asyncrat | cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
Size

748KB
MD5

457143901d9ca2f0bc836c1dd1faefe3
SHA1

11e554dcfca0dd51c5bfe92d35b9c13b21b81691
SHA256

cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26
SHA512

0bd04e37e8f3bb869783661972b83ec8fb6b06727eff27374d2855e714b31cd51b15ada8e46d8b09eda9367dd002f65436785b7962f80f5812396aff3c03c0d0
SSDEEP

12288:Ykpcy+P2t8ysP8ZURBmtxjlk/u6ntgJ2E3P0DtaxoisMLHsXxteTX:Ykpcy5tVZqBmTji/PQP0Zaxd5LHxT

Score

10^/10

asyncrat quasar xworm default slave execution rat spyware trojan

Malware Config

Extracted

Family

xworm

head-experimental.gl.at.ply.gg:46178

best-bird.gl.at.ply.gg:27196

super-nearest.gl.at.ply.gg:17835

Attributes

install_file
USB.exe

Extracted

Family

asyncrat

Botnet

Default

finally-grande.gl.at.ply.gg:25844

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

stop-largely.gl.at.ply.gg:27116

Mutex

$Sxr-kl1r656AGsPQksTmi8

Attributes

encryption_key
ql4fQ8TV9ZFP9vRX2myA
install_name
$sxr~Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
$77STARTUP~MSF
subdirectory
$sxr~SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Part1.exe	family_xworm
behavioral1/memory/2392-7-0x0000000001140000-0x0000000001158000-memory.dmp	family_xworm
behavioral1/memory/2636-34-0x00000000012D0000-0x00000000012E8000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\Part 4.exe	family_xworm
C:\Users\Admin\AppData\Local\Temp\Part 1.exe	family_xworm
behavioral1/memory/2812-43-0x0000000000390000-0x00000000003AA000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\Part 2.exe family_quasar
behavioral1/memory/2652-46-0x00000000000A0000-0x000000000010C000-memory.dmp family_quasar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\Part 3.exe family_asyncrat
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1688 powershell.exe
2112 powershell.exe
1948 powershell.exe
572 powershell.exe
1520 powershell.exe
1368 powershell.exe
Executes dropped EXE 7 IoCs

Processes:

Part1.exePart2.exePart 1.exePart 2.exePart 3.exePart 4.exeWindows PowerShell.exe

pid process

2392 Part1.exe
2656 Part2.exe
2636 Part 1.exe
2652 Part 2.exe
2752 Part 3.exe
2812 Part 4.exe
2640 Windows PowerShell.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1148 schtasks.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Part 2.exe	family_quasar
behavioral1/memory/2652-46-0x00000000000A0000-0x000000000010C000-memory.dmp	family_quasar

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Part 3.exe	family_asyncrat

pid	process
1688	powershell.exe
2112	powershell.exe
1948	powershell.exe
572	powershell.exe
1520	powershell.exe
1368	powershell.exe

pid	process
2392	Part1.exe
2656	Part2.exe
2636	Part 1.exe
2652	Part 2.exe
2752	Part 3.exe
2812	Part 4.exe
2640	Windows PowerShell.exe

flow	ioc
2	ip-api.com

pid	process
1148	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows PowerShell.exe

pid	process
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe
2640	Windows PowerShell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

Windows PowerShell.exePart 2.exePart 3.exePart 1.exePart1.exePart 4.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2640	Windows PowerShell.exe
Token: SeDebugPrivilege	2652	Part 2.exe
Token: SeDebugPrivilege	2752	Part 3.exe
Token: SeDebugPrivilege	2636	Part 1.exe
Token: SeDebugPrivilege	2392	Part1.exe
Token: SeDebugPrivilege	2812	Part 4.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2636	Part 1.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2392	Part1.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2812	Part 4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Part 2.exePart 1.exePart1.exePart 4.exe

pid process

2652 Part 2.exe
2636 Part 1.exe
2392 Part1.exe
2812 Part 4.exe

pid	process
2652	Part 2.exe
2636	Part 1.exe
2392	Part1.exe
2812	Part 4.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exePart2.exePart 2.exePart 1.exePart1.exePart 4.exe

description	pid	process	target process
PID 1740 wrote to memory of 2392	1740	cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe	Part1.exe
PID 1740 wrote to memory of 2392	1740	cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe	Part1.exe
PID 1740 wrote to memory of 2392	1740	cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe	Part1.exe
PID 1740 wrote to memory of 2656	1740	cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe	Part2.exe
PID 1740 wrote to memory of 2656	1740	cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe	Part2.exe
PID 1740 wrote to memory of 2656	1740	cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe	Part2.exe
PID 2656 wrote to memory of 2636	2656	Part2.exe	Part 1.exe
PID 2656 wrote to memory of 2636	2656	Part2.exe	Part 1.exe
PID 2656 wrote to memory of 2636	2656	Part2.exe	Part 1.exe
PID 2656 wrote to memory of 2652	2656	Part2.exe	Part 2.exe
PID 2656 wrote to memory of 2652	2656	Part2.exe	Part 2.exe
PID 2656 wrote to memory of 2652	2656	Part2.exe	Part 2.exe
PID 2656 wrote to memory of 2652	2656	Part2.exe	Part 2.exe
PID 2656 wrote to memory of 2652	2656	Part2.exe	Part 2.exe
PID 2656 wrote to memory of 2652	2656	Part2.exe	Part 2.exe
PID 2656 wrote to memory of 2652	2656	Part2.exe	Part 2.exe
PID 2656 wrote to memory of 2752	2656	Part2.exe	Part 3.exe
PID 2656 wrote to memory of 2752	2656	Part2.exe	Part 3.exe
PID 2656 wrote to memory of 2752	2656	Part2.exe	Part 3.exe
PID 2656 wrote to memory of 2812	2656	Part2.exe	Part 4.exe
PID 2656 wrote to memory of 2812	2656	Part2.exe	Part 4.exe
PID 2656 wrote to memory of 2812	2656	Part2.exe	Part 4.exe
PID 2656 wrote to memory of 2640	2656	Part2.exe	Windows PowerShell.exe
PID 2656 wrote to memory of 2640	2656	Part2.exe	Windows PowerShell.exe
PID 2656 wrote to memory of 2640	2656	Part2.exe	Windows PowerShell.exe
PID 2656 wrote to memory of 2640	2656	Part2.exe	Windows PowerShell.exe
PID 2652 wrote to memory of 1148	2652	Part 2.exe	schtasks.exe
PID 2652 wrote to memory of 1148	2652	Part 2.exe	schtasks.exe
PID 2652 wrote to memory of 1148	2652	Part 2.exe	schtasks.exe
PID 2652 wrote to memory of 1148	2652	Part 2.exe	schtasks.exe
PID 2636 wrote to memory of 1688	2636	Part 1.exe	powershell.exe
PID 2636 wrote to memory of 1688	2636	Part 1.exe	powershell.exe
PID 2636 wrote to memory of 1688	2636	Part 1.exe	powershell.exe
PID 2636 wrote to memory of 2112	2636	Part 1.exe	powershell.exe
PID 2636 wrote to memory of 2112	2636	Part 1.exe	powershell.exe
PID 2636 wrote to memory of 2112	2636	Part 1.exe	powershell.exe
PID 2392 wrote to memory of 1948	2392	Part1.exe	powershell.exe
PID 2392 wrote to memory of 1948	2392	Part1.exe	powershell.exe
PID 2392 wrote to memory of 1948	2392	Part1.exe	powershell.exe
PID 2392 wrote to memory of 572	2392	Part1.exe	powershell.exe
PID 2392 wrote to memory of 572	2392	Part1.exe	powershell.exe
PID 2392 wrote to memory of 572	2392	Part1.exe	powershell.exe
PID 2812 wrote to memory of 1520	2812	Part 4.exe	powershell.exe
PID 2812 wrote to memory of 1520	2812	Part 4.exe	powershell.exe
PID 2812 wrote to memory of 1520	2812	Part 4.exe	powershell.exe
PID 2812 wrote to memory of 1368	2812	Part 4.exe	powershell.exe
PID 2812 wrote to memory of 1368	2812	Part 4.exe	powershell.exe
PID 2812 wrote to memory of 1368	2812	Part 4.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe
"C:\Users\Admin\AppData\Local\Temp\cb22cebed97d6363239f63cf28816b8a8c06977c6d8625a43a61f0afa8823b26.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\Part1.exe
"C:\Users\Admin\AppData\Local\Temp\Part1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part1.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part1.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:572

C:\Users\Admin\AppData\Local\Temp\Part2.exe
"C:\Users\Admin\AppData\Local\Temp\Part2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2656

C:\Users\Admin\AppData\Local\Temp\Part 1.exe
"C:\Users\Admin\AppData\Local\Temp\Part 1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 1.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 1.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2112

C:\Users\Admin\AppData\Local\Temp\Part 2.exe
"C:\Users\Admin\AppData\Local\Temp\Part 2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "$77STARTUP~MSF" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Part 2.exe" /rl HIGHEST /f
4⤵
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Users\Admin\AppData\Local\Temp\Part 3.exe
"C:\Users\Admin\AppData\Local\Temp\Part 3.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Users\Admin\AppData\Local\Temp\Part 4.exe
"C:\Users\Admin\AppData\Local\Temp\Part 4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Part 4.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Part 4.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
"C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Part 1.exe
Filesize
67KB

MD5
092a0c6fe885844fd74947e64e7fc11e

SHA1
bfe46f64f36f2e927d862a1a787f146ed2c01219

SHA256
91431cb73305e0f1fdc698907301b6d312a350f667c50765615672e7f10a68f2

SHA512
022589bd17b46e5486971a59b2517956bb15815266e48dc73a7ae9ac9efd42a348af09df471562eb71ffc94ce1e1845d54ca2994663d1496a385bce50ae595f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Part 2.exe
Filesize
409KB

MD5
e10c7425705b2bd3214fa96247ee21c4

SHA1
7603536b97ab6337fa023bafcf80579c2b4059e6

SHA256
021068ac225e479b124c33d9e7582c17fdea6e625b165b79e2c818479d8094e4

SHA512
47e031992d637fef2a67e4fb08d2d82eaba03eba6b80f3e0e0997153acf0d979d0294276c4a10a97daa50130540230865c56191e6fe8df07dbea11c50fa48a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Part 3.exe
Filesize
63KB

MD5
27fe9341167a34f606b800303ac54b1f

SHA1
86373d218b48361bff1c23ddd08b6ab1803a51d0

SHA256
29e13a91af9b0ac77e9b7f8b0c26e5702f46bd8aea0333ca2d191d1d09c70c5d

SHA512
05b83ad544862d9c0cfc2651b2842624cff59fc4f454e0b1a2b36a705b558fad5a834f9f1af9f2626c57f1e3cd9aa400e290eaafb6efeb680422992bcbbde5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Part 4.exe
Filesize
79KB

MD5
1f1b23752df3d29e7604ba52aea85862

SHA1
bb582c6cf022098b171c4c9c7318a51de29ebcf4

SHA256
4834d31394f19d42e8d2a035b4c3c9c36441340ea19fe766396848ecfb608960

SHA512
d52722ab73bb15d4a5b0033351f98f168192f382677e6d474f6cf506cf8dc2f5e421e45279b6cac0f074857f41a865d87b5d989450bfcb8eba925b7baa12fbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Part1.exe
Filesize
74KB

MD5
e35a7249966beef31a45272c53e06727

SHA1
cc54648f9c9423f7a625e96256c608791b1ab275

SHA256
ecb87965ad5fdc76a30721226b1cb8a6263bbbce476a0446ff730b6399022998

SHA512
1dc30dc4a690aa87211db37b8fbc152e2e9e2b2554927296ff62bd4d2a7ab542777faaa4752399719cfe816cf3886b3bb4a90539f3f197dedd52298f2a315114

Download Submit
C:\Users\Admin\AppData\Local\Temp\Part2.exe
Filesize
661KB

MD5
c47c0d681b491091209c54147c33da81

SHA1
58cb51be41aa576ce56d4c16c9c443e70e648f62

SHA256
429c5dd3f4af9dcaa0ebaefda12281af7c84b3e3aa05d1034ddf89d2bdefb720

SHA512
f3a6f9af783910dd94622bb0408385228dfe322487d9d89c140e2e49b8abbc3b9c9f3cb580635166d1ddf6f5b7feeac51380044cf100476d6994adc7cac6cc5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows PowerShell.exe
Filesize
27KB

MD5
4daae2de5a31125d02b057c1ff18d58f

SHA1
e1d603edfcc150a4718e2916ae3dda3aa9548dc8

SHA256
25510f3aa1b879ea92a3cba9583d73e447b8765bae6dfcc4954bb72df5beaa7f

SHA512
7cda96a69f9cddab307f3f08e1f38a4d059f0cc7f7119d4a48891efdb01cf101ebcc06cb2ce0702ea2d689d27ee45faddc0a13cd72503c609c4e544919549a2a

Download Submit
memory/1740-1-0x0000000001260000-0x0000000001322000-memory.dmp

Filesize
776KB

Download
memory/1740-0-0x000007FEF6283000-0x000007FEF6284000-memory.dmp

Filesize
4KB

Download
memory/2392-7-0x0000000001140000-0x0000000001158000-memory.dmp

Filesize
96KB

Download
memory/2392-22-0x000007FEF6280000-0x000007FEF6C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-34-0x00000000012D0000-0x00000000012E8000-memory.dmp

Filesize
96KB

Download
memory/2640-45-0x0000000000950000-0x000000000095E000-memory.dmp

Filesize
56KB

Download
memory/2640-47-0x00000000001C0000-0x00000000001D0000-memory.dmp

Filesize
64KB

Download
memory/2652-46-0x00000000000A0000-0x000000000010C000-memory.dmp

Filesize
432KB

Download
memory/2656-13-0x0000000000970000-0x0000000000A1C000-memory.dmp

Filesize
688KB

Download
memory/2752-33-0x0000000000DE0000-0x0000000000DF6000-memory.dmp

Filesize
88KB

Download
memory/2812-43-0x0000000000390000-0x00000000003AA000-memory.dmp

Filesize
104KB

Download