp

Filesize
80KB

Download
memory/4248-87-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/4248-57-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-19-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/4248-82-0x00000000079C0000-0x00000000079CA000-memory.dmp

Filesize
40KB

Download
memory/4248-18-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4248-20-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4248-99-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-26-0x0000000005F30000-0x0000000005F96000-memory.dmp

Filesize
408KB

Download
memory/4248-27-0x0000000005FA0000-0x0000000006006000-memory.dmp

Filesize
408KB

Download
memory/4248-17-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4248-50-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/4248-39-0x0000000006110000-0x0000000006464000-memory.dmp

Filesize
3.3MB

Download
memory/4372-132-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-3-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/4840-7-0x0000000006790000-0x00000000067A2000-memory.dmp

Filesize
72KB

Download
memory/4840-2-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/4840-0-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-8-0x00000000069D0000-0x0000000006A28000-memory.dmp

Filesize
352KB

Download
memory/4840-40-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-4-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4840-5-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/4840-6-0x0000000005740000-0x000000000575C000-memory.dmp

Filesize
112KB

Download
memory/4840-9-0x0000000009030000-0x00000000090CC000-memory.dmp

Filesize
624KB

Download
memory/4840-11-0x00000000052E0000-0x00000000052F0000-memory.dmp

Filesize
64KB

Download
memory/4840-10-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/4840-1-0x0000000000650000-0x0000000000700000-memory.dmp

Filesize
704KB

Download