quasar | c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd

Analysis

max time kernel
2s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f052ffa940763ede6b28dc1ebd4757e.exe
Size

654KB
MD5

9f052ffa940763ede6b28dc1ebd4757e
SHA1

0a4f3e7f6a573c0fe321ebf46aee344e08a28e25
SHA256

c2361c29db867d86c9f6d361b3d3394d0d847775ebcb84422c095369ccde5acd
SHA512

ebc566c0794b9edd8a7373636c065e3d67ee0156b33969a30950116b984cad81c352d96290cf4607fec7d3c2bf2e7a1d87f6231db6543a74df26da63ff5cbbbc
SSDEEP

12288:c6bJhnrd2Qsm/+/dnGz7O0Y244sMYcoFMVyMg+Yy1Wcwemn58GVuv:ckJhngpn9kNsMwbMgkK58guv

Score

10^/10

quasar venomrat sep05 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

23.105.131.187:7812

Mutex

VNM_MUTEX_ea14HLQ5adxyrFdD2X

Attributes

encryption_key
jUWfdDb1toPE0KAlGJWH
install_name
Windows Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Service
subdirectory
Windows Security Update

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4852-8-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

9f052ffa940763ede6b28dc1ebd4757e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	9f052ffa940763ede6b28dc1ebd4757e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	9f052ffa940763ede6b28dc1ebd4757e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	9f052ffa940763ede6b28dc1ebd4757e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	9f052ffa940763ede6b28dc1ebd4757e.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4852-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 3 IoCs

Processes:

Windows Security.exeWindows Security.exeWindows Security.exe

pid process

3848 Windows Security.exe
4504 Windows Security.exe
4804 Windows Security.exe

pid	process
3848	Windows Security.exe
4504	Windows Security.exe
4804	Windows Security.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

9f052ffa940763ede6b28dc1ebd4757e.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	9f052ffa940763ede6b28dc1ebd4757e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	9f052ffa940763ede6b28dc1ebd4757e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9f052ffa940763ede6b28dc1ebd4757e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jEWDfCdAGM = "C:\\Users\\Admin\\AppData\\Roaming\\EcGASfXzFi\\SgBSNdRiPF.exe"	9f052ffa940763ede6b28dc1ebd4757e.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 ip-api.com

flow	ioc
27	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

9f052ffa940763ede6b28dc1ebd4757e.exeWindows Security.exe

description	pid	process	target process
PID 4004 set thread context of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 3848 set thread context of 4804	3848	Windows Security.exe	Windows Security.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2492 schtasks.exe
5092 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

644 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Windows Security.exe

pid process

3848 Windows Security.exe
3848 Windows Security.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9f052ffa940763ede6b28dc1ebd4757e.exeWindows Security.exe

description pid process

Token: SeDebugPrivilege 4852 9f052ffa940763ede6b28dc1ebd4757e.exe
Token: SeDebugPrivilege 3848 Windows Security.exe

pid	process
2492	schtasks.exe
5092	schtasks.exe

pid	process
644	PING.EXE

pid	process
3848	Windows Security.exe
3848	Windows Security.exe

description	pid	process
Token: SeDebugPrivilege	4852	9f052ffa940763ede6b28dc1ebd4757e.exe
Token: SeDebugPrivilege	3848	Windows Security.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

9f052ffa940763ede6b28dc1ebd4757e.exe9f052ffa940763ede6b28dc1ebd4757e.exeWindows Security.exe

description	pid	process	target process
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4004 wrote to memory of 4852	4004	9f052ffa940763ede6b28dc1ebd4757e.exe	9f052ffa940763ede6b28dc1ebd4757e.exe
PID 4852 wrote to memory of 2492	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	schtasks.exe
PID 4852 wrote to memory of 2492	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	schtasks.exe
PID 4852 wrote to memory of 2492	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	schtasks.exe
PID 4852 wrote to memory of 3848	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	Windows Security.exe
PID 4852 wrote to memory of 3848	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	Windows Security.exe
PID 4852 wrote to memory of 3848	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	Windows Security.exe
PID 4852 wrote to memory of 4244	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	powershell.exe
PID 4852 wrote to memory of 4244	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	powershell.exe
PID 4852 wrote to memory of 4244	4852	9f052ffa940763ede6b28dc1ebd4757e.exe	powershell.exe
PID 3848 wrote to memory of 4504	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4504	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4504	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe
PID 3848 wrote to memory of 4804	3848	Windows Security.exe	Windows Security.exe

C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe
"C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe
  "C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3848
  - - C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
      4⤵
      Executes dropped EXE
      PID:4804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:5092
  - - C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe"
      4⤵
      Executes dropped EXE
      PID:4504
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2492
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dIklSIj0stBP.bat" "
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe
      "C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe"
      4⤵
      PID:2900
    - - C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe
        
        "C:\Users\Admin\AppData\Local\Temp\9f052ffa940763ede6b28dc1ebd4757e.exe"
        5⤵
        
        PID:2168

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:2460

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9f052ffa940763ede6b28dc1ebd4757e.exe.log

Filesize
507B

MD5
8cf94b5356be60247d331660005941ec

SHA1
fdedb361f40f22cb6a086c808fc0056d4e421131

SHA256
52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0

SHA512
b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vg3l10d0.mx5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIklSIj0stBP.bat

Filesize
229B

MD5
bb11429741210327e7b085e404ef9365

SHA1
79eb0e104ec4abb7fe282c57c51965ceea2fad95

SHA256
bfda9f6f98369deb3a209755b8b37011fa70756fe38d10195f82d57b1afde2b7

SHA512
b6dd92690d77af8dfeb58e78636eee2795f68e5bb7a849d7490e9a8d0bc2c444d4d6a5ee5d7592de2cbb6ce5d24630a0f06564c0f72bea6e60b6231e30c3ba8e

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe

Filesize
224KB

MD5
6ee37c840c2afe8e36df28ed586094c9

SHA1
5bf8335caa833640832a72ba03c97f7d51cdbf95

SHA256
b9ac91efe340806e793bf7e9557f8e3a1f027e092cb647dc35a177aca4ca3840

SHA512
01524d03a21a0a4c8a92a5d2ec1e977b1cef3dac9a6910f5590111c947dc0fef4adb76a1476c04129585794ea9ee353f7f5f4a2fd376cbdbb42c398246752040

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe

Filesize
134KB

MD5
ea644d7ffbd9fa7ec94de8563670800b

SHA1
23854baf484570d35ead63728214c1f3d0ca2fee

SHA256
68393549a3118b97d70cecd8fff454b18a6d04072e0c1be8aaa7a7a67d01475b

SHA512
5cf81392be5053ad54f6bd86f9744a01a262e284e23aa26602f70347220aa672df30e8c32b66db384d1e1f0c50d4ea942f7ad0978c8af850214a6288e061320c

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe

Filesize
121KB

MD5
f9a1e036d8c0e3724655506cfeb90c2a

SHA1
aa8f6af4564b4eefabc76c96f02595293f3413d4

SHA256
1947cf9075912881196c3edb2afaaeafbdfff87719f7d3128fdfa3d51ae72742

SHA512
00075e0b9cff8e6890b9f753ca393a18014f33395374534f02d78feb974b370972e745c2a2167be63cf5472fb6f6e9d9249a04d6050e516b37939e4f72dd29df

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Update\Windows Security.exe

Filesize
64KB

MD5
40a7d50868a03c1eb75cb9d8fb3a5600

SHA1
e55fc6a9427674360420513033289a39bef7f4bb

SHA256
713f4fc4d911766b4120e35cf66c8097bf9654a0f22910b65bd05ee28fcadd2f

SHA512
e8263b907b5d52a9ac7cf8caae7efa8e6195b38213587bbbde4e36dd757e5d2fc72c751d15a4525b85bbf211307b9e206330f6fe551be12da140fd9c1a8b33ca

Download Submit
memory/2168-94-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2168-93-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/2168-92-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2900-88-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2900-89-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/2900-91-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3848-22-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3848-33-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3848-23-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/4004-4-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/4004-3-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/4004-2-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4004-7-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/4004-12-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4004-0-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4004-1-0x00000000002D0000-0x000000000037A000-memory.dmp

Filesize
680KB

Download
memory/4004-5-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

Filesize
624KB

Download
memory/4244-49-0x0000000006880000-0x000000000689E000-memory.dmp

Filesize
120KB

Download
memory/4244-54-0x0000000007850000-0x0000000007882000-memory.dmp

Filesize
200KB

Download
memory/4244-38-0x0000000006180000-0x00000000061E6000-memory.dmp

Filesize
408KB

Download
memory/4244-24-0x00000000052E0000-0x0000000005316000-memory.dmp

Filesize
216KB

Download
memory/4244-79-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4244-32-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4244-36-0x00000000059B0000-0x00000000059D2000-memory.dmp

Filesize
136KB

Download
memory/4244-50-0x00000000068A0000-0x00000000068EC000-memory.dmp

Filesize
304KB

Download
memory/4244-35-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4244-28-0x0000000005A60000-0x0000000006088000-memory.dmp

Filesize
6.2MB

Download
memory/4244-27-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4244-74-0x0000000007DF0000-0x0000000007E04000-memory.dmp

Filesize
80KB

Download
memory/4244-66-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4244-67-0x0000000007B10000-0x0000000007BB3000-memory.dmp

Filesize
652KB

Download
memory/4244-65-0x0000000006E20000-0x0000000006E3E000-memory.dmp

Filesize
120KB

Download
memory/4244-55-0x000000006FB70000-0x000000006FBBC000-memory.dmp

Filesize
304KB

Download
memory/4244-69-0x0000000007BC0000-0x0000000007BDA000-memory.dmp

Filesize
104KB

Download
memory/4244-68-0x0000000008240000-0x00000000088BA000-memory.dmp

Filesize
6.5MB

Download
memory/4244-70-0x0000000007C20000-0x0000000007C2A000-memory.dmp

Filesize
40KB

Download
memory/4244-44-0x0000000006270000-0x00000000065C4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-71-0x0000000007E30000-0x0000000007EC6000-memory.dmp

Filesize
600KB

Download
memory/4244-53-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

Filesize
64KB

Download
memory/4244-72-0x0000000007DB0000-0x0000000007DC1000-memory.dmp

Filesize
68KB

Download
memory/4244-73-0x0000000007DE0000-0x0000000007DEE000-memory.dmp

Filesize
56KB

Download
memory/4244-75-0x0000000007EF0000-0x0000000007F0A000-memory.dmp

Filesize
104KB

Download
memory/4244-76-0x0000000007ED0000-0x0000000007ED8000-memory.dmp

Filesize
32KB

Download
memory/4804-34-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4804-37-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4804-81-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4804-82-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/4804-52-0x0000000006EE0000-0x0000000006EEA000-memory.dmp

Filesize
40KB

Download
memory/4852-80-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4852-87-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4852-16-0x0000000006AF0000-0x0000000006B2C000-memory.dmp

Filesize
240KB

Download
memory/4852-15-0x0000000005DC0000-0x0000000005DD2000-memory.dmp

Filesize
72KB

Download
memory/4852-14-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/4852-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4852-13-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/4852-11-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download