Analysis
- max time kernel: 146s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-04-2024 08:41
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6d3f68d31efc5fc456850af228427c25.msi
  - Resource: win7-20231129-en
General
- Target: 6d3f68d31efc5fc456850af228427c25.msi
- Size: 1.5MB
- MD5: 6d3f68d31efc5fc456850af228427c25
- SHA1: 487fcaaab61ce4e76d6a1e2568cf3602a5f6632b
- SHA256: 147f810affa8a7f95cc8a15cc5918933d3cf430232e132b340180d3878951974
- SHA512: e1c26181065ad69078e281154f741d318ceec9d412c030a89397e6d27ff89c224ed7f106b68892f41309264830e48255ff114369985206efe9c5311f8725df3d
- SSDEEP: 24576:kt9cpVDhOXLcVXyEq9GRhv9cWP8rtPN01Mq7+xtA+w9TxDfoUBoiGt+eWilfdqF6:jpRhOXLcJyEq9GRhvVqtV01Mq7kctDAo
Malware Config
Extracted
- Family: asyncrat
- Version: AWS | 3Losh
- Botnet (group ID): mafiaexe
- C2 (host:port):
  - 127.0.0.1:6606
  - 127.0.0.1:7707
  - 127.0.0.1:8808
  - twinks234.duckdns.org:6606
  - twinks234.duckdns.org:7707
  - twinks234.duckdns.org:8808
- Mutex: mafiaEXE
- delay: 3
- install: false
- install_folder: %AppData%

Reading the config: the three 127.0.0.1 entries are loopback and are not actionable network indicators (127.0.0.1 on 6606/7707/8808 is the AsyncRAT builder default left in place); the only external C2 is the dynamic-DNS name twinks234.duckdns.org on ports 6606, 7707 and 8808, which can resolve to a different address at any time, so block or monitor the name rather than a resolved IP. With install set to false the payload is not expected to copy itself into %AppData%, and in the process tree below mafiachroom.exe indeed runs from the wrapper's temporary folder. The mutex name mafiaEXE is a host-side artifact that can be hunted for on running systems.
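The triage steps just described, as an added example that is not part of the sandbox report: a Python script that takes a constructed copy of the extracted AsyncRAT config, separates perimeter-actionable C2 entries from loopback/private placeholders, flags dynamic-DNS hosts, and records the host artifacts (mutex, expected install behaviour) an analyst would carry into hunting. The dictionary layout, the DDNS suffix list and the classification labels are my own assumptions, not the extractor's schema.

```python
"""Triage of the extracted AsyncRAT configuration above.

Added example, not part of the sandbox report. ASYNCRAT_CONFIG is a
constructed copy of the "Malware Config" fields; the DDNS suffix list
and the classification labels are my own.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed from the report's Malware Config section.
ASYNCRAT_CONFIG: Dict = {
    "family": "asyncrat",
    "version": "AWS | 3Losh",
    "botnet": "mafiaexe",
    "c2": [
        "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808",
        "twinks234.duckdns.org:6606", "twinks234.duckdns.org:7707",
        "twinks234.duckdns.org:8808",
    ],
    "mutex": "mafiaEXE",
    "delay": 3,
    "install": False,
    "install_folder": "%AppData%",
}

# Illustrative dynamic-DNS suffixes (assumption); extend for your environment.
DDNS_SUFFIXES = ("duckdns.org", "ddns.net", "no-ip.org", "hopto.org")


def parse_c2(entry: str) -> Tuple[str, int]:
    """Split 'host:port' (IPv6 hosts may be bracketed), validating the port."""
    host, sep, port_s = entry.rpartition(":")
    if not sep or not host:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    port = int(port_s)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {entry!r}")
    return host.strip("[]"), port


def classify_host(host: str) -> str:
    """Return one of: loopback, private, ip, ddns, domain."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        h = host.lower().rstrip(".")
        if any(h == s or h.endswith("." + s) for s in DDNS_SUFFIXES):
            return "ddns"
        return "domain"
    if ip.is_loopback:          # checked first: loopback is also "private" to ipaddress
        return "loopback"
    if ip.is_private:
        return "private"
    return "ip"


def triage(cfg: Dict) -> Dict:
    """Separate actionable C2s from placeholders and note host artifacts."""
    actionable: List[Dict] = []
    placeholder: List[Dict] = []
    for entry in cfg["c2"]:
        host, port = parse_c2(entry)
        kind = classify_host(host)
        rec = {"host": host, "port": port, "kind": kind}
        # Loopback/RFC1918 entries cannot be blocked at the perimeter;
        # loopback here is the builder default left in the config.
        (placeholder if kind in ("loopback", "private") else actionable).append(rec)
    return {
        "family": cfg["family"],
        "mutex": cfg["mutex"],                      # named mutex to hunt for on hosts
        "actionable_c2": actionable,
        "placeholder_c2": placeholder,
        # install=false: no self-copy into install_folder, so the running
        # binary stays wherever the dropper put it.
        "expect_install_copy": bool(cfg["install"]),
        "install_folder": cfg["install_folder"] if cfg["install"] else None,
        "reconnect_delay_s": cfg["delay"],
    }


def blocklist(t: Dict) -> Dict[str, Set[int]]:
    """Host -> ports for perimeter rules; DDNS names need resolution monitoring, not IP blocks."""
    out: Dict[str, Set[int]] = {}
    for rec in t["actionable_c2"]:
        out.setdefault(rec["host"], set()).add(rec["port"])
    return out


if __name__ == "__main__":
    result = triage(ASYNCRAT_CONFIG)
    for rec in result["actionable_c2"]:
        print(f"C2 {rec['host']}:{rec['port']} ({rec['kind']})")
    print("blocklist:", blocklist(result))
    print("mutex to hunt:", result["mutex"], "| install copy expected:", result["expect_install_copy"])
```

For this config the script yields a single host to act on, twinks234.duckdns.org on 6606/7707/8808, three discarded loopback entries, and the note that no %AppData% copy should be expected because install is false.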
Signatures
- Async RAT payload (1 IoC)
  - YARA rule family_asyncrat matched resource behavioral1/files/0x0007000000016d1a-65.dat
- Modifies file permissions (1 TTP, 1 IoC)
  - PID 2276 ICACLS.EXE
- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) by msiexec.exe: \??\A: through \??\Z: except C:, D: and F: (23 drive letters, each opened twice). This is routine Windows Installer volume enumeration and fires on most MSI installs; it is not suspicious on its own.
- Drops file in Windows directory (10 IoCs)
  - File opened for modification C:\Windows\Logs\DPX\setuperr.log (EXPAND.EXE)
  - File opened for modification C:\Windows\Logs\DPX\setupact.log (EXPAND.EXE)
  - File opened for modification C:\Windows\Installer\MSI35A1.tmp (msiexec.exe)
  - File opened for modification C:\Windows\Installer\f7634f5.msi (msiexec.exe)
  - File created C:\Windows\Installer\f7634f5.msi (msiexec.exe)
  - File created C:\Windows\Installer\f7634f6.ipi (msiexec.exe)
  - File opened for modification C:\Windows\Installer\ (msiexec.exe)
  - File opened for modification C:\Windows\INF\setupapi.ev1 (DrvInst.exe)
  - File opened for modification C:\Windows\INF\setupapi.ev3 (DrvInst.exe)
  - File opened for modification C:\Windows\INF\setupapi.dev.log (DrvInst.exe)
  C:\Windows\Installer\f7634f5.msi is the Installer's cached copy of the package; it remains on disk after the install and is a good place to recover the sample from an affected host.
- Executes dropped EXE (1 IoC)
  - PID 1564 mafiachroom.exe
- Loads dropped DLL (5 IoCs)
  - PID 1096 MsiExec.exe (5 loads)
- Modifies data under HKEY_USERS (43 IoCs)
  All by DrvInst.exe, under \REGISTRY\USER\.DEFAULT (the LocalSystem profile hive):
  - Key created under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (25 keys): Root, CA, trust, Disallowed, TrustedPeople and SmartCardRoot, each with its Certificates, CRLs and CTLs subkeys, plus My
  - Key created under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (16 keys): CA, trust, Disallowed and TrustedPeople, each with its Certificates, CRLs and CTLs subkeys
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 (UTF-16LE "en-US", "en")
  These are the empty certificate-store keys CryptoAPI creates when a LocalSystem process (here DrvInst.exe, handling the VolumeSnapshot device listed below) opens the per-user stores for signature checks. They are Installer side effects, not a trust-store modification by the payload.
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  - PID 2980 msiexec.exe (2), PID 1564 mafiachroom.exe (1)
- Suspicious use of AdjustPrivilegeToken (54 IoCs)
  - PID 2964 msiexec.exe (31): SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  - PID 2980 msiexec.exe (9): SeRestorePrivilege (4), SeTakeOwnershipPrivilege (3), SeSecurityPrivilege, SeBackupPrivilege
  - PID 2920 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  - PID 2604 DrvInst.exe (10): SeRestorePrivilege (7), SeLoadDriverPrivilege (3)
  - PID 1564 mafiachroom.exe (1): SeDebugPrivilege
  The msiexec, vssvc and DrvInst entries are the privilege set Windows Installer and its helpers normally enable during an elevated install. The one worth noting is SeDebugPrivilege enabled by the dropped mafiachroom.exe.
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 2964 msiexec.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1564 mafiachroom.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
  - PID 2980 msiexec.exe wrote to PID 1096 MsiExec.exe (7 events, target index 32)
  - PID 1096 MsiExec.exe wrote to PID 2276 ICACLS.EXE (4 events, target index 33)
  - PID 1096 MsiExec.exe wrote to PID 828 EXPAND.EXE (4 events, target index 35)
  - PID 1096 MsiExec.exe wrote to PID 1564 mafiachroom.exe (4 events, target index 37)
  Every write goes from a parent into a child it has just created, which is consistent with ordinary process creation (the parent writes startup data into the new process); these events document the parent/child chain rather than injection into an unrelated process.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots. Here it is accounted for by the Installer taking a snapshot during the install (vssvc.exe, PID 2920) and by DrvInst.exe handling the resulting STORAGE\VolumeSnapshot device; nothing in the tree deletes or tampers with shadow copies.
Processes
- C:\Windows\system32\msiexec.exe (PID 2964)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6d3f68d31efc5fc456850af228427c25.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 2980)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1096)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 159F8E96D4BB8947CAC742AA53F346DB
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ICACLS.EXE (PID 2276)
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4ac8d7e2-0e23-4246-9b6f-d959626db66c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      - Modifies file permissions
    - C:\Windows\SysWOW64\EXPAND.EXE (PID 828)
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      - Drops file in Windows directory
    - C:\Users\Admin\AppData\Local\Temp\MW-4ac8d7e2-0e23-4246-9b6f-d959626db66c\files\mafiachroom.exe (PID 1564)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-4ac8d7e2-0e23-4246-9b6f-d959626db66c\files\mafiachroom.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe (PID 2920)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\DrvInst.exe (PID 2604)
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000584" "000000000000056C"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: msiexec.exe /V (PID 2980) is the Windows Installer service instance, and its 32-bit child MsiExec.exe -Embedding (PID 1096) is the custom action server it spawns to run the package's custom actions. It is that server, not the Installer engine, that raises the integrity level of a temporary MW-<GUID> folder with ICACLS, expands files.cab into a files subfolder with EXPAND.EXE, and then launches the extracted mafiachroom.exe. The MSI is therefore a thin wrapper around an embedded EXE, and mafiachroom.exe, the only dropped executable that runs, is the likely carrier of the AsyncRAT payload flagged above (the YARA match is reported against a dropped file resource, not by file name). The three children of PID 1096 are the detection-relevant chain; vssvc.exe and DrvInst.exe are Installer side effects.
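The chain under PID 1096 (ICACLS integrity raise, EXPAND of files.cab, launch of an EXE from the MW-<GUID> temp folder) is what a detection should key on. The following is an added example and not part of the sandbox report: a Python rule that indexes process-creation events constructed from the tree above and flags a custom action server whose children form that pattern, while leaving the vssvc.exe and DrvInst.exe noise alone. The event tuple layout, the MW-<GUID> path regex and the confidence labels are my own assumptions; parent PIDs of the two top-level msiexec.exe instances are not in the report and are left as None.

```python
"""Detect the wrapper-MSI drop-and-run chain from the process tree above.

Added example, not part of the sandbox report. EVENTS is constructed from
the tree (PIDs, images and command lines as shown). Field names, the path
regex and the rule logic are my own.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, Optional[int], str, str]   # pid, ppid, image, command line

MW = r"C:\Users\Admin\AppData\Local\Temp\MW-4ac8d7e2-0e23-4246-9b6f-d959626db66c"

# Constructed from the report's process tree; top-level parents are unknown (None).
EVENTS: List[Event] = [
    (2964, None, r"C:\Windows\system32\msiexec.exe",
     r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6d3f68d31efc5fc456850af228427c25.msi"),
    (2980, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    (1096, 2980, r"C:\Windows\syswow64\MsiExec.exe",
     r"C:\Windows\syswow64\MsiExec.exe -Embedding 159F8E96D4BB8947CAC742AA53F346DB"),
    (2276, 1096, r"C:\Windows\SysWOW64\ICACLS.EXE",
     f'"C:\\Windows\\system32\\ICACLS.EXE" "{MW}\\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    (828, 1096, r"C:\Windows\SysWOW64\EXPAND.EXE",
     r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    (1564, 1096, MW + r"\files\mafiachroom.exe", f'"{MW}\\files\\mafiachroom.exe"'),
    (2920, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
    (2604, None, r"C:\Windows\system32\DrvInst.exe",
     r'DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" '
     r'"61530dda3" "0000000000000000" "0000000000000584" "000000000000056C"'),
]

# Temp folder used by the wrapper: ...\AppData\Local\Temp\MW-<GUID>\  (assumed pattern)
WRAPPER_DIR = re.compile(
    r"\\AppData\\Local\\Temp\\MW-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def build_index(events: List[Event]):
    """pid -> (ppid, image, cmd) plus ppid -> [child pids]."""
    procs = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    children: Dict[int, List[int]] = {}
    for pid, ppid, _, _ in events:
        if ppid is not None:
            children.setdefault(ppid, []).append(pid)
    return procs, children


def is_custom_action_server(image: str, cmd: str) -> bool:
    # The Installer service hosts custom actions in "MsiExec.exe -Embedding <id>".
    return _name(image) == "msiexec.exe" and "-embedding" in cmd.lower()


def find_wrapper_drops(events: List[Event]) -> List[Dict]:
    """Flag custom action servers that expand a cab and run an EXE from MW-<GUID>."""
    procs, children = build_index(events)
    findings: List[Dict] = []
    for pid, (_, image, cmd) in procs.items():
        if not is_custom_action_server(image, cmd):
            continue
        f: Dict = {"ca_server_pid": pid, "integrity_raise": [], "cab_expand": [], "dropped_exe": []}
        for cpid in children.get(pid, []):
            _, cimg, ccmd = procs[cpid]
            n, low = _name(cimg), ccmd.lower()
            if n == "icacls.exe" and "/setintegritylevel" in low:
                f["integrity_raise"].append(cpid)
            elif n == "expand.exe" and ".cab" in low:
                f["cab_expand"].append(cpid)
            elif WRAPPER_DIR.search(cimg) and n.endswith(".exe"):
                f["dropped_exe"].append((cpid, cimg))
        # The dropped-EXE launch is the required element; cab expansion and the
        # ACL change are corroborating and raise confidence.
        if f["dropped_exe"]:
            f["confidence"] = "high" if f["cab_expand"] and f["integrity_raise"] else "medium"
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in find_wrapper_drops(EVENTS):
        print(f"[{finding['confidence']}] custom action server {finding['ca_server_pid']} "
              f"launched {finding['dropped_exe']} (cab={finding['cab_expand']}, "
              f"icacls={finding['integrity_raise']})")
```

In production the same logic maps directly onto Sysmon event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine); the MW-<GUID> regex should be treated as one wrapper family's convention, and the EXPAND plus dropped-EXE pair under an -Embedding server is the more general signal.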
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped-file hashes (the report does not tie each set to a file path):
- Filesize: 1.2MB
  MD5: d4e7f05d7f6a7dc75f468dbcaa9f437f
  SHA1: f377284434b0200c6ebeba730dfcddaff7f2de13
  SHA256: 943ef4c71d53ef383ee9591d460799c7e503e493c26abdd6ded50eb82f2dd47f
  SHA512: 9f8d960ee4367f388a0717b9a3991682a900f13db547dd51242a6c1686a2d9badbb94446db36700116c0c7753daacc7fb43ec35c09e94bc462e74c36e2b86bf5
- Filesize: 1.2MB
  MD5: 6e7ebd37b6095cb1a2f3ffa9d5598c81
  SHA1: d4d0cfa65f6dd224af16ff81a29abdf6ab0eab69
  SHA256: 1cf774a50175eb7321b1366c585ccfc68bdf0916d8e78edf1fe24e079209eb9e
  SHA512: f23d689393db2f8292018d8b303992b19dd8b9cfd4f226a84ddd70d30ec2d89083e9b1418d5f82e04a1a81d9014387e0450747b99a02fc32e094c987cc2c782b
- Filesize: 364B
  MD5: e6e616cb1a73ca11da8aa3b3bcb35f82
  SHA1: 237dbbb4670f50e907dbdf8731df39a34c10037b
  SHA256: b2e9976a7733359ebd5f32eda5e537cd2eb58d0edf36ac4244a78acb7e074a2c
  SHA512: ef07b8a492357bd9cc3c96d9c823d58b0a4a082c9fa89d9f9a61d704eb4a900f730e3ab90062a1b869b213d721bfe2cc1d5828448fc4a888911bc878c33ea05f
- Filesize: 1KB
  MD5: 81d52f8d972a6e9943cd509fa5968019
  SHA1: 9dc7f85c2c7d434265e65041ef6b1e2ee7109b7d
  SHA256: 5f16504d409b5435579cbb04743bb315290a4d4e90ba9f90313450eb55ee82e1
  SHA512: 366f6bce1dfd2dc4a215601d349d8c3fc10753c99366aa13c5024c708ea78945840ddb5fc2e20c3ba026d9c9ff1dcfc8b6cc2d0ca89f808642f287976c004a09
- Filesize: 208KB
  MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
  SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
  SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
  SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108