quasar | a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

Analysis

max time kernel
134s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
08-05-2022 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Size

629KB
MD5

4df6edc58b2aee8108bbf41a5281a0b3
SHA1

372c881c85e6dd404ff65a086b0c7dd8e300ec19
SHA256

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c
SHA512

3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Score

10^/10

quasar venomrat windows defender security host evasion persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Windows Defender Security Host

vilvaraj-32652.portmap.io:32652

Mutex

VNM_MUTEX_s1ArJSYbui8dt0HUpJ

Attributes

encryption_key
8gl4TCjsLQUmqCIxalku
install_name
Windows Defender Security Host.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Defender Security Host
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/2064-136-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2064-136-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata

Executes dropped EXE 4 IoCs

Processes:

Windows Defender Security Host.exeWindows Defender Security Host.exeWindows Defender Security Host.exeWindows Defender Security Host.exe

pid	Process
4736	Windows Defender Security Host.exe
4424	Windows Defender Security Host.exe
1688	Windows Defender Security Host.exe
1860	Windows Defender Security Host.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Windows Defender Security Host.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	Windows Defender Security Host.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zHRMiXKHpW = "C:\\Users\\Admin\\AppData\\Roaming\\LbFPJdQtDA\\ZmFSAqsNCM.exe"	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender Security Host = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe\""	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
27	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exeWindows Defender Security Host.exeWindows Defender Security Host.exe

description	pid	Process	procid_target
PID 392 set thread context of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 4736 set thread context of 4424	4736	Windows Defender Security Host.exe	91
PID 1688 set thread context of 1860	1688	Windows Defender Security Host.exe	102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1232	4424	WerFault.exe	91

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
3028	schtasks.exe
4880	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4004	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exepowershell.exeWindows Defender Security Host.exe

pid	Process
392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
4368	powershell.exe
4368	powershell.exe
1860	Windows Defender Security Host.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exepowershell.exeWindows Defender Security Host.exeWindows Defender Security Host.exe

description	pid	Process
Token: SeDebugPrivilege	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Token: SeDebugPrivilege	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4424	Windows Defender Security Host.exe
Token: SeDebugPrivilege	4424	Windows Defender Security Host.exe
Token: SeDebugPrivilege	1860	Windows Defender Security Host.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Defender Security Host.exe

pid	Process
4424	Windows Defender Security Host.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exea640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exeWindows Defender Security Host.exeWindows Defender Security Host.execmd.exeWindows Defender Security Host.exe

description	pid	Process	procid_target
PID 392 wrote to memory of 2956	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	83
PID 392 wrote to memory of 2956	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	83
PID 392 wrote to memory of 2956	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	83
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 392 wrote to memory of 2064	392	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	84
PID 2064 wrote to memory of 4880	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	86
PID 2064 wrote to memory of 4880	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	86
PID 2064 wrote to memory of 4880	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	86
PID 2064 wrote to memory of 4736	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	88
PID 2064 wrote to memory of 4736	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	88
PID 2064 wrote to memory of 4736	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	88
PID 2064 wrote to memory of 4368	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	89
PID 2064 wrote to memory of 4368	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	89
PID 2064 wrote to memory of 4368	2064	a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe	89
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4736 wrote to memory of 4424	4736	Windows Defender Security Host.exe	91
PID 4424 wrote to memory of 3028	4424	Windows Defender Security Host.exe	92
PID 4424 wrote to memory of 3028	4424	Windows Defender Security Host.exe	92
PID 4424 wrote to memory of 3028	4424	Windows Defender Security Host.exe	92
PID 4424 wrote to memory of 228	4424	Windows Defender Security Host.exe	94
PID 4424 wrote to memory of 228	4424	Windows Defender Security Host.exe	94
PID 4424 wrote to memory of 228	4424	Windows Defender Security Host.exe	94
PID 228 wrote to memory of 1332	228	cmd.exe	96
PID 228 wrote to memory of 1332	228	cmd.exe	96
PID 228 wrote to memory of 1332	228	cmd.exe	96
PID 228 wrote to memory of 4004	228	cmd.exe	97
PID 228 wrote to memory of 4004	228	cmd.exe	97
PID 228 wrote to memory of 4004	228	cmd.exe	97
PID 228 wrote to memory of 1688	228	cmd.exe	101
PID 228 wrote to memory of 1688	228	cmd.exe	101
PID 228 wrote to memory of 1688	228	cmd.exe	101
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102
PID 1688 wrote to memory of 1860	1688	Windows Defender Security Host.exe	102

C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
"C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:392
- C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
  "C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe"
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe
  "C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe"
  2⤵
  - Windows security modification
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4880
- - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Defender Security Host" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RHFNI30qHKkT.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:228
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1332
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:4004
      - C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 2004
        5⤵
        Program crash
        
        PID:1232
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4424 -ip 4424
1⤵
PID:3924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Defender Security Host.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RHFNI30qHKkT.bat

Filesize
231B

MD5
1ef09ff8ef8fab873a10492ba0fd84ac

SHA1
7c68ef68374b4b68e25f7ca108cd902bdceaf3ea

SHA256
dcd37242b5608167608764c5643571cffc7e4ae8445271142d10005f92265a62

SHA512
79efeb499ce7a44657170170862c9f7930369cb85383335c01ddfa6b6826513059f7f51ca37897e9d00a7cf386ecdc6856beefd444e6fb5362a97f093f94b7d5

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Windows Defender Security Host.exe

Filesize
629KB

MD5
4df6edc58b2aee8108bbf41a5281a0b3

SHA1
372c881c85e6dd404ff65a086b0c7dd8e300ec19

SHA256
a640fa0ec1f3da74886079154feb39fcdc8f03b850ab8ae47c35602e4df29d8c

SHA512
3787c1833a05a31e1aa9a92e5b2dc081911ca98a490bd78c978d20d3d6ff5c4ab9081e6f0d4fe31e190bc454a73ddd641391969e310ecfa65f79963f2e3e2455

Download Submit
memory/228-156-0x0000000000000000-mapping.dmp

Download
memory/392-133-0x00000000052B0000-0x000000000534C000-memory.dmp

Filesize
624KB

Download
memory/392-130-0x00000000006B0000-0x0000000000754000-memory.dmp

Filesize
656KB

Download
memory/392-132-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/392-131-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/1332-158-0x0000000000000000-mapping.dmp

Download
memory/1688-166-0x0000000000000000-mapping.dmp

Download
memory/1860-168-0x0000000000000000-mapping.dmp

Download
memory/2064-139-0x00000000063E0000-0x000000000641C000-memory.dmp

Filesize
240KB

Download
memory/2064-138-0x0000000005E80000-0x0000000005E92000-memory.dmp

Filesize
72KB

Download
memory/2064-137-0x0000000005270000-0x00000000052D6000-memory.dmp

Filesize
408KB

Download
memory/2064-136-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2064-135-0x0000000000000000-mapping.dmp

Download
memory/2956-134-0x0000000000000000-mapping.dmp

Download
memory/3028-154-0x0000000000000000-mapping.dmp

Download
memory/4004-159-0x0000000000000000-mapping.dmp

Download
memory/4368-162-0x0000000006900000-0x000000000691E000-memory.dmp

Filesize
120KB

Download
memory/4368-164-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/4368-153-0x0000000006370000-0x000000000638E000-memory.dmp

Filesize
120KB

Download
memory/4368-152-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/4368-151-0x0000000005BE0000-0x0000000005C02000-memory.dmp

Filesize
136KB

Download
memory/4368-150-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/4368-160-0x0000000007550000-0x0000000007582000-memory.dmp

Filesize
200KB

Download
memory/4368-149-0x0000000002A50000-0x0000000002A86000-memory.dmp

Filesize
216KB

Download
memory/4368-161-0x00000000702B0000-0x00000000702FC000-memory.dmp

Filesize
304KB

Download
memory/4368-174-0x0000000007890000-0x0000000007898000-memory.dmp

Filesize
32KB

Download
memory/4368-163-0x0000000007CC0000-0x000000000833A000-memory.dmp

Filesize
6.5MB

Download
memory/4368-165-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/4368-173-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/4368-144-0x0000000000000000-mapping.dmp

Download
memory/4368-172-0x0000000005470000-0x000000000547E000-memory.dmp

Filesize
56KB

Download
memory/4368-171-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/4424-145-0x0000000000000000-mapping.dmp

Download
memory/4424-155-0x0000000007050000-0x000000000705A000-memory.dmp

Filesize
40KB

Download
memory/4736-141-0x0000000000000000-mapping.dmp

Download
memory/4880-140-0x0000000000000000-mapping.dmp

Download