asyncrat | fc1ad8d1483f0b1c94b55be7b7587b86485022ca4e62e6fb0c06e392dfaeecd2

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C11Bootstrapper/Start.bat
Size

1KB
MD5

4e3179e79f11708b60c3af67718cc0ae
SHA1

e22536c444427ce73dcc50091c28477c44e23210
SHA256

6953af9e22a172b023757199cc77c0ea2353bfe7ab1843516a161081f0c1d76d
SHA512

aaf2402399fe8887fe516a3be50054129298970dc322652dc02578a523be74135e02b6856f0b7b774df3c827b131d54828143583038bc5350c40e89dcd1409e1

Score

10^/10

asyncrat umbral default rat stealer

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

tazbtpfpfzpxti

Attributes

delay
1
install
true
install_file
PageEditor.exe
install_folder
%Temp%
pastebin_config
https://pastebin.com/raw/xZqBe1fC

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral12/memory/5104-0-0x0000020DFF3A0000-0x0000020DFF3E4000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	GuiLoader.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
75	discord.com
76	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4976	timeout.exe
4204	timeout.exe
4512	timeout.exe
3672	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4324	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	cmd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1356	PING.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
5104	GuiLoader.exe
5104	GuiLoader.exe
4208	powershell.exe
4208	powershell.exe
4208	powershell.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
2104	powershell.exe
2104	powershell.exe
2104	powershell.exe
348	powershell.exe
348	powershell.exe
348	powershell.exe
3484	powershell.exe
3484	powershell.exe
3484	powershell.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe
368	C11Setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3868	PageEditor.exe
Token: SeDebugPrivilege	368	C11Setup.exe
Token: SeDebugPrivilege	5104	GuiLoader.exe
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: 36	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	2844	wmic.exe
Token: SeSecurityPrivilege	2844	wmic.exe
Token: SeTakeOwnershipPrivilege	2844	wmic.exe
Token: SeLoadDriverPrivilege	2844	wmic.exe
Token: SeSystemProfilePrivilege	2844	wmic.exe
Token: SeSystemtimePrivilege	2844	wmic.exe
Token: SeProfSingleProcessPrivilege	2844	wmic.exe
Token: SeIncBasePriorityPrivilege	2844	wmic.exe
Token: SeCreatePagefilePrivilege	2844	wmic.exe
Token: SeBackupPrivilege	2844	wmic.exe
Token: SeRestorePrivilege	2844	wmic.exe
Token: SeShutdownPrivilege	2844	wmic.exe
Token: SeDebugPrivilege	2844	wmic.exe
Token: SeSystemEnvironmentPrivilege	2844	wmic.exe
Token: SeRemoteShutdownPrivilege	2844	wmic.exe
Token: SeUndockPrivilege	2844	wmic.exe
Token: SeManageVolumePrivilege	2844	wmic.exe
Token: 33	2844	wmic.exe
Token: 34	2844	wmic.exe
Token: 35	2844	wmic.exe
Token: 36	2844	wmic.exe
Token: SeIncreaseQuotaPrivilege	3868	PageEditor.exe
Token: SeSecurityPrivilege	3868	PageEditor.exe
Token: SeTakeOwnershipPrivilege	3868	PageEditor.exe
Token: SeLoadDriverPrivilege	3868	PageEditor.exe
Token: SeSystemProfilePrivilege	3868	PageEditor.exe
Token: SeSystemtimePrivilege	3868	PageEditor.exe
Token: SeProfSingleProcessPrivilege	3868	PageEditor.exe
Token: SeIncBasePriorityPrivilege	3868	PageEditor.exe
Token: SeCreatePagefilePrivilege	3868	PageEditor.exe
Token: SeBackupPrivilege	3868	PageEditor.exe
Token: SeRestorePrivilege	3868	PageEditor.exe
Token: SeShutdownPrivilege	3868	PageEditor.exe
Token: SeDebugPrivilege	3868	PageEditor.exe
Token: SeSystemEnvironmentPrivilege	3868	PageEditor.exe
Token: SeRemoteShutdownPrivilege	3868	PageEditor.exe
Token: SeUndockPrivilege	3868	PageEditor.exe
Token: SeManageVolumePrivilege	3868	PageEditor.exe
Token: 33	3868	PageEditor.exe
Token: 34	3868	PageEditor.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
368	C11Setup.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 932	3796	cmd.exe	100
PID 3796 wrote to memory of 932	3796	cmd.exe	100
PID 932 wrote to memory of 4976	932	cmd.exe	102
PID 932 wrote to memory of 4976	932	cmd.exe	102
PID 932 wrote to memory of 4204	932	cmd.exe	103
PID 932 wrote to memory of 4204	932	cmd.exe	103
PID 932 wrote to memory of 4512	932	cmd.exe	104
PID 932 wrote to memory of 4512	932	cmd.exe	104
PID 932 wrote to memory of 4304	932	cmd.exe	106
PID 932 wrote to memory of 4304	932	cmd.exe	106
PID 932 wrote to memory of 3672	932	cmd.exe	107
PID 932 wrote to memory of 3672	932	cmd.exe	107
PID 932 wrote to memory of 368	932	cmd.exe	108
PID 932 wrote to memory of 368	932	cmd.exe	108
PID 932 wrote to memory of 5104	932	cmd.exe	109
PID 932 wrote to memory of 5104	932	cmd.exe	109
PID 932 wrote to memory of 3868	932	cmd.exe	110
PID 932 wrote to memory of 3868	932	cmd.exe	110
PID 5104 wrote to memory of 2844	5104	GuiLoader.exe	111
PID 5104 wrote to memory of 2844	5104	GuiLoader.exe	111
PID 5104 wrote to memory of 4196	5104	GuiLoader.exe	116
PID 5104 wrote to memory of 4196	5104	GuiLoader.exe	116
PID 5104 wrote to memory of 4208	5104	GuiLoader.exe	118
PID 5104 wrote to memory of 4208	5104	GuiLoader.exe	118
PID 5104 wrote to memory of 952	5104	GuiLoader.exe	120
PID 5104 wrote to memory of 952	5104	GuiLoader.exe	120
PID 5104 wrote to memory of 2104	5104	GuiLoader.exe	122
PID 5104 wrote to memory of 2104	5104	GuiLoader.exe	122
PID 5104 wrote to memory of 348	5104	GuiLoader.exe	125
PID 5104 wrote to memory of 348	5104	GuiLoader.exe	125
PID 5104 wrote to memory of 2588	5104	GuiLoader.exe	127
PID 5104 wrote to memory of 2588	5104	GuiLoader.exe	127
PID 5104 wrote to memory of 2300	5104	GuiLoader.exe	129
PID 5104 wrote to memory of 2300	5104	GuiLoader.exe	129
PID 5104 wrote to memory of 2220	5104	GuiLoader.exe	131
PID 5104 wrote to memory of 2220	5104	GuiLoader.exe	131
PID 5104 wrote to memory of 3484	5104	GuiLoader.exe	133
PID 5104 wrote to memory of 3484	5104	GuiLoader.exe	133
PID 5104 wrote to memory of 4324	5104	GuiLoader.exe	135
PID 5104 wrote to memory of 4324	5104	GuiLoader.exe	135
PID 5104 wrote to memory of 2576	5104	GuiLoader.exe	137
PID 5104 wrote to memory of 2576	5104	GuiLoader.exe	137
PID 2576 wrote to memory of 1356	2576	cmd.exe	139
PID 2576 wrote to memory of 1356	2576	cmd.exe	139

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4196	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Start.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K IndependenciesInstallation.bat
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:4976
- - C:\Windows\system32\timeout.exe
    timeout /t 1
    3⤵
    - Delays execution with timeout.exe
    PID:4204
- - C:\Windows\system32\timeout.exe
    timeout /t 3
    3⤵
    - Delays execution with timeout.exe
    PID:4512
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\msgbox.vbs"
    3⤵
    PID:4304
- - C:\Windows\system32\timeout.exe
    timeout /t 4
    3⤵
    - Delays execution with timeout.exe
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\C11Setup.exe
    C11Setup.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:368
- - C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe
    GuiLoader.exe
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe"
      4⤵
      Views/modifies file attributes
      PID:4196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:348
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:2588
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2300
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:2220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3484
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4324
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\GuiLoader.exe" && pause
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\system32\PING.EXE
        
        ping localhost
        5⤵
        Runs ping.exe
        
        PID:1356
- - C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
    PageEditor.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
43475d20ed96d7c6627d7f7f5726a901

SHA1
2e1704dc14bcfe8bc0311e26cb48c3fb884407c4

SHA256
299720508b495a169d1cd56c6ab6d75a829c6b2edfd4a7816b4f581c0c8eae9a

SHA512
d9a05e8e473fc9bfb56b882d09772c99518675a7c99769f95df2466ae11ed3b62d01cb70e07db9bc51961c14fdc778efad3393213c0f08dff7bed9ea5b44623f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ble2cpf5.qnt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/348-88-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/348-90-0x000001937A8E0000-0x000001937A8F0000-memory.dmp

Filesize
64KB

Download
memory/348-89-0x000001937A8E0000-0x000001937A8F0000-memory.dmp

Filesize
64KB

Download
memory/348-92-0x000001937A8E0000-0x000001937A8F0000-memory.dmp

Filesize
64KB

Download
memory/348-94-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/368-91-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/368-8-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

Filesize
64KB

Download
memory/368-2-0x0000000000180000-0x00000000001C4000-memory.dmp

Filesize
272KB

Download
memory/368-3-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/368-96-0x000000001AFB0000-0x000000001AFC0000-memory.dmp

Filesize
64KB

Download
memory/952-44-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/952-30-0x000001DFAA170000-0x000001DFAA180000-memory.dmp

Filesize
64KB

Download
memory/952-31-0x000001DFAA170000-0x000001DFAA180000-memory.dmp

Filesize
64KB

Download
memory/952-42-0x000001DFAA170000-0x000001DFAA180000-memory.dmp

Filesize
64KB

Download
memory/952-29-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/2104-50-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/2104-77-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/2104-75-0x000001EE9A030000-0x000001EE9A040000-memory.dmp

Filesize
64KB

Download
memory/2104-52-0x000001EE9A030000-0x000001EE9A040000-memory.dmp

Filesize
64KB

Download
memory/2104-51-0x000001EE9A030000-0x000001EE9A040000-memory.dmp

Filesize
64KB

Download
memory/3484-113-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/3484-117-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/3484-114-0x0000023022AD0000-0x0000023022AE0000-memory.dmp

Filesize
64KB

Download
memory/3484-115-0x0000023022AD0000-0x0000023022AE0000-memory.dmp

Filesize
64KB

Download
memory/3868-6-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/3868-23-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/3868-1-0x0000000000FB0000-0x0000000000FC8000-memory.dmp

Filesize
96KB

Download
memory/4208-11-0x000002327DB10000-0x000002327DB20000-memory.dmp

Filesize
64KB

Download
memory/4208-10-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/4208-12-0x000002327DB10000-0x000002327DB20000-memory.dmp

Filesize
64KB

Download
memory/4208-13-0x000002327DA90000-0x000002327DAB2000-memory.dmp

Filesize
136KB

Download
memory/4208-27-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/4208-24-0x000002327DB10000-0x000002327DB20000-memory.dmp

Filesize
64KB

Download
memory/5104-95-0x0000020D9A2C0000-0x0000020D9A2D0000-memory.dmp

Filesize
64KB

Download
memory/5104-47-0x0000020DFF7C0000-0x0000020DFF836000-memory.dmp

Filesize
472KB

Download
memory/5104-98-0x0000020DFF740000-0x0000020DFF74A000-memory.dmp

Filesize
40KB

Download
memory/5104-99-0x0000020DFF7A0000-0x0000020DFF7B2000-memory.dmp

Filesize
72KB

Download
memory/5104-102-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/5104-0-0x0000020DFF3A0000-0x0000020DFF3E4000-memory.dmp

Filesize
272KB

Download
memory/5104-48-0x0000020DFF840000-0x0000020DFF890000-memory.dmp

Filesize
320KB

Download
memory/5104-49-0x0000020DFF760000-0x0000020DFF77E000-memory.dmp

Filesize
120KB

Download
memory/5104-9-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download
memory/5104-7-0x0000020D9A2C0000-0x0000020D9A2D0000-memory.dmp

Filesize
64KB

Download
memory/5104-122-0x00007FFFAE3B0000-0x00007FFFAEE71000-memory.dmp

Filesize
10.8MB

Download