quasar | f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda

Analysis

max time kernel
101s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda.xls
Size

140KB
MD5

784c8beac43a6f6de17a8f05299d528f
SHA1

636573702a1feec449e3e13e1366221e1baff96d
SHA256

f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda
SHA512

af399f746e803c9f709a99c0430a8c7faca696fb59fbfde53f12e386fb9f116f8175b61835d86ed02bac26c535a903e88b4cb9add91ed6cedb9a5f8fad030de4
SSDEEP

3072:HrxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAIWpnUXB7pqkCkGSjrU91z+M/7OmGie:LxEtjPOtioVjDGUU1qfDlavx+W2QnA1d

Score

10^/10

quasar voop spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

voop

dnuocc.com:64594

www.dnuocc.com:64594

Mutex

QSR_MUTEX_jVITO6bRbVmJHVOAi1

Attributes

encryption_key
3yswT16VMWc6VjRIJeXD
install_name
vcv.exe
log_directory
Logs
reconnect_delay
30000
startup_key
vcr
subdirectory
vcv

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/668-154-0x0000000000000000-mapping.dmp	family_quasar
behavioral2/memory/668-155-0x0000000000400000-0x0000000000464000-memory.dmp	family_quasar
behavioral2/memory/3728-165-0x0000000000000000-mapping.dmp	family_quasar

Executes dropped EXE 6 IoCs

Processes:

ORDGKYG.exePOkonjhjjrst.sfx.exePOkonjhjjrst.exePOkonjhjjrst.exevcv.exevcv.exe

pid process

3672 ORDGKYG.exe
4380 POkonjhjjrst.sfx.exe
3440 POkonjhjjrst.exe
668 POkonjhjjrst.exe
4072 vcv.exe
3728 vcv.exe

pid	process
3672	ORDGKYG.exe
4380	POkonjhjjrst.sfx.exe
3440	POkonjhjjrst.exe
668	POkonjhjjrst.exe
4072	vcv.exe
3728	vcv.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ORDGKYG.exePOkonjhjjrst.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	ORDGKYG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	POkonjhjjrst.sfx.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip-api.com

flow	ioc
42	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

POkonjhjjrst.exevcv.exe

description	pid	process	target process
PID 3440 set thread context of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 4072 set thread context of 3728	4072	vcv.exe	vcv.exe

Drops file in Program Files directory 6 IoCs

Processes:

ORDGKYG.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\%AppDat%	ORDGKYG.exe
File created	C:\Program Files (x86)\%AppDat%\__tmp_rar_sfx_access_check_240573250	ORDGKYG.exe
File created	C:\Program Files (x86)\%AppDat%\POkonjhjjrst.bat	ORDGKYG.exe
File opened for modification	C:\Program Files (x86)\%AppDat%\POkonjhjjrst.bat	ORDGKYG.exe
File created	C:\Program Files (x86)\%AppDat%\POkonjhjjrst.sfx.exe	ORDGKYG.exe
File opened for modification	C:\Program Files (x86)\%AppDat%\POkonjhjjrst.sfx.exe	ORDGKYG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4032 schtasks.exe
4512 schtasks.exe

pid	process
4032	schtasks.exe
4512	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

5016 EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

POkonjhjjrst.exePOkonjhjjrst.exevcv.exevcv.exe

description	pid	process
Token: SeDebugPrivilege	3440	POkonjhjjrst.exe
Token: SeDebugPrivilege	668	POkonjhjjrst.exe
Token: SeDebugPrivilege	4072	vcv.exe
Token: SeDebugPrivilege	3728	vcv.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

EXCEL.EXE

pid	process
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE
5016	EXCEL.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

EXCEL.EXEORDGKYG.execmd.exePOkonjhjjrst.sfx.exePOkonjhjjrst.exePOkonjhjjrst.exevcv.exevcv.exe

description	pid	process	target process
PID 5016 wrote to memory of 3672	5016	EXCEL.EXE	ORDGKYG.exe
PID 5016 wrote to memory of 3672	5016	EXCEL.EXE	ORDGKYG.exe
PID 5016 wrote to memory of 3672	5016	EXCEL.EXE	ORDGKYG.exe
PID 3672 wrote to memory of 788	3672	ORDGKYG.exe	cmd.exe
PID 3672 wrote to memory of 788	3672	ORDGKYG.exe	cmd.exe
PID 3672 wrote to memory of 788	3672	ORDGKYG.exe	cmd.exe
PID 788 wrote to memory of 4380	788	cmd.exe	POkonjhjjrst.sfx.exe
PID 788 wrote to memory of 4380	788	cmd.exe	POkonjhjjrst.sfx.exe
PID 788 wrote to memory of 4380	788	cmd.exe	POkonjhjjrst.sfx.exe
PID 4380 wrote to memory of 3440	4380	POkonjhjjrst.sfx.exe	POkonjhjjrst.exe
PID 4380 wrote to memory of 3440	4380	POkonjhjjrst.sfx.exe	POkonjhjjrst.exe
PID 4380 wrote to memory of 3440	4380	POkonjhjjrst.sfx.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 3440 wrote to memory of 668	3440	POkonjhjjrst.exe	POkonjhjjrst.exe
PID 668 wrote to memory of 4032	668	POkonjhjjrst.exe	schtasks.exe
PID 668 wrote to memory of 4032	668	POkonjhjjrst.exe	schtasks.exe
PID 668 wrote to memory of 4032	668	POkonjhjjrst.exe	schtasks.exe
PID 668 wrote to memory of 4072	668	POkonjhjjrst.exe	vcv.exe
PID 668 wrote to memory of 4072	668	POkonjhjjrst.exe	vcv.exe
PID 668 wrote to memory of 4072	668	POkonjhjjrst.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 4072 wrote to memory of 3728	4072	vcv.exe	vcv.exe
PID 3728 wrote to memory of 4512	3728	vcv.exe	schtasks.exe
PID 3728 wrote to memory of 4512	3728	vcv.exe	schtasks.exe
PID 3728 wrote to memory of 4512	3728	vcv.exe	schtasks.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\f09f54a8c694a8b026051b90fd0f92040d952b75446af726de55522ef1e13dda.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ORDGKYG.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ORDGKYG.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\%AppDat%\POkonjhjjrst.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Program Files (x86)\%AppDat%\POkonjhjjrst.sfx.exe
POkonjhjjrst.sfx.exe -pyUTVhbVgcVKLNhJvgCVklNHUiFcfXFxcfXdxHCJnjkjHhjghgVHFfdhfhrdrytreswessWESEsdtrHvJHVhklkBHJSerhBjkvHGvhjgcjgcjhvxCjgVGcGVHjlbJKB -dC:\Users\Admin\AppData\Roaming
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe
"C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe
C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "vcr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:4032

C:\Users\Admin\AppData\Roaming\vcv\vcv.exe
"C:\Users\Admin\AppData\Roaming\vcv\vcv.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Roaming\vcv\vcv.exe
C:\Users\Admin\AppData\Roaming\vcv\vcv.exe
8⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "vcr" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\vcv\vcv.exe" /rl HIGHEST /f
9⤵
- Creates scheduled task(s)
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\%AppDat%\POkonjhjjrst.bat
Filesize
161B

MD5
c1086bd5b26c11935e11c229ce1a4cc4

SHA1
4c876db4c81d3f59ac7166a6023994f75f1138f3

SHA256
4d97d4d7e99cb94dcda8da71b934fa61477fb500bf83d90fa7507d3b1a9ed450

SHA512
f5eb899e8c517b65dd84022e9c5ac9f52299b1b3fa6f2cb915de4bdba8af8caf389dfa90d9ec15c58514b3c2177af34b0a3945cee851d9f9e31a0e69cc597f32

Download Submit
C:\Program Files (x86)\%AppDat%\POkonjhjjrst.sfx.exe
Filesize
1.3MB

MD5
e9771ee08ba4a8f833bb59ee8b0b494f

SHA1
82b3bd9be1600bf4dbc940d6b999a805da032b0d

SHA256
bf3d808c651249ddb51fabc93db759a2f9b5bf3396caa895665588fc0a7e2565

SHA512
0388e1138f216eec7e26ae32606f874c209c3e27b2d55724bb2729bf7fec09c0cd47f05a955315241593e6b06c70925886e1920c2395ac3dad4434fa73efd10b

Download Submit
C:\Program Files (x86)\%AppDat%\POkonjhjjrst.sfx.exe
Filesize
1.3MB

MD5
e9771ee08ba4a8f833bb59ee8b0b494f

SHA1
82b3bd9be1600bf4dbc940d6b999a805da032b0d

SHA256
bf3d808c651249ddb51fabc93db759a2f9b5bf3396caa895665588fc0a7e2565

SHA512
0388e1138f216eec7e26ae32606f874c209c3e27b2d55724bb2729bf7fec09c0cd47f05a955315241593e6b06c70925886e1920c2395ac3dad4434fa73efd10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\POkonjhjjrst.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vcv.exe.log
Filesize
706B

MD5
d95c58e609838928f0f49837cab7dfd2

SHA1
55e7139a1e3899195b92ed8771d1ca2c7d53c916

SHA256
0407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339

SHA512
405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ORDGKYG.exe
Filesize
1.5MB

MD5
af40551051172d9522bbbbd40ad445ff

SHA1
c44977a0cb3f7fea554daefe2c0c39cd60a7b964

SHA256
35020abeb97dd5d5b0ffd41dd87ae103345da06b7944069ec84bea776449c424

SHA512
b0e8c4f79564abc269f4c2ba5bdb3ccef3e497b97a25c2b94afef5c47a0da025452b177d517f5d114616485f436ea19efa4a0810b1ce14aef8581c98e02e1e4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ORDGKYG.exe
Filesize
1.5MB

MD5
af40551051172d9522bbbbd40ad445ff

SHA1
c44977a0cb3f7fea554daefe2c0c39cd60a7b964

SHA256
35020abeb97dd5d5b0ffd41dd87ae103345da06b7944069ec84bea776449c424

SHA512
b0e8c4f79564abc269f4c2ba5bdb3ccef3e497b97a25c2b94afef5c47a0da025452b177d517f5d114616485f436ea19efa4a0810b1ce14aef8581c98e02e1e4d

Download Submit
C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe
Filesize
1.4MB

MD5
92df68a960df50a57f78b068ac78aea5

SHA1
02ba5b5a3658d4157cf3d221e2a1b308828ee2a4

SHA256
929dc8a4232b94344baf6e0d35cf9d145341825e507bd2cbec1ffe3241e5a357

SHA512
0eecdd1d353d5ef43dcd28425136b8a5311a71eba8cb41c67663c164be05bb93e529ef2c0ddc536e04d6234435a28d48285b840bd0652aca5663ed340498fb1e

Download Submit
C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe
Filesize
1.4MB

MD5
92df68a960df50a57f78b068ac78aea5

SHA1
02ba5b5a3658d4157cf3d221e2a1b308828ee2a4

SHA256
929dc8a4232b94344baf6e0d35cf9d145341825e507bd2cbec1ffe3241e5a357

SHA512
0eecdd1d353d5ef43dcd28425136b8a5311a71eba8cb41c67663c164be05bb93e529ef2c0ddc536e04d6234435a28d48285b840bd0652aca5663ed340498fb1e

Download Submit
C:\Users\Admin\AppData\Roaming\POkonjhjjrst.exe
Filesize
1.4MB

MD5
92df68a960df50a57f78b068ac78aea5

SHA1
02ba5b5a3658d4157cf3d221e2a1b308828ee2a4

SHA256
929dc8a4232b94344baf6e0d35cf9d145341825e507bd2cbec1ffe3241e5a357

SHA512
0eecdd1d353d5ef43dcd28425136b8a5311a71eba8cb41c67663c164be05bb93e529ef2c0ddc536e04d6234435a28d48285b840bd0652aca5663ed340498fb1e

Download Submit
C:\Users\Admin\AppData\Roaming\vcv\vcv.exe
Filesize
1.4MB

MD5
92df68a960df50a57f78b068ac78aea5

SHA1
02ba5b5a3658d4157cf3d221e2a1b308828ee2a4

SHA256
929dc8a4232b94344baf6e0d35cf9d145341825e507bd2cbec1ffe3241e5a357

SHA512
0eecdd1d353d5ef43dcd28425136b8a5311a71eba8cb41c67663c164be05bb93e529ef2c0ddc536e04d6234435a28d48285b840bd0652aca5663ed340498fb1e

Download Submit
C:\Users\Admin\AppData\Roaming\vcv\vcv.exe
Filesize
1.4MB

MD5
92df68a960df50a57f78b068ac78aea5

SHA1
02ba5b5a3658d4157cf3d221e2a1b308828ee2a4

SHA256
929dc8a4232b94344baf6e0d35cf9d145341825e507bd2cbec1ffe3241e5a357

SHA512
0eecdd1d353d5ef43dcd28425136b8a5311a71eba8cb41c67663c164be05bb93e529ef2c0ddc536e04d6234435a28d48285b840bd0652aca5663ed340498fb1e

Download Submit
C:\Users\Admin\AppData\Roaming\vcv\vcv.exe
Filesize
1.4MB

MD5
92df68a960df50a57f78b068ac78aea5

SHA1
02ba5b5a3658d4157cf3d221e2a1b308828ee2a4

SHA256
929dc8a4232b94344baf6e0d35cf9d145341825e507bd2cbec1ffe3241e5a357

SHA512
0eecdd1d353d5ef43dcd28425136b8a5311a71eba8cb41c67663c164be05bb93e529ef2c0ddc536e04d6234435a28d48285b840bd0652aca5663ed340498fb1e

Download Submit
memory/668-159-0x0000000006850000-0x0000000006862000-memory.dmp

Filesize
72KB

Download
memory/668-158-0x0000000005830000-0x0000000005896000-memory.dmp

Filesize
408KB

Download
memory/668-154-0x0000000000000000-mapping.dmp

Download
memory/668-160-0x0000000006DC0000-0x0000000006DFC000-memory.dmp

Filesize
240KB

Download
memory/668-155-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/788-142-0x0000000000000000-mapping.dmp

Download
memory/3440-152-0x000000000E050000-0x000000000E5F4000-memory.dmp

Filesize
5.6MB

Download
memory/3440-153-0x000000000DAA0000-0x000000000DB32000-memory.dmp

Filesize
584KB

Download
memory/3440-150-0x00000000000F0000-0x0000000000262000-memory.dmp

Filesize
1.4MB

Download
memory/3440-147-0x0000000000000000-mapping.dmp

Download
memory/3440-151-0x000000000DA00000-0x000000000DA9C000-memory.dmp

Filesize
624KB

Download
memory/3672-139-0x0000000000000000-mapping.dmp

Download
memory/3728-170-0x0000000007790000-0x000000000779A000-memory.dmp

Filesize
40KB

Download
memory/3728-165-0x0000000000000000-mapping.dmp

Download
memory/4032-161-0x0000000000000000-mapping.dmp

Download
memory/4072-162-0x0000000000000000-mapping.dmp

Download
memory/4380-144-0x0000000000000000-mapping.dmp

Download
memory/4512-169-0x0000000000000000-mapping.dmp

Download
memory/5016-136-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-135-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-137-0x00007FF7C4B50000-0x00007FF7C4B60000-memory.dmp

Filesize
64KB

Download
memory/5016-138-0x00007FF7C4B50000-0x00007FF7C4B60000-memory.dmp

Filesize
64KB

Download
memory/5016-134-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-133-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-132-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-173-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-172-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-174-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download
memory/5016-175-0x00007FF7C7010000-0x00007FF7C7020000-memory.dmp

Filesize
64KB

Download