quasar | ef7a777d354433cc1398552311446bbc0be13e34407ca6fd7a67e4c750e76183

Analysis

max time kernel
1796s
max time network
1802s
platform
windows11-21h2_x64
resource
win11-20240319-en
resource tags

arch:x64arch:x86image:win11-20240319-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Tiktok Share Bot byDenmark.exe
Size

774KB
MD5

4e27884494531416bd41504c7e0ba4ac
SHA1

f806c283c32bb43380c2636e2382a70484ea4b89
SHA256

40278019afe364e36be0e88470cb626a5aba0f78c23b171b4eb30e80db159763
SHA512

e2e5c8be79d1e0ddb70d667e6fd79023e9e34306f9a987d661aa1e9d46c5c2fe574ec6d52f871483455f5be1f722d76b396a9121450d9e7c824d4648bbc445ce
SSDEEP

24576:ML2wAwspzLMrL8vuJB98x1i09m6qfsTtUzF/B:1wAwspzLMrxB98x1i09vJUzJB

Score

10^/10

quasar redline sectoprat venomrat awsr v/r/b evasion infostealer rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

AwsR

siyatermi.duckdns.org:17044

Extracted

Family

quasar

Version

2.1.0.0

Botnet

V/R/B

siyatermi.duckdns.org:1518

Mutex

VNM_MUTEX_mJ6pCWZMe3OMOha5bj

Attributes

encryption_key
g1Bi32PXFGwyBI9DJGTD
install_name
Start Process.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Browser Module
subdirectory
Sys Resources

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Start Process.exe	disable_win_def
behavioral1/memory/1128-48-0x0000000000E30000-0x0000000000EBC000-memory.dmp	disable_win_def
behavioral1/memory/3184-74-0x00000000058D0000-0x00000000058E0000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Start Process.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Start Process.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\Start Process.exe family_quasar
behavioral1/memory/1128-48-0x0000000000E30000-0x0000000000EBC000-memory.dmp family_quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\Software Check.exe family_redline
behavioral1/memory/1920-44-0x0000000000B00000-0x0000000000B1E000-memory.dmp family_redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat
SectopRAT payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\Software Check.exe family_sectoprat
behavioral1/memory/1920-44-0x0000000000B00000-0x0000000000B1E000-memory.dmp family_sectoprat
VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Start Process.exe	family_quasar
behavioral1/memory/1128-48-0x0000000000E30000-0x0000000000EBC000-memory.dmp	family_quasar

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Software Check.exe	family_redline
behavioral1/memory/1920-44-0x0000000000B00000-0x0000000000B1E000-memory.dmp	family_redline

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Software Check.exe	family_sectoprat
behavioral1/memory/1920-44-0x0000000000B00000-0x0000000000B1E000-memory.dmp	family_sectoprat

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Tiktok Share Bot byDenmark.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Tiktok Share Bot byDenmark.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Tiktok Share Bot byDenmark.exe

Executes dropped EXE 6 IoCs

Processes:

vshost.exewinst.exeSoftware Check.exeStart Process.exeTiktok Share Bot byDenmark.exeStart Process.exe

pid process

1008 vshost.exe
3668 winst.exe
1920 Software Check.exe
1128 Start Process.exe
4516 Tiktok Share Bot byDenmark.exe
3184 Start Process.exe

pid	process
1008	vshost.exe
3668	winst.exe
1920	Software Check.exe
1128	Start Process.exe
4516	Tiktok Share Bot byDenmark.exe
3184	Start Process.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Start Process.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	Start Process.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Start Process.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3756 1128 WerFault.exe Start Process.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2624 schtasks.exe
3320 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vshost.exe

pid process

1008 vshost.exe

flow	ioc
3	ip-api.com

pid	pid_target	process	target process
3756	1128	WerFault.exe	Start Process.exe

pid	process
2624	schtasks.exe
3320	schtasks.exe

pid	process
1008	vshost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Tiktok Share Bot byDenmark.exe

pid	process
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe
4516	Tiktok Share Bot byDenmark.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Software Check.exeTiktok Share Bot byDenmark.exeStart Process.exepowershell.exeStart Process.exe

description	pid	process
Token: SeDebugPrivilege	1920	Software Check.exe
Token: SeDebugPrivilege	4516	Tiktok Share Bot byDenmark.exe
Token: SeDebugPrivilege	1128	Start Process.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	3184	Start Process.exe
Token: SeDebugPrivilege	3184	Start Process.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Start Process.exe

pid process

3184 Start Process.exe

pid	process
3184	Start Process.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Tiktok Share Bot byDenmark.exelibGLESV2.libStart Process.exeStart Process.execmd.exe

description	pid	process	target process
PID 3988 wrote to memory of 1008	3988	Tiktok Share Bot byDenmark.exe	vshost.exe
PID 3988 wrote to memory of 1008	3988	Tiktok Share Bot byDenmark.exe	vshost.exe
PID 3988 wrote to memory of 1008	3988	Tiktok Share Bot byDenmark.exe	vshost.exe
PID 3988 wrote to memory of 4040	3988	Tiktok Share Bot byDenmark.exe	libGLESV2.lib
PID 3988 wrote to memory of 4040	3988	Tiktok Share Bot byDenmark.exe	libGLESV2.lib
PID 3988 wrote to memory of 4040	3988	Tiktok Share Bot byDenmark.exe	libGLESV2.lib
PID 3988 wrote to memory of 3668	3988	Tiktok Share Bot byDenmark.exe	winst.exe
PID 3988 wrote to memory of 3668	3988	Tiktok Share Bot byDenmark.exe	winst.exe
PID 3988 wrote to memory of 3668	3988	Tiktok Share Bot byDenmark.exe	winst.exe
PID 4040 wrote to memory of 1920	4040	libGLESV2.lib	Software Check.exe
PID 4040 wrote to memory of 1920	4040	libGLESV2.lib	Software Check.exe
PID 4040 wrote to memory of 1920	4040	libGLESV2.lib	Software Check.exe
PID 4040 wrote to memory of 1128	4040	libGLESV2.lib	Start Process.exe
PID 4040 wrote to memory of 1128	4040	libGLESV2.lib	Start Process.exe
PID 4040 wrote to memory of 1128	4040	libGLESV2.lib	Start Process.exe
PID 4040 wrote to memory of 4516	4040	libGLESV2.lib	Tiktok Share Bot byDenmark.exe
PID 4040 wrote to memory of 4516	4040	libGLESV2.lib	Tiktok Share Bot byDenmark.exe
PID 1128 wrote to memory of 2624	1128	Start Process.exe	schtasks.exe
PID 1128 wrote to memory of 2624	1128	Start Process.exe	schtasks.exe
PID 1128 wrote to memory of 2624	1128	Start Process.exe	schtasks.exe
PID 1128 wrote to memory of 3184	1128	Start Process.exe	Start Process.exe
PID 1128 wrote to memory of 3184	1128	Start Process.exe	Start Process.exe
PID 1128 wrote to memory of 3184	1128	Start Process.exe	Start Process.exe
PID 1128 wrote to memory of 5072	1128	Start Process.exe	powershell.exe
PID 1128 wrote to memory of 5072	1128	Start Process.exe	powershell.exe
PID 1128 wrote to memory of 5072	1128	Start Process.exe	powershell.exe
PID 3184 wrote to memory of 3320	3184	Start Process.exe	schtasks.exe
PID 3184 wrote to memory of 3320	3184	Start Process.exe	schtasks.exe
PID 3184 wrote to memory of 3320	3184	Start Process.exe	schtasks.exe
PID 1128 wrote to memory of 1148	1128	Start Process.exe	cmd.exe
PID 1128 wrote to memory of 1148	1128	Start Process.exe	cmd.exe
PID 1128 wrote to memory of 1148	1128	Start Process.exe	cmd.exe
PID 1148 wrote to memory of 3768	1148	cmd.exe	cmd.exe
PID 1148 wrote to memory of 3768	1148	cmd.exe	cmd.exe
PID 1148 wrote to memory of 3768	1148	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Tiktok Share Bot byDenmark.exe
"C:\Users\Admin\AppData\Local\Temp\Tiktok Share Bot byDenmark.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1008

C:\Users\Admin\AppData\Local\Temp\libGLESV2.lib
libGLESV2.lib
2⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Users\Admin\AppData\Roaming\Software Check.exe
"C:\Users\Admin\AppData\Roaming\Software Check.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Users\Admin\AppData\Roaming\Start Process.exe
"C:\Users\Admin\AppData\Roaming\Start Process.exe"
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Start Process.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:2624

C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe
"C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Browser Module" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Sys Resources\Start Process.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:3320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
5⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 2516
4⤵
- Program crash
PID:3756

C:\Users\Admin\AppData\Roaming\Tiktok Share Bot byDenmark.exe
"C:\Users\Admin\AppData\Roaming\Tiktok Share Bot byDenmark.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe RC0oGof9aiyQiHsCSl8CAEx1yqpy4RwCdmtX3NYSkrgGqLZrf27fRVc6DdJSenwi
2⤵
- Executes dropped EXE
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1128 -ip 1128
1⤵
PID:4216

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vshost\vshost.exe
Filesize
238KB

MD5
4e6a7ee0e286ab61d36c26bd38996821

SHA1
820674b4c75290f8f667764bfb474ca8c1242732

SHA256
f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3

SHA512
f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

Download Submit
C:\ProgramData\winst\winst.exe
Filesize
211KB

MD5
59238144771807b1cbc407b250d6b2c3

SHA1
6c9f87cca7e857e888cb19ea45cf82d2e2d29695

SHA256
8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b

SHA512
cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1lgp2yyz.js2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vXHMzK5QCAer.bat
Filesize
207B

MD5
fd0b806fb3c804c8d1fc78602c5e934c

SHA1
76d10dc89b6136a47cb92fcccf46c4f38e1959b9

SHA256
7eedd601a1eb0caf558eb1f5807895d05cf03e0e60d698c55a89fbc2b23b8c57

SHA512
beab6c8322f8c1aa11449337b6aef9584133bc0b3597381eee5797ba4cb8460fc80a82f3c9932503c93ece981951da1c10117287ccf201a683f310dd15b91edd

Download Submit
C:\Users\Admin\AppData\Roaming\Software Check.exe
Filesize
95KB

MD5
27c2436f6a1c111bef78597d37751138

SHA1
f1dabacffc82bbfc7d8db578f0a5653d7fe84bca

SHA256
bcac81c69094ea47c3a00cae028ac4c64dd6cbd4fe85e11363e3e35b48c04842

SHA512
97e717b9ad5b063e4ff1209684b27d033c5a4a8d9679e3d42d7308fbac1c885a1d3c85d3fed70b7a9adc82203d0e943777d7819456599276c61549186e319636

Download Submit
C:\Users\Admin\AppData\Roaming\Start Process.exe
Filesize
535KB

MD5
4d97786ab8047ad6c08532ed7a017573

SHA1
a64d07233d813f9a085722295dca62ca726e291a

SHA256
5a72c2a12e0e42313c5d01277d3b26f52810a9753e31883f5f3e7a73a0021870

SHA512
9224f6c0af0bb3aa6804e09b36617d2ecf762caf81ec0f2627553788f7045d09878b41ddb63a1d0779973cba52d2f1d59f69bc6c826ad8bb0d807444abab87d2

Download Submit
C:\Users\Admin\AppData\Roaming\Tiktok Share Bot byDenmark.exe
Filesize
9.8MB

MD5
6720bbc01a878d9003076c2b22bfe0cf

SHA1
6f2e7acde97d9847400013880d2796428504e580

SHA256
90529087bb4c13893ee9e5f3808ace6cdc1bffa2f85aa2f5005b19c2865d143e

SHA512
fa41ec8c1baa2e371987402c57dbef31e377897c6154ee290455fbc1e42d90e82c504036165bdc467c25696e4c455fac8bb89e6f7631f961f2282d5d3667bcf9

Download Submit
memory/1128-61-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/1128-53-0x0000000005F00000-0x00000000064A6000-memory.dmp

Filesize
5.6MB

Download
memory/1128-123-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/1128-48-0x0000000000E30000-0x0000000000EBC000-memory.dmp

Filesize
560KB

Download
memory/1128-64-0x0000000005A50000-0x0000000005AB6000-memory.dmp

Filesize
408KB

Download
memory/1128-56-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/1128-55-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/1920-44-0x0000000000B00000-0x0000000000B1E000-memory.dmp

Filesize
120KB

Download
memory/1920-51-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/1920-52-0x0000000005460000-0x0000000005472000-memory.dmp

Filesize
72KB

Download
memory/1920-58-0x0000000005500000-0x000000000554C000-memory.dmp

Filesize
304KB

Download
memory/1920-54-0x00000000054C0000-0x00000000054FC000-memory.dmp

Filesize
240KB

Download
memory/1920-124-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/1920-125-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1920-49-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/1920-62-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/1920-63-0x0000000005750000-0x000000000585A000-memory.dmp

Filesize
1.0MB

Download
memory/3184-93-0x0000000007270000-0x000000000727A000-memory.dmp

Filesize
40KB

Download
memory/3184-74-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3184-126-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/3184-127-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3184-73-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/4040-17-0x0000000002290000-0x00000000022A0000-memory.dmp

Filesize
64KB

Download
memory/4040-50-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4040-16-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4040-14-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/4516-68-0x000002DA3C7C0000-0x000002DA3C7D0000-memory.dmp

Filesize
64KB

Download
memory/4516-66-0x000002DA3C7A0000-0x000002DA3C7B0000-memory.dmp

Filesize
64KB

Download
memory/4516-65-0x000002DA3C790000-0x000002DA3C7A0000-memory.dmp

Filesize
64KB

Download
memory/4516-60-0x00007FFADD3C0000-0x00007FFADD5C9000-memory.dmp

Filesize
2.0MB

Download
memory/4516-59-0x00007FF6DE390000-0x00007FF6DFD31000-memory.dmp

Filesize
25.6MB

Download
memory/4516-122-0x00007FFADD3C0000-0x00007FFADD5C9000-memory.dmp

Filesize
2.0MB

Download
memory/4516-121-0x00007FF6DE390000-0x00007FF6DFD31000-memory.dmp

Filesize
25.6MB

Download
memory/4516-91-0x00007FF6DE390000-0x00007FF6DFD31000-memory.dmp

Filesize
25.6MB

Download
memory/5072-78-0x00000000057C0000-0x0000000005DEA000-memory.dmp

Filesize
6.2MB

Download
memory/5072-95-0x0000000006AD0000-0x0000000006B04000-memory.dmp

Filesize
208KB

Download
memory/5072-96-0x00000000746C0000-0x000000007470C000-memory.dmp

Filesize
304KB

Download
memory/5072-105-0x00000000074C0000-0x00000000074DE000-memory.dmp

Filesize
120KB

Download
memory/5072-106-0x00000000074F0000-0x0000000007594000-memory.dmp

Filesize
656KB

Download
memory/5072-107-0x0000000007E60000-0x00000000084DA000-memory.dmp

Filesize
6.5MB

Download
memory/5072-108-0x0000000007820000-0x000000000783A000-memory.dmp

Filesize
104KB

Download
memory/5072-109-0x00000000078A0000-0x00000000078AA000-memory.dmp

Filesize
40KB

Download
memory/5072-110-0x0000000007AB0000-0x0000000007B46000-memory.dmp

Filesize
600KB

Download
memory/5072-111-0x0000000007A30000-0x0000000007A41000-memory.dmp

Filesize
68KB

Download
memory/5072-112-0x0000000007A60000-0x0000000007A6E000-memory.dmp

Filesize
56KB

Download
memory/5072-113-0x0000000007A70000-0x0000000007A85000-memory.dmp

Filesize
84KB

Download
memory/5072-114-0x0000000007B70000-0x0000000007B8A000-memory.dmp

Filesize
104KB

Download
memory/5072-115-0x0000000007B60000-0x0000000007B68000-memory.dmp

Filesize
32KB

Download
memory/5072-118-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/5072-94-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

Filesize
64KB

Download
memory/5072-90-0x00000000064F0000-0x000000000650E000-memory.dmp

Filesize
120KB

Download
memory/5072-89-0x00000000060A0000-0x00000000063F7000-memory.dmp

Filesize
3.3MB

Download
memory/5072-88-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/5072-79-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/5072-77-0x0000000002CE0000-0x0000000002CF0000-memory.dmp

Filesize
64KB

Download
memory/5072-76-0x0000000071390000-0x0000000071B41000-memory.dmp

Filesize
7.7MB

Download
memory/5072-75-0x0000000002CF0000-0x0000000002D26000-memory.dmp

Filesize
216KB

Download