quasar | ef7a777d354433cc1398552311446bbc0be13e34407ca6fd7a67e4c750e76183

Analysis

max time kernel
1799s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libGLESV2.exe
Size

10.4MB
MD5

621c28cd39d9d6f9a3377b8da8a8849b
SHA1

5a025ed5f5baae77496e27fb2996fcb22d67ed40
SHA256

54c1dc44cd458da7ec96343973fa7f350df27517715f41483f9cab748d3a9203
SHA512

b5600b871ac950ec10d7bd0c38bb242a9921b1bccd2dacaa709471475a4c410eb2b43b693e2c18db40349f5c8e15b2c0ee93dde4eb3cbce2f47db880fe48033f
SSDEEP

196608:4nIMYy23CPc/V0VjfJcPE8Yw6QodKh7Ls85JxhVgE+uBd1ub:4nIRyEN08s8Yw6Qg1IgEzE

Score

10^/10

quasar redline sectoprat venomrat awsr v/r/b evasion infostealer rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes

encryption_key
g1Bi32PXFGwyBI9DJGTD
install_name
Start Process.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Browser Module
subdirectory
Sys Resources

Extracted

Family

redline

Botnet

AwsR

siyatermi.duckdns.org:17044

Signatures

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral3/files/0x000700000002a722-17.dat	disable_win_def
behavioral3/memory/2908-37-0x0000000000970000-0x00000000009FC000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Start Process.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Start Process.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x000700000002a722-17.dat	family_quasar
behavioral3/memory/2908-37-0x0000000000970000-0x00000000009FC000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x000a00000002a626-7.dat	family_redline
behavioral3/memory/576-33-0x0000000000E70000-0x0000000000E8E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x000a00000002a626-7.dat	family_sectoprat
behavioral3/memory/576-33-0x0000000000E70000-0x0000000000E8E000-memory.dmp	family_sectoprat

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Tiktok Share Bot byDenmark.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Tiktok Share Bot byDenmark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Tiktok Share Bot byDenmark.exe

Executes dropped EXE 5 IoCs

Processes:

Software Check.exeStart Process.exeTiktok Share Bot byDenmark.exeStart Process.exeStart Process.exe

pid	Process
576	Software Check.exe
2908	Start Process.exe
4824	Tiktok Share Bot byDenmark.exe
892	Start Process.exe
1636	Start Process.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Start Process.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Start Process.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4224	schtasks.exe
2484	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2764	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Tiktok Share Bot byDenmark.exe

pid	Process
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe
4824	Tiktok Share Bot byDenmark.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Software Check.exeTiktok Share Bot byDenmark.exeStart Process.exepowershell.exeStart Process.exeStart Process.exe

description	pid	Process
Token: SeDebugPrivilege	576	Software Check.exe
Token: SeDebugPrivilege	4824	Tiktok Share Bot byDenmark.exe
Token: SeDebugPrivilege	2908	Start Process.exe
Token: SeDebugPrivilege	480	powershell.exe
Token: SeDebugPrivilege	892	Start Process.exe
Token: SeDebugPrivilege	892	Start Process.exe
Token: SeDebugPrivilege	1636	Start Process.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Start Process.exe

pid	Process
892	Start Process.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

libGLESV2.exeStart Process.exeStart Process.execmd.execmd.exe

description	pid	Process	procid_target
PID 3756 wrote to memory of 576	3756	libGLESV2.exe	77
PID 3756 wrote to memory of 576	3756	libGLESV2.exe	77
PID 3756 wrote to memory of 576	3756	libGLESV2.exe	77
PID 3756 wrote to memory of 2908	3756	libGLESV2.exe	78
PID 3756 wrote to memory of 2908	3756	libGLESV2.exe	78
PID 3756 wrote to memory of 2908	3756	libGLESV2.exe	78
PID 3756 wrote to memory of 4824	3756	libGLESV2.exe	80
PID 3756 wrote to memory of 4824	3756	libGLESV2.exe	80
PID 2908 wrote to memory of 4224	2908	Start Process.exe	83
PID 2908 wrote to memory of 4224	2908	Start Process.exe	83
PID 2908 wrote to memory of 4224	2908	Start Process.exe	83
PID 2908 wrote to memory of 892	2908	Start Process.exe	85
PID 2908 wrote to memory of 892	2908	Start Process.exe	85
PID 2908 wrote to memory of 892	2908	Start Process.exe	85
PID 2908 wrote to memory of 480	2908	Start Process.exe	86
PID 2908 wrote to memory of 480	2908	Start Process.exe	86
PID 2908 wrote to memory of 480	2908	Start Process.exe	86
PID 892 wrote to memory of 2484	892	Start Process.exe	88
PID 892 wrote to memory of 2484	892	Start Process.exe	88
PID 892 wrote to memory of 2484	892	Start Process.exe	88
PID 2908 wrote to memory of 1368	2908	Start Process.exe	91
PID 2908 wrote to memory of 1368	2908	Start Process.exe	91
PID 2908 wrote to memory of 1368	2908	Start Process.exe	91
PID 1368 wrote to memory of 2004	1368	cmd.exe	94
PID 1368 wrote to memory of 2004	1368	cmd.exe	94
PID 1368 wrote to memory of 2004	1368	cmd.exe	94
PID 2908 wrote to memory of 5024	2908	Start Process.exe	96
PID 2908 wrote to memory of 5024	2908	Start Process.exe	96
PID 2908 wrote to memory of 5024	2908	Start Process.exe	96
PID 5024 wrote to memory of 4396	5024	cmd.exe	98
PID 5024 wrote to memory of 4396	5024	cmd.exe	98
PID 5024 wrote to memory of 4396	5024	cmd.exe	98
PID 5024 wrote to memory of 2764	5024	cmd.exe	99
PID 5024 wrote to memory of 2764	5024	cmd.exe	99
PID 5024 wrote to memory of 2764	5024	cmd.exe	99
PID 5024 wrote to memory of 1636	5024	cmd.exe	100
PID 5024 wrote to memory of 1636	5024	cmd.exe	100
PID 5024 wrote to memory of 1636	5024	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\libGLESV2.exe
"C:\Users\Admin\AppData\Local\Temp\libGLESV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Roaming\Software Check.exe
  "C:\Users\Admin\AppData\Roaming\Software Check.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Users\Admin\AppData\Roaming\Start Process.exe
  "C:\Users\Admin\AppData\Roaming\Start Process.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Start Process.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4224
- - C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe
    "C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:2484
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NgnPRp9I0AsM.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4396
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:2764
  - - C:\Users\Admin\AppData\Roaming\Start Process.exe
      "C:\Users\Admin\AppData\Roaming\Start Process.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- C:\Users\Admin\AppData\Roaming\Tiktok Share Bot byDenmark.exe
  "C:\Users\Admin\AppData\Roaming\Tiktok Share Bot byDenmark.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Start Process.exe.log

Filesize
1KB

MD5
0d57fc33826cdd8ab7f1fd188829748d

SHA1
40fab51cd74493d07e0c37af6bfee896e9d0cef6

SHA256
4ff6a3eca1a0964fa036fcc54b2fa2137de9ade61e8140cee7e3136352445c41

SHA512
dd02119b787943e580156d89ea75ad38eff863bf560d4ec33fa4e52202f0b6252e928322f73e3a3e11685fb0cff204af4d67c6818bdf9812d7b458c362965aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NgnPRp9I0AsM.bat

Filesize
207B

MD5
e8eef91bd244eb49cd9eeb23b3781235

SHA1
706cf6a11efb89ffb742af4ad6bd289bb380ec37

SHA256
4833ba0fecceab191f63a2b57475552edb1f16957c20bee5452b93cbe73578ad

SHA512
a79e399afbb7e720d71da526523396f1ea883e3207b56f0b595a646a6f36a2bc0a8e56c47103f222163a293050825eb3411b71f693d6e969296d80aed50a668e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13kxb3au.0kh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Software Check.exe

Filesize
95KB

MD5
27c2436f6a1c111bef78597d37751138

SHA1
f1dabacffc82bbfc7d8db578f0a5653d7fe84bca

SHA256
bcac81c69094ea47c3a00cae028ac4c64dd6cbd4fe85e11363e3e35b48c04842

SHA512
97e717b9ad5b063e4ff1209684b27d033c5a4a8d9679e3d42d7308fbac1c885a1d3c85d3fed70b7a9adc82203d0e943777d7819456599276c61549186e319636

Download Submit
C:\Users\Admin\AppData\Roaming\Start Process.exe

Filesize
535KB

MD5
4d97786ab8047ad6c08532ed7a017573

SHA1
a64d07233d813f9a085722295dca62ca726e291a

SHA256
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870

SHA512
9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2

Download Submit
C:\Users\Admin\AppData\Roaming\Tiktok Share Bot byDenmark.exe

Filesize
9.8MB

MD5
6720bbc01a878d9003076c2b22bfe0cf

SHA1
6f2e7acde97d9847400013880d2796428504e580

SHA256
90529087bb4c13893ee9e5f3808ace6cdc1bffa2f85aa2f5005b19c2865d143e

SHA512
fa41ec8c1baa2e371987402c57dbef31e377897c6154ee290455fbc1e42d90e82c504036165bdc467c25696e4c455fac8bb89e6f7631f961f2282d5d3667bcf9

Download Submit
memory/480-97-0x0000000007160000-0x00000000071F6000-memory.dmp

Filesize
600KB

Download
memory/480-99-0x0000000007110000-0x000000000711E000-memory.dmp

Filesize
56KB

Download
memory/480-77-0x0000000005B80000-0x0000000005B9E000-memory.dmp

Filesize
120KB

Download
memory/480-80-0x0000000006B30000-0x0000000006B64000-memory.dmp

Filesize
208KB

Download
memory/480-81-0x000000007F340000-0x000000007F350000-memory.dmp

Filesize
64KB

Download
memory/480-92-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/480-91-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/480-76-0x0000000005720000-0x0000000005A77000-memory.dmp

Filesize
3.3MB

Download
memory/480-93-0x0000000006D70000-0x0000000006E14000-memory.dmp

Filesize
656KB

Download
memory/480-105-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/480-75-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/480-102-0x0000000007210000-0x0000000007218000-memory.dmp

Filesize
32KB

Download
memory/480-101-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/480-68-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/480-65-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/480-63-0x0000000004E00000-0x000000000542A000-memory.dmp

Filesize
6.2MB

Download
memory/480-100-0x0000000007120000-0x0000000007135000-memory.dmp

Filesize
84KB

Download
memory/480-82-0x0000000073C70000-0x0000000073CBC000-memory.dmp

Filesize
304KB

Download
memory/480-98-0x00000000070E0000-0x00000000070F1000-memory.dmp

Filesize
68KB

Download
memory/480-96-0x0000000006F50000-0x0000000006F5A000-memory.dmp

Filesize
40KB

Download
memory/480-95-0x0000000006ED0000-0x0000000006EEA000-memory.dmp

Filesize
104KB

Download
memory/480-60-0x00000000046D0000-0x0000000004706000-memory.dmp

Filesize
216KB

Download
memory/480-94-0x0000000007510000-0x0000000007B8A000-memory.dmp

Filesize
6.5MB

Download
memory/480-62-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/480-64-0x00000000047C0000-0x00000000047D0000-memory.dmp

Filesize
64KB

Download
memory/576-49-0x0000000005AC0000-0x0000000005BCA000-memory.dmp

Filesize
1.0MB

Download
memory/576-48-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/576-36-0x0000000005D40000-0x0000000006358000-memory.dmp

Filesize
6.1MB

Download
memory/576-47-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/576-44-0x0000000005860000-0x00000000058AC000-memory.dmp

Filesize
304KB

Download
memory/576-42-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/576-38-0x00000000057C0000-0x00000000057D2000-memory.dmp

Filesize
72KB

Download
memory/576-117-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/576-33-0x0000000000E70000-0x0000000000E8E000-memory.dmp

Filesize
120KB

Download
memory/576-118-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/892-120-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/892-59-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/892-114-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/892-79-0x00000000062C0000-0x00000000062CA000-memory.dmp

Filesize
40KB

Download
memory/892-61-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/1636-122-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1636-121-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/1636-119-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/2908-53-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/2908-111-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/2908-34-0x0000000071E90000-0x0000000072641000-memory.dmp

Filesize
7.7MB

Download
memory/2908-39-0x00000000058A0000-0x0000000005E46000-memory.dmp

Filesize
5.6MB

Download
memory/2908-45-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/2908-41-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/2908-37-0x0000000000970000-0x00000000009FC000-memory.dmp

Filesize
560KB

Download
memory/3756-1-0x0000000002340000-0x0000000002350000-memory.dmp

Filesize
64KB

Download
memory/3756-2-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/3756-35-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/3756-0-0x0000000074D90000-0x0000000075341000-memory.dmp

Filesize
5.7MB

Download
memory/4824-112-0x00007FF732FE0000-0x00007FF734981000-memory.dmp

Filesize
25.6MB

Download
memory/4824-113-0x00007FF947240000-0x00007FF947449000-memory.dmp

Filesize
2.0MB

Download
memory/4824-43-0x00007FF732FE0000-0x00007FF734981000-memory.dmp

Filesize
25.6MB

Download
memory/4824-46-0x00007FF947240000-0x00007FF947449000-memory.dmp

Filesize
2.0MB

Download
memory/4824-50-0x0000024565160000-0x0000024565170000-memory.dmp

Filesize
64KB

Download
memory/4824-51-0x0000024565170000-0x0000024565180000-memory.dmp

Filesize
64KB

Download
memory/4824-52-0x0000024565190000-0x00000245651A0000-memory.dmp

Filesize
64KB

Download