asyncrat | 832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 05:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
Size

480KB
MD5

2eff738980e22cf3f48b9cf8b78663ac
SHA1

419d1ae415f048372bc9fbb99f7a050f0f7f88e5
SHA256

832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896
SHA512

7d4973802a0615d6f64a1941f38f6d12d01b49315b07ddbc157261b32572745ae4bc07a9ff3d780596ed1f6bc9c873ffef20e8842d572dadbaea5e6d68964e3f
SSDEEP

12288:j50R0MugiOXNbIxUTcKtt904GBfo3Jqlpjg:jyOMugiOCxUAitQu3Jqb

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.6B

185.222.58.40:1978

Mutex

qmwtmuxejofbqhzba

Attributes

delay
5
install
true
install_file
windocv.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detects file containing reversed ASEP Autorun registry keys 1 IoCs

resource	yara_rule
behavioral2/memory/760-18-0x0000000000400000-0x0000000000412000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation	windocv.exe

Executes dropped EXE 2 IoCs

pid	Process
880	windocv.exe
4080	windocv.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 880 set thread context of 4080	880	windocv.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2644	schtasks.exe
732	schtasks.exe
1716	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2232	timeout.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
3812	powershell.exe
3812	powershell.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
880	windocv.exe
880	windocv.exe
3136	powershell.exe
3136	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
Token: SeDebugPrivilege	880	windocv.exe
Token: SeDebugPrivilege	3136	powershell.exe
Token: SeDebugPrivilege	4080	windocv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 3812	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	85
PID 4340 wrote to memory of 3812	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	85
PID 4340 wrote to memory of 3812	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	85
PID 4340 wrote to memory of 1716	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	87
PID 4340 wrote to memory of 1716	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	87
PID 4340 wrote to memory of 1716	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	87
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 4340 wrote to memory of 760	4340	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	89
PID 760 wrote to memory of 2644	760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	90
PID 760 wrote to memory of 2644	760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	90
PID 760 wrote to memory of 2644	760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	90
PID 760 wrote to memory of 5084	760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	92
PID 760 wrote to memory of 5084	760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	92
PID 760 wrote to memory of 5084	760	832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe	92
PID 5084 wrote to memory of 2232	5084	cmd.exe	94
PID 5084 wrote to memory of 2232	5084	cmd.exe	94
PID 5084 wrote to memory of 2232	5084	cmd.exe	94
PID 5084 wrote to memory of 880	5084	cmd.exe	95
PID 5084 wrote to memory of 880	5084	cmd.exe	95
PID 5084 wrote to memory of 880	5084	cmd.exe	95
PID 880 wrote to memory of 3136	880	windocv.exe	96
PID 880 wrote to memory of 3136	880	windocv.exe	96
PID 880 wrote to memory of 3136	880	windocv.exe	96
PID 880 wrote to memory of 732	880	windocv.exe	98
PID 880 wrote to memory of 732	880	windocv.exe	98
PID 880 wrote to memory of 732	880	windocv.exe	98
PID 880 wrote to memory of 4080	880	windocv.exe	100
PID 880 wrote to memory of 4080	880	windocv.exe	100
PID 880 wrote to memory of 4080	880	windocv.exe	100
PID 880 wrote to memory of 4080	880	windocv.exe	100
PID 880 wrote to memory of 4080	880	windocv.exe	100
PID 880 wrote to memory of 4080	880	windocv.exe	100
PID 880 wrote to memory of 4080	880	windocv.exe	100
PID 880 wrote to memory of 4080	880	windocv.exe	100

C:\Users\Admin\AppData\Local\Temp\832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
"C:\Users\Admin\AppData\Local\Temp\832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iYZWyW.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3812
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iYZWyW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp929B.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe
  "C:\Users\Admin\AppData\Local\Temp\832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'windocv"' /tr "'C:\Users\Admin\AppData\Roaming\windocv.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDADF.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2232
  - - C:\Users\Admin\AppData\Roaming\windocv.exe
      "C:\Users\Admin\AppData\Roaming\windocv.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iYZWyW.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iYZWyW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp15C5.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:732
    - - C:\Users\Admin\AppData\Roaming\windocv.exe
        
        "C:\Users\Admin\AppData\Roaming\windocv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\832506397be8817683e8dcac4604eaee19f0add472b9332cb667067562487896.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ad068725d407b97ee7901ec279e70014

SHA1
1857fe2ddf071e9c77d43236d2d3d33b415ffa51

SHA256
dce3aa43c5b7088a318a72e307273147b82cd89ca68398ecfc923d65d8fccf36

SHA512
4147efcd3a21dfd349fcbf7f230161a1cdd400dc2293709a799ac222c7d1bfd3c0ed041d7d2dff8dc683c54c5f03f73a5e33c53449b582c4fe561089278a8629

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qhu2r0jq.ux4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp929B.tmp

Filesize
1KB

MD5
52920512b77e1a4bdc8747f50bed2200

SHA1
089cbd853fa6e5a8b86943c5a8eae52ec42ab9fd

SHA256
b1540f02e1524ff859cf3567f6949047d4ece016733cf123b5bd86e3e1bc4304

SHA512
085e09c379a63dbcdf8a25355ba2cfec7cd48d7713c018acf6b0f7247f47364a8f0d2a7e71616b0719ff383197dc275e8bc46692f89cd287ed95cfec628ea84a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDADF.tmp.bat

Filesize
151B

MD5
de2e9c7373eba17eb425653bb7d12aac

SHA1
d48813ccc44314cf2bde2f1659c8efb5092ca6a9

SHA256
e0194edd61b02caafec9462e61b4b7bbd69efe037a2c08e0d73d91bc18a9d7cf

SHA512
a74e87ba1f49049b1a8739919ba2ef0658e133a7c5524e50629f6db30af30c2f5c553a1e9a0e390de4d8cc677623b68b7956829eb98dbb3cff057b6868a129f2

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
2.3MB

MD5
0addf4d0b9a206a32a658f718be9cae5

SHA1
4f4ae06f83c1e133ee32a5e67868464d04cd7eec

SHA256
3da1f542af556118a1670c47f66a4e9f0e287b3abbd47b07fa2489bdb94ffe2f

SHA512
820b52e7e80c4723a2ce87cae56ceb275b0a1009408d10a95419d059c60ef2d533f4ad4983ce282f61f37a00ee097ae35fb397fb49160a2f4de26847472844e4

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
2.4MB

MD5
432ea519a1f67b56cf00c33f34073a77

SHA1
34c0800fb6411b3f245df2535bae676de579d30d

SHA256
b3fce6c882cb31f3841e901eeb53652722a9b2e7ade5fd3badee2e01101d9773

SHA512
7426ce08166b40f348c13667b0ba14b2b024ce22e0a06b4cfe96d82ddf9732c7001f90e0c8f17f7c6684a6b715fa2980283c57140893b46bd84da07fd314bd19

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
2.3MB

MD5
c4d668c91fceeeb8c1447a39c57c8635

SHA1
1242a09084a35cdcfe22ea88c9ed36644460a601

SHA256
8e852b210756a37cc7966eb7497f81240d49611a8636f712fb25d9d4084e9796

SHA512
5f5f6bf3cf7db05475f0521244eda39f78fe4e710328b2b70de6c24562daf7eb1abdef7c3a668589662ef2113a63f74147613ddbc3fcae33f8e49dfb3ca374a6

Download Submit
C:\Users\Admin\AppData\Roaming\windocv.exe

Filesize
2.9MB

MD5
4edb3242e29eb90c2591297f26133a25

SHA1
d607c16dc693ca3c9075757d445d2973115589fa

SHA256
264bd230a3e5df7fd6fa6f30b7928171b796dfc68d645645d650f57bf15ffee3

SHA512
587f6e9f1d59b6bd0ba77970685391d6d968587bfa542f23ac03b83a77534d63141b387e640c4b03d69432a688944000e7778f1a4ba4a9cee994f41a28e82761

Download Submit
memory/760-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/760-64-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/760-72-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/760-23-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/880-88-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/880-78-0x00000000058B0000-0x00000000058C2000-memory.dmp

Filesize
72KB

Download
memory/880-76-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/880-77-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/3136-101-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

Filesize
304KB

Download
memory/3136-81-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/3136-82-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/3136-84-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/3136-95-0x0000000005540000-0x0000000005894000-memory.dmp

Filesize
3.3MB

Download
memory/3136-102-0x00000000045A0000-0x00000000045B0000-memory.dmp

Filesize
64KB

Download
memory/3136-103-0x0000000071640000-0x000000007168C000-memory.dmp

Filesize
304KB

Download
memory/3136-113-0x0000000006DC0000-0x0000000006E63000-memory.dmp

Filesize
652KB

Download
memory/3136-114-0x0000000007100000-0x0000000007111000-memory.dmp

Filesize
68KB

Download
memory/3136-115-0x0000000007150000-0x0000000007164000-memory.dmp

Filesize
80KB

Download
memory/3136-117-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/3812-17-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/3812-26-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/3812-53-0x0000000006E30000-0x0000000006E4E000-memory.dmp

Filesize
120KB

Download
memory/3812-54-0x0000000007860000-0x0000000007903000-memory.dmp

Filesize
652KB

Download
memory/3812-43-0x0000000071270000-0x00000000712BC000-memory.dmp

Filesize
304KB

Download
memory/3812-56-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/3812-55-0x00000000081E0000-0x000000000885A000-memory.dmp

Filesize
6.5MB

Download
memory/3812-57-0x0000000007C10000-0x0000000007C1A000-memory.dmp

Filesize
40KB

Download
memory/3812-58-0x0000000007E20000-0x0000000007EB6000-memory.dmp

Filesize
600KB

Download
memory/3812-59-0x0000000007DA0000-0x0000000007DB1000-memory.dmp

Filesize
68KB

Download
memory/3812-60-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

Filesize
56KB

Download
memory/3812-61-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

Filesize
80KB

Download
memory/3812-62-0x0000000007EE0000-0x0000000007EFA000-memory.dmp

Filesize
104KB

Download
memory/3812-63-0x0000000007EC0000-0x0000000007EC8000-memory.dmp

Filesize
32KB

Download
memory/3812-41-0x000000007F180000-0x000000007F190000-memory.dmp

Filesize
64KB

Download
memory/3812-66-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/3812-40-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/3812-39-0x0000000006940000-0x000000000698C000-memory.dmp

Filesize
304KB

Download
memory/3812-38-0x00000000068B0000-0x00000000068CE000-memory.dmp

Filesize
120KB

Download
memory/3812-37-0x00000000063D0000-0x0000000006724000-memory.dmp

Filesize
3.3MB

Download
memory/3812-32-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/3812-42-0x0000000006E50000-0x0000000006E82000-memory.dmp

Filesize
200KB

Download
memory/3812-25-0x0000000006080000-0x00000000060A2000-memory.dmp

Filesize
136KB

Download
memory/3812-15-0x0000000002EC0000-0x0000000002EF6000-memory.dmp

Filesize
216KB

Download
memory/3812-20-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/3812-19-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/3812-21-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/4080-118-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4080-120-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/4080-119-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4080-89-0x0000000074D40000-0x00000000754F0000-memory.dmp

Filesize
7.7MB

Download
memory/4340-5-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/4340-8-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/4340-7-0x0000000004F70000-0x0000000004F7E000-memory.dmp

Filesize
56KB

Download
memory/4340-6-0x00000000054C0000-0x00000000054E0000-memory.dmp

Filesize
128KB

Download
memory/4340-0-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4340-4-0x0000000002A10000-0x0000000002A20000-memory.dmp

Filesize
64KB

Download
memory/4340-3-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/4340-2-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/4340-1-0x0000000000440000-0x00000000004BE000-memory.dmp

Filesize
504KB

Download
memory/4340-9-0x0000000006770000-0x00000000067C4000-memory.dmp

Filesize
336KB

Download
memory/4340-10-0x0000000008D80000-0x0000000008E1C000-memory.dmp

Filesize
624KB

Download
memory/4340-24-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download