quasar | 39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 09:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
Size

488KB
MD5

33ce258b07afea582cc317a398b8770c
SHA1

9a81235b698e5477847280626b729f5347ed2585
SHA256

39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065
SHA512

4fbd58e79881313b8c29ccafd9ef7c479e9bbc427869a44981bc4077bd81ed1532c5bcb679e8973470833e18dc5c81a54c69d958030f31f053e92f35a6d2ad66
SSDEEP

12288:ayJgDWpL20Rr3oPm1PC8CcxZsfi8H8fxQpwW2R7NoBE:aAgDWWm1HCX9cz1dNoS

Score

10^/10

quasar venomrat awtes evasion rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Extracted

Family

quasar

Version

2.1.0.0

Botnet

awtes

193.161.193.99:25334

Mutex

VNM_MUTEX_kCeYnA1EuESMOTFzJZ

Attributes

encryption_key
mUjLzgxM95Q9fARNfgET
install_name
_isdel.exe
log_directory
SetupDir
reconnect_delay
3000
startup_key
_isdel
subdirectory
Shield

Signatures

Contains code to disable Windows Defender 10 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/3536-2-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/3536-5-0x0000000000402000-0x0000000000489000-memory.dmp	disable_win_def
behavioral2/memory/3536-7-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/3536-9-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/3536-11-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/3536-19-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/memory/3536-23-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral2/files/0x00080000000234b5-33.dat	disable_win_def
behavioral2/memory/2252-35-0x0000000000670000-0x00000000006FC000-memory.dmp	disable_win_def
behavioral2/memory/3536-48-0x0000000000402000-0x0000000000489000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dvljkxja.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dvljkxja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	dvljkxja.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dvljkxja.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 10 IoCs

resource	yara_rule
behavioral2/memory/3536-2-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/3536-5-0x0000000000402000-0x0000000000489000-memory.dmp	family_quasar
behavioral2/memory/3536-7-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/3536-9-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/3536-11-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/3536-19-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/memory/3536-23-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral2/files/0x00080000000234b5-33.dat	family_quasar
behavioral2/memory/2252-35-0x0000000000670000-0x00000000006FC000-memory.dmp	family_quasar
behavioral2/memory/3536-48-0x0000000000402000-0x0000000000489000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	dvljkxja.exe

Executes dropped EXE 3 IoCs

pid	Process
2252	dvljkxja.exe
5056	_isdel.exe
2968	dvljkxja.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	dvljkxja.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	dvljkxja.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Shield	_isdel.exe
File created	C:\Windows\SysWOW64\Shield\r77-x64.dll	dvljkxja.exe
File created	C:\Windows\SysWOW64\Shield\_isdel.exe	dvljkxja.exe
File opened for modification	C:\Windows\SysWOW64\Shield\_isdel.exe	dvljkxja.exe
File opened for modification	C:\Windows\SysWOW64\Shield\_isdel.exe	_isdel.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3188	schtasks.exe
1568	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1228	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3828	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	2252	dvljkxja.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	5056	_isdel.exe
Token: SeDebugPrivilege	5056	_isdel.exe
Token: SeDebugPrivilege	2968	dvljkxja.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
5056	_isdel.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3536 wrote to memory of 720	3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	83
PID 3536 wrote to memory of 720	3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	83
PID 3536 wrote to memory of 720	3536	33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe	83
PID 2376 wrote to memory of 1444	2376	DllHost.exe	87
PID 2376 wrote to memory of 1444	2376	DllHost.exe	87
PID 2376 wrote to memory of 1444	2376	DllHost.exe	87
PID 1444 wrote to memory of 2252	1444	cmd.exe	89
PID 1444 wrote to memory of 2252	1444	cmd.exe	89
PID 1444 wrote to memory of 2252	1444	cmd.exe	89
PID 2376 wrote to memory of 1228	2376	DllHost.exe	90
PID 2376 wrote to memory of 1228	2376	DllHost.exe	90
PID 2376 wrote to memory of 1228	2376	DllHost.exe	90
PID 2252 wrote to memory of 3188	2252	dvljkxja.exe	95
PID 2252 wrote to memory of 3188	2252	dvljkxja.exe	95
PID 2252 wrote to memory of 3188	2252	dvljkxja.exe	95
PID 2252 wrote to memory of 5056	2252	dvljkxja.exe	97
PID 2252 wrote to memory of 5056	2252	dvljkxja.exe	97
PID 2252 wrote to memory of 5056	2252	dvljkxja.exe	97
PID 2252 wrote to memory of 1492	2252	dvljkxja.exe	98
PID 2252 wrote to memory of 1492	2252	dvljkxja.exe	98
PID 2252 wrote to memory of 1492	2252	dvljkxja.exe	98
PID 5056 wrote to memory of 1568	5056	_isdel.exe	100
PID 5056 wrote to memory of 1568	5056	_isdel.exe	100
PID 5056 wrote to memory of 1568	5056	_isdel.exe	100
PID 2252 wrote to memory of 1236	2252	dvljkxja.exe	107
PID 2252 wrote to memory of 1236	2252	dvljkxja.exe	107
PID 2252 wrote to memory of 1236	2252	dvljkxja.exe	107
PID 1236 wrote to memory of 116	1236	cmd.exe	110
PID 1236 wrote to memory of 116	1236	cmd.exe	110
PID 1236 wrote to memory of 116	1236	cmd.exe	110
PID 2252 wrote to memory of 2140	2252	dvljkxja.exe	117
PID 2252 wrote to memory of 2140	2252	dvljkxja.exe	117
PID 2252 wrote to memory of 2140	2252	dvljkxja.exe	117
PID 2140 wrote to memory of 540	2140	cmd.exe	119
PID 2140 wrote to memory of 540	2140	cmd.exe	119
PID 2140 wrote to memory of 540	2140	cmd.exe	119
PID 2140 wrote to memory of 3828	2140	cmd.exe	120
PID 2140 wrote to memory of 3828	2140	cmd.exe	120
PID 2140 wrote to memory of 3828	2140	cmd.exe	120
PID 2140 wrote to memory of 2968	2140	cmd.exe	124
PID 2140 wrote to memory of 2968	2140	cmd.exe	124
PID 2140 wrote to memory of 2968	2140	cmd.exe	124

C:\Users\Admin\AppData\Local\Temp\33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33ce258b07afea582cc317a398b8770c_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3536
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\fnl0bpbf.inf
  2⤵
  PID:720

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start C:\Windows\temp\dvljkxja.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\temp\dvljkxja.exe
    C:\Windows\temp\dvljkxja.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "_isdel" /sc ONLOGON /tr "C:\Windows\temp\dvljkxja.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3188
  - - C:\Windows\SysWOW64\Shield\_isdel.exe
      "C:\Windows\SysWOW64\Shield\_isdel.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "_isdel" /sc ONLOGON /tr "C:\Windows\SysWOW64\Shield\_isdel.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:1568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
        5⤵
        
        PID:116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Tm3nLkMTPSPy.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:540
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:3828
    - - C:\Windows\temp\dvljkxja.exe
        
        "C:\Windows\temp\dvljkxja.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dvljkxja.exe.log

Filesize
1KB

MD5
10eab9c2684febb5327b6976f2047587

SHA1
a12ed54146a7f5c4c580416aecb899549712449e

SHA256
f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

SHA512
7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tm3nLkMTPSPy.bat

Filesize
187B

MD5
9ae763b911cfc5a4df06d9917a461006

SHA1
0d39b3c3b6cc2304dc7cd1b578bbbff4db7fb283

SHA256
abe5b3f69f4066f3a9146c5fdf36096d21021dd39b745d7430d64e12cbcf197c

SHA512
a5676d87b430a246d8b51643346b069c86cce9d3477474b173dcde8ddc2ca0de54b125352ed882d2ae49808a4845a6ab4e9ddeee8f1b255635a58d76dbf4d33d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qeg515eh.kpw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\temp\dvljkxja.exe

Filesize
535KB

MD5
bda9d685fbd2a365b038dd46e13cd270

SHA1
feb414e6c698fc4764bbb00ed71c3f210021e33a

SHA256
ea7248f135df4164ea025f6bbda2a48e3a02d992cadaaa43b737264463268c14

SHA512
c0d56be6d9418fde56fc85d320b45d087c59604fba0b2fb65045d3fa97176c35628d4132b065601faf2f446044e42a39676c0c950bc92df4ea3f88bd6803b241

Download Submit
C:\Windows\temp\fnl0bpbf.inf

Filesize
606B

MD5
8728c620d1610ec5270bd46ab1b15972

SHA1
2d73288dfe17c3bc35f5091b1f489066a34f08f6

SHA256
06be5f77be4c3c3b7c81e7619a5971786c941456755e393218bc270963031e43

SHA512
1bff2cf5aaa2b575fbc576b45685e8a8cb489bd9d81e40a979e86f271503a649b50aca85ab7b6bcfaf87f42fe3d924c8250117a3d8335a8788808cc1a9593ee0

Download Submit
memory/1492-86-0x0000000007780000-0x0000000007823000-memory.dmp

Filesize
652KB

Download
memory/1492-93-0x0000000007AF0000-0x0000000007B04000-memory.dmp

Filesize
80KB

Download
memory/1492-91-0x0000000007AB0000-0x0000000007AC1000-memory.dmp

Filesize
68KB

Download
memory/1492-90-0x0000000007B30000-0x0000000007BC6000-memory.dmp

Filesize
600KB

Download
memory/1492-89-0x0000000007920000-0x000000000792A000-memory.dmp

Filesize
40KB

Download
memory/1492-87-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/1492-88-0x00000000078B0000-0x00000000078CA000-memory.dmp

Filesize
104KB

Download
memory/1492-74-0x0000000007740000-0x0000000007772000-memory.dmp

Filesize
200KB

Download
memory/1492-75-0x000000006FE30000-0x000000006FE7C000-memory.dmp

Filesize
304KB

Download
memory/1492-95-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/1492-85-0x0000000006B60000-0x0000000006B7E000-memory.dmp

Filesize
120KB

Download
memory/1492-92-0x0000000007AE0000-0x0000000007AEE000-memory.dmp

Filesize
56KB

Download
memory/1492-72-0x0000000006620000-0x000000000666C000-memory.dmp

Filesize
304KB

Download
memory/1492-71-0x0000000006590000-0x00000000065AE000-memory.dmp

Filesize
120KB

Download
memory/1492-94-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/1492-70-0x0000000005FE0000-0x0000000006334000-memory.dmp

Filesize
3.3MB

Download
memory/1492-60-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/1492-59-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/1492-58-0x00000000056A0000-0x0000000005CC8000-memory.dmp

Filesize
6.2MB

Download
memory/1492-57-0x0000000002C60000-0x0000000002C96000-memory.dmp

Filesize
216KB

Download
memory/2252-51-0x0000000006220000-0x000000000625C000-memory.dmp

Filesize
240KB

Download
memory/2252-50-0x0000000005CE0000-0x0000000005CF2000-memory.dmp

Filesize
72KB

Download
memory/2252-35-0x0000000000670000-0x00000000006FC000-memory.dmp

Filesize
560KB

Download
memory/2252-49-0x00000000050D0000-0x0000000005136000-memory.dmp

Filesize
408KB

Download
memory/3536-19-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3536-24-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/3536-34-0x0000000075190000-0x00000000751E2000-memory.dmp

Filesize
328KB

Download
memory/3536-41-0x00000000749D0000-0x00000000749D8000-memory.dmp

Filesize
32KB

Download
memory/3536-40-0x00000000749E0000-0x00000000749EF000-memory.dmp

Filesize
60KB

Download
memory/3536-39-0x00000000749F0000-0x0000000074A7D000-memory.dmp

Filesize
564KB

Download
memory/3536-38-0x00000000757E0000-0x0000000075825000-memory.dmp

Filesize
276KB

Download
memory/3536-37-0x0000000076000000-0x0000000076096000-memory.dmp

Filesize
600KB

Download
memory/3536-42-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3536-47-0x00000000755C0000-0x00000000755D9000-memory.dmp

Filesize
100KB

Download
memory/3536-48-0x0000000000402000-0x0000000000489000-memory.dmp

Filesize
540KB

Download
memory/3536-44-0x0000000074150000-0x00000000741FB000-memory.dmp

Filesize
684KB

Download
memory/3536-46-0x0000000072CB0000-0x0000000072D39000-memory.dmp

Filesize
548KB

Download
memory/3536-45-0x0000000075420000-0x0000000075503000-memory.dmp

Filesize
908KB

Download
memory/3536-43-0x0000000074200000-0x0000000074214000-memory.dmp

Filesize
80KB

Download
memory/3536-30-0x0000000076E90000-0x0000000077443000-memory.dmp

Filesize
5.7MB

Download
memory/3536-28-0x0000000076890000-0x000000007694F000-memory.dmp

Filesize
764KB

Download
memory/3536-29-0x0000000075A60000-0x0000000075B1F000-memory.dmp

Filesize
764KB

Download
memory/3536-23-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3536-25-0x0000000076950000-0x0000000076974000-memory.dmp

Filesize
144KB

Download
memory/3536-27-0x0000000075830000-0x0000000075950000-memory.dmp

Filesize
1.1MB

Download
memory/3536-36-0x00000000765B0000-0x0000000076831000-memory.dmp

Filesize
2.5MB

Download
memory/3536-26-0x0000000075BA0000-0x0000000075C1B000-memory.dmp

Filesize
492KB

Download
memory/3536-22-0x00000000022B0000-0x00000000022F7000-memory.dmp

Filesize
284KB

Download
memory/3536-20-0x0000000002A30000-0x0000000002A3A000-memory.dmp

Filesize
40KB

Download
memory/3536-1-0x00000000022B0000-0x00000000022F7000-memory.dmp

Filesize
284KB

Download
memory/3536-15-0x0000000076E90000-0x0000000077443000-memory.dmp

Filesize
5.7MB

Download
memory/3536-14-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/3536-13-0x0000000004D50000-0x00000000052F4000-memory.dmp

Filesize
5.6MB

Download
memory/3536-12-0x0000000072CB0000-0x0000000072D39000-memory.dmp

Filesize
548KB

Download
memory/3536-10-0x0000000075420000-0x0000000075503000-memory.dmp

Filesize
908KB

Download
memory/3536-11-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3536-8-0x00000000765B0000-0x0000000076831000-memory.dmp

Filesize
2.5MB

Download
memory/3536-9-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3536-7-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3536-6-0x0000000075C20000-0x0000000075E35000-memory.dmp

Filesize
2.1MB

Download
memory/3536-5-0x0000000000402000-0x0000000000489000-memory.dmp

Filesize
540KB

Download
memory/3536-3-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/3536-2-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3536-4-0x00000000022B0000-0x00000000022F7000-memory.dmp

Filesize
284KB

Download
memory/3536-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download