quasar | 6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411

Analysis

max time kernel
83s
max time network
87s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-12-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

emmasBackdoor.exe
Size

2.9MB
MD5

0266f80fe6efd3e3e4bd0363d17bcbde
SHA1

b144914eb53d2e35e410be64d2db052d06d680df
SHA256

6cffbcd23aeb7ea8c813cda4dad413b9c24d983c0fa6da03931b690b04502411
SHA512

21174624b988b26d16ba96c57b65a0dd0c0fa02d5396ca29c5cc11851f7546a528e1343f3216b224f3deebb1e749ac1dfd02fc5485bf4a0dd5b6d0983c496ac8
SSDEEP

49152:EwREDDMVBq77B4L8lXQn/zJNGJ7YTpZIn+lD2GgWinoaDFO/82:EwRE8q77B44+zJNN1aHNo2O/82

Score

10^/10

quasar emmassub discovery execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

EmmasSub

rath3r.xyz:4782

Mutex

7126373e-e872-4f94-bbbb-42e88d57137b

Attributes

encryption_key
4DC093FC202D016F95DCEE92AAF2874F56ACC3F2
install_name
Windows.WARP.JITService.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MicrosoftUpdateTaskMachineCore
subdirectory
ice

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002abd8-69.dat	family_quasar
behavioral1/memory/4244-76-0x0000000000E90000-0x00000000011B4000-memory.dmp	family_quasar

Executes dropped EXE 11 IoCs

pid	Process
3116	emmasBackdoor.tmp
4244	Client.exe
4952	Windows.WARP.JITService.exe
1320	unins000.exe
5380	_unins.tmp
404	Client.exe
5352	Client.exe
3180	Client.exe
1444	Client.exe
2420	unins000.exe
2280	_unins.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Client.exe
File opened for modification	C:\Windows\system32\ice	Client.exe
File opened for modification	C:\Windows\system32\ice\Windows.WARP.JITService.exe	Windows.WARP.JITService.exe
File opened for modification	C:\Windows\system32\ice	Windows.WARP.JITService.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	_unins.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	_unins.tmp
File opened for modification	C:\Program Files (x86)\EmmasBackdoor\Client.exe	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\unins000.dat	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-OUAAS.tmp	emmasBackdoor.tmp
File created	C:\Program Files (x86)\EmmasBackdoor\is-HK3IP.tmp	emmasBackdoor.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1284	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_unins.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unins000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_unins.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	emmasBackdoor.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\EMMASBACKDOORFILE.MYP\DEFAULTICON	_unins.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	_unins.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\ = "EmmasBackdoor File"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes	emmasBackdoor.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\EMMASBACKDOORFILE.MYP\SHELL\OPEN\COMMAND	_unins.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\DefaultIcon	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open\command\ = "\"C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe\" \"%1\""	emmasBackdoor.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open	_unins.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell	_unins.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp	_unins.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids\EmmasBackdoorFile.myp	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\DefaultIcon\ = "C:\\Program Files (x86)\\EmmasBackdoor\\Client.exe,0"	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp\shell\open\command	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EmmasBackdoorFile.myp\shell\open	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe	emmasBackdoor.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Client.exe\SupportedTypes\.myp	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.myp\OpenWithProgids	emmasBackdoor.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\EmmasBackdoorFile.myp	emmasBackdoor.tmp

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5856	schtasks.exe
4348	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1284	powershell.exe
1284	powershell.exe
3116	emmasBackdoor.tmp
3116	emmasBackdoor.tmp

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	4244	Client.exe
Token: SeDebugPrivilege	4952	Windows.WARP.JITService.exe
Token: SeDebugPrivilege	404	Client.exe
Token: SeDebugPrivilege	5352	Client.exe
Token: SeDebugPrivilege	3180	Client.exe
Token: SeDebugPrivilege	1444	Client.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3116	emmasBackdoor.tmp
2280	_unins.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4952	Windows.WARP.JITService.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 3116	3500	emmasBackdoor.exe	79
PID 3500 wrote to memory of 3116	3500	emmasBackdoor.exe	79
PID 3500 wrote to memory of 3116	3500	emmasBackdoor.exe	79
PID 3116 wrote to memory of 1284	3116	emmasBackdoor.tmp	80
PID 3116 wrote to memory of 1284	3116	emmasBackdoor.tmp	80
PID 3116 wrote to memory of 1284	3116	emmasBackdoor.tmp	80
PID 3116 wrote to memory of 4244	3116	emmasBackdoor.tmp	83
PID 3116 wrote to memory of 4244	3116	emmasBackdoor.tmp	83
PID 4244 wrote to memory of 5856	4244	Client.exe	84
PID 4244 wrote to memory of 5856	4244	Client.exe	84
PID 4244 wrote to memory of 4952	4244	Client.exe	86
PID 4244 wrote to memory of 4952	4244	Client.exe	86
PID 4952 wrote to memory of 4348	4952	Windows.WARP.JITService.exe	87
PID 4952 wrote to memory of 4348	4952	Windows.WARP.JITService.exe	87
PID 1320 wrote to memory of 5380	1320	unins000.exe	95
PID 1320 wrote to memory of 5380	1320	unins000.exe	95
PID 1320 wrote to memory of 5380	1320	unins000.exe	95
PID 2420 wrote to memory of 2280	2420	unins000.exe	101
PID 2420 wrote to memory of 2280	2420	unins000.exe	101
PID 2420 wrote to memory of 2280	2420	unins000.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe
"C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Local\Temp\is-GOISH.tmp\emmasBackdoor.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GOISH.tmp\emmasBackdoor.tmp" /SL5="$602E4,1909968,965632,C:\Users\Admin\AppData\Local\Temp\emmasBackdoor.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-0QL3U.tmp\disable_defender.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Program Files (x86)\EmmasBackdoor\Client.exe
    "C:\Program Files (x86)\EmmasBackdoor\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5856
  - - C:\Windows\system32\ice\Windows.WARP.JITService.exe
      "C:\Windows\system32\ice\Windows.WARP.JITService.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "MicrosoftUpdateTaskMachineCore" /sc ONLOGON /tr "C:\Windows\system32\ice\Windows.WARP.JITService.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4520

C:\Program Files (x86)\EmmasBackdoor\unins000.exe
"C:\Program Files (x86)\EmmasBackdoor\unins000.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
  "C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Program Files (x86)\EmmasBackdoor\unins000.exe" /FIRSTPHASEWND=$5002A
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5380

C:\Program Files (x86)\EmmasBackdoor\Client.exe
"C:\Program Files (x86)\EmmasBackdoor\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Program Files (x86)\EmmasBackdoor\Client.exe
"C:\Program Files (x86)\EmmasBackdoor\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5352

C:\Program Files (x86)\EmmasBackdoor\Client.exe
"C:\Program Files (x86)\EmmasBackdoor\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Program Files (x86)\EmmasBackdoor\Client.exe
"C:\Program Files (x86)\EmmasBackdoor\Client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Program Files (x86)\EmmasBackdoor\unins000.exe
"C:\Program Files (x86)\EmmasBackdoor\unins000.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp
  "C:\Users\Admin\AppData\Local\Temp\iu-14D2N.tmp\_unins.tmp" /SECONDPHASE="C:\Program Files (x86)\EmmasBackdoor\unins000.exe" /FIRSTPHASEWND=$B02E2
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EmmasBackdoor\Client.exe

Filesize
3.1MB

MD5
66ebe604ddf4d6ab60a183f515536528

SHA1
278782873ae0a5cac94add051edfc12e223be55c

SHA256
37e733731381c02941e4a8da30350cf968532d08012b6bb91e525241e8ee2c86

SHA512
756de51b5f6116640736f7dd37faf6172db79c8eaf8da17ba1e3d788d5c0179a01746f7d30044ca5c535c1b3d938bfde3e5d810b7fe50815030be8a5288c2bf9

Download Submit
C:\Program Files (x86)\EmmasBackdoor\unins000.dat

Filesize
5KB

MD5
7a16ea47635829ee28cec05eb69e7739

SHA1
5f2d285a6ddad7bc25628c8bdcf377320744143c

SHA256
17f56538f4a3a76289c9962431b0a9dd7d8f7ce06b16b540e911a6bb476649ce

SHA512
e11f19a68a1ac599b54934f64d188f109a92dde0f403c492b37f4283ea6f865f9c63045e99c5bb40632ec309dc0b7495909c62ef0697e7eda6f806770df2ca64

Download Submit
C:\Program Files (x86)\EmmasBackdoor\unins000.exe

Filesize
3.3MB

MD5
40241dd8f313363eaa5757d57dee2f1d

SHA1
42669c3dc9080eb7aed3e2c3235412922ea3e731

SHA256
8908c91c6c53b346cf416e28027132e10f399da42aee6e82b086fe79e8f964ff

SHA512
33f05439f0318e89dc38e05519c9662d97f0d0125d7f7236815973a0da13181ac99cb5cbc80b558e361bc04118b00379a341c8ead652897d2927400ee0322b8c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EmmasBackdoor.lnk

Filesize
1KB

MD5
811bd01946498cc37637ed7718a453d0

SHA1
5af22e4f0f025e4fd321d6168ba5cf9929944292

SHA256
211a9351c34726b08f6a5f4b6d86141ff37a4eae3832704672d8792b3d68996b

SHA512
395e2f996172a16da2c1301740e5dad7d709648ba3bdc620447296ff3cae2fa835d0a7c208ef2f9d5b13d153c1f3a3f624a3f04683bcf90bf8a6e7087569a756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tlwkolmy.wgt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0QL3U.tmp\disable_defender.ps1

Filesize
544B

MD5
3568227fbb730d48fa31d13e87f9a370

SHA1
83ac8fbb2b9c35337f372977fe3323f63060c5ff

SHA256
a06e1c77a4ab2a13f90dc2f86bbb4cb662f2bd10b1f805b1b7745af4c2ad3698

SHA512
2b8863dbdc4c980eac867e600ca008261d046a99bf40cfc02a350ec45a04e3a7b958b21219ad0a26b339336f779ba167aa84c45dbe4d9d9ada004c4515ba6d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GOISH.tmp\emmasBackdoor.tmp

Filesize
3.3MB

MD5
95c49a50069cf27284ac7b186df5aae0

SHA1
4120193848e7726aac277f9ea6e4b3670342ed03

SHA256
9f62b6f4c234ded050162b55a9c6de0c604578dee34462b96615e48169a485bb

SHA512
f6d3fd7454943aac838cd81e17c35787747185e0736823424453ffbf375da1e921dba0a5ce88a05f7a71e2ac367d47ee8fbabbd529f48997b99f1a3afa5370cd

Download Submit
C:\Users\Public\Desktop\EmmasBackdoor.lnk

Filesize
1KB

MD5
2d1d45a4b6667099cbcaaaaf08f467f2

SHA1
efe9a4d393a5bb7bbfec3436cbae6dd2218d4e73

SHA256
b2d69b36b5b3162e46571af1a363def3af44c5a1243815c493b6b267bc834f8c

SHA512
a4ac492bc2a2abdc5f9394caf42c8bfb47562364db9180ef0764927fadcbcc8e32fe1b297ae51331bb9acd1798710662407a711ade6c2eb3669c93f483ca42fd

Download Submit
memory/1284-46-0x00000000076A0000-0x00000000076AA000-memory.dmp

Filesize
40KB

Download
memory/1284-52-0x0000000007990000-0x0000000007998000-memory.dmp

Filesize
32KB

Download
memory/1284-16-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/1284-14-0x0000000005430000-0x0000000005452000-memory.dmp

Filesize
136KB

Download
memory/1284-25-0x0000000005E60000-0x00000000061B7000-memory.dmp

Filesize
3.3MB

Download
memory/1284-26-0x00000000062E0000-0x00000000062FE000-memory.dmp

Filesize
120KB

Download
memory/1284-27-0x0000000006320000-0x000000000636C000-memory.dmp

Filesize
304KB

Download
memory/1284-13-0x00000000742E0000-0x0000000074A91000-memory.dmp

Filesize
7.7MB

Download
memory/1284-39-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/1284-29-0x00000000068E0000-0x0000000006914000-memory.dmp

Filesize
208KB

Download
memory/1284-30-0x00000000704F0000-0x000000007053C000-memory.dmp

Filesize
304KB

Download
memory/1284-40-0x00000000742E0000-0x0000000074A91000-memory.dmp

Filesize
7.7MB

Download
memory/1284-41-0x00000000742E0000-0x0000000074A91000-memory.dmp

Filesize
7.7MB

Download
memory/1284-42-0x0000000007510000-0x00000000075B4000-memory.dmp

Filesize
656KB

Download
memory/1284-43-0x00000000742E0000-0x0000000074A91000-memory.dmp

Filesize
7.7MB

Download
memory/1284-44-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/1284-45-0x0000000007640000-0x000000000765A000-memory.dmp

Filesize
104KB

Download
memory/1284-9-0x00000000742EE000-0x00000000742EF000-memory.dmp

Filesize
4KB

Download
memory/1284-47-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/1284-48-0x0000000007840000-0x0000000007851000-memory.dmp

Filesize
68KB

Download
memory/1284-49-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/1284-50-0x0000000007890000-0x00000000078A5000-memory.dmp

Filesize
84KB

Download
memory/1284-51-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/1284-15-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/1284-53-0x00000000079C0000-0x00000000079E2000-memory.dmp

Filesize
136KB

Download
memory/1284-54-0x00000000088C0000-0x0000000008E66000-memory.dmp

Filesize
5.6MB

Download
memory/1284-57-0x00000000742E0000-0x0000000074A91000-memory.dmp

Filesize
7.7MB

Download
memory/1284-10-0x0000000002AD0000-0x0000000002B06000-memory.dmp

Filesize
216KB

Download
memory/1284-12-0x0000000005780000-0x0000000005DAA000-memory.dmp

Filesize
6.2MB

Download
memory/1284-11-0x00000000742E0000-0x0000000074A91000-memory.dmp

Filesize
7.7MB

Download
memory/1320-99-0x0000000000D30000-0x0000000001089000-memory.dmp

Filesize
3.3MB

Download
memory/2280-118-0x00000000007D0000-0x0000000000B29000-memory.dmp

Filesize
3.3MB

Download
memory/2420-116-0x0000000000D30000-0x0000000001089000-memory.dmp

Filesize
3.3MB

Download
memory/3116-58-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/3116-84-0x0000000000490000-0x00000000007E9000-memory.dmp

Filesize
3.3MB

Download
memory/3116-60-0x0000000000490000-0x00000000007E9000-memory.dmp

Filesize
3.3MB

Download
memory/3116-6-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/3500-85-0x0000000000AD0000-0x0000000000BCA000-memory.dmp

Filesize
1000KB

Download
memory/3500-59-0x0000000000AD0000-0x0000000000BCA000-memory.dmp

Filesize
1000KB

Download
memory/3500-2-0x0000000000AD1000-0x0000000000B79000-memory.dmp

Filesize
672KB

Download
memory/3500-0-0x0000000000AD0000-0x0000000000BCA000-memory.dmp

Filesize
1000KB

Download
memory/4244-76-0x0000000000E90000-0x00000000011B4000-memory.dmp

Filesize
3.1MB

Download
memory/4952-87-0x000000001BDF0000-0x000000001BEA2000-memory.dmp

Filesize
712KB

Download
memory/4952-86-0x000000001B1C0000-0x000000001B210000-memory.dmp

Filesize
320KB

Download
memory/5380-98-0x0000000000FB0000-0x0000000001309000-memory.dmp

Filesize
3.3MB

Download