asyncrat | 044cacd5ac37289f51cb2560deec5d5eb2a299f37cc7632673fefc70196e5452

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19/03/2023, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Odeme.exe
Size

637KB
MD5

0747b82b235f4d06fc693569fac9ffbd
SHA1

d639f2c7345800ae12b6dea8655cdab16df64daf
SHA256

044cacd5ac37289f51cb2560deec5d5eb2a299f37cc7632673fefc70196e5452
SHA512

08a9ee3dbd779b8b4c689ddf54f9d57bfa68f61b18e80c8a2240a3feae5e0bf98603e68ecc55aee0d9da7efe909d09a306f5f69feb4e49668520eef7ecfab552
SSDEEP

12288:NcrNS33L10QdrXjcDn6gl1f6NWU6TvfXCT8NqRu0VWYQw6zx6TaFOo:wNA3R5drXoD60ZMNg3TuWYJ2x6/o

Score

10^/10

asyncrat mnock rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Mnock

mooroopecamroy.sytes.net:1452

mooroopecamroy.sytes.net:1432

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
true
install_file
crssi.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1364-101-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1364-104-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1364-106-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1980-125-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/1980-127-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 5 IoCs

pid	Process
1136	fxgdxfg.sfx.exe
936	fxgdxfg.exe
1364	fxgdxfg.exe
272	crssi.exe
1980	crssi.exe

Loads dropped DLL 7 IoCs

pid	Process
1848	cmd.exe
1136	fxgdxfg.sfx.exe
1136	fxgdxfg.sfx.exe
1136	fxgdxfg.sfx.exe
1136	fxgdxfg.sfx.exe
936	fxgdxfg.exe
1268	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1364	936	fxgdxfg.exe	33
PID 272 set thread context of 1980	272	crssi.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1740	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
108	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1364	fxgdxfg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	936	fxgdxfg.exe
Token: SeDebugPrivilege	1364	fxgdxfg.exe
Token: SeDebugPrivilege	272	crssi.exe
Token: SeDebugPrivilege	1980	crssi.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1104	DllHost.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1848	1760	Odeme.exe	29
PID 1760 wrote to memory of 1848	1760	Odeme.exe	29
PID 1760 wrote to memory of 1848	1760	Odeme.exe	29
PID 1760 wrote to memory of 1848	1760	Odeme.exe	29
PID 1848 wrote to memory of 1136	1848	cmd.exe	31
PID 1848 wrote to memory of 1136	1848	cmd.exe	31
PID 1848 wrote to memory of 1136	1848	cmd.exe	31
PID 1848 wrote to memory of 1136	1848	cmd.exe	31
PID 1136 wrote to memory of 936	1136	fxgdxfg.sfx.exe	32
PID 1136 wrote to memory of 936	1136	fxgdxfg.sfx.exe	32
PID 1136 wrote to memory of 936	1136	fxgdxfg.sfx.exe	32
PID 1136 wrote to memory of 936	1136	fxgdxfg.sfx.exe	32
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 936 wrote to memory of 1364	936	fxgdxfg.exe	33
PID 1364 wrote to memory of 1564	1364	fxgdxfg.exe	35
PID 1364 wrote to memory of 1564	1364	fxgdxfg.exe	35
PID 1364 wrote to memory of 1564	1364	fxgdxfg.exe	35
PID 1364 wrote to memory of 1564	1364	fxgdxfg.exe	35
PID 1364 wrote to memory of 1268	1364	fxgdxfg.exe	37
PID 1364 wrote to memory of 1268	1364	fxgdxfg.exe	37
PID 1364 wrote to memory of 1268	1364	fxgdxfg.exe	37
PID 1364 wrote to memory of 1268	1364	fxgdxfg.exe	37
PID 1564 wrote to memory of 1740	1564	cmd.exe	39
PID 1564 wrote to memory of 1740	1564	cmd.exe	39
PID 1564 wrote to memory of 1740	1564	cmd.exe	39
PID 1564 wrote to memory of 1740	1564	cmd.exe	39
PID 1268 wrote to memory of 108	1268	cmd.exe	40
PID 1268 wrote to memory of 108	1268	cmd.exe	40
PID 1268 wrote to memory of 108	1268	cmd.exe	40
PID 1268 wrote to memory of 108	1268	cmd.exe	40
PID 1268 wrote to memory of 272	1268	cmd.exe	41
PID 1268 wrote to memory of 272	1268	cmd.exe	41
PID 1268 wrote to memory of 272	1268	cmd.exe	41
PID 1268 wrote to memory of 272	1268	cmd.exe	41
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42
PID 272 wrote to memory of 1980	272	crssi.exe	42

C:\Users\Admin\AppData\Local\Temp\Odeme.exe
"C:\Users\Admin\AppData\Local\Temp\Odeme.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\niychjo.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe
    fxgdxfg.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pkqcaszjnhdeekeafugBtrfapofdgatdbjfthfegdyddfbshhheuyhdqboofhhddghdgvxcVohobthtigdge
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
      "C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:936
    - - C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
        
        C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "crssi" /tr '"C:\Users\Admin\AppData\Roaming\crssi.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:1740
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2BD2.tmp.bat""
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:108
        
        C:\Users\Admin\AppData\Roaming\crssi.exe
        
        "C:\Users\Admin\AppData\Roaming\crssi.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Users\Admin\AppData\Roaming\crssi.exe
        
        C:\Users\Admin\AppData\Roaming\crssi.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe

Filesize
446KB

MD5
bba0c2f36a07c47043cdf79438caa5c6

SHA1
756ea32a4fd067ec1e89348931250d518dbffaa8

SHA256
91b53575361b2edfb410d537d8f9656cf6c897cf499c5e69c1a87070b041805a

SHA512
1e278dbe58ef39127f52c2dbf1df28957c8c15be79bc8bd877141a7c85aa49863655b9903ab8b6ae5d845bc8c5a6b90c4192b3240d72f082cff0eb95faab54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe

Filesize
446KB

MD5
bba0c2f36a07c47043cdf79438caa5c6

SHA1
756ea32a4fd067ec1e89348931250d518dbffaa8

SHA256
91b53575361b2edfb410d537d8f9656cf6c897cf499c5e69c1a87070b041805a

SHA512
1e278dbe58ef39127f52c2dbf1df28957c8c15be79bc8bd877141a7c85aa49863655b9903ab8b6ae5d845bc8c5a6b90c4192b3240d72f082cff0eb95faab54bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\niychjo.cmd

Filesize
10KB

MD5
e5e149b889c00e5bb7ccb24f657de3b6

SHA1
27c48613662cf340487399277c7da01a3459bbd7

SHA256
918b067d618b93734f5fd18a2304d58fa3de64c40e57f8c61aa20721ad859b4a

SHA512
806ef27e28e05bb61a54b06c5dd47885e30aba9d9a28657120c0c24d27899486835604c0ccb5d53ea069986f00a5d4bc2e695db6fd1e3fa16e067e1e7a550b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\niychjo.cmd

Filesize
10KB

MD5
e5e149b889c00e5bb7ccb24f657de3b6

SHA1
27c48613662cf340487399277c7da01a3459bbd7

SHA256
918b067d618b93734f5fd18a2304d58fa3de64c40e57f8c61aa20721ad859b4a

SHA512
806ef27e28e05bb61a54b06c5dd47885e30aba9d9a28657120c0c24d27899486835604c0ccb5d53ea069986f00a5d4bc2e695db6fd1e3fa16e067e1e7a550b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\odSwift.jpg

Filesize
46KB

MD5
57cbd6c513298c42618373a0f752460a

SHA1
3dd60b7e98d93f4c2b0b7aa11b9bba3708a5e5c6

SHA256
c58d4f70b28185fad7a7411f08731c13ab5c19decad07fc2e422090c090268c2

SHA512
0624fe01af7f450b5ed5aef39e1678d66642de0a07edcce74a801a2051e62c7a5d2c057cf6e4b549122583df8f618ecddb81e23200187fecfd7695061fd9d68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD2.tmp.bat

Filesize
149B

MD5
f32317efe1f366e7b2a8841f5dba26fb

SHA1
bfc0cb2f6fc1fdc8224954c98d245a7a83b576e6

SHA256
36ebe66fb83f6ebc4025c359ed32b2a3d55c1bc03673c9f8474fb773dd93ca27

SHA512
e744f6f177eeada5af7087c6e1d229f591dfccab4847ad68ed3bab40dc5fda60038e63f5d4b56941b173e1c55ca20a1c544ad82d87a14b2277c801f17809fdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2BD2.tmp.bat

Filesize
149B

MD5
f32317efe1f366e7b2a8841f5dba26fb

SHA1
bfc0cb2f6fc1fdc8224954c98d245a7a83b576e6

SHA256
36ebe66fb83f6ebc4025c359ed32b2a3d55c1bc03673c9f8474fb773dd93ca27

SHA512
e744f6f177eeada5af7087c6e1d229f591dfccab4847ad68ed3bab40dc5fda60038e63f5d4b56941b173e1c55ca20a1c544ad82d87a14b2277c801f17809fdf9

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
C:\Users\Admin\AppData\Roaming\crssi.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
\Users\Admin\AppData\Local\Temp\fxgdxfg.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
\Users\Admin\AppData\Local\Temp\fxgdxfg.sfx.exe

Filesize
446KB

MD5
bba0c2f36a07c47043cdf79438caa5c6

SHA1
756ea32a4fd067ec1e89348931250d518dbffaa8

SHA256
91b53575361b2edfb410d537d8f9656cf6c897cf499c5e69c1a87070b041805a

SHA512
1e278dbe58ef39127f52c2dbf1df28957c8c15be79bc8bd877141a7c85aa49863655b9903ab8b6ae5d845bc8c5a6b90c4192b3240d72f082cff0eb95faab54bb

Download Submit
\Users\Admin\AppData\Roaming\crssi.exe

Filesize
228KB

MD5
4981301b8b72b18e3f36313edf39c494

SHA1
b8d8db735a8ca2d5c0a1f7d2088037a2b1cdd27e

SHA256
e3fb4e330e0dc4c5014831fd287ac49eddfc62ecd627a087310af569ea1a1655

SHA512
2590aa4ac41297c18ba719713d0ef1cb63b0582b10bc27f391b6d1152fb1aef706b9b3b3a2658ea23d00786ee0939db20196a736ef9b46d8671b6dd72d6e7fcd

Download Submit
memory/272-121-0x0000000000D60000-0x0000000000D9E000-memory.dmp

Filesize
248KB

Download
memory/936-98-0x0000000000730000-0x000000000076C000-memory.dmp

Filesize
240KB

Download
memory/936-97-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/936-99-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download
memory/936-96-0x0000000000E50000-0x0000000000E8E000-memory.dmp

Filesize
248KB

Download
memory/1104-128-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1104-61-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/1104-69-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1364-106-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1364-108-0x00000000007E0000-0x0000000000820000-memory.dmp

Filesize
256KB

Download
memory/1364-104-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1364-101-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1760-60-0x00000000024A0000-0x00000000024A2000-memory.dmp

Filesize
8KB

Download
memory/1980-125-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1980-127-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1980-129-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/1980-130-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download