quasar | 39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065

Analysis

max time kernel
157s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-05-2022 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
Size

488KB
MD5

33ce258b07afea582cc317a398b8770c
SHA1

9a81235b698e5477847280626b729f5347ed2585
SHA256

39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065
SHA512

4fbd58e79881313b8c29ccafd9ef7c479e9bbc427869a44981bc4077bd81ed1532c5bcb679e8973470833e18dc5c81a54c69d958030f31f053e92f35a6d2ad66

Score

10^/10

quasar venomrat awtes evasion rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Extracted

Family

quasar

Version

2.1.0.0

Botnet

awtes

193.161.193.99:25334

Mutex

VNM_MUTEX_kCeYnA1EuESMOTFzJZ

Attributes

encryption_key
mUjLzgxM95Q9fARNfgET
install_name
_isdel.exe
log_directory
SetupDir
reconnect_delay
3000
startup_key
_isdel
subdirectory
Shield

Signatures

Contains code to disable Windows Defender 9 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/1596-130-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1596-132-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1596-134-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/1596-135-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/files/0x00060000000231c1-144.dat	disable_win_def
behavioral2/files/0x00060000000231c1-145.dat	disable_win_def
behavioral2/memory/4496-146-0x0000000000260000-0x00000000002EC000-memory.dmp	disable_win_def
behavioral2/files/0x00060000000231cd-153.dat	disable_win_def
behavioral2/files/0x00060000000231cd-152.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Quasar Payload 9 IoCs

resource	yara_rule
behavioral2/memory/1596-130-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1596-132-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1596-134-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/1596-135-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/files/0x00060000000231c1-144.dat	family_quasar
behavioral2/files/0x00060000000231c1-145.dat	family_quasar
behavioral2/memory/4496-146-0x0000000000260000-0x00000000002EC000-memory.dmp	family_quasar
behavioral2/files/0x00060000000231cd-153.dat	family_quasar
behavioral2/files/0x00060000000231cd-152.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata: ET MALWARE W32/Quasar 1.3/Venom RAT Connectivity Check 3
suricata

Executes dropped EXE 2 IoCs

pid	Process
4496	wwlraag2.exe
2412	_isdel.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	wwlraag2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	wwlraag2.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com
47	api.ipify.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Shield\_isdel.exe	wwlraag2.exe
File opened for modification	C:\Windows\SysWOW64\Shield\_isdel.exe	wwlraag2.exe
File opened for modification	C:\Windows\SysWOW64\Shield\_isdel.exe	_isdel.exe
File opened for modification	C:\Windows\SysWOW64\Shield	_isdel.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4872	schtasks.exe
2904	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4520	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
Token: SeDebugPrivilege	4520	taskkill.exe
Token: SeDebugPrivilege	4496	wwlraag2.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	2412	_isdel.exe
Token: SeDebugPrivilege	2412	_isdel.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2412	_isdel.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2692	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	82
PID 1596 wrote to memory of 2692	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	82
PID 1596 wrote to memory of 2692	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	82
PID 1156 wrote to memory of 3084	1156	DllHost.exe	84
PID 1156 wrote to memory of 3084	1156	DllHost.exe	84
PID 1156 wrote to memory of 3084	1156	DllHost.exe	84
PID 3084 wrote to memory of 4496	3084	cmd.exe	86
PID 3084 wrote to memory of 4496	3084	cmd.exe	86
PID 3084 wrote to memory of 4496	3084	cmd.exe	86
PID 1156 wrote to memory of 4520	1156	DllHost.exe	88
PID 1156 wrote to memory of 4520	1156	DllHost.exe	88
PID 1156 wrote to memory of 4520	1156	DllHost.exe	88
PID 4496 wrote to memory of 4872	4496	wwlraag2.exe	92
PID 4496 wrote to memory of 4872	4496	wwlraag2.exe	92
PID 4496 wrote to memory of 4872	4496	wwlraag2.exe	92
PID 4496 wrote to memory of 2412	4496	wwlraag2.exe	94
PID 4496 wrote to memory of 2412	4496	wwlraag2.exe	94
PID 4496 wrote to memory of 2412	4496	wwlraag2.exe	94
PID 4496 wrote to memory of 4576	4496	wwlraag2.exe	95
PID 4496 wrote to memory of 4576	4496	wwlraag2.exe	95
PID 4496 wrote to memory of 4576	4496	wwlraag2.exe	95
PID 2412 wrote to memory of 2904	2412	_isdel.exe	99
PID 2412 wrote to memory of 2904	2412	_isdel.exe	99
PID 2412 wrote to memory of 2904	2412	_isdel.exe	99

C:\Users\Admin\AppData\Local\Temp\39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
"C:\Users\Admin\AppData\Local\Temp\39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\m0orains.inf
  2⤵
  PID:2692

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\wwlraag2.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\temp\wwlraag2.exe
    C:\Windows\temp\wwlraag2.exe
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4496
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "_isdel" /sc ONLOGON /tr "C:\Windows\temp\wwlraag2.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4872
  - - C:\Windows\SysWOW64\Shield\_isdel.exe
      "C:\Windows\SysWOW64\Shield\_isdel.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "_isdel" /sc ONLOGON /tr "C:\Windows\SysWOW64\Shield\_isdel.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      PID:3356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
1⤵
PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Shield\_isdel.exe

Filesize
535KB

MD5
bda9d685fbd2a365b038dd46e13cd270

SHA1
feb414e6c698fc4764bbb00ed71c3f210021e33a

SHA256
ea7248f135df4164ea025f6bbda2a48e3a02d992cadaaa43b737264463268c14

SHA512
c0d56be6d9418fde56fc85d320b45d087c59604fba0b2fb65045d3fa97176c35628d4132b065601faf2f446044e42a39676c0c950bc92df4ea3f88bd6803b241

Download Submit
C:\Windows\SysWOW64\Shield\_isdel.exe

Filesize
535KB

MD5
bda9d685fbd2a365b038dd46e13cd270

SHA1
feb414e6c698fc4764bbb00ed71c3f210021e33a

SHA256
ea7248f135df4164ea025f6bbda2a48e3a02d992cadaaa43b737264463268c14

SHA512
c0d56be6d9418fde56fc85d320b45d087c59604fba0b2fb65045d3fa97176c35628d4132b065601faf2f446044e42a39676c0c950bc92df4ea3f88bd6803b241

Download Submit
C:\Windows\Temp\wwlraag2.exe

Filesize
535KB

MD5
bda9d685fbd2a365b038dd46e13cd270

SHA1
feb414e6c698fc4764bbb00ed71c3f210021e33a

SHA256
ea7248f135df4164ea025f6bbda2a48e3a02d992cadaaa43b737264463268c14

SHA512
c0d56be6d9418fde56fc85d320b45d087c59604fba0b2fb65045d3fa97176c35628d4132b065601faf2f446044e42a39676c0c950bc92df4ea3f88bd6803b241

Download Submit
C:\Windows\temp\m0orains.inf

Filesize
606B

MD5
cc2f2152184e994680ac81fcd1178149

SHA1
9a4dcbf4ebd72a8379131898085260602f61232e

SHA256
e302f2ea24f2137a928535173802e7308ebee102213a8323504ab47bc6975402

SHA512
ead4e17fce1966cc266b50e2d40598725af867e58bb3cb098d50f25f65d86a785064daed10d9e0dbcff8f679ea5eb509bf8ffcc5dd80c7fb49ae599d6ea88df9

Download Submit
C:\Windows\temp\wwlraag2.exe

Filesize
535KB

MD5
bda9d685fbd2a365b038dd46e13cd270

SHA1
feb414e6c698fc4764bbb00ed71c3f210021e33a

SHA256
ea7248f135df4164ea025f6bbda2a48e3a02d992cadaaa43b737264463268c14

SHA512
c0d56be6d9418fde56fc85d320b45d087c59604fba0b2fb65045d3fa97176c35628d4132b065601faf2f446044e42a39676c0c950bc92df4ea3f88bd6803b241

Download Submit
memory/1596-133-0x0000000075D10000-0x0000000075F25000-memory.dmp

Filesize
2.1MB

Download
memory/1596-137-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/1596-138-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/1596-139-0x00000000775A0000-0x0000000077B53000-memory.dmp

Filesize
5.7MB

Download
memory/1596-130-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-136-0x0000000073500000-0x0000000073589000-memory.dmp

Filesize
548KB

Download
memory/1596-131-0x0000000002280000-0x00000000022C7000-memory.dmp

Filesize
284KB

Download
memory/1596-135-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-134-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-132-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2412-162-0x0000000006BD0000-0x0000000006BDA000-memory.dmp

Filesize
40KB

Download
memory/2412-160-0x0000000006880000-0x00000000068BC000-memory.dmp

Filesize
240KB

Download
memory/4496-149-0x00000000050E0000-0x00000000050F2000-memory.dmp

Filesize
72KB

Download
memory/4496-148-0x0000000005010000-0x0000000005076000-memory.dmp

Filesize
408KB

Download
memory/4496-146-0x0000000000260000-0x00000000002EC000-memory.dmp

Filesize
560KB

Download
memory/4576-167-0x0000000007250000-0x000000000726A000-memory.dmp

Filesize
104KB

Download
memory/4576-158-0x0000000005230000-0x0000000005296000-memory.dmp

Filesize
408KB

Download
memory/4576-157-0x0000000005090000-0x00000000050B2000-memory.dmp

Filesize
136KB

Download
memory/4576-155-0x0000000000E60000-0x0000000000E96000-memory.dmp

Filesize
216KB

Download
memory/4576-163-0x0000000007100000-0x0000000007132000-memory.dmp

Filesize
200KB

Download
memory/4576-164-0x0000000070680000-0x00000000706CC000-memory.dmp

Filesize
304KB

Download
memory/4576-165-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/4576-166-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/4576-159-0x0000000005F40000-0x0000000005F5E000-memory.dmp

Filesize
120KB

Download
memory/4576-168-0x00000000072B0000-0x00000000072BA000-memory.dmp

Filesize
40KB

Download
memory/4576-169-0x00000000074E0000-0x0000000007576000-memory.dmp

Filesize
600KB

Download
memory/4576-170-0x0000000007490000-0x000000000749E000-memory.dmp

Filesize
56KB

Download
memory/4576-171-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/4576-172-0x00000000074D0000-0x00000000074D8000-memory.dmp

Filesize
32KB

Download
memory/4576-156-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download