asyncrat | fc1ad8d1483f0b1c94b55be7b7587b86485022ca4e62e6fb0c06e392dfaeecd2

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C11Bootstrapper/Properties/PageEditor.exe
Size

74KB
MD5

71887b035c3be525364fccc5281bd451
SHA1

4a6ae558ee5a81b8282f44ffb270b82188431c79
SHA256

ff6f8d1b16defe87d9f6b1c39e3864ed35b965728f6f58629ae0eae70ee88e1b
SHA512

ab61935aaf3e08f369a2fbdea2fee45b0e964c962f4a54b79ed0d4d94f483a331020148dc012991133f08c4a51d53ebb5ea9ea05561197f95e61723156978cb6
SSDEEP

1536:rUokcx5v/5CxSPMV7jCBevPIaH1b8/x4YqGQzcx8VclN:rUlcx5vx2SPMV3CCrH1b875Q0+Y

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

tazbtpfpfzpxti

Attributes

delay
1
install
true
install_file
PageEditor.exe
install_folder
%Temp%
pastebin_config
https://pastebin.com/raw/xZqBe1fC

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ed2fd579c92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e1604599c92da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000079f1a589c92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f3e510589c92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099ea94579c92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb9e0d599c92da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b835b4599c92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003cf0de579c92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1232	PageEditor.exe
Token: SeIncreaseQuotaPrivilege	1232	PageEditor.exe
Token: SeSecurityPrivilege	1232	PageEditor.exe
Token: SeTakeOwnershipPrivilege	1232	PageEditor.exe
Token: SeLoadDriverPrivilege	1232	PageEditor.exe
Token: SeSystemProfilePrivilege	1232	PageEditor.exe
Token: SeSystemtimePrivilege	1232	PageEditor.exe
Token: SeProfSingleProcessPrivilege	1232	PageEditor.exe
Token: SeIncBasePriorityPrivilege	1232	PageEditor.exe
Token: SeCreatePagefilePrivilege	1232	PageEditor.exe
Token: SeBackupPrivilege	1232	PageEditor.exe
Token: SeRestorePrivilege	1232	PageEditor.exe
Token: SeShutdownPrivilege	1232	PageEditor.exe
Token: SeDebugPrivilege	1232	PageEditor.exe
Token: SeSystemEnvironmentPrivilege	1232	PageEditor.exe
Token: SeRemoteShutdownPrivilege	1232	PageEditor.exe
Token: SeUndockPrivilege	1232	PageEditor.exe
Token: SeManageVolumePrivilege	1232	PageEditor.exe
Token: 33	1232	PageEditor.exe
Token: 34	1232	PageEditor.exe
Token: 35	1232	PageEditor.exe
Token: 36	1232	PageEditor.exe
Token: SeIncreaseQuotaPrivilege	1232	PageEditor.exe
Token: SeSecurityPrivilege	1232	PageEditor.exe
Token: SeTakeOwnershipPrivilege	1232	PageEditor.exe
Token: SeLoadDriverPrivilege	1232	PageEditor.exe
Token: SeSystemProfilePrivilege	1232	PageEditor.exe
Token: SeSystemtimePrivilege	1232	PageEditor.exe
Token: SeProfSingleProcessPrivilege	1232	PageEditor.exe
Token: SeIncBasePriorityPrivilege	1232	PageEditor.exe
Token: SeCreatePagefilePrivilege	1232	PageEditor.exe
Token: SeBackupPrivilege	1232	PageEditor.exe
Token: SeRestorePrivilege	1232	PageEditor.exe
Token: SeShutdownPrivilege	1232	PageEditor.exe
Token: SeDebugPrivilege	1232	PageEditor.exe
Token: SeSystemEnvironmentPrivilege	1232	PageEditor.exe
Token: SeRemoteShutdownPrivilege	1232	PageEditor.exe
Token: SeUndockPrivilege	1232	PageEditor.exe
Token: SeManageVolumePrivilege	1232	PageEditor.exe
Token: 33	1232	PageEditor.exe
Token: 34	1232	PageEditor.exe
Token: 35	1232	PageEditor.exe
Token: 36	1232	PageEditor.exe
Token: 33	3896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3896	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3896 wrote to memory of 3424	3896	SearchIndexer.exe	125
PID 3896 wrote to memory of 3424	3896	SearchIndexer.exe	125
PID 3896 wrote to memory of 1976	3896	SearchIndexer.exe	126
PID 3896 wrote to memory of 1976	3896	SearchIndexer.exe	126

C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe
"C:\Users\Admin\AppData\Local\Temp\C11Bootstrapper\Properties\PageEditor.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3896
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 760 8192 816 792
  2⤵
  - Modifies data under HKEY_USERS
  PID:1976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-0-0x0000000000FC0000-0x0000000000FD8000-memory.dmp

Filesize
96KB

Download
memory/1232-2-0x00007FFE7C450000-0x00007FFE7CF11000-memory.dmp

Filesize
10.8MB

Download
memory/1232-3-0x000000001BDF0000-0x000000001BE00000-memory.dmp

Filesize
64KB

Download
memory/1232-4-0x00007FFE7C450000-0x00007FFE7CF11000-memory.dmp

Filesize
10.8MB

Download
memory/1976-43-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-44-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-45-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-46-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-47-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-50-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-49-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-48-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-51-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-52-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-54-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-57-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-56-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-59-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-61-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-60-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-58-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-55-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-53-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-62-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-63-0x000001DD7ED70000-0x000001DD7ED80000-memory.dmp

Filesize
64KB

Download
memory/1976-64-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-65-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-66-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-69-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-68-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-67-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-70-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-71-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-73-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-74-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-75-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-77-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-80-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-79-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-78-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-85-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-87-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-86-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-76-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-92-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-103-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-105-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-104-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-107-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-113-0x000001DD7ED40000-0x000001DD7ED50000-memory.dmp

Filesize
64KB

Download
memory/1976-114-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-115-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-125-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-126-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-127-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-129-0x000001DD7ED70000-0x000001DD7ED80000-memory.dmp

Filesize
64KB

Download
memory/1976-130-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-132-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-133-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-137-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-141-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-142-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-143-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-146-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-154-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-156-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-157-0x000001DD7F180000-0x000001DD7F190000-memory.dmp

Filesize
64KB

Download
memory/1976-158-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-161-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-162-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-163-0x000001DD7F180000-0x000001DD7F190000-memory.dmp

Filesize
64KB

Download
memory/1976-168-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-169-0x000001DD7EEC0000-0x000001DD7EED0000-memory.dmp

Filesize
64KB

Download
memory/1976-170-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-171-0x000001DD7F180000-0x000001DD7F190000-memory.dmp

Filesize
64KB

Download
memory/1976-178-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-184-0x000001DD7ED30000-0x000001DD7ED40000-memory.dmp

Filesize
64KB

Download
memory/1976-183-0x000001DD7F180000-0x000001DD7F190000-memory.dmp

Filesize
64KB

Download
memory/1976-186-0x000001DD7F180000-0x000001DD7F190000-memory.dmp

Filesize
64KB

Download
memory/3896-5-0x0000020A6D960000-0x0000020A6D970000-memory.dmp

Filesize
64KB

Download
memory/3896-21-0x0000020A6DB90000-0x0000020A6DBA0000-memory.dmp

Filesize
64KB

Download
memory/3896-37-0x0000020A71F50000-0x0000020A71F58000-memory.dmp

Filesize
32KB

Download
memory/3896-41-0x0000020A728C0000-0x0000020A728C8000-memory.dmp

Filesize
32KB

Download