quasar | 01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

Analysis

max time kernel
151s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
09-11-2020 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mouse.exe
Size

679KB
MD5

c650cb14934aa96f98034b617b054f71
SHA1

f63eaef9965425612ed33aa28598e493099071e2
SHA256

01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9
SHA512

160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Score

10^/10

quasar persistence rezer0 spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/308-7-0x0000000004390000-0x00000000043E0000-memory.dmp	rezer0

Executes dropped EXE 9 IoCs

Processes:

Client96.exeClient96.exeClient96.exeClient96.exeClient96.exeClient96.exeClient96.exeClient96.exeClient96.exe

pid	process
1620	Client96.exe
1632	Client96.exe
1640	Client96.exe
1544	Client96.exe
836	Client96.exe
1904	Client96.exe
1604	Client96.exe
1220	Client96.exe
1584	Client96.exe

Loads dropped DLL 1 IoCs

Processes:

mouse.exe

pid process

560 mouse.exe

pid	process
560	mouse.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Client96.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Quasat Client Startup = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client96.exe\""	Client96.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

flow	ioc
6	ip-api.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

mouse.exeClient96.exeClient96.exeClient96.exe

description	pid	process	target process
PID 308 set thread context of 560	308	mouse.exe	mouse.exe
PID 1620 set thread context of 1640	1620	Client96.exe	Client96.exe
PID 1544 set thread context of 836	1544	Client96.exe	Client96.exe
PID 1904 set thread context of 1220	1904	Client96.exe	Client96.exe

Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

316 schtasks.exe
1100 schtasks.exe
1684 schtasks.exe
948 schtasks.exe
576 schtasks.exe
1576 schtasks.exe
1416 schtasks.exe

pid	process
316	schtasks.exe
1100	schtasks.exe
1684	schtasks.exe
948	schtasks.exe
576	schtasks.exe
1576	schtasks.exe
1416	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

mouse.exeClient96.exeClient96.exeClient96.exe

pid	process
308	mouse.exe
308	mouse.exe
308	mouse.exe
308	mouse.exe
1620	Client96.exe
1620	Client96.exe
1620	Client96.exe
1620	Client96.exe
1620	Client96.exe
1544	Client96.exe
1544	Client96.exe
1544	Client96.exe
1544	Client96.exe
1904	Client96.exe
1904	Client96.exe
1904	Client96.exe
1904	Client96.exe
1904	Client96.exe
1904	Client96.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

mouse.exemouse.exeClient96.exeClient96.exeClient96.exeClient96.exeClient96.exe

description	pid	process
Token: SeDebugPrivilege	308	mouse.exe
Token: SeDebugPrivilege	560	mouse.exe
Token: SeDebugPrivilege	1620	Client96.exe
Token: SeDebugPrivilege	1640	Client96.exe
Token: SeDebugPrivilege	1544	Client96.exe
Token: SeDebugPrivilege	1904	Client96.exe
Token: SeDebugPrivilege	1584	Client96.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client96.exe

pid process

1640 Client96.exe

pid	process
1640	Client96.exe

Suspicious use of WriteProcessMemory 88 IoCs

Processes:

mouse.exemouse.exeClient96.exeClient96.exetaskeng.exeClient96.exe

description	pid	process	target process
PID 308 wrote to memory of 316	308	mouse.exe	schtasks.exe
PID 308 wrote to memory of 316	308	mouse.exe	schtasks.exe
PID 308 wrote to memory of 316	308	mouse.exe	schtasks.exe
PID 308 wrote to memory of 316	308	mouse.exe	schtasks.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 308 wrote to memory of 560	308	mouse.exe	mouse.exe
PID 560 wrote to memory of 1100	560	mouse.exe	schtasks.exe
PID 560 wrote to memory of 1100	560	mouse.exe	schtasks.exe
PID 560 wrote to memory of 1100	560	mouse.exe	schtasks.exe
PID 560 wrote to memory of 1100	560	mouse.exe	schtasks.exe
PID 560 wrote to memory of 1620	560	mouse.exe	Client96.exe
PID 560 wrote to memory of 1620	560	mouse.exe	Client96.exe
PID 560 wrote to memory of 1620	560	mouse.exe	Client96.exe
PID 560 wrote to memory of 1620	560	mouse.exe	Client96.exe
PID 1620 wrote to memory of 1684	1620	Client96.exe	schtasks.exe
PID 1620 wrote to memory of 1684	1620	Client96.exe	schtasks.exe
PID 1620 wrote to memory of 1684	1620	Client96.exe	schtasks.exe
PID 1620 wrote to memory of 1684	1620	Client96.exe	schtasks.exe
PID 1620 wrote to memory of 1632	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1632	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1632	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1632	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1620 wrote to memory of 1640	1620	Client96.exe	Client96.exe
PID 1640 wrote to memory of 948	1640	Client96.exe	schtasks.exe
PID 1640 wrote to memory of 948	1640	Client96.exe	schtasks.exe
PID 1640 wrote to memory of 948	1640	Client96.exe	schtasks.exe
PID 1640 wrote to memory of 948	1640	Client96.exe	schtasks.exe
PID 1640 wrote to memory of 576	1640	Client96.exe	schtasks.exe
PID 1640 wrote to memory of 576	1640	Client96.exe	schtasks.exe
PID 1640 wrote to memory of 576	1640	Client96.exe	schtasks.exe
PID 1640 wrote to memory of 576	1640	Client96.exe	schtasks.exe
PID 1616 wrote to memory of 1544	1616	taskeng.exe	Client96.exe
PID 1616 wrote to memory of 1544	1616	taskeng.exe	Client96.exe
PID 1616 wrote to memory of 1544	1616	taskeng.exe	Client96.exe
PID 1616 wrote to memory of 1544	1616	taskeng.exe	Client96.exe
PID 1544 wrote to memory of 1576	1544	Client96.exe	schtasks.exe
PID 1544 wrote to memory of 1576	1544	Client96.exe	schtasks.exe
PID 1544 wrote to memory of 1576	1544	Client96.exe	schtasks.exe
PID 1544 wrote to memory of 1576	1544	Client96.exe	schtasks.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1544 wrote to memory of 836	1544	Client96.exe	Client96.exe
PID 1616 wrote to memory of 1904	1616	taskeng.exe	Client96.exe

C:\Users\Admin\AppData\Local\Temp\mouse.exe
"C:\Users\Admin\AppData\Local\Temp\mouse.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xLyRKFHJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA045.tmp"
2⤵
- Creates scheduled task(s)
PID:316

C:\Users\Admin\AppData\Local\Temp\mouse.exe
"{path}"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasat Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\mouse.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1100

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xLyRKFHJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB7F9.tmp"
4⤵
- Creates scheduled task(s)
PID:1684

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
"{path}"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Quasat Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe" /sc MINUTE /MO 1
5⤵
- Creates scheduled task(s)
PID:576

C:\Windows\system32\taskeng.exe
taskeng.exe {3118D4D3-877C-4A09-A505-902595A16F89} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xLyRKFHJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE34D.tmp"
3⤵
- Creates scheduled task(s)
PID:1576

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
"{path}"
3⤵
- Executes dropped EXE
PID:836

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xLyRKFHJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCCA2.tmp"
3⤵
- Creates scheduled task(s)
PID:1416

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
"{path}"
3⤵
- Executes dropped EXE
PID:1220

C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpA045.tmp
MD5
9c5e1326eb8f6c7616db0bef76bceafb

SHA1
a1e35c9420ac35dbde3e62c9dd223f721b8317d6

SHA256
fecbe3c172bbea428b94d63e43004242aecfcd1103e7117b7e945cd943a3dd15

SHA512
a9fd35f689ef4d646351a4fcc84584edab8508a759d1dde03269b85620dc74576bfc5c15f9f48f76621332ff40ce06c6e9e80966239fe2677f7497a31af9e74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB7F9.tmp
MD5
9c5e1326eb8f6c7616db0bef76bceafb

SHA1
a1e35c9420ac35dbde3e62c9dd223f721b8317d6

SHA256
fecbe3c172bbea428b94d63e43004242aecfcd1103e7117b7e945cd943a3dd15

SHA512
a9fd35f689ef4d646351a4fcc84584edab8508a759d1dde03269b85620dc74576bfc5c15f9f48f76621332ff40ce06c6e9e80966239fe2677f7497a31af9e74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCCA2.tmp
MD5
9c5e1326eb8f6c7616db0bef76bceafb

SHA1
a1e35c9420ac35dbde3e62c9dd223f721b8317d6

SHA256
fecbe3c172bbea428b94d63e43004242aecfcd1103e7117b7e945cd943a3dd15

SHA512
a9fd35f689ef4d646351a4fcc84584edab8508a759d1dde03269b85620dc74576bfc5c15f9f48f76621332ff40ce06c6e9e80966239fe2677f7497a31af9e74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE34D.tmp
MD5
9c5e1326eb8f6c7616db0bef76bceafb

SHA1
a1e35c9420ac35dbde3e62c9dd223f721b8317d6

SHA256
fecbe3c172bbea428b94d63e43004242aecfcd1103e7117b7e945cd943a3dd15

SHA512
a9fd35f689ef4d646351a4fcc84584edab8508a759d1dde03269b85620dc74576bfc5c15f9f48f76621332ff40ce06c6e9e80966239fe2677f7497a31af9e74f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
\Users\Admin\AppData\Roaming\SubDir\Client96.exe
MD5
c650cb14934aa96f98034b617b054f71

SHA1
f63eaef9965425612ed33aa28598e493099071e2

SHA256
01f148ef47dccb8c73a46f64e849f1249915dc5cf4423b9cc4690ad303a70fd9

SHA512
160d7ce2f48497198b1e51f039cb808b7878ec6227cc19cc5996a0eb69cd8fc100b7a63a2ef9a919c5bf64c937dadb7bbcce87095172bf6c8d6cfa2ca594640f

Download Submit
memory/308-6-0x0000000000550000-0x0000000000553000-memory.dmp

Filesize
12KB

Download
memory/308-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/308-3-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/308-0-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/308-7-0x0000000004390000-0x00000000043E0000-memory.dmp

Filesize
320KB

Download
memory/316-8-0x0000000000000000-mapping.dmp

Download
memory/560-12-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/560-10-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/560-14-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/560-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/560-11-0x000000000044943E-mapping.dmp

Download
memory/576-41-0x0000000000000000-mapping.dmp

Download
memory/836-66-0x000000000044943E-mapping.dmp

Download
memory/836-70-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/948-40-0x0000000000000000-mapping.dmp

Download
memory/1100-17-0x0000000000000000-mapping.dmp

Download
memory/1220-93-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1220-89-0x000000000044943E-mapping.dmp

Download
memory/1416-85-0x0000000000000000-mapping.dmp

Download
memory/1544-56-0x0000000007150000-0x0000000007152000-memory.dmp

Filesize
8KB

Download
memory/1544-58-0x0000000007150000-0x0000000007152000-memory.dmp

Filesize
8KB

Download
memory/1544-62-0x0000000007150000-0x0000000007152000-memory.dmp

Filesize
8KB

Download
memory/1544-42-0x0000000000000000-mapping.dmp

Download
memory/1544-44-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1576-63-0x0000000000000000-mapping.dmp

Download
memory/1584-98-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1584-96-0x0000000000000000-mapping.dmp

Download
memory/1620-22-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-23-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1620-19-0x0000000000000000-mapping.dmp

Download
memory/1640-32-0x000000000044943E-mapping.dmp

Download
memory/1640-37-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1684-28-0x0000000000000000-mapping.dmp

Download
memory/1904-75-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-73-0x0000000000000000-mapping.dmp

Download