asyncrat | 89609c6e1373264312594816f10bb5c7b4c742fd674f1d6c1c87c032df69d673

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
Size

694KB
MD5

32c67f99f3c95ba5e1816ca208f9b723
SHA1

c1e29ecea3c87d671448b9dbcc8d8c67b0d14b7e
SHA256

38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7
SHA512

578526bda2f08948475726f36bf247aabeb8f3941f95153d6786bc0db6e43bad44502ef1757bae2bb7c6f6bd0a4bd51e9b33ae363be293b75f490a26c03795f8
SSDEEP

12288:btoKggb2iNdvpc++pd1yIBbrk4ct0gdK/5SVns2M2TgN/0s:5oKgK1XpSpGIZn9+YSVsggi

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

37.0.14.198:6161

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2172	powershell.exe
2796	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	.exe

Executes dropped EXE 2 IoCs

pid	Process
4100	.exe
4092	.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4100 set thread context of 4092	4100	.exe	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3988	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4488	schtasks.exe
1644	schtasks.exe
2908	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2796	powershell.exe
2796	powershell.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	4092	.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2796	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	99
PID 4988 wrote to memory of 2796	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	99
PID 4988 wrote to memory of 2796	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	99
PID 4988 wrote to memory of 2908	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	101
PID 4988 wrote to memory of 2908	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	101
PID 4988 wrote to memory of 2908	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	101
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4988 wrote to memory of 4440	4988	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	103
PID 4440 wrote to memory of 3864	4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	104
PID 4440 wrote to memory of 3864	4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	104
PID 4440 wrote to memory of 3864	4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	104
PID 4440 wrote to memory of 3032	4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	106
PID 4440 wrote to memory of 3032	4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	106
PID 4440 wrote to memory of 3032	4440	38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe	106
PID 3032 wrote to memory of 3988	3032	cmd.exe	108
PID 3032 wrote to memory of 3988	3032	cmd.exe	108
PID 3032 wrote to memory of 3988	3032	cmd.exe	108
PID 3864 wrote to memory of 4488	3864	cmd.exe	109
PID 3864 wrote to memory of 4488	3864	cmd.exe	109
PID 3864 wrote to memory of 4488	3864	cmd.exe	109
PID 3032 wrote to memory of 4100	3032	cmd.exe	110
PID 3032 wrote to memory of 4100	3032	cmd.exe	110
PID 3032 wrote to memory of 4100	3032	cmd.exe	110
PID 4100 wrote to memory of 2172	4100	.exe	112
PID 4100 wrote to memory of 2172	4100	.exe	112
PID 4100 wrote to memory of 2172	4100	.exe	112
PID 4100 wrote to memory of 1644	4100	.exe	114
PID 4100 wrote to memory of 1644	4100	.exe	114
PID 4100 wrote to memory of 1644	4100	.exe	114
PID 4100 wrote to memory of 4092	4100	.exe	116
PID 4100 wrote to memory of 4092	4100	.exe	116
PID 4100 wrote to memory of 4092	4100	.exe	116
PID 4100 wrote to memory of 4092	4100	.exe	116
PID 4100 wrote to memory of 4092	4100	.exe	116
PID 4100 wrote to memory of 4092	4100	.exe	116
PID 4100 wrote to memory of 4092	4100	.exe	116
PID 4100 wrote to memory of 4092	4100	.exe	116

C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
"C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nxBIuIS.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nxBIuIS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe
  "C:\Users\Admin\AppData\Local\Temp\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\Admin\AppData\Roaming\.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3864
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "" /tr '"C:\Users\Admin\AppData\Roaming\.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6BE4.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3988
  - - C:\Users\Admin\AppData\Roaming\.exe
      "C:\Users\Admin\AppData\Roaming\.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4100
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nxBIuIS.exe"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nxBIuIS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2DCD.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1644
    - - C:\Users\Admin\AppData\Roaming\.exe
        
        "C:\Users\Admin\AppData\Roaming\.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7.exe.log

Filesize
1KB

MD5
e08f822522c617a40840c62e4b0fb45e

SHA1
ae516dca4da5234be6676d3f234c19ec55725be7

SHA256
bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7

SHA512
894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ee6222746b50cc97121ed5c188a34d3a

SHA1
810e8836878330a058f60be40fd621077a24565a

SHA256
057ea8be82d45992cbe3fa1d10110a01c1003a8d83d88c62c13e6f0fb498d4b5

SHA512
2c5684ffced3b0e6098eaf05dbae69c3229d937f8d4404da709e3135ac03f0ac199deb2bf106f3a9b0417f07090dd43a492977e0b7b4526194812b57e88f47e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdpqqj1u.qcw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp586C.tmp

Filesize
1KB

MD5
904b75d49029974177559065b77db0cf

SHA1
86caf63ff0774dbb6496a52a95ff73e04f812433

SHA256
7373062f27fbd09b1e9ee62cd0c11500b5e973eeffcafe338a8af42925581d83

SHA512
0628281aaf0aca842008a506e711f552be337502dbd06ee90b84f6d9de60220154a97b5c712b8aaf1892d6a2acd4b2b656376479e4778cbbbed9f9b3dd62115e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BE4.tmp.bat

Filesize
144B

MD5
faa4d323a349cfe730a62c78db44aa01

SHA1
2bce8e5648421aec4c384748257f1c8a64bbdf14

SHA256
89c62a3a3d18bab0278f5645aecc102813a2d432480fcd78f196fa4b0e6dcc5f

SHA512
89a27ab80e8ca1d998a6f47a957a1c6e586f19f101fe12996dd5f529fcb28700be48713ee30011b20ac72250bcb59827b341a82d925c55710d096537b71546ae

Download Submit
C:\Users\Admin\AppData\Roaming\.exe

Filesize
694KB

MD5
32c67f99f3c95ba5e1816ca208f9b723

SHA1
c1e29ecea3c87d671448b9dbcc8d8c67b0d14b7e

SHA256
38e1bbae005365e92cf80aa6ef199d5107af57fde3afb02c31dc1bde875c68f7

SHA512
578526bda2f08948475726f36bf247aabeb8f3941f95153d6786bc0db6e43bad44502ef1757bae2bb7c6f6bd0a4bd51e9b33ae363be293b75f490a26c03795f8

Download Submit
memory/2172-90-0x00000000059E0000-0x0000000005D34000-memory.dmp

Filesize
3.3MB

Download
memory/2172-92-0x0000000005FE0000-0x000000000602C000-memory.dmp

Filesize
304KB

Download
memory/2172-93-0x0000000075440000-0x000000007548C000-memory.dmp

Filesize
304KB

Download
memory/2172-103-0x0000000007070000-0x0000000007113000-memory.dmp

Filesize
652KB

Download
memory/2172-104-0x0000000007350000-0x0000000007361000-memory.dmp

Filesize
68KB

Download
memory/2172-105-0x00000000073A0000-0x00000000073B4000-memory.dmp

Filesize
80KB

Download
memory/2796-40-0x00000000061C0000-0x000000000620C000-memory.dmp

Filesize
304KB

Download
memory/2796-71-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2796-20-0x0000000005350000-0x0000000005978000-memory.dmp

Filesize
6.2MB

Download
memory/2796-17-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/2796-18-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2796-22-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/2796-62-0x00000000077D0000-0x00000000077D8000-memory.dmp

Filesize
32KB

Download
memory/2796-25-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/2796-26-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/2796-61-0x00000000077F0000-0x000000000780A000-memory.dmp

Filesize
104KB

Download
memory/2796-29-0x0000000005B40000-0x0000000005E94000-memory.dmp

Filesize
3.3MB

Download
memory/2796-60-0x00000000076F0000-0x0000000007704000-memory.dmp

Filesize
80KB

Download
memory/2796-59-0x00000000076E0000-0x00000000076EE000-memory.dmp

Filesize
56KB

Download
memory/2796-39-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/2796-58-0x00000000076B0000-0x00000000076C1000-memory.dmp

Filesize
68KB

Download
memory/2796-41-0x0000000006750000-0x0000000006782000-memory.dmp

Filesize
200KB

Download
memory/2796-42-0x0000000073620000-0x000000007366C000-memory.dmp

Filesize
304KB

Download
memory/2796-52-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/2796-53-0x0000000007170000-0x0000000007213000-memory.dmp

Filesize
652KB

Download
memory/2796-54-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/2796-55-0x00000000074B0000-0x00000000074CA000-memory.dmp

Filesize
104KB

Download
memory/2796-56-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/2796-57-0x0000000007730000-0x00000000077C6000-memory.dmp

Filesize
600KB

Download
memory/4440-27-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4440-67-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4440-23-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4988-21-0x00000000064F0000-0x0000000006504000-memory.dmp

Filesize
80KB

Download
memory/4988-8-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4988-11-0x0000000006560000-0x00000000065FC000-memory.dmp

Filesize
624KB

Download
memory/4988-28-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4988-10-0x0000000006460000-0x00000000064B4000-memory.dmp

Filesize
336KB

Download
memory/4988-0-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/4988-9-0x0000000006320000-0x000000000632C000-memory.dmp

Filesize
48KB

Download
memory/4988-15-0x0000000006600000-0x0000000006666000-memory.dmp

Filesize
408KB

Download
memory/4988-7-0x0000000074B5E000-0x0000000074B5F000-memory.dmp

Filesize
4KB

Download
memory/4988-6-0x00000000057E0000-0x0000000005804000-memory.dmp

Filesize
144KB

Download
memory/4988-5-0x0000000074B50000-0x0000000075300000-memory.dmp

Filesize
7.7MB

Download
memory/4988-4-0x0000000004CC0000-0x0000000004CCA000-memory.dmp

Filesize
40KB

Download
memory/4988-3-0x0000000004B20000-0x0000000004BB2000-memory.dmp

Filesize
584KB

Download
memory/4988-2-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/4988-1-0x0000000000050000-0x0000000000104000-memory.dmp

Filesize
720KB

Download