asyncrat | cd98f4893c2034931017624abd750ff706fd80559500e1f5ddaca4103ab32d42

Analysis

max time kernel
119s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8670471253cd842fa0a0afe38749d6c0N.exe
Size

4.5MB
MD5

8670471253cd842fa0a0afe38749d6c0
SHA1

c9b2075a0984ceb3c961c2bb6534a606a0891ad9
SHA256

cd98f4893c2034931017624abd750ff706fd80559500e1f5ddaca4103ab32d42
SHA512

ea1d2bf2437c31331cb916526126f2607d634872f9c429d1faf15fba8fb361070c9c3268d0c6fdfd7623af01e8ef8aaeda88aaaf3c665cc3c4a973bba7da57aa
SSDEEP

98304:IlMjkLSPPtL5u2/ZRkKsRmdcCZIa3FM+1ajfSEJsWOV1w98gdpTmH+my:VYEPt1uwRWm3Ia3FM+1amEalc8SpTM+/

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

107.175.101.134:6606

107.175.101.134:7707

107.175.101.134:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
WinUpdate2.4.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2040	powershell.exe
4852	powershell.exe
3924	powershell.exe
540	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	8670471253cd842fa0a0afe38749d6c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	8670471253cd842fa0a0afe38749d6c0N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation	WinUpdate2.4.exe

Executes dropped EXE 2 IoCs

pid	Process
1708	WinUpdate2.4.exe
3840	WinUpdate2.4.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 1708 set thread context of 3840	1708	WinUpdate2.4.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1112	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
208	schtasks.exe
368	schtasks.exe
2888	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3100	8670471253cd842fa0a0afe38749d6c0N.exe
3100	8670471253cd842fa0a0afe38749d6c0N.exe
2040	powershell.exe
4852	powershell.exe
3100	8670471253cd842fa0a0afe38749d6c0N.exe
2040	powershell.exe
4852	powershell.exe
3100	8670471253cd842fa0a0afe38749d6c0N.exe
3100	8670471253cd842fa0a0afe38749d6c0N.exe
3100	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
740	8670471253cd842fa0a0afe38749d6c0N.exe
1708	WinUpdate2.4.exe
1708	WinUpdate2.4.exe
3924	powershell.exe
540	powershell.exe
1708	WinUpdate2.4.exe
3924	powershell.exe
540	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	8670471253cd842fa0a0afe38749d6c0N.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	4852	powershell.exe
Token: SeDebugPrivilege	740	8670471253cd842fa0a0afe38749d6c0N.exe
Token: SeDebugPrivilege	1708	WinUpdate2.4.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	3924	powershell.exe
Token: SeDebugPrivilege	3840	WinUpdate2.4.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 2040	3100	8670471253cd842fa0a0afe38749d6c0N.exe	86
PID 3100 wrote to memory of 2040	3100	8670471253cd842fa0a0afe38749d6c0N.exe	86
PID 3100 wrote to memory of 2040	3100	8670471253cd842fa0a0afe38749d6c0N.exe	86
PID 3100 wrote to memory of 4852	3100	8670471253cd842fa0a0afe38749d6c0N.exe	88
PID 3100 wrote to memory of 4852	3100	8670471253cd842fa0a0afe38749d6c0N.exe	88
PID 3100 wrote to memory of 4852	3100	8670471253cd842fa0a0afe38749d6c0N.exe	88
PID 3100 wrote to memory of 208	3100	8670471253cd842fa0a0afe38749d6c0N.exe	90
PID 3100 wrote to memory of 208	3100	8670471253cd842fa0a0afe38749d6c0N.exe	90
PID 3100 wrote to memory of 208	3100	8670471253cd842fa0a0afe38749d6c0N.exe	90
PID 3100 wrote to memory of 5096	3100	8670471253cd842fa0a0afe38749d6c0N.exe	92
PID 3100 wrote to memory of 5096	3100	8670471253cd842fa0a0afe38749d6c0N.exe	92
PID 3100 wrote to memory of 5096	3100	8670471253cd842fa0a0afe38749d6c0N.exe	92
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 3100 wrote to memory of 740	3100	8670471253cd842fa0a0afe38749d6c0N.exe	93
PID 740 wrote to memory of 4580	740	8670471253cd842fa0a0afe38749d6c0N.exe	94
PID 740 wrote to memory of 4580	740	8670471253cd842fa0a0afe38749d6c0N.exe	94
PID 740 wrote to memory of 4580	740	8670471253cd842fa0a0afe38749d6c0N.exe	94
PID 740 wrote to memory of 4264	740	8670471253cd842fa0a0afe38749d6c0N.exe	95
PID 740 wrote to memory of 4264	740	8670471253cd842fa0a0afe38749d6c0N.exe	95
PID 740 wrote to memory of 4264	740	8670471253cd842fa0a0afe38749d6c0N.exe	95
PID 4264 wrote to memory of 1112	4264	cmd.exe	98
PID 4264 wrote to memory of 1112	4264	cmd.exe	98
PID 4264 wrote to memory of 1112	4264	cmd.exe	98
PID 4580 wrote to memory of 368	4580	cmd.exe	99
PID 4580 wrote to memory of 368	4580	cmd.exe	99
PID 4580 wrote to memory of 368	4580	cmd.exe	99
PID 4264 wrote to memory of 1708	4264	cmd.exe	100
PID 4264 wrote to memory of 1708	4264	cmd.exe	100
PID 4264 wrote to memory of 1708	4264	cmd.exe	100
PID 1708 wrote to memory of 3924	1708	WinUpdate2.4.exe	103
PID 1708 wrote to memory of 3924	1708	WinUpdate2.4.exe	103
PID 1708 wrote to memory of 3924	1708	WinUpdate2.4.exe	103
PID 1708 wrote to memory of 540	1708	WinUpdate2.4.exe	105
PID 1708 wrote to memory of 540	1708	WinUpdate2.4.exe	105
PID 1708 wrote to memory of 540	1708	WinUpdate2.4.exe	105
PID 1708 wrote to memory of 2888	1708	WinUpdate2.4.exe	106
PID 1708 wrote to memory of 2888	1708	WinUpdate2.4.exe	106
PID 1708 wrote to memory of 2888	1708	WinUpdate2.4.exe	106
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109
PID 1708 wrote to memory of 3840	1708	WinUpdate2.4.exe	109

C:\Users\Admin\AppData\Local\Temp\8670471253cd842fa0a0afe38749d6c0N.exe
"C:\Users\Admin\AppData\Local\Temp\8670471253cd842fa0a0afe38749d6c0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8670471253cd842fa0a0afe38749d6c0N.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QjLDjouxSOu.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4852
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QjLDjouxSOu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE2B.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:208
- C:\Users\Admin\AppData\Local\Temp\8670471253cd842fa0a0afe38749d6c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8670471253cd842fa0a0afe38749d6c0N.exe"
  2⤵
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\8670471253cd842fa0a0afe38749d6c0N.exe
  "C:\Users\Admin\AppData\Local\Temp\8670471253cd842fa0a0afe38749d6c0N.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate2.4" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WinUpdate2.4" /tr '"C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF6A4.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1112
  - - C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe
      "C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QjLDjouxSOu.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QjLDjouxSOu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3CA6.tmp"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2888
    - - C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe
        
        "C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8670471253cd842fa0a0afe38749d6c0N.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2a227cc5e5c622fbbed76cd624d5454d

SHA1
9f00ce0b040611937efe35cf4ce89a7d5255b156

SHA256
8f50486444c99bd96743b513d92952af4621d76286193cc8cca3d7d8217b1604

SHA512
c6367e8a03a85ea3a92d3c51750754b2b63812134b184aabd15811e600f10f77021c126fafd1335616f14502f711c600982c4079a30600a3ad071bde2ef9f11a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8545063fdfa9f86c4b7a516630dd0198

SHA1
585268d7d75c7ee7080eee4b55cda0bf62cb8d96

SHA256
ef91417853f1933ea98328b46a6000e2531e1cb4f9737905e497015dc3419ee8

SHA512
efb137537191061cdafb0b9f82fee852a07b69d4bd0fcb5f8baf92f8de76dbb12064748e2e2348bc31f30acfe022102d7c8e261390e49e19eadf186b93dfe847

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iflpze0u.nxr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE2B.tmp

Filesize
1KB

MD5
4af5f4bcb5a98c13888fdcde757be2f1

SHA1
e8f52b658b3da5117b4b181779b7c6ff204758a4

SHA256
80b166a98cebc3951bd417854cf9ebe46c1f97ca024b2bd4470e2b2e714732c4

SHA512
714a8855c37f52d5dae734b9f55750bc424fc72eaca59a9a7241f55655ce802795a57ba96b1e25d92dc3a4f814d2621a8973d7827605191510dfbb68469ac624

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6A4.tmp.bat

Filesize
156B

MD5
ee40851488829e78b066fe17b1a760f8

SHA1
2e3feaf16de6c34c2176ed108b79645c4b16625b

SHA256
fadc453fb3a422594a5e6159de60eb2bcf2b1b1a9660f5f087c39ab4dcd4439f

SHA512
886ab6ce56e53b2247f25f8319ccad01535571c3ff1fd0addb8d1a7a2bef6793db512d51efb57746dfdad9cae3e3b88fa525c2afa79e5cce255e8fd7a8687146

Download Submit
C:\Users\Admin\AppData\Roaming\WinUpdate2.4.exe

Filesize
4.5MB

MD5
8670471253cd842fa0a0afe38749d6c0

SHA1
c9b2075a0984ceb3c961c2bb6534a606a0891ad9

SHA256
cd98f4893c2034931017624abd750ff706fd80559500e1f5ddaca4103ab32d42

SHA512
ea1d2bf2437c31331cb916526126f2607d634872f9c429d1faf15fba8fb361070c9c3268d0c6fdfd7623af01e8ef8aaeda88aaaf3c665cc3c4a973bba7da57aa

Download Submit
memory/540-132-0x0000000075390000-0x00000000753DC000-memory.dmp

Filesize
304KB

Download
memory/540-121-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/740-46-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2040-85-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2040-75-0x0000000007900000-0x000000000791A000-memory.dmp

Filesize
104KB

Download
memory/2040-17-0x0000000005850000-0x0000000005E78000-memory.dmp

Filesize
6.2MB

Download
memory/2040-18-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2040-19-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2040-81-0x0000000007C40000-0x0000000007C5A000-memory.dmp

Filesize
104KB

Download
memory/2040-78-0x0000000007B00000-0x0000000007B11000-memory.dmp

Filesize
68KB

Download
memory/2040-15-0x0000000002CA0000-0x0000000002CD6000-memory.dmp

Filesize
216KB

Download
memory/2040-77-0x0000000007B80000-0x0000000007C16000-memory.dmp

Filesize
600KB

Download
memory/2040-24-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/2040-74-0x0000000007F40000-0x00000000085BA000-memory.dmp

Filesize
6.5MB

Download
memory/2040-26-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/2040-25-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/2040-32-0x0000000005FB0000-0x0000000006304000-memory.dmp

Filesize
3.3MB

Download
memory/2040-16-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2040-48-0x0000000006860000-0x00000000068AC000-memory.dmp

Filesize
304KB

Download
memory/2040-47-0x00000000065B0000-0x00000000065CE000-memory.dmp

Filesize
120KB

Download
memory/2040-63-0x000000006FAA0000-0x000000006FAEC000-memory.dmp

Filesize
304KB

Download
memory/3100-4-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/3100-3-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/3100-0-0x0000000074ABE000-0x0000000074ABF000-memory.dmp

Filesize
4KB

Download
memory/3100-50-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/3100-1-0x0000000000BD0000-0x000000000105E000-memory.dmp

Filesize
4.6MB

Download
memory/3100-9-0x0000000006500000-0x00000000068D0000-memory.dmp

Filesize
3.8MB

Download
memory/3100-10-0x0000000006E10000-0x0000000006EAC000-memory.dmp

Filesize
624KB

Download
memory/3100-6-0x00000000095B0000-0x000000000999E000-memory.dmp

Filesize
3.9MB

Download
memory/3100-5-0x0000000003310000-0x000000000331A000-memory.dmp

Filesize
40KB

Download
memory/3100-7-0x0000000005DA0000-0x0000000005DB0000-memory.dmp

Filesize
64KB

Download
memory/3100-2-0x0000000005F50000-0x00000000064F4000-memory.dmp

Filesize
5.6MB

Download
memory/3100-8-0x0000000005F10000-0x0000000005F1E000-memory.dmp

Filesize
56KB

Download
memory/3924-122-0x0000000075390000-0x00000000753DC000-memory.dmp

Filesize
304KB

Download
memory/3924-142-0x0000000006F90000-0x0000000007033000-memory.dmp

Filesize
652KB

Download
memory/3924-107-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/3924-143-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/3924-144-0x0000000007300000-0x0000000007314000-memory.dmp

Filesize
80KB

Download
memory/4852-22-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4852-80-0x0000000007660000-0x0000000007674000-memory.dmp

Filesize
80KB

Download
memory/4852-62-0x0000000006630000-0x000000000664E000-memory.dmp

Filesize
120KB

Download
memory/4852-69-0x0000000007120000-0x00000000071C3000-memory.dmp

Filesize
652KB

Download
memory/4852-51-0x00000000070E0000-0x0000000007112000-memory.dmp

Filesize
200KB

Download
memory/4852-82-0x0000000007740000-0x0000000007748000-memory.dmp

Filesize
32KB

Download
memory/4852-20-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4852-79-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/4852-21-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/4852-52-0x000000006FAA0000-0x000000006FAEC000-memory.dmp

Filesize
304KB

Download
memory/4852-76-0x0000000007490000-0x000000000749A000-memory.dmp

Filesize
40KB

Download
memory/4852-86-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download