asyncrat | 7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1

Analysis

max time kernel
140s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PureRcsAdvTokenGrabbernls..scr
Size

3.0MB
MD5

29ee9836013142f0f63c6813944c7021
SHA1

90781c0a4d3fe85d1582eb1ca4c5aa910ee85b78
SHA256

7382071535d0b83a8ee62e72c29e8f42d433b29238c4c86cfba7c4de4d6ad6b1
SHA512

482d95357c48dbe380b90980a626fc04446de10e83e31dfbe850de94942091b86f01b83c2efe4517b887b8c288b0689e64809f5ad174deca759eeb9594d2e47e
SSDEEP

49152:oXWsTEkwghTKv4jysGUqgCoOtt1JKLBuhFapNyPn7MU4HcOL:oXFEkwghTKv4jysGUqgCxttiBmas7+8

Score

10^/10

asyncrat expoler google chrome metamask windows defender discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

MetaMask

51.103.217.70:6677

Mutex

MetaMask

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Google Chrome

51.103.217.70:8585

Mutex

Google Chrome

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Windows Defender

51.103.217.70:8585

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Expoler

51.103.217.70:6677

Mutex

Expoler

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	EDGE.EXE

Executes dropped EXE 6 IoCs

pid	Process
2604	EDGE.EXE
1708	GOOGLE CHROME.EXE
2168	METAMASK.EXE
584	RUNING.EXE
2812	EDGE.EXE
2952	EDGE.EXE

Loads dropped DLL 6 IoCs

pid	Process
2240	PureRcsAdvTokenGrabbernls..scr
2240	PureRcsAdvTokenGrabbernls..scr
2240	PureRcsAdvTokenGrabbernls..scr
2240	PureRcsAdvTokenGrabbernls..scr
2604	EDGE.EXE
2604	EDGE.EXE

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MetaMask = "C:\\Users\\Admin\\AppData\\Roaming\\MetaMask\\MetaMask.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Chrome = "C:\\Users\\Admin\\AppData\\Roaming\\Google Chrome\\Google Chrome.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runing = "C:\\Users\\Admin\\AppData\\Roaming\\Runing\\Runing.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2512	powershell.exe
1264	powershell.exe
2932	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2604 set thread context of 2952	2604	EDGE.EXE	37
PID 2168 set thread context of 2680	2168	METAMASK.EXE	40
PID 584 set thread context of 2696	584	RUNING.EXE	42
PID 1708 set thread context of 2688	1708	GOOGLE CHROME.EXE	41
PID 2696 set thread context of 1764	2696	RegAsm.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RUNING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDGE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GOOGLE CHROME.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	METAMASK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDGE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PureRcsAdvTokenGrabbernls..scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
584	RUNING.EXE
1708	GOOGLE CHROME.EXE
2168	METAMASK.EXE
584	RUNING.EXE
2168	METAMASK.EXE
2168	METAMASK.EXE
584	RUNING.EXE
1708	GOOGLE CHROME.EXE
1708	GOOGLE CHROME.EXE
2604	EDGE.EXE
2604	EDGE.EXE
2512	powershell.exe
1264	powershell.exe
2932	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	584	RUNING.EXE
Token: SeDebugPrivilege	2168	METAMASK.EXE
Token: SeDebugPrivilege	1708	GOOGLE CHROME.EXE
Token: SeDebugPrivilege	2604	EDGE.EXE
Token: SeDebugPrivilege	2696	RegAsm.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2604	2240	PureRcsAdvTokenGrabbernls..scr	30
PID 2240 wrote to memory of 2604	2240	PureRcsAdvTokenGrabbernls..scr	30
PID 2240 wrote to memory of 2604	2240	PureRcsAdvTokenGrabbernls..scr	30
PID 2240 wrote to memory of 2604	2240	PureRcsAdvTokenGrabbernls..scr	30
PID 2240 wrote to memory of 1708	2240	PureRcsAdvTokenGrabbernls..scr	31
PID 2240 wrote to memory of 1708	2240	PureRcsAdvTokenGrabbernls..scr	31
PID 2240 wrote to memory of 1708	2240	PureRcsAdvTokenGrabbernls..scr	31
PID 2240 wrote to memory of 1708	2240	PureRcsAdvTokenGrabbernls..scr	31
PID 2240 wrote to memory of 2168	2240	PureRcsAdvTokenGrabbernls..scr	32
PID 2240 wrote to memory of 2168	2240	PureRcsAdvTokenGrabbernls..scr	32
PID 2240 wrote to memory of 2168	2240	PureRcsAdvTokenGrabbernls..scr	32
PID 2240 wrote to memory of 2168	2240	PureRcsAdvTokenGrabbernls..scr	32
PID 2240 wrote to memory of 584	2240	PureRcsAdvTokenGrabbernls..scr	33
PID 2240 wrote to memory of 584	2240	PureRcsAdvTokenGrabbernls..scr	33
PID 2240 wrote to memory of 584	2240	PureRcsAdvTokenGrabbernls..scr	33
PID 2240 wrote to memory of 584	2240	PureRcsAdvTokenGrabbernls..scr	33
PID 2604 wrote to memory of 2812	2604	EDGE.EXE	34
PID 2604 wrote to memory of 2812	2604	EDGE.EXE	34
PID 2604 wrote to memory of 2812	2604	EDGE.EXE	34
PID 2604 wrote to memory of 2812	2604	EDGE.EXE	34
PID 2168 wrote to memory of 2512	2168	METAMASK.EXE	35
PID 2168 wrote to memory of 2512	2168	METAMASK.EXE	35
PID 2168 wrote to memory of 2512	2168	METAMASK.EXE	35
PID 2168 wrote to memory of 2512	2168	METAMASK.EXE	35
PID 1708 wrote to memory of 2932	1708	GOOGLE CHROME.EXE	36
PID 1708 wrote to memory of 2932	1708	GOOGLE CHROME.EXE	36
PID 1708 wrote to memory of 2932	1708	GOOGLE CHROME.EXE	36
PID 1708 wrote to memory of 2932	1708	GOOGLE CHROME.EXE	36
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 2604 wrote to memory of 2952	2604	EDGE.EXE	37
PID 584 wrote to memory of 1264	584	RUNING.EXE	38
PID 584 wrote to memory of 1264	584	RUNING.EXE	38
PID 584 wrote to memory of 1264	584	RUNING.EXE	38
PID 584 wrote to memory of 1264	584	RUNING.EXE	38
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40
PID 584 wrote to memory of 2696	584	RUNING.EXE	42
PID 2168 wrote to memory of 2680	2168	METAMASK.EXE	40

C:\Users\Admin\AppData\Local\Temp\PureRcsAdvTokenGrabbernls..scr
"C:\Users\Admin\AppData\Local\Temp\PureRcsAdvTokenGrabbernls..scr" /S
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
  "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
    "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\EDGE.EXE
    "C:\Users\Admin\AppData\Local\Temp\EDGE.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE
  "C:\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Google Chrome' -Value '"C:\Users\Admin\AppData\Roaming\Google Chrome\Google Chrome.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688
- C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE
  "C:\Users\Admin\AppData\Local\Temp\METAMASK.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MetaMask' -Value '"C:\Users\Admin\AppData\Roaming\MetaMask\MetaMask.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\RUNING.EXE
  "C:\Users\Admin\AppData\Local\Temp\RUNING.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Runing' -Value '"C:\Users\Admin\AppData\Roaming\Runing\Runing.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    #cmd
    3⤵
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
eb867da4fd2e691aba1a5e469f7731a3

SHA1
d19efd624104363491e10d8089ee2caae0a47869

SHA256
ebb3de95f0a8a2cc1b58efe9093ac33de693266b3ec9fe7d5a85212dd4a2ee50

SHA512
3ef13eacd49370fb929480c516db9f0be2b41e5b0a812e22beeba093da2f10e42749e70e2887411336d0de474fb12ebb269989888c54a9db8c6c6d0c3e1aac14

Download Submit
\Users\Admin\AppData\Local\Temp\EDGE.EXE

Filesize
2.6MB

MD5
7820977c8b4d71e342f1a9500c1c631d

SHA1
d7e474fbe898efce9d91fa0efe8d9c5819377ad8

SHA256
b7a375b496836bdb609b2ad063a8909dd3f35e045a6e75f951d3d7f5d224c945

SHA512
ec4060c357f2b690b93ae27e6b9662cb50ee4149964418d6fb957fc9f613909cc01fe50a133d737057ff540335dd6979f2cef383df534fef07c60ba0b2d10713

Download Submit
\Users\Admin\AppData\Local\Temp\GOOGLE CHROME.EXE

Filesize
79KB

MD5
a19ec34df640568c43c292a89c383ee1

SHA1
23753f88ff613085e363fed6246a3b08a78bf1df

SHA256
9b4298ad3fef1f609e9c34fa9471fc2b76bd6f5542823b66ace638b8c2edb079

SHA512
735f633aa99b70b486b895421841c5b7dd88e475e8c7e120d9b4054fad0989a23c61c13519a10fca9b575ec92949f7475065af34983606f4ba551e82b76e3f91

Download Submit
\Users\Admin\AppData\Local\Temp\METAMASK.EXE

Filesize
79KB

MD5
fa838d62246223fa79f7a7358691584c

SHA1
23d6f3ae392937a6c28d2159cc816dc5ee96d82a

SHA256
24e0ae5106103bb66889229dd18b796f4923727093113ca289c7039189bda19c

SHA512
b9a2ad7eb1f415f492e68fab97b302cd56e6ac1f0f4523a46078b8fbd5d22ac2178b9d5968a0abe9fb3855ac33ef26421b760dbdfb962343cbd291fa6a2a4b8c

Download Submit
\Users\Admin\AppData\Local\Temp\RUNING.EXE

Filesize
189KB

MD5
31c7b3f88bae3c9072ceb9c78cef1281

SHA1
43a5bd5efc6d7d91ccd41041f4532ad7813c5a57

SHA256
9dd3d01dc695d1e89ee6b31df506edb50d986bfae0f9082f945d0d802901cc24

SHA512
a9273ef41c7f4677bd6c2d328bd47cc57219eb36c04d96acc10c4da16d3525183fe2ba08ff91a7067a50d8be5623240ca3d09fc645576b4b1dedd16277ebadf9

Download Submit
memory/584-30-0x0000000001160000-0x0000000001196000-memory.dmp

Filesize
216KB

Download
memory/1708-31-0x0000000000AA0000-0x0000000000ABA000-memory.dmp

Filesize
104KB

Download
memory/1764-117-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1764-112-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1764-110-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1764-114-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1764-116-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1764-118-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1764-119-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2168-29-0x0000000000050000-0x000000000006A000-memory.dmp

Filesize
104KB

Download
memory/2604-32-0x00000000008C0000-0x0000000000B5E000-memory.dmp

Filesize
2.6MB

Download
memory/2604-14-0x00000000745FE000-0x00000000745FF000-memory.dmp

Filesize
4KB

Download
memory/2604-34-0x0000000002110000-0x000000000214A000-memory.dmp

Filesize
232KB

Download
memory/2680-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-70-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-74-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-78-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-86-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-105-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-81-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2680-84-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-101-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2688-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2688-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2688-96-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2688-104-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2688-102-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2696-68-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-72-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-75-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-80-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-90-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-106-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2696-107-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/2952-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-45-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-52-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-47-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2952-41-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download