quasar | 5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870

Analysis

max time kernel
84s
max time network
151s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-06-2022 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0008000000013a18-65.exe
Size

535KB
MD5

4d97786ab8047ad6c08532ed7a017573
SHA1

a64d07233d813f9a085722295dca62ca726e291a
SHA256

5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870
SHA512

9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2

Score

10^/10

quasar venomrat v/r/b evasion persistence rat rootkit spyware stealer suricata trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes

encryption_key
g1Bi32PXFGwyBI9DJGTD
install_name
Start Process.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Browser Module
subdirectory
Sys Resources

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/1972-54-0x00000000009F0000-0x0000000000A7C000-memory.dmp	disable_win_def
\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe	disable_win_def
C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe	disable_win_def
behavioral1/memory/896-68-0x0000000000270000-0x00000000002FC000-memory.dmp	disable_win_def
behavioral1/memory/1704-131-0x0000000000FD0000-0x000000000105C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

0x0008000000013a18-65.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	0x0008000000013a18-65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0x0008000000013a18-65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0x0008000000013a18-65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0x0008000000013a18-65.exe

Quasar Payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-54-0x00000000009F0000-0x0000000000A7C000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe	family_quasar
behavioral1/memory/896-68-0x0000000000270000-0x00000000002FC000-memory.dmp	family_quasar
behavioral1/memory/1704-131-0x0000000000FD0000-0x000000000105C000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata
Executes dropped EXE 1 IoCs

Processes:

Start Process.exe

pid process

896 Start Process.exe
Loads dropped DLL 1 IoCs

Processes:

0x0008000000013a18-65.exe

pid process

1972 0x0008000000013a18-65.exe

pid	process
896	Start Process.exe

pid	process
1972	0x0008000000013a18-65.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0x0008000000013a18-65.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	0x0008000000013a18-65.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0x0008000000013a18-65.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Start Process.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Module = "\"C:\\Users\\Admin\\AppData\\Roaming\\Sys Resources\\Start Process.exe\""	Start Process.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1684 schtasks.exe
2032 schtasks.exe

flow	ioc
1	ip-api.com

pid	process
1684	schtasks.exe
2032	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0x0008000000013a18-65.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	0x0008000000013a18-65.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	0x0008000000013a18-65.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1960 PING.EXE

pid	process
1960	PING.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exe0x0008000000013a18-65.exe0x0008000000013a18-65.exe

pid	process
1120	powershell.exe
1972	0x0008000000013a18-65.exe
1972	0x0008000000013a18-65.exe
1972	0x0008000000013a18-65.exe
1972	0x0008000000013a18-65.exe
1972	0x0008000000013a18-65.exe
1972	0x0008000000013a18-65.exe
1972	0x0008000000013a18-65.exe
1704	0x0008000000013a18-65.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0x0008000000013a18-65.exeStart Process.exepowershell.exe0x0008000000013a18-65.exe

description	pid	process
Token: SeDebugPrivilege	1972	0x0008000000013a18-65.exe
Token: SeDebugPrivilege	896	Start Process.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	896	Start Process.exe
Token: SeDebugPrivilege	1704	0x0008000000013a18-65.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Start Process.exe

pid process

896 Start Process.exe

pid	process
896	Start Process.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

0x0008000000013a18-65.exeStart Process.execmd.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 1684	1972	0x0008000000013a18-65.exe	schtasks.exe
PID 1972 wrote to memory of 1684	1972	0x0008000000013a18-65.exe	schtasks.exe
PID 1972 wrote to memory of 1684	1972	0x0008000000013a18-65.exe	schtasks.exe
PID 1972 wrote to memory of 1684	1972	0x0008000000013a18-65.exe	schtasks.exe
PID 1972 wrote to memory of 896	1972	0x0008000000013a18-65.exe	Start Process.exe
PID 1972 wrote to memory of 896	1972	0x0008000000013a18-65.exe	Start Process.exe
PID 1972 wrote to memory of 896	1972	0x0008000000013a18-65.exe	Start Process.exe
PID 1972 wrote to memory of 896	1972	0x0008000000013a18-65.exe	Start Process.exe
PID 1972 wrote to memory of 1120	1972	0x0008000000013a18-65.exe	powershell.exe
PID 1972 wrote to memory of 1120	1972	0x0008000000013a18-65.exe	powershell.exe
PID 1972 wrote to memory of 1120	1972	0x0008000000013a18-65.exe	powershell.exe
PID 1972 wrote to memory of 1120	1972	0x0008000000013a18-65.exe	powershell.exe
PID 896 wrote to memory of 2032	896	Start Process.exe	schtasks.exe
PID 896 wrote to memory of 2032	896	Start Process.exe	schtasks.exe
PID 896 wrote to memory of 2032	896	Start Process.exe	schtasks.exe
PID 896 wrote to memory of 2032	896	Start Process.exe	schtasks.exe
PID 1972 wrote to memory of 1696	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1972 wrote to memory of 1696	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1972 wrote to memory of 1696	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1972 wrote to memory of 1696	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1696 wrote to memory of 1512	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 1512	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 1512	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 1512	1696	cmd.exe	cmd.exe
PID 1972 wrote to memory of 1124	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1972 wrote to memory of 1124	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1972 wrote to memory of 1124	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1972 wrote to memory of 1124	1972	0x0008000000013a18-65.exe	cmd.exe
PID 1124 wrote to memory of 1152	1124	cmd.exe	chcp.com
PID 1124 wrote to memory of 1152	1124	cmd.exe	chcp.com
PID 1124 wrote to memory of 1152	1124	cmd.exe	chcp.com
PID 1124 wrote to memory of 1152	1124	cmd.exe	chcp.com
PID 1124 wrote to memory of 1960	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1960	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1960	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1960	1124	cmd.exe	PING.EXE
PID 1124 wrote to memory of 1704	1124	cmd.exe	0x0008000000013a18-65.exe
PID 1124 wrote to memory of 1704	1124	cmd.exe	0x0008000000013a18-65.exe
PID 1124 wrote to memory of 1704	1124	cmd.exe	0x0008000000013a18-65.exe
PID 1124 wrote to memory of 1704	1124	cmd.exe	0x0008000000013a18-65.exe

C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe
"C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Loads dropped DLL
- Windows security modification
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1684
- C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe
  "C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2032
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
    3⤵
    PID:1512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\ovMP9J8H5WIY.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1960
- - C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0008000000013a18-65.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ovMP9J8H5WIY.bat

Filesize
218B

MD5
5c574a8cda8cdc7ca34626ea6dfe9737

SHA1
6f2e56d699eaf3cfb4bc0412df872755c1b1ca0a

SHA256
21664899404682a4b38e689266bd0dac36c6a566a60228c0e65ae5529dd4bb07

SHA512
b0cfd8fd38856700a5c9216dc9825bf848bc99e920a9c8e968a8945b1bd8a44f9e9172dfa1dc10785fa8addc8a65a184f4d3f452c5bf35c0f9084eb73659ed02

Download Submit
C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe

Filesize
535KB

MD5
4d97786ab8047ad6c08532ed7a017573

SHA1
a64d07233d813f9a085722295dca62ca726e291a

SHA256
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870

SHA512
9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2

Download Submit
C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe

Filesize
535KB

MD5
4d97786ab8047ad6c08532ed7a017573

SHA1
a64d07233d813f9a085722295dca62ca726e291a

SHA256
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870

SHA512
9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2

Download Submit
\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe

Filesize
535KB

MD5
4d97786ab8047ad6c08532ed7a017573

SHA1
a64d07233d813f9a085722295dca62ca726e291a

SHA256
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870

SHA512
9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2

Download Submit
memory/896-84-0x00000000740B0000-0x000000007436B000-memory.dmp

Filesize
2.7MB

Download
memory/896-79-0x0000000071370000-0x000000007208D000-memory.dmp

Filesize
13.1MB

Download
memory/896-117-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/896-86-0x0000000070A90000-0x0000000070B8C000-memory.dmp

Filesize
1008KB

Download
memory/896-116-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/896-85-0x0000000073EC0000-0x0000000073EE0000-memory.dmp

Filesize
128KB

Download
memory/896-108-0x0000000070050000-0x0000000070119000-memory.dmp

Filesize
804KB

Download
memory/896-65-0x0000000000000000-mapping.dmp

Download
memory/896-107-0x0000000074520000-0x0000000074643000-memory.dmp

Filesize
1.1MB

Download
memory/896-106-0x0000000070B90000-0x0000000071370000-memory.dmp

Filesize
7.9MB

Download
memory/896-68-0x0000000000270000-0x00000000002FC000-memory.dmp

Filesize
560KB

Download
memory/896-87-0x0000000070350000-0x0000000070A8E000-memory.dmp

Filesize
7.2MB

Download
memory/896-118-0x0000000074700000-0x0000000074894000-memory.dmp

Filesize
1.6MB

Download
memory/896-121-0x0000000074520000-0x0000000074643000-memory.dmp

Filesize
1.1MB

Download
memory/896-120-0x0000000070B90000-0x0000000071370000-memory.dmp

Filesize
7.9MB

Download
memory/896-119-0x0000000071370000-0x000000007208D000-memory.dmp

Filesize
13.1MB

Download
memory/896-76-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/896-77-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/896-78-0x0000000074700000-0x0000000074894000-memory.dmp

Filesize
1.6MB

Download
memory/1120-97-0x000000006CA60000-0x000000006CF96000-memory.dmp

Filesize
5.2MB

Download
memory/1120-96-0x000000006F1D0000-0x000000006F77B000-memory.dmp

Filesize
5.7MB

Download
memory/1120-81-0x000000006E6D0000-0x000000006F1C8000-memory.dmp

Filesize
11.0MB

Download
memory/1120-82-0x000000006FBF0000-0x000000006FC71000-memory.dmp

Filesize
516KB

Download
memory/1120-83-0x000000006D3C0000-0x000000006DC3A000-memory.dmp

Filesize
8.5MB

Download
memory/1120-105-0x000000006D330000-0x000000006D3B5000-memory.dmp

Filesize
532KB

Download
memory/1120-104-0x000000006C950000-0x000000006CA54000-memory.dmp

Filesize
1.0MB

Download
memory/1120-103-0x000000006FBF0000-0x000000006FC71000-memory.dmp

Filesize
516KB

Download
memory/1120-69-0x0000000000000000-mapping.dmp

Download
memory/1120-88-0x000000006F860000-0x000000006FA95000-memory.dmp

Filesize
2.2MB

Download
memory/1120-89-0x000000006FBA0000-0x000000006FBEB000-memory.dmp

Filesize
300KB

Download
memory/1120-90-0x000000006FB70000-0x000000006FB95000-memory.dmp

Filesize
148KB

Download
memory/1120-91-0x000000006D330000-0x000000006D3B5000-memory.dmp

Filesize
532KB

Download
memory/1120-92-0x000000006D290000-0x000000006D32C000-memory.dmp

Filesize
624KB

Download
memory/1120-93-0x000000006D0F0000-0x000000006D28E000-memory.dmp

Filesize
1.6MB

Download
memory/1120-94-0x000000006D020000-0x000000006D0E3000-memory.dmp

Filesize
780KB

Download
memory/1120-95-0x000000006FB30000-0x000000006FB5D000-memory.dmp

Filesize
180KB

Download
memory/1120-102-0x000000006D3C0000-0x000000006DC3A000-memory.dmp

Filesize
8.5MB

Download
memory/1120-101-0x000000006E6D0000-0x000000006F1C8000-memory.dmp

Filesize
11.0MB

Download
memory/1120-98-0x000000006C830000-0x000000006C944000-memory.dmp

Filesize
1.1MB

Download
memory/1120-99-0x000000006DF30000-0x000000006E6CC000-memory.dmp

Filesize
7.6MB

Download
memory/1120-100-0x000000006C1D0000-0x000000006C821000-memory.dmp

Filesize
6.3MB

Download
memory/1124-122-0x0000000000000000-mapping.dmp

Download
memory/1152-124-0x0000000000000000-mapping.dmp

Download
memory/1512-110-0x0000000000000000-mapping.dmp

Download
memory/1684-63-0x0000000000000000-mapping.dmp

Download
memory/1696-109-0x0000000000000000-mapping.dmp

Download
memory/1704-130-0x0000000000000000-mapping.dmp

Download
memory/1704-131-0x0000000000FD0000-0x000000000105C000-memory.dmp

Filesize
560KB

Download
memory/1704-135-0x0000000074700000-0x0000000074894000-memory.dmp

Filesize
1.6MB

Download
memory/1704-134-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/1704-133-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/1960-125-0x0000000000000000-mapping.dmp

Download
memory/1972-74-0x00000000740B0000-0x000000007436B000-memory.dmp

Filesize
2.7MB

Download
memory/1972-128-0x0000000071370000-0x000000007208D000-memory.dmp

Filesize
13.1MB

Download
memory/1972-114-0x0000000070350000-0x0000000070A8E000-memory.dmp

Filesize
7.2MB

Download
memory/1972-115-0x0000000073EC0000-0x0000000073EE0000-memory.dmp

Filesize
128KB

Download
memory/1972-112-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/1972-111-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/1972-55-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1972-75-0x0000000070050000-0x0000000070119000-memory.dmp

Filesize
804KB

Download
memory/1972-54-0x00000000009F0000-0x0000000000A7C000-memory.dmp

Filesize
560KB

Download
memory/1972-73-0x0000000074520000-0x0000000074643000-memory.dmp

Filesize
1.1MB

Download
memory/1972-72-0x0000000070B90000-0x0000000071370000-memory.dmp

Filesize
7.9MB

Download
memory/1972-62-0x0000000070350000-0x0000000070A8E000-memory.dmp

Filesize
7.2MB

Download
memory/1972-61-0x0000000070A90000-0x0000000070B8C000-memory.dmp

Filesize
1008KB

Download
memory/1972-60-0x0000000073EC0000-0x0000000073EE0000-memory.dmp

Filesize
128KB

Download
memory/1972-126-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/1972-127-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/1972-113-0x0000000071370000-0x000000007208D000-memory.dmp

Filesize
13.1MB

Download
memory/1972-129-0x0000000070050000-0x0000000070119000-memory.dmp

Filesize
804KB

Download
memory/1972-59-0x0000000071370000-0x000000007208D000-memory.dmp

Filesize
13.1MB

Download
memory/1972-58-0x0000000074700000-0x0000000074894000-memory.dmp

Filesize
1.6MB

Download
memory/1972-57-0x0000000072090000-0x0000000072AA0000-memory.dmp

Filesize
10.1MB

Download
memory/1972-56-0x0000000072AA0000-0x0000000073E2F000-memory.dmp

Filesize
19.6MB

Download
memory/2032-80-0x0000000000000000-mapping.dmp

Download