quasar | 0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095

Analysis

max time kernel
158s
max time network
166s
platform
windows10_x64
resource
win10-en-20211014
submitted
18-10-2021 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
Size

861KB
MD5

1b465c6989637df1d5c511919c43e457
SHA1

317f8bf5133176cd0f4125c6f2f0fdfc226754ab
SHA256

0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095
SHA512

e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc

Score

10^/10

quasar venomrat office04 evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

grace.adds-only.xyz:1609

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
wHq4o3k6UfKZv19jkcxs
install_name
winrara.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Venom Client Startup
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/708-131-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/708-132-0x0000000000486C1E-mapping.dmp	disable_win_def
behavioral1/memory/708-139-0x0000000004E10000-0x000000000530E000-memory.dmp	disable_win_def
behavioral1/memory/1760-166-0x0000000007050000-0x000000000754E000-memory.dmp	disable_win_def
behavioral1/memory/4052-652-0x0000000000486C1E-mapping.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/708-131-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/708-132-0x0000000000486C1E-mapping.dmp	family_quasar
behavioral1/memory/708-139-0x0000000004E10000-0x000000000530E000-memory.dmp	family_quasar
behavioral1/memory/1760-166-0x0000000007050000-0x000000000754E000-memory.dmp	family_quasar
behavioral1/memory/4052-652-0x0000000000486C1E-mapping.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Executes dropped EXE 2 IoCs

Processes:

winrara.exewinrara.exe

pid	Process
1760	winrara.exe
4052	winrara.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
37	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exewinrara.exe

description	pid	Process	procid_target
PID 1524 set thread context of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1760 set thread context of 4052	1760	winrara.exe	87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
612	schtasks.exe
1524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exepowershell.exepowershell.exe0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exewinrara.exepowershell.exe

pid	Process
1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
1908	powershell.exe
1908	powershell.exe
1596	powershell.exe
1596	powershell.exe
1908	powershell.exe
1596	powershell.exe
708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
1760	winrara.exe
1760	winrara.exe
1964	powershell.exe
1964	powershell.exe
1964	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exepowershell.exe0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exepowershell.exewinrara.exepowershell.exewinrara.exe

description	pid	Process
Token: SeDebugPrivilege	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1760	winrara.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	4052	winrara.exe
Token: SeDebugPrivilege	4052	winrara.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

winrara.exe

pid	Process
4052	winrara.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.execmd.exewinrara.exe

description	pid	Process	procid_target
PID 1524 wrote to memory of 1908	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	71
PID 1524 wrote to memory of 1908	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	71
PID 1524 wrote to memory of 1908	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	71
PID 1524 wrote to memory of 612	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	73
PID 1524 wrote to memory of 612	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	73
PID 1524 wrote to memory of 612	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	73
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 1524 wrote to memory of 708	1524	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	75
PID 708 wrote to memory of 1760	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	77
PID 708 wrote to memory of 1760	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	77
PID 708 wrote to memory of 1760	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	77
PID 708 wrote to memory of 1596	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	78
PID 708 wrote to memory of 1596	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	78
PID 708 wrote to memory of 1596	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	78
PID 708 wrote to memory of 2636	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	81
PID 708 wrote to memory of 2636	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	81
PID 708 wrote to memory of 2636	708	0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe	81
PID 2636 wrote to memory of 3112	2636	cmd.exe	83
PID 2636 wrote to memory of 3112	2636	cmd.exe	83
PID 2636 wrote to memory of 3112	2636	cmd.exe	83
PID 1760 wrote to memory of 1964	1760	winrara.exe	84
PID 1760 wrote to memory of 1964	1760	winrara.exe	84
PID 1760 wrote to memory of 1964	1760	winrara.exe	84
PID 1760 wrote to memory of 1524	1760	winrara.exe	86
PID 1760 wrote to memory of 1524	1760	winrara.exe	86
PID 1760 wrote to memory of 1524	1760	winrara.exe	86
PID 1760 wrote to memory of 4052	1760	winrara.exe	87
PID 1760 wrote to memory of 4052	1760	winrara.exe	87
PID 1760 wrote to memory of 4052	1760	winrara.exe	87
PID 1760 wrote to memory of 4052	1760	winrara.exe	87
PID 1760 wrote to memory of 4052	1760	winrara.exe	87
PID 1760 wrote to memory of 4052	1760	winrara.exe	87
PID 1760 wrote to memory of 4052	1760	winrara.exe	87
PID 1760 wrote to memory of 4052	1760	winrara.exe	87

C:\Users\Admin\AppData\Local\Temp\0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
"C:\Users\Admin\AppData\Local\Temp\0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EAB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:612
- C:\Users\Admin\AppData\Local\Temp\0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe
  "C:\Users\Admin\AppData\Local\Temp\0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe"
  2⤵
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:708
- - C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kCCzCqEnSxl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF69C.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1524
  - - C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095.exe.log

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5
e745b8b7681f5ae25b09a7b1eb2f8fd3

SHA1
cd55c3fcf95d11f5d4fb4a75233dc69494f74d80

SHA256
5a7e3072d483e8dc341b902b937b53a379dc4080f08b54410c3c2046dd500538

SHA512
65ff6cfa6b416c099612e9f00399514d52264a4a58f8c63e2f78111805bf623eecded3d18c36dc1be5431aef50a1c192eaed6122e10d722e94325e6412d4298e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
8145e1a26211cc72bc012268ba8b3c42

SHA1
a38a0a58072dd1045a4bf3f302f206082a61871e

SHA256
b340bf39f3d18b1eb40384a77561cb2d42a3e548b37e705e72b39ba75116ec1a

SHA512
84c0454651cc15da66dd025e6b8373a6aa814e66fa380fda50f8ffd1e2b89869c2bc9c519e35dbae6b172467bbc4e92fcb23edcc6c816eb9cd06fffb2e62bf35

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe

MD5
1b465c6989637df1d5c511919c43e457

SHA1
317f8bf5133176cd0f4125c6f2f0fdfc226754ab

SHA256
0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095

SHA512
e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe

MD5
1b465c6989637df1d5c511919c43e457

SHA1
317f8bf5133176cd0f4125c6f2f0fdfc226754ab

SHA256
0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095

SHA512
e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\winrara.exe

MD5
1b465c6989637df1d5c511919c43e457

SHA1
317f8bf5133176cd0f4125c6f2f0fdfc226754ab

SHA256
0b196e6b27ed15410bd946b1ccfd1de6b7af64a540cd0226b8eb9bd742d1b095

SHA512
e9dfd465ee22ebf67a73fdd873440d73f013b064e2a4aff3aedad2c5bd1b3027284af7912a383ad6c0a91ef8caad2b3c69cdfd29edb638563d89fd7e89e114dc

Download Submit
memory/612-128-0x0000000000000000-mapping.dmp

Download
memory/708-139-0x0000000004E10000-0x000000000530E000-memory.dmp

Filesize
5.0MB

Download
memory/708-131-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/708-132-0x0000000000486C1E-mapping.dmp

Download
memory/708-145-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/708-140-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/708-147-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/1524-121-0x0000000009F30000-0x0000000009F31000-memory.dmp

Filesize
4KB

Download
memory/1524-650-0x0000000000000000-mapping.dmp

Download
memory/1524-123-0x00000000014F0000-0x0000000001598000-memory.dmp

Filesize
672KB

Download
memory/1524-122-0x0000000009E90000-0x0000000009E98000-memory.dmp

Filesize
32KB

Download
memory/1524-120-0x0000000007BF0000-0x0000000007BF1000-memory.dmp

Filesize
4KB

Download
memory/1524-115-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1524-119-0x00000000079D0000-0x0000000007ECE000-memory.dmp

Filesize
5.0MB

Download
memory/1524-118-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/1524-117-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/1596-198-0x000000007EE00000-0x000000007EE01000-memory.dmp

Filesize
4KB

Download
memory/1596-157-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1596-165-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/1596-156-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1596-168-0x0000000004D12000-0x0000000004D13000-memory.dmp

Filesize
4KB

Download
memory/1596-152-0x0000000000000000-mapping.dmp

Download
memory/1596-175-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1596-217-0x0000000004D13000-0x0000000004D14000-memory.dmp

Filesize
4KB

Download
memory/1760-149-0x0000000000000000-mapping.dmp

Download
memory/1760-166-0x0000000007050000-0x000000000754E000-memory.dmp

Filesize
5.0MB

Download
memory/1908-130-0x0000000004F32000-0x0000000004F33000-memory.dmp

Filesize
4KB

Download
memory/1908-162-0x0000000008910000-0x0000000008911000-memory.dmp

Filesize
4KB

Download
memory/1908-127-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1908-218-0x0000000004F33000-0x0000000004F34000-memory.dmp

Filesize
4KB

Download
memory/1908-146-0x0000000007930000-0x0000000007931000-memory.dmp

Filesize
4KB

Download
memory/1908-141-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/1908-138-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/1908-176-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/1908-189-0x0000000009660000-0x0000000009693000-memory.dmp

Filesize
204KB

Download
memory/1908-129-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/1908-202-0x000000007F6F0000-0x000000007F6F1000-memory.dmp

Filesize
4KB

Download
memory/1908-148-0x0000000008BE0000-0x0000000008BE1000-memory.dmp

Filesize
4KB

Download
memory/1908-124-0x0000000000000000-mapping.dmp

Download
memory/1908-144-0x0000000008270000-0x0000000008271000-memory.dmp

Filesize
4KB

Download
memory/1908-142-0x0000000008190000-0x0000000008191000-memory.dmp

Filesize
4KB

Download
memory/1908-125-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/1908-126-0x00000000034A0000-0x00000000034A1000-memory.dmp

Filesize
4KB

Download
memory/1964-649-0x0000000000000000-mapping.dmp

Download
memory/1964-662-0x0000000006840000-0x0000000006841000-memory.dmp

Filesize
4KB

Download
memory/1964-664-0x0000000006842000-0x0000000006843000-memory.dmp

Filesize
4KB

Download
memory/1964-767-0x0000000006843000-0x0000000006844000-memory.dmp

Filesize
4KB

Download
memory/1964-689-0x000000007EDC0000-0x000000007EDC1000-memory.dmp

Filesize
4KB

Download
memory/2636-646-0x0000000000000000-mapping.dmp

Download
memory/3112-647-0x0000000000000000-mapping.dmp

Download
memory/4052-652-0x0000000000486C1E-mapping.dmp

Download
memory/4052-663-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download