asyncrat | 8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
04/10/2023, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
Size

666KB
MD5

07478a5c4795897c09745378c750f8ca
SHA1

1ae0911fd5fa57d1b94ecef287af30d4845c3019
SHA256

8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f
SHA512

5af0fde061350ee63b8e0b31104397c4be2ceacbba2ba08557c9872b6fefc676676f18b0f51d4d2504d1b0f5c8123d004e262e77cb4697867cb6406e26ce56b2
SSDEEP

12288:JcrNS33L10QdrX4FBojL8DPNYnzENFuUftj8Y+JxeIlTPYQZjDa321uz:0NA3R5drX4GcPNYo7vljEUIlLY+Da34K

Score

10^/10

asyncrat default10 rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default10

qpurrybeatmecamtest.ddns.net:5987

qpurrybeatmecamtest.ddns.net:6978

Mutex

AsyncMutex_4SI8ObPTc

Attributes

delay
3
install
true
install_file
cestm.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/2608-43-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2608-46-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2608-48-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2848-72-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2848-74-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/2848-76-0x0000000004C20000-0x0000000004C60000-memory.dmp	asyncrat

Executes dropped EXE 5 IoCs

pid	Process
2732	zxdfser.exe
2584	yunkynotes.exe
2608	yunkynotes.exe
2424	cestm.exe
2848	cestm.exe

Loads dropped DLL 7 IoCs

pid	Process
2648	cmd.exe
2732	zxdfser.exe
2732	zxdfser.exe
2732	zxdfser.exe
2732	zxdfser.exe
2584	yunkynotes.exe
280	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2608	2584	yunkynotes.exe	34
PID 2424 set thread context of 2848	2424	cestm.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2012	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2164	timeout.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3004	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	yunkynotes.exe
2608	yunkynotes.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	yunkynotes.exe
Token: SeDebugPrivilege	2608	yunkynotes.exe
Token: SeDebugPrivilege	2424	cestm.exe
Token: SeDebugPrivilege	2848	cestm.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2648	2180	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe	29
PID 2180 wrote to memory of 2648	2180	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe	29
PID 2180 wrote to memory of 2648	2180	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe	29
PID 2180 wrote to memory of 2648	2180	8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe	29
PID 2648 wrote to memory of 2732	2648	cmd.exe	31
PID 2648 wrote to memory of 2732	2648	cmd.exe	31
PID 2648 wrote to memory of 2732	2648	cmd.exe	31
PID 2648 wrote to memory of 2732	2648	cmd.exe	31
PID 2732 wrote to memory of 2584	2732	zxdfser.exe	32
PID 2732 wrote to memory of 2584	2732	zxdfser.exe	32
PID 2732 wrote to memory of 2584	2732	zxdfser.exe	32
PID 2732 wrote to memory of 2584	2732	zxdfser.exe	32
PID 2732 wrote to memory of 3004	2732	zxdfser.exe	33
PID 2732 wrote to memory of 3004	2732	zxdfser.exe	33
PID 2732 wrote to memory of 3004	2732	zxdfser.exe	33
PID 2732 wrote to memory of 3004	2732	zxdfser.exe	33
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2584 wrote to memory of 2608	2584	yunkynotes.exe	34
PID 2608 wrote to memory of 320	2608	yunkynotes.exe	35
PID 2608 wrote to memory of 320	2608	yunkynotes.exe	35
PID 2608 wrote to memory of 320	2608	yunkynotes.exe	35
PID 2608 wrote to memory of 320	2608	yunkynotes.exe	35
PID 2608 wrote to memory of 280	2608	yunkynotes.exe	37
PID 2608 wrote to memory of 280	2608	yunkynotes.exe	37
PID 2608 wrote to memory of 280	2608	yunkynotes.exe	37
PID 2608 wrote to memory of 280	2608	yunkynotes.exe	37
PID 320 wrote to memory of 2012	320	cmd.exe	40
PID 320 wrote to memory of 2012	320	cmd.exe	40
PID 320 wrote to memory of 2012	320	cmd.exe	40
PID 320 wrote to memory of 2012	320	cmd.exe	40
PID 280 wrote to memory of 2164	280	cmd.exe	39
PID 280 wrote to memory of 2164	280	cmd.exe	39
PID 280 wrote to memory of 2164	280	cmd.exe	39
PID 280 wrote to memory of 2164	280	cmd.exe	39
PID 280 wrote to memory of 2424	280	cmd.exe	41
PID 280 wrote to memory of 2424	280	cmd.exe	41
PID 280 wrote to memory of 2424	280	cmd.exe	41
PID 280 wrote to memory of 2424	280	cmd.exe	41
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42
PID 2424 wrote to memory of 2848	2424	cestm.exe	42

C:\Users\Admin\AppData\Local\Temp\8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8c8aee950d1420d409169010b6a9e475c2d0d78ecf9c6d31a3a7542c15735e4f_JC.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ystickyrealen34.cmd" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\zxdfser.exe
    zxdfser.exe -pqoutgfbdmsigsohdfuishgrkgysgfghsithngmkaswodtyuiofxvflfadfdyehngfszafugyRygfysrsoihfihgsoirsugsudbfrgsfskfshbrhhguhrhgnmePvqxsSb -dC:\Users\Admin\AppData\Local\Temp
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe
      "C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe
        
        C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "cestm" /tr '"C:\Users\Admin\AppData\Roaming\cestm.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "cestm" /tr '"C:\Users\Admin\AppData\Roaming\cestm.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:2012
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5A31.tmp.bat""
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\cestm.exe
        
        "C:\Users\Admin\AppData\Roaming\cestm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\cestm.exe
        
        C:\Users\Admin\AppData\Roaming\cestm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
  - - C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\OdemeInfo.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5A31.tmp.bat

Filesize
149B

MD5
5ebe26ee0998c6ac3d2266a890f81344

SHA1
ef69d2b6e800699928ccdd8c3d73f3b1eeb4809c

SHA256
7ae81cf99d965a4c8cc6daafe23aa72e9260d3ae748293d29bc0b132f2dcac2a

SHA512
0825fe4bbe85b37c0064d452879f4e5b2b2f9e659704bf6e9349f3559f6c9562c2bf77a9cb5183e883aff7f1515ea4a884fd4c36bdb2ae0668794799a2f70f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A31.tmp.bat

Filesize
149B

MD5
5ebe26ee0998c6ac3d2266a890f81344

SHA1
ef69d2b6e800699928ccdd8c3d73f3b1eeb4809c

SHA256
7ae81cf99d965a4c8cc6daafe23aa72e9260d3ae748293d29bc0b132f2dcac2a

SHA512
0825fe4bbe85b37c0064d452879f4e5b2b2f9e659704bf6e9349f3559f6c9562c2bf77a9cb5183e883aff7f1515ea4a884fd4c36bdb2ae0668794799a2f70f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ystickyrealen34.cmd

Filesize
19KB

MD5
1b55772b37920b2ecf27a077fa10a82c

SHA1
812bd60efdb5befa5e19852f4875f30c77a81922

SHA256
ab9f1e57aedb0f8c5912e00bf9d93a1a3b2cc25db971bad4c633a0a529cfaa27

SHA512
f74624f441151bfe7a4421ee5aa962dcf074ceb9ca2feb1712bb4947b1b22de88b2570e6d7870b473d629165994ca0ed704a0038fb55f284fa60f957a9bed5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ystickyrealen34.cmd

Filesize
19KB

MD5
1b55772b37920b2ecf27a077fa10a82c

SHA1
812bd60efdb5befa5e19852f4875f30c77a81922

SHA256
ab9f1e57aedb0f8c5912e00bf9d93a1a3b2cc25db971bad4c633a0a529cfaa27

SHA512
f74624f441151bfe7a4421ee5aa962dcf074ceb9ca2feb1712bb4947b1b22de88b2570e6d7870b473d629165994ca0ed704a0038fb55f284fa60f957a9bed5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxdfser.exe

Filesize
428KB

MD5
5fd800cb1df5f757e1d5dcc8cb2433e6

SHA1
bac9641fbdc9c6d5ad69bd8b9dcbb564fe478552

SHA256
57e333d9c1199d0be9b3219d1f510c62ce366227828e8cd49442a6c5785d644a

SHA512
06e93672eca7e5df8d6e2d18f44da9926be0019d2f8680c2c9b70c3aa505e49582cad3d2d9ee329bccc58974693af5090ee419c63c47c7655a88b5b547c8bc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxdfser.exe

Filesize
428KB

MD5
5fd800cb1df5f757e1d5dcc8cb2433e6

SHA1
bac9641fbdc9c6d5ad69bd8b9dcbb564fe478552

SHA256
57e333d9c1199d0be9b3219d1f510c62ce366227828e8cd49442a6c5785d644a

SHA512
06e93672eca7e5df8d6e2d18f44da9926be0019d2f8680c2c9b70c3aa505e49582cad3d2d9ee329bccc58974693af5090ee419c63c47c7655a88b5b547c8bc00

Download Submit
C:\Users\Admin\AppData\Roaming\cestm.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Roaming\cestm.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
C:\Users\Admin\AppData\Roaming\cestm.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
\Users\Admin\AppData\Local\Temp\yunkynotes.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
\Users\Admin\AppData\Local\Temp\zxdfser.exe

Filesize
428KB

MD5
5fd800cb1df5f757e1d5dcc8cb2433e6

SHA1
bac9641fbdc9c6d5ad69bd8b9dcbb564fe478552

SHA256
57e333d9c1199d0be9b3219d1f510c62ce366227828e8cd49442a6c5785d644a

SHA512
06e93672eca7e5df8d6e2d18f44da9926be0019d2f8680c2c9b70c3aa505e49582cad3d2d9ee329bccc58974693af5090ee419c63c47c7655a88b5b547c8bc00

Download Submit
\Users\Admin\AppData\Roaming\cestm.exe

Filesize
188KB

MD5
4ef70f9463402797a33c9c57cb0bb4ae

SHA1
50d9169302d0df4cfab1421e280a3c5654979c16

SHA256
6a9d3d2a4eaa850159fcddf238be20521d711c2ee75bfa01145cca1e9bacfae5

SHA512
db362a4056601f461cffff246a40d8caa328e9c50f72915bf233ffdd69b8b70a37efb7e47639c40bc7e98961c06284a8ea6cd486ffe4779978c2e329544184fc

Download Submit
memory/2424-67-0x0000000004860000-0x00000000048A0000-memory.dmp

Filesize
256KB

Download
memory/2424-71-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-66-0x0000000074880000-0x0000000074F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2424-65-0x0000000000FD0000-0x0000000001004000-memory.dmp

Filesize
208KB

Download
memory/2584-49-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-38-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-37-0x00000000013E0000-0x0000000001414000-memory.dmp

Filesize
208KB

Download
memory/2584-39-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/2584-41-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/2584-40-0x0000000000620000-0x000000000065A000-memory.dmp

Filesize
232KB

Download
memory/2608-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2608-50-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-46-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2608-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2608-60-0x0000000074650000-0x0000000074D3E000-memory.dmp

Filesize
6.9MB

Download
memory/2608-51-0x0000000000C90000-0x0000000000CD0000-memory.dmp

Filesize
256KB

Download
memory/2848-72-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2848-74-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2848-75-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-76-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download
memory/2848-77-0x0000000073B40000-0x000000007422E000-memory.dmp

Filesize
6.9MB

Download
memory/2848-78-0x0000000004C20000-0x0000000004C60000-memory.dmp

Filesize
256KB

Download