asyncrat | 1d7c22396b5d7fd7e169f2a676d6d934ac8b957e9cab956d3d51ce09460392a3

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-2411210684CAV.XLS.js
Size

5.8MB
MD5

0e9a4efd656e8f726c99639a15b46afa
SHA1

83c3929d2d526e96b6eab13dbeca60511720ccac
SHA256

17c8a2339fd77b428d7802f12bb967d6bef393b0c16da336126506c8f83c750e
SHA512

a67d35216768dea1aeac8519861879814abcded338a9368e1a53ac6dcb0788e81ca3bef3dd9258e3a02fd52297cbc8558f7801c62e65b1fd1578c80b46365f83
SSDEEP

49152:fyW+X3Bcfv+0oelkeQ74+Tey2Gxj7ReW+q4HXZhCrtwzXltdHRe:8

Score

10^/10

asyncrat wshrat default-nov-24 discovery execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default-NOV-24

chongmei33.publicvm.com:2703

chongmei33.publicvm.com:7031

jinvestments.duckdns.org:2703

jinvestments.duckdns.org:7031

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
Windows Update.exe
install_folder
%AppData%

aes.plain

Extracted

Family

wshrat

http://chongmei33.publicvm.com:7044

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
Wshrat family
wshrat

Blocklisted process makes network request 25 IoCs

flow	pid	Process
5	4476	wscript.exe
18	4476	wscript.exe
21	4476	wscript.exe
28	4476	wscript.exe
30	4476	wscript.exe
37	4476	wscript.exe
42	4476	wscript.exe
49	4476	wscript.exe
51	4476	wscript.exe
52	4476	wscript.exe
53	4476	wscript.exe
57	4476	wscript.exe
58	4476	wscript.exe
62	4476	wscript.exe
63	4476	wscript.exe
67	4476	wscript.exe
68	4476	wscript.exe
69	4476	wscript.exe
70	4476	wscript.exe
71	4476	wscript.exe
72	4476	wscript.exe
73	4476	wscript.exe
74	4476	wscript.exe
75	4476	wscript.exe
76	4476	wscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1264	powershell.exe
4848	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	CZQi.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\word.js	wscript.exe

Executes dropped EXE 4 IoCs

pid	Process
4568	CZQi.exe
2292	CZQi.exe
3060	CZQi.exe
3400	CZQi.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\word = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\word.js\""	wscript.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4568 set thread context of 3400	4568	CZQi.exe	104

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CZQi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CZQi.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3300	schtasks.exe

Script User-Agent 25 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	71	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	72	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	57	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	58	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	62	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	67	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	69	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	70	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	74	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	75	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	5	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	28	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	30	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	52	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	63	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	73	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	49	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	68	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	76	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	18	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	21	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	37	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	42	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	51	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript
HTTP User-Agent header	53	WSHRAT\|3601BB45\|GYHASOLS\|Admin\|Microsoft Windows 10 Pro\|plus\|nan-av\|false - 21/11/2024\|JavaScript

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4568	CZQi.exe
4568	CZQi.exe
4568	CZQi.exe
4568	CZQi.exe
4568	CZQi.exe
4568	CZQi.exe
1264	powershell.exe
4848	powershell.exe
4568	CZQi.exe
4568	CZQi.exe
4568	CZQi.exe
4568	CZQi.exe
4568	CZQi.exe
1264	powershell.exe
4848	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	CZQi.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	3400	CZQi.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 64	2600	wscript.exe	84
PID 2600 wrote to memory of 64	2600	wscript.exe	84
PID 2600 wrote to memory of 4372	2600	wscript.exe	85
PID 2600 wrote to memory of 4372	2600	wscript.exe	85
PID 64 wrote to memory of 4568	64	WScript.exe	86
PID 64 wrote to memory of 4568	64	WScript.exe	86
PID 64 wrote to memory of 4568	64	WScript.exe	86
PID 4372 wrote to memory of 4476	4372	WScript.exe	87
PID 4372 wrote to memory of 4476	4372	WScript.exe	87
PID 4568 wrote to memory of 1264	4568	CZQi.exe	96
PID 4568 wrote to memory of 1264	4568	CZQi.exe	96
PID 4568 wrote to memory of 1264	4568	CZQi.exe	96
PID 4568 wrote to memory of 4848	4568	CZQi.exe	98
PID 4568 wrote to memory of 4848	4568	CZQi.exe	98
PID 4568 wrote to memory of 4848	4568	CZQi.exe	98
PID 4568 wrote to memory of 3300	4568	CZQi.exe	100
PID 4568 wrote to memory of 3300	4568	CZQi.exe	100
PID 4568 wrote to memory of 3300	4568	CZQi.exe	100
PID 4568 wrote to memory of 2292	4568	CZQi.exe	102
PID 4568 wrote to memory of 2292	4568	CZQi.exe	102
PID 4568 wrote to memory of 2292	4568	CZQi.exe	102
PID 4568 wrote to memory of 3060	4568	CZQi.exe	103
PID 4568 wrote to memory of 3060	4568	CZQi.exe	103
PID 4568 wrote to memory of 3060	4568	CZQi.exe	103
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104
PID 4568 wrote to memory of 3400	4568	CZQi.exe	104

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-2411210684CAV.XLS.js
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adobe.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\CZQi.exe
    "C:\Users\Admin\AppData\Local\Temp\CZQi.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\CZQi.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1264
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qQwuocCgNPPLU.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4848
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qQwuocCgNPPLU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DC0.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3300
  - - C:\Users\Admin\AppData\Local\Temp\CZQi.exe
      "C:\Users\Admin\AppData\Local\Temp\CZQi.exe"
      4⤵
      Executes dropped EXE
      PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\CZQi.exe
      "C:\Users\Admin\AppData\Local\Temp\CZQi.exe"
      4⤵
      Executes dropped EXE
      PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\CZQi.exe
      "C:\Users\Admin\AppData\Local\Temp\CZQi.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3400
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\word.js"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\word.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:4476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CZQi.exe

Filesize
429KB

MD5
3fd6653902c9fe6829c2ff418415bd5c

SHA1
10db3132f7ecc3cb40c6b2d9ed7752212321d43b

SHA256
ef08c45261e6f6007826942a2b772217d0318d89ba9ca9674ae9f5a3e514d6ae

SHA512
9c4992514491e94ebf95e40639fd0044af28bc2974edd00ed954fef4b46a02cf22dc0700d61e82cf75aa4b4206bb8ea86f23ce10433dd15cb6e4ea701bea60b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duzdbrkd.kon.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobe.js

Filesize
595KB

MD5
ce87d990a20f13f79269cb9801a2b09a

SHA1
11ddbe5f5dfc13ee9a7052937504475ce61d3132

SHA256
8844902f3cbcc50fceb46c6d0006ec59e728abbe63ca732e185fa57e37f337bf

SHA512
b1431ea7b6220c82e085883e0c479408b9e1c09378e79a43cb8c7a5edc41dd79724c77a2b16f0fb8e7f934e5d788b2e571490ec0f09f9771cd52a7b04ce9163a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DC0.tmp

Filesize
1KB

MD5
3602fc54fd5b62aad1f4db8301272961

SHA1
4b3274c8332ab311f2719c91860799ecc2892745

SHA256
c5e0ee2bf242aeb058a67c00f8734062cfd50792f9a1b1428c7e99dc29e73a1a

SHA512
8aaa806388c936ce8a2524691b61d452afc073204dd82fac3a57ac2c5a3fff583fe20297cad9e7034904f3e6743362fecebfd8fe875c53df42784ea8e1ee69fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\word.js

Filesize
283KB

MD5
805074ef02a61e38a12780b74148345e

SHA1
d9c8120e315b8792902f213081403e7a627cd194

SHA256
ae62fbf751ed2dd1cb21ee7bcf2005664f5d1302c9f98b504425444f85f4ee75

SHA512
dcd95db5b8cc631a7d2686cdc4440c0e4ee6f1cfc5eb69b38915aca80cc5b6d5e5289cf3d2a13a2743528100bce18926c24631d616c5cb513dd14dc3e87f13cc

Download Submit
memory/1264-41-0x0000000004850000-0x0000000004886000-memory.dmp

Filesize
216KB

Download
memory/1264-98-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/1264-85-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/1264-97-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/1264-74-0x00000000063D0000-0x0000000006402000-memory.dmp

Filesize
200KB

Download
memory/1264-73-0x0000000005E90000-0x0000000005EDC000-memory.dmp

Filesize
304KB

Download
memory/1264-42-0x0000000004FB0000-0x00000000055D8000-memory.dmp

Filesize
6.2MB

Download
memory/1264-86-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/1264-45-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/1264-46-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/1264-47-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/1264-72-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/1264-99-0x0000000007190000-0x000000000719A000-memory.dmp

Filesize
40KB

Download
memory/1264-75-0x0000000075150000-0x000000007519C000-memory.dmp

Filesize
304KB

Download
memory/3400-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4568-31-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

Filesize
72KB

Download
memory/4568-26-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/4568-34-0x0000000007230000-0x0000000007286000-memory.dmp

Filesize
344KB

Download
memory/4568-29-0x0000000005C30000-0x0000000005CCC000-memory.dmp

Filesize
624KB

Download
memory/4568-25-0x0000000000E30000-0x0000000000EA2000-memory.dmp

Filesize
456KB

Download
memory/4568-28-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/4568-27-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/4848-87-0x0000000075150000-0x000000007519C000-memory.dmp

Filesize
304KB

Download
memory/4848-44-0x0000000005580000-0x00000000055A2000-memory.dmp

Filesize
136KB

Download
memory/4848-100-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/4848-101-0x0000000007B70000-0x0000000007B81000-memory.dmp

Filesize
68KB

Download
memory/4848-103-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/4848-104-0x0000000007BB0000-0x0000000007BC4000-memory.dmp

Filesize
80KB

Download
memory/4848-105-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/4848-106-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download