adwind | 590d68d18c4f1e312d351cfce5f9e0ffb1dfd16e80b5979f19155c7f2f843648

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-07-2022 07:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Re Order 4500324718-CIMELECT.jar
Size

694KB
MD5

7c5d4887188330ff9c6eb853f2e58847
SHA1

91fdfe9ee9bc580ec2440f7485f71e3d34d4c883
SHA256

ead8106d04189a9765d0e125d5d504e30c2c1bc3223a8d9d3ee897af82846b96
SHA512

7b907daaf146bbc06657d33f7a7b5e0254615c080de46ebabb16fea282b0cea67dcb164c0a42a489fbcd7ca70624aef19d58ddc2ae36571867225f936c01f12f

Score

10^/10

adwind asyncrat default rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

franmhort.duia.ro:8153

Mutex

Mutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
win.exe
install_folder
%AppData%

aes.plain

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\AsyncClient.exe	asyncrat
C:\Users\Admin\AppData\Roaming\AsyncClient.exe	asyncrat
behavioral1/memory/1944-87-0x00000000001F0000-0x0000000000202000-memory.dmp	asyncrat
\Users\Admin\AppData\Roaming\win.exe	asyncrat
C:\Users\Admin\AppData\Roaming\win.exe	asyncrat
C:\Users\Admin\AppData\Roaming\win.exe	asyncrat
behavioral1/memory/1580-129-0x0000000000DF0000-0x0000000000E02000-memory.dmp	asyncrat

Executes dropped EXE 2 IoCs

Processes:

AsyncClient.exewin.exe

pid process

1944 AsyncClient.exe
1580 win.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2012 cmd.exe
Drops file in System32 directory 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Windows\System32\test.txt java.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1756 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

904 timeout.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AsyncClient.exe

pid process

1944 AsyncClient.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AsyncClient.exewin.exe

description pid process

Token: SeDebugPrivilege 1944 AsyncClient.exe
Token: SeDebugPrivilege 1580 win.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

java.exejavaw.exe

pid process

1676 java.exe
1712 javaw.exe

pid	process
1944	AsyncClient.exe
1580	win.exe

pid	process
2012	cmd.exe

description	ioc	process
File created	C:\Windows\System32\test.txt	java.exe

pid	process
1756	schtasks.exe

pid	process
904	timeout.exe

pid	process
1944	AsyncClient.exe

description	pid	process
Token: SeDebugPrivilege	1944	AsyncClient.exe
Token: SeDebugPrivilege	1580	win.exe

pid	process
1676	java.exe
1712	javaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

java.exewscript.exeWScript.exejavaw.exejava.execmd.execmd.execmd.execmd.exeAsyncClient.execmd.execmd.exe

description	pid	process	target process
PID 872 wrote to memory of 1128	872	java.exe	wscript.exe
PID 872 wrote to memory of 1128	872	java.exe	wscript.exe
PID 872 wrote to memory of 1128	872	java.exe	wscript.exe
PID 1128 wrote to memory of 320	1128	wscript.exe	WScript.exe
PID 1128 wrote to memory of 320	1128	wscript.exe	WScript.exe
PID 1128 wrote to memory of 320	1128	wscript.exe	WScript.exe
PID 1128 wrote to memory of 1712	1128	wscript.exe	javaw.exe
PID 1128 wrote to memory of 1712	1128	wscript.exe	javaw.exe
PID 1128 wrote to memory of 1712	1128	wscript.exe	javaw.exe
PID 320 wrote to memory of 1944	320	WScript.exe	AsyncClient.exe
PID 320 wrote to memory of 1944	320	WScript.exe	AsyncClient.exe
PID 320 wrote to memory of 1944	320	WScript.exe	AsyncClient.exe
PID 320 wrote to memory of 1944	320	WScript.exe	AsyncClient.exe
PID 1712 wrote to memory of 1676	1712	javaw.exe	java.exe
PID 1712 wrote to memory of 1676	1712	javaw.exe	java.exe
PID 1712 wrote to memory of 1676	1712	javaw.exe	java.exe
PID 1712 wrote to memory of 1760	1712	javaw.exe	cmd.exe
PID 1712 wrote to memory of 1760	1712	javaw.exe	cmd.exe
PID 1712 wrote to memory of 1760	1712	javaw.exe	cmd.exe
PID 1676 wrote to memory of 240	1676	java.exe	cmd.exe
PID 1676 wrote to memory of 240	1676	java.exe	cmd.exe
PID 1676 wrote to memory of 240	1676	java.exe	cmd.exe
PID 1760 wrote to memory of 852	1760	cmd.exe	cscript.exe
PID 1760 wrote to memory of 852	1760	cmd.exe	cscript.exe
PID 1760 wrote to memory of 852	1760	cmd.exe	cscript.exe
PID 240 wrote to memory of 1612	240	cmd.exe	cscript.exe
PID 240 wrote to memory of 1612	240	cmd.exe	cscript.exe
PID 240 wrote to memory of 1612	240	cmd.exe	cscript.exe
PID 1712 wrote to memory of 1528	1712	javaw.exe	cmd.exe
PID 1712 wrote to memory of 1528	1712	javaw.exe	cmd.exe
PID 1712 wrote to memory of 1528	1712	javaw.exe	cmd.exe
PID 1676 wrote to memory of 1868	1676	java.exe	cmd.exe
PID 1676 wrote to memory of 1868	1676	java.exe	cmd.exe
PID 1676 wrote to memory of 1868	1676	java.exe	cmd.exe
PID 1528 wrote to memory of 588	1528	cmd.exe	cscript.exe
PID 1528 wrote to memory of 588	1528	cmd.exe	cscript.exe
PID 1528 wrote to memory of 588	1528	cmd.exe	cscript.exe
PID 1868 wrote to memory of 1512	1868	cmd.exe	cscript.exe
PID 1868 wrote to memory of 1512	1868	cmd.exe	cscript.exe
PID 1868 wrote to memory of 1512	1868	cmd.exe	cscript.exe
PID 1676 wrote to memory of 1540	1676	java.exe	xcopy.exe
PID 1676 wrote to memory of 1540	1676	java.exe	xcopy.exe
PID 1676 wrote to memory of 1540	1676	java.exe	xcopy.exe
PID 1712 wrote to memory of 768	1712	javaw.exe	xcopy.exe
PID 1712 wrote to memory of 768	1712	javaw.exe	xcopy.exe
PID 1712 wrote to memory of 768	1712	javaw.exe	xcopy.exe
PID 1944 wrote to memory of 1504	1944	AsyncClient.exe	cmd.exe
PID 1944 wrote to memory of 1504	1944	AsyncClient.exe	cmd.exe
PID 1944 wrote to memory of 1504	1944	AsyncClient.exe	cmd.exe
PID 1944 wrote to memory of 1504	1944	AsyncClient.exe	cmd.exe
PID 1944 wrote to memory of 2012	1944	AsyncClient.exe	cmd.exe
PID 1944 wrote to memory of 2012	1944	AsyncClient.exe	cmd.exe
PID 1944 wrote to memory of 2012	1944	AsyncClient.exe	cmd.exe
PID 1944 wrote to memory of 2012	1944	AsyncClient.exe	cmd.exe
PID 1504 wrote to memory of 1756	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1756	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1756	1504	cmd.exe	schtasks.exe
PID 1504 wrote to memory of 1756	1504	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 904	2012	cmd.exe	timeout.exe
PID 2012 wrote to memory of 904	2012	cmd.exe	timeout.exe
PID 2012 wrote to memory of 904	2012	cmd.exe	timeout.exe
PID 2012 wrote to memory of 904	2012	cmd.exe	timeout.exe
PID 1676 wrote to memory of 1616	1676	java.exe	cmd.exe
PID 1676 wrote to memory of 1616	1676	java.exe	cmd.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Re Order 4500324718-CIMELECT.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\wscript.exe
wscript C:\Users\Admin\slrtghxwgp.js
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js"
3⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Users\Admin\AppData\Roaming\AsyncClient.exe
"C:\Users\Admin\AppData\Roaming\AsyncClient.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"' & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "win" /tr '"C:\Users\Admin\AppData\Roaming\win.exe"'
6⤵
- Creates scheduled task(s)
PID:1756

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.bat""
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\timeout.exe
timeout 3
6⤵
- Delays execution with timeout.exe
PID:904

C:\Users\Admin\AppData\Roaming\win.exe
"C:\Users\Admin\AppData\Roaming\win.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bwbkyusyvl.txt"
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1712

C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.69496036936904772396323987121633275.class
4⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive404031182877290472.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:240

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive404031182877290472.vbs
6⤵
PID:1612

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7673477011849406345.vbs
5⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7673477011849406345.vbs
6⤵
PID:1512

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
5⤵
PID:1540

C:\Windows\system32\cmd.exe
cmd.exe
5⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2934314058063850074.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2934314058063850074.vbs
5⤵
PID:852

C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6524257857729156963.vbs
4⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6524257857729156963.vbs
5⤵
PID:588

C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
4⤵
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Retrive2934314058063850074.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive404031182877290472.vbs
Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive6524257857729156963.vbs
Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive7673477011849406345.vbs
Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.69496036936904772396323987121633275.class
Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.bat
Filesize
147B

MD5
eb4df0d662ad53d1abd87630b22750a0

SHA1
393a2033d99a9ca326416552bff24e434036fc38

SHA256
9b7631b2f8871b965995d2752b47997475b567303338770d64829f010b468242

SHA512
6daec5f20c5e8b1063bd21c814195e98bbf5fd38840a327713931332204271a232fb10bc93aece7925b724efdf4aab151f84e3cfcc777a515ee59a2bb7dc8cb6

Download Submit
C:\Users\Admin\AppData\Roaming\AsyncClient.exe
Filesize
45KB

MD5
cbdce3b5e2939fe92312004dcb31151f

SHA1
6f11f275c611decd4659f23a4593103f327806a6

SHA256
6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3

SHA512
6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

Download Submit
C:\Users\Admin\AppData\Roaming\AsyncClient.exe
Filesize
45KB

MD5
cbdce3b5e2939fe92312004dcb31151f

SHA1
6f11f275c611decd4659f23a4593103f327806a6

SHA256
6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3

SHA512
6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1083475884-596052423-1669053738-1000\83aa4cc77f591dfc2374580bbd95f6ba_206ac020-9434-4197-af4e-48c8ff9cae6c
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\bwbkyusyvl.txt
Filesize
479KB

MD5
e6e49d6575a99dc7eaf81091e02190b6

SHA1
d7abf421d1a9d080d89b2922003a0d869d64ac2c

SHA256
3df792e3ab0c1efd66231647b0369e5805d359403d5b534a2562a7ba301b0757

SHA512
98743a430ab0490aed350a800d057dbaf7b29d2ce9833ca7cefc3e52a18dc5918c315918f64b193ca6d42f0250f7d93f001606689852de3f56182de42e0a7d3f

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
Filesize
45KB

MD5
cbdce3b5e2939fe92312004dcb31151f

SHA1
6f11f275c611decd4659f23a4593103f327806a6

SHA256
6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3

SHA512
6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

Download Submit
C:\Users\Admin\AppData\Roaming\win.exe
Filesize
45KB

MD5
cbdce3b5e2939fe92312004dcb31151f

SHA1
6f11f275c611decd4659f23a4593103f327806a6

SHA256
6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3

SHA512
6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

Download Submit
C:\Users\Admin\AppData\Roaming\xRKCVudFNp.js
Filesize
88KB

MD5
63649fb5e85e7f8c93a1ad99a27b7b22

SHA1
ae8e7a2215151a271d983e52ba8a56a77ae6baed

SHA256
e5d86ad0a6d4aaf17667fc846727326d86608c9cbee572b6aef70c92b028d86d

SHA512
7bd802d530f5b752a8b9ec2e0e45ade04b70d0edf29b007852682e25cc3a63531fde3d2c57e03d5fb8478caeff823b028d9bd83ef693876d5f803868428d5f3a

Download Submit
C:\Users\Admin\slrtghxwgp.js
Filesize
1.0MB

MD5
a0feff107f173acc9b411620b16cfddf

SHA1
b7b5985ad225aef80e1e0e08297330f2257f7f59

SHA256
100de96a9a0778b9d66d919de429cecb7ee54c4e3ddce9911d40a0ded003d185

SHA512
99d7ca04f65e2cadd0678166a5b1c07e476873bd43c90290982731e3657bd43a4ddcfb57a1317381529eb50dd1dadd7e87273006f4179e43b4a3251184ed7000

Download Submit
\Users\Admin\AppData\Roaming\win.exe
Filesize
45KB

MD5
cbdce3b5e2939fe92312004dcb31151f

SHA1
6f11f275c611decd4659f23a4593103f327806a6

SHA256
6ccc49875c2d837f462c4c3bd81f80b3be93f8435e8a22e042b5db025a31a6e3

SHA512
6240f21957016db0607987c81b110e78640d20eeba2dc0274cf6e6741cfd7924ca3b42325405e620f423157c34f355f188dbf60de96421e87f0d53e271fcc2c8

Download Submit
memory/240-106-0x0000000000000000-mapping.dmp

Download
memory/320-69-0x0000000000000000-mapping.dmp

Download
memory/588-113-0x0000000000000000-mapping.dmp

Download
memory/768-118-0x0000000000000000-mapping.dmp

Download
memory/852-107-0x0000000000000000-mapping.dmp

Download
memory/872-64-0x00000000020C0000-0x00000000050C0000-memory.dmp

Filesize
48.0MB

Download
memory/872-54-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

Filesize
8KB

Download
memory/904-123-0x0000000000000000-mapping.dmp

Download
memory/1128-65-0x0000000000000000-mapping.dmp

Download
memory/1504-119-0x0000000000000000-mapping.dmp

Download
memory/1512-114-0x0000000000000000-mapping.dmp

Download
memory/1528-111-0x0000000000000000-mapping.dmp

Download
memory/1540-117-0x0000000000000000-mapping.dmp

Download
memory/1580-127-0x0000000000000000-mapping.dmp

Download
memory/1580-129-0x0000000000DF0000-0x0000000000E02000-memory.dmp

Filesize
72KB

Download
memory/1612-108-0x0000000000000000-mapping.dmp

Download
memory/1616-124-0x0000000000000000-mapping.dmp

Download
memory/1676-97-0x0000000002290000-0x0000000005290000-memory.dmp

Filesize
48.0MB

Download
memory/1676-88-0x0000000000000000-mapping.dmp

Download
memory/1676-132-0x0000000002290000-0x0000000005290000-memory.dmp

Filesize
48.0MB

Download
memory/1712-86-0x0000000002320000-0x0000000005320000-memory.dmp

Filesize
48.0MB

Download
memory/1712-130-0x0000000002320000-0x0000000005320000-memory.dmp

Filesize
48.0MB

Download
memory/1712-70-0x0000000000000000-mapping.dmp

Download
memory/1756-121-0x0000000000000000-mapping.dmp

Download
memory/1760-105-0x0000000000000000-mapping.dmp

Download
memory/1868-112-0x0000000000000000-mapping.dmp

Download
memory/1944-102-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1944-87-0x00000000001F0000-0x0000000000202000-memory.dmp

Filesize
72KB

Download
memory/1944-81-0x0000000000000000-mapping.dmp

Download
memory/2012-120-0x0000000000000000-mapping.dmp

Download