asyncrat | 462342db316acd9578f80e1b80471237fecc9479d2d70f7f413b1b47cd302400

Analysis

max time kernel
61s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2022 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1018KB
MD5

f58357e2f32909d85790128c9f6d08c0
SHA1

b75dea10a3f9ebcce95c2dbf9d20a98fe3c5bd78
SHA256

462342db316acd9578f80e1b80471237fecc9479d2d70f7f413b1b47cd302400
SHA512

52aec13d3af40f0396a31ed278f3d243bf3eb6bebaac425bd8cc050cf399e47eb1e6ec851eb024c56d4ccc1d76d958aa2ba87ec94e2a7e72c9bf6484cdf949d8
SSDEEP

12288:ithx+HhW51Ur3EUfGTLX+fw0aSdpjRAvqYzlJLO/xbf:aD4h/jtfw0PmzlJLO/hf

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

cmorzp.exetmp.exemrcuqd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\SystemVisual\\VisualStudio.exe\","	cmorzp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\SystemCPU\\CPU-SOCKET.exe\","	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Meow\\Meow.exe\","	mrcuqd.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/344-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Executes dropped EXE 3 IoCs

Processes:

mrcuqd.execmorzp.exeqixdmy.exe

pid process

3428 mrcuqd.exe
3296 cmorzp.exe
4156 qixdmy.exe

pid	process
3428	mrcuqd.exe
3296	cmorzp.exe
4156	qixdmy.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.execmorzp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmorzp.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exemrcuqd.execmorzp.exe

description	pid	process	target process
PID 2268 set thread context of 344	2268	tmp.exe	RegAsm.exe
PID 3428 set thread context of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3296 set thread context of 628	3296	cmorzp.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

InstallUtil.exe

pid process

628 InstallUtil.exe

pid	process
628	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exeRegAsm.exemrcuqd.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4596	powershell.exe
344	RegAsm.exe
4596	powershell.exe
3428	mrcuqd.exe
3428	mrcuqd.exe
3600	powershell.exe
3600	powershell.exe
344	RegAsm.exe
528	powershell.exe
528	powershell.exe
4804	powershell.exe
4804	powershell.exe
344	RegAsm.exe
1412	powershell.exe
1412	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

2900 RegAsm.exe

pid	process
2900	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

tmp.exeRegAsm.exepowershell.exemrcuqd.exepowershell.execmorzp.exepowershell.exepowershell.exeqixdmy.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2268	tmp.exe
Token: SeDebugPrivilege	344	RegAsm.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeDebugPrivilege	3428	mrcuqd.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3296	cmorzp.exe
Token: SeDebugPrivilege	528	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4156	qixdmy.exe
Token: SeDebugPrivilege	1412	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

tmp.exeRegAsm.execmd.exepowershell.exemrcuqd.execmd.exepowershell.execmorzp.execmd.exepowershell.exe

description	pid	process	target process
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 2268 wrote to memory of 344	2268	tmp.exe	RegAsm.exe
PID 344 wrote to memory of 3452	344	RegAsm.exe	cmd.exe
PID 344 wrote to memory of 3452	344	RegAsm.exe	cmd.exe
PID 344 wrote to memory of 3452	344	RegAsm.exe	cmd.exe
PID 3452 wrote to memory of 4596	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 4596	3452	cmd.exe	powershell.exe
PID 3452 wrote to memory of 4596	3452	cmd.exe	powershell.exe
PID 4596 wrote to memory of 3428	4596	powershell.exe	mrcuqd.exe
PID 4596 wrote to memory of 3428	4596	powershell.exe	mrcuqd.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 3428 wrote to memory of 2900	3428	mrcuqd.exe	RegAsm.exe
PID 344 wrote to memory of 3568	344	RegAsm.exe	cmd.exe
PID 344 wrote to memory of 3568	344	RegAsm.exe	cmd.exe
PID 344 wrote to memory of 3568	344	RegAsm.exe	cmd.exe
PID 3568 wrote to memory of 3600	3568	cmd.exe	powershell.exe
PID 3568 wrote to memory of 3600	3568	cmd.exe	powershell.exe
PID 3568 wrote to memory of 3600	3568	cmd.exe	powershell.exe
PID 3600 wrote to memory of 3296	3600	powershell.exe	cmorzp.exe
PID 3600 wrote to memory of 3296	3600	powershell.exe	cmorzp.exe
PID 3600 wrote to memory of 3296	3600	powershell.exe	cmorzp.exe
PID 3296 wrote to memory of 528	3296	cmorzp.exe	powershell.exe
PID 3296 wrote to memory of 528	3296	cmorzp.exe	powershell.exe
PID 3296 wrote to memory of 528	3296	cmorzp.exe	powershell.exe
PID 344 wrote to memory of 2316	344	RegAsm.exe	cmd.exe
PID 344 wrote to memory of 2316	344	RegAsm.exe	cmd.exe
PID 344 wrote to memory of 2316	344	RegAsm.exe	cmd.exe
PID 2316 wrote to memory of 4804	2316	cmd.exe	powershell.exe
PID 2316 wrote to memory of 4804	2316	cmd.exe	powershell.exe
PID 2316 wrote to memory of 4804	2316	cmd.exe	powershell.exe
PID 4804 wrote to memory of 4156	4804	powershell.exe	qixdmy.exe
PID 4804 wrote to memory of 4156	4804	powershell.exe	qixdmy.exe
PID 4804 wrote to memory of 4156	4804	powershell.exe	qixdmy.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe
PID 3296 wrote to memory of 628	3296	cmorzp.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mrcuqd.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\mrcuqd.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\mrcuqd.exe
"C:\Users\Admin\AppData\Local\Temp\mrcuqd.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
6⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2900

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cmorzp.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\cmorzp.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3600

C:\Users\Admin\AppData\Local\Temp\cmorzp.exe
"C:\Users\Admin\AppData\Local\Temp\cmorzp.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
- Suspicious behavior: AddClipboardFormatListener
PID:628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qixdmy.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qixdmy.exe"'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\qixdmy.exe
"C:\Users\Admin\AppData\Local\Temp\qixdmy.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
5315900105942deb090a358a315b06fe

SHA1
22fe5d2e1617c31afbafb91c117508d41ef0ce44

SHA256
e8bd7d8d1d0437c71aceb032f9fb08dd1147f41c048540254971cc60e95d6cd7

SHA512
77e8d15b8c34a1cb01dbee7147987e2cc25c747e0f80d254714a93937a6d2fe08cb5a772cf85ceb8fec56415bfa853234a003173718c4229ba8cfcf2ce6335a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
7a2e34397847da88b6b30d65c9b7790d

SHA1
7b809d4ba8afd22b81eddbcfb83dd879fd111fdb

SHA256
2267327cf8b48382d10e19d3ecb451745415dd0ed11c50d14af814483d5ff64b

SHA512
e7df36da214f303a57840d70209319c7ed4aea2cf10e9e918eb0e117a9cfba5a1b581764c4cfa4928ead0b472633d13cdac381100bdb06f830f158c7200a234a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
54fc014473b1cae48845086a1bb30134

SHA1
5c2c8b47ca46aad5274836ed8a30f08401c30ead

SHA256
aa3e63d92a502df93e893348dd5be32ba91194501f4e7aad5fb9f2e0fd4128cf

SHA512
b9e543d4a0eceb2e7cd0b67008dc7316b7aca49fb80824d3a57dcae04c4f4707a6e87a88baef82a8a051907244aeaa979d971546c4cda6032e67673c25bd7f5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a181ca7d0b63767baa33c507ce273d9c

SHA1
1a32c5abf560191fc92c960b3904bee5578f8c30

SHA256
e305e03cff9ea74594c77ed96950d5091855ab6b7ca6c505698f30aa0cf94261

SHA512
2a827a50bcb0329c64e3fcc40f958bc41c1e0c90d5d933a8a25222c3a246a7adc9844420b912debee193b448984bd83aeb58b252978adf77ab484ae662af0350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
a181ca7d0b63767baa33c507ce273d9c

SHA1
1a32c5abf560191fc92c960b3904bee5578f8c30

SHA256
e305e03cff9ea74594c77ed96950d5091855ab6b7ca6c505698f30aa0cf94261

SHA512
2a827a50bcb0329c64e3fcc40f958bc41c1e0c90d5d933a8a25222c3a246a7adc9844420b912debee193b448984bd83aeb58b252978adf77ab484ae662af0350

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmorzp.exe
Filesize
1.0MB

MD5
7217f672995942607eba0cd4fb1bb117

SHA1
c0079cdb09360d3e2e9f449035f38c9dad5cad1d

SHA256
ed18053ff11ef58b9ec9c8cf2d7e999dd72effba8c4558b0c7e50b081caae4e1

SHA512
d642540a341d8d982bb808b576f4153922c5d0118fa8d314d81b9bc362035773bc26fff2cd5f6204d3ed3f58312f365f3b81f918cb03094534b7b0b16eb503c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmorzp.exe
Filesize
1.0MB

MD5
7217f672995942607eba0cd4fb1bb117

SHA1
c0079cdb09360d3e2e9f449035f38c9dad5cad1d

SHA256
ed18053ff11ef58b9ec9c8cf2d7e999dd72effba8c4558b0c7e50b081caae4e1

SHA512
d642540a341d8d982bb808b576f4153922c5d0118fa8d314d81b9bc362035773bc26fff2cd5f6204d3ed3f58312f365f3b81f918cb03094534b7b0b16eb503c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrcuqd.exe
Filesize
828KB

MD5
494969d84ee004227da4051403cbc098

SHA1
befd216439b68c83899476ea7bf5c7eff025bdc6

SHA256
c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48

SHA512
ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrcuqd.exe
Filesize
828KB

MD5
494969d84ee004227da4051403cbc098

SHA1
befd216439b68c83899476ea7bf5c7eff025bdc6

SHA256
c92db9ae788154a5b6f08a648e663000803dfba5aa893cfaef69b18c06d7fc48

SHA512
ddc6d8745fb4b5c89990da7e85c5475a1fe91ece05b127258c85ad78d63a137a383bbf5a798c1b54d49d7506b53c03677bafa17ef7c8080f8f5bde1ebf552676

Download Submit
C:\Users\Admin\AppData\Local\Temp\qixdmy.exe
Filesize
493KB

MD5
acba20ad390f3688738f688f262adf63

SHA1
b732d2ffafa3b6237c3fe40d3172497bf556df6e

SHA256
1b47454a02aee81578865fc1b2ae9545392544073c8dca9eb399b53d402bd877

SHA512
6b044f95566581a9f2f9c7bc0ea9bc032072c0bc099035d388e86ce1c1a3bf963366c7b5e221acf3602a1bb8c5a9c425a8c783d27d4a927f3dc978f222091a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\qixdmy.exe
Filesize
493KB

MD5
acba20ad390f3688738f688f262adf63

SHA1
b732d2ffafa3b6237c3fe40d3172497bf556df6e

SHA256
1b47454a02aee81578865fc1b2ae9545392544073c8dca9eb399b53d402bd877

SHA512
6b044f95566581a9f2f9c7bc0ea9bc032072c0bc099035d388e86ce1c1a3bf963366c7b5e221acf3602a1bb8c5a9c425a8c783d27d4a927f3dc978f222091a14

Download Submit
memory/344-139-0x0000000005CF0000-0x0000000005D8C000-memory.dmp

Filesize
624KB

Download
memory/344-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/344-137-0x0000000000000000-mapping.dmp

Download
memory/344-140-0x0000000006E40000-0x0000000006EB6000-memory.dmp

Filesize
472KB

Download
memory/344-141-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/528-183-0x0000000006F50000-0x0000000006F58000-memory.dmp

Filesize
32KB

Download
memory/528-177-0x0000000006A90000-0x0000000006A9A000-memory.dmp

Filesize
40KB

Download
memory/528-175-0x000000006F720000-0x000000006F76C000-memory.dmp

Filesize
304KB

Download
memory/528-181-0x0000000007020000-0x000000000703A000-memory.dmp

Filesize
104KB

Download
memory/528-180-0x0000000006F00000-0x0000000006F0E000-memory.dmp

Filesize
56KB

Download
memory/528-171-0x0000000000000000-mapping.dmp

Download
memory/528-173-0x0000000007330000-0x00000000079AA000-memory.dmp

Filesize
6.5MB

Download
memory/528-174-0x0000000006A20000-0x0000000006A52000-memory.dmp

Filesize
200KB

Download
memory/528-176-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/628-188-0x0000000000000000-mapping.dmp

Download
memory/628-189-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-190-0x00000000057E0000-0x00000000057EA000-memory.dmp

Filesize
40KB

Download
memory/1412-193-0x00007FFA07180000-0x00007FFA07C41000-memory.dmp

Filesize
10.8MB

Download
memory/1412-192-0x00007FFA07180000-0x00007FFA07C41000-memory.dmp

Filesize
10.8MB

Download
memory/2268-133-0x00000000053D0000-0x00000000053F2000-memory.dmp

Filesize
136KB

Download
memory/2268-134-0x000000003F170000-0x000000003F1D6000-memory.dmp

Filesize
408KB

Download
memory/2268-132-0x0000000000760000-0x0000000000864000-memory.dmp

Filesize
1.0MB

Download
memory/2268-135-0x000000003F620000-0x000000003F6B2000-memory.dmp

Filesize
584KB

Download
memory/2268-136-0x000000003FC70000-0x0000000040214000-memory.dmp

Filesize
5.6MB

Download
memory/2316-178-0x0000000000000000-mapping.dmp

Download
memory/2900-159-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/2900-158-0x0000000140095CF4-mapping.dmp

Download
memory/2900-157-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/2900-160-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/2900-162-0x0000000140000000-0x00000001400D9000-memory.dmp

Filesize
868KB

Download
memory/3296-168-0x0000000000000000-mapping.dmp

Download
memory/3296-170-0x0000000000F50000-0x0000000001062000-memory.dmp

Filesize
1.1MB

Download
memory/3428-161-0x00007FFA07180000-0x00007FFA07C41000-memory.dmp

Filesize
10.8MB

Download
memory/3428-156-0x00007FFA07180000-0x00007FFA07C41000-memory.dmp

Filesize
10.8MB

Download
memory/3428-155-0x000000001C120000-0x000000001C142000-memory.dmp

Filesize
136KB

Download
memory/3428-154-0x0000000000360000-0x0000000000432000-memory.dmp

Filesize
840KB

Download
memory/3428-152-0x0000000000000000-mapping.dmp

Download
memory/3452-142-0x0000000000000000-mapping.dmp

Download
memory/3568-163-0x0000000000000000-mapping.dmp

Download
memory/3600-164-0x0000000000000000-mapping.dmp

Download
memory/4156-184-0x0000000000000000-mapping.dmp

Download
memory/4156-186-0x0000000000760000-0x00000000007E2000-memory.dmp

Filesize
520KB

Download
memory/4596-149-0x00000000062A0000-0x00000000062BA000-memory.dmp

Filesize
104KB

Download
memory/4596-150-0x0000000006F60000-0x0000000006F82000-memory.dmp

Filesize
136KB

Download
memory/4596-148-0x0000000006310000-0x00000000063A6000-memory.dmp

Filesize
600KB

Download
memory/4596-147-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download
memory/4596-146-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/4596-145-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/4596-144-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/4596-143-0x0000000000000000-mapping.dmp

Download
memory/4804-179-0x0000000000000000-mapping.dmp

Download