quasar | b4f6e6290b1e185bff0baf1b1f3a16291bb2ceb3528051a2aa9528c43231e710

Resubmissions

17-04-2023 11:32

230417-nnmdnafe8v 10

05-08-2022 09:37

220805-lll9rshgh8 10

Analysis

max time kernel
9s
max time network
22s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2023 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bby.exe
Size

16.0MB
MD5

d7e48e5a49efe9ed774546fa7d35d71a
SHA1

06212065ffe07d1321c8d85bf5c45871683fb197
SHA256

b4f6e6290b1e185bff0baf1b1f3a16291bb2ceb3528051a2aa9528c43231e710
SHA512

7dcfc267f527d27d6cb58bd950241b4a8a658b34bc4696f308fd5448b4111d64b93078fedf8d2c138eef83b6148372d8c887b74aae8291fc05c665fbe3d4eeb1
SSDEEP

393216:2U6K+uYp1UjvoWFd6vtcUyPaqIddvWiV3lbqSV6htNQcfzlRFGH:2zKnjvpK1cUhZWwbqM6htNQcffFGH

Score

10^/10

quasar redline office04 infostealer spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

cable-cp.at.playit.gg:21596

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
GDDG0qqm5dHuoT6GjWWz
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft one Drive
subdirectory
SubDir

Signatures

Contains code to disable Windows Defender 6 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Paypal.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Paypal.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\paypal.exe	disable_win_def
behavioral3/memory/780-156-0x0000000000DB0000-0x0000000000E5E000-memory.dmp	disable_win_def
C:\Windows\SysWOW64\SubDir\Client.exe	disable_win_def
C:\Windows\SysWOW64\SubDir\Client.exe	disable_win_def

Detects Redline Stealer samples 2 IoCs

This rule detects the presence of Redline Stealer samples based on their unique strings.

stealer

Processes:

resource	yara_rule
behavioral3/memory/780-179-0x0000000005900000-0x0000000005966000-memory.dmp	redline_stealer
behavioral3/memory/1304-191-0x00000000056F0000-0x0000000005D18000-memory.dmp	redline_stealer

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Paypal.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\Paypal.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\paypal.exe	family_quasar
behavioral3/memory/780-156-0x0000000000DB0000-0x0000000000E5E000-memory.dmp	family_quasar
C:\Windows\SysWOW64\SubDir\Client.exe	family_quasar
C:\Windows\SysWOW64\SubDir\Client.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

bby.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation bby.exe
Executes dropped EXE 2 IoCs

Processes:

paypal.exeProxy Shifter.exe

pid process

780 paypal.exe
4436 Proxy Shifter.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1904 4316 WerFault.exe Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2704 schtasks.exe
3276 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4512 tasklist.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3704 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3240 powershell.exe
3240 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3240 powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	bby.exe

pid	process
780	paypal.exe
4436	Proxy Shifter.exe

flow	ioc
5	ip-api.com

pid	pid_target	process	target process
1904	4316	WerFault.exe	Client.exe

pid	process
2704	schtasks.exe
3276	schtasks.exe

pid	process
4512	tasklist.exe

pid	process
3704	PING.EXE

pid	process
3240	powershell.exe
3240	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3240	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

bby.exeProxy Shifter.execmd.exe

description	pid	process	target process
PID 3704 wrote to memory of 780	3704	bby.exe	paypal.exe
PID 3704 wrote to memory of 780	3704	bby.exe	paypal.exe
PID 3704 wrote to memory of 780	3704	bby.exe	paypal.exe
PID 3704 wrote to memory of 4436	3704	bby.exe	Proxy Shifter.exe
PID 3704 wrote to memory of 4436	3704	bby.exe	Proxy Shifter.exe
PID 4436 wrote to memory of 4476	4436	Proxy Shifter.exe	cmd.exe
PID 4436 wrote to memory of 4476	4436	Proxy Shifter.exe	cmd.exe
PID 4476 wrote to memory of 3176	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 3176	4476	cmd.exe	cmd.exe
PID 4476 wrote to memory of 3240	4476	cmd.exe	powershell.exe
PID 4476 wrote to memory of 3240	4476	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\bby.exe
"C:\Users\Admin\AppData\Local\Temp\bby.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Users\Admin\AppData\Local\Temp\paypal.exe
  "C:\Users\Admin\AppData\Local\Temp\paypal.exe"
  2⤵
  - Executes dropped EXE
  PID:780
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Microsoft one Drive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\paypal.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2704
- - C:\Windows\SysWOW64\SubDir\Client.exe
    "C:\Windows\SysWOW64\SubDir\Client.exe"
    3⤵
    PID:4316
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Microsoft one Drive" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EHUjy3AXiiWO.bat" "
      4⤵
      PID:4256
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3708
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:3704
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 2232
      4⤵
      Program crash
      PID:1904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:1304
- C:\Users\Admin\AppData\Local\Temp\Proxy Shifter.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxy Shifter.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -noprofile -
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3240
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q1sh22rs\q1sh22rs.cmdline"
        5⤵
        
        PID:3076
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDEBC.tmp" "c:\Users\Admin\AppData\Local\Temp\q1sh22rs\CSC4FB2FE4C9F754A8AA8A8F4B4CCE7965.TMP"
        6⤵
        
        PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
      4⤵
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3788
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4316 -ip 4316
1⤵
PID:4276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EHUjy3AXiiWO.bat

Filesize
196B

MD5
afb3a408baf5d043cc3ba431f5be6a6d

SHA1
5f7a3c7ee2db189c3e5c53b655c32d5bb8c09456

SHA256
7c58aa099a90d1e3f31a8e0914b3d2c1fcf060dce6a8221866ddb7228bc25762

SHA512
51dbdd7ddb32c07378ddceac7477579e3f8d2a764a0e2ef96e41b0921757678ca95cacc2adf2a19b186535252bdf55acdc65cc35362b58a602b1e6a4a22597b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Paypal.exe

Filesize
672KB

MD5
561a7ddda53177362dc0ac85ec84421e

SHA1
1d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a

SHA256
b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b

SHA512
8dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Paypal.exe

Filesize
672KB

MD5
561a7ddda53177362dc0ac85ec84421e

SHA1
1d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a

SHA256
b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b

SHA512
8dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxy Shifter.exe

Filesize
36.8MB

MD5
7cbac120d865d4c4c218b06144580b0a

SHA1
19afc5f464e84dc362459ab53dd3b6947b708d2e

SHA256
77f211fe4f26bbf491ee2a4eb6ac07a123a1ae40b59062d88c222e61b60c082b

SHA512
439ffd9e287b9c7468c9f85b52f0734b8b98e4b917576b2e87a6775b0d65b3da3103341c743b93722726795eadf86148c1b2c573a6f4a7b1c2cf5f307cfca625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxy Shifter.exe

Filesize
36.8MB

MD5
7cbac120d865d4c4c218b06144580b0a

SHA1
19afc5f464e84dc362459ab53dd3b6947b708d2e

SHA256
77f211fe4f26bbf491ee2a4eb6ac07a123a1ae40b59062d88c222e61b60c082b

SHA512
439ffd9e287b9c7468c9f85b52f0734b8b98e4b917576b2e87a6775b0d65b3da3103341c743b93722726795eadf86148c1b2c573a6f4a7b1c2cf5f307cfca625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxy Shifter.exe

Filesize
36.8MB

MD5
7cbac120d865d4c4c218b06144580b0a

SHA1
19afc5f464e84dc362459ab53dd3b6947b708d2e

SHA256
77f211fe4f26bbf491ee2a4eb6ac07a123a1ae40b59062d88c222e61b60c082b

SHA512
439ffd9e287b9c7468c9f85b52f0734b8b98e4b917576b2e87a6775b0d65b3da3103341c743b93722726795eadf86148c1b2c573a6f4a7b1c2cf5f307cfca625

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDEBC.tmp

Filesize
1KB

MD5
f7756ba802f3aaf17dbbeb18c24ac669

SHA1
6928f214f66784c82ff2037b657f370898c9b7ee

SHA256
c225a623ce9751a2045f396a5760cf5f2122b303c41ccaa68a08e69fba1dd2df

SHA512
9f9f140c386741f2daf76a6a35b825474788ec191d6a4b61ab385bb8aa42c4786c6e980a95171df0be010e3a60457b964e05830b74b4c2e76bdda789436e71b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2r2ync5.sp3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\paypal.exe

Filesize
672KB

MD5
561a7ddda53177362dc0ac85ec84421e

SHA1
1d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a

SHA256
b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b

SHA512
8dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282\better-sqlite3\build\Release\better_sqlite3.node

Filesize
2.6MB

MD5
4b25dfb983845ff57360c720a429eef4

SHA1
51a9cad777b37f1c521c6d50b6f49379fb6d0a06

SHA256
53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282

SHA512
b808133885ef35cba2ea81d37a9f996b121a91e459c68cf5b98cab2a53f783927a0023ecc095b5664fef1bcd463f8b8b42b51f8511fda25e21141693aed4ec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282\better-sqlite3\build\Release\better_sqlite3.node

Filesize
2.6MB

MD5
4b25dfb983845ff57360c720a429eef4

SHA1
51a9cad777b37f1c521c6d50b6f49379fb6d0a06

SHA256
53b88af8a78050718e1a282af077701921f1e2c7e0b4592d197eab2018240282

SHA512
b808133885ef35cba2ea81d37a9f996b121a91e459c68cf5b98cab2a53f783927a0023ecc095b5664fef1bcd463f8b8b42b51f8511fda25e21141693aed4ec77

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
dc92b8e77d869866a6af82409fae0af2

SHA1
a0edf2ddf35304854a134eac14637239fe319292

SHA256
81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2

SHA512
dbfb1656b9aeb116993e9034d8a422a8d61d89f861221e15491d8dde04231eaa357573de59eab65b49533e03f06699a508dd27ed6b85ac94c882f505d22a0bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
dc92b8e77d869866a6af82409fae0af2

SHA1
a0edf2ddf35304854a134eac14637239fe319292

SHA256
81aab2bb7227d24493d1f0d2483a307be716c84a733b54f69e671071715e10c2

SHA512
dbfb1656b9aeb116993e9034d8a422a8d61d89f861221e15491d8dde04231eaa357573de59eab65b49533e03f06699a508dd27ed6b85ac94c882f505d22a0bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\q1sh22rs\q1sh22rs.dll

Filesize
3KB

MD5
8e881b37ceb0e3a31adf3a5be3665a24

SHA1
5f4df3e02d4cee3fbc0bd95504db3164dc7c068c

SHA256
647430cf8555a56149cfa500c68f3bb2113cfca5f56336c6db3c1571ca3c5e27

SHA512
1728c476c3faf36639c431f74f6d0b6fcadd4b9f7f07dcdef870bd226d272a85641eef9b2520e6089554eded18b99795aa24aeb87dee8bfb9b77fb38446277be

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.ps1

Filesize
419B

MD5
bf77c98084bde13aa379a5527a0f5850

SHA1
8a4d1307c3952d00ab3279baee4a03f899de7f1c

SHA256
c88eb353b4e1fe7f02529f9e8b48b21cee2c813674b32843136861f885053e3f

SHA512
8237fb209695c2568f4d3ada3181eb9a65ad16140896a5f8013ae267048ecd6994cddb25fc7ca0849bb0c484ba7be7a738a3ca0cad6e85d75587c4a2c37c60ef

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
672KB

MD5
561a7ddda53177362dc0ac85ec84421e

SHA1
1d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a

SHA256
b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b

SHA512
8dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1

Download Submit
C:\Windows\SysWOW64\SubDir\Client.exe

Filesize
672KB

MD5
561a7ddda53177362dc0ac85ec84421e

SHA1
1d0f2a9dd397a6d435063fcdd76f02dd04ab1b7a

SHA256
b3e2c9fbc435b5e2f552234b0e1c4ec7bb2ebe5f53413268b1089038cfe5748b

SHA512
8dfcaf20f68e0c9ba7e768929e12e930a466d352ae8f5b452af0e603722e048b60fb4272c280a52f87eb3d3f25ce691ed6afd4285f440f18d68af22fe8d6f6d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1sh22rs\CSC4FB2FE4C9F754A8AA8A8F4B4CCE7965.TMP

Filesize
652B

MD5
6d84824b45a068a98e9f0c52f90abf56

SHA1
a3f66d09f2681cfb52e49e915a657bd3958c957c

SHA256
5ddca841d77db036f24735aafa20cdba08fbcdc7dab423e08f628486dd4055b7

SHA512
779c9c1ab7486ff20eebb6a1a35f829023367017ec6c933281510c882f5e506bc3be45d0bdce88d952ff74ab05b4cae564de424860d6abb032e936505bc1775d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1sh22rs\q1sh22rs.0.cs

Filesize
331B

MD5
290cee718da5975e051415a46af47a4a

SHA1
8099250c47bb93d821def350b467521e7cf8d5de

SHA256
26d220f0926af717fb195e1ec05f2ecccee3fbd37fa92148774bb5604557c9c9

SHA512
306d86ec0c4bc64594b4ca336822030926eaea0873ccdbcf989a721d307b19831761a15b3a222f6ec0dcc44ba0fbacac6ffbe7da0f7a447d5d34d76f3f029510

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q1sh22rs\q1sh22rs.cmdline

Filesize
369B

MD5
b444bd2b547e6d0a9ff427f540176de8

SHA1
48ffd7a406aacbdde24ab550eea3a6ace9a2cfc5

SHA256
35655113799247e45793a5764a29390b02c64ddf6ad770b1a54788f6900c3a64

SHA512
75cd43eba645a4ee1e063cc3dd1cacd800ff22113f496e7dfd8baf3dee32a06ef6e7ac5ef9870d283520192b9b38adae5a59974c45c51778806b5b5fbee55058

Download Submit
memory/780-179-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/780-183-0x0000000006CA0000-0x0000000006CDC000-memory.dmp

Filesize
240KB

Download
memory/780-181-0x0000000005FA0000-0x0000000005FB2000-memory.dmp

Filesize
72KB

Download
memory/780-311-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/780-157-0x0000000005FF0000-0x0000000006594000-memory.dmp

Filesize
5.6MB

Download
memory/780-156-0x0000000000DB0000-0x0000000000E5E000-memory.dmp

Filesize
696KB

Download
memory/780-161-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/780-158-0x0000000005860000-0x00000000058F2000-memory.dmp

Filesize
584KB

Download
memory/1304-315-0x0000000007390000-0x00000000073C2000-memory.dmp

Filesize
200KB

Download
memory/1304-378-0x0000000007D40000-0x00000000083BA000-memory.dmp

Filesize
6.5MB

Download
memory/1304-198-0x0000000005630000-0x0000000005652000-memory.dmp

Filesize
136KB

Download
memory/1304-201-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/1304-435-0x0000000007940000-0x000000000794E000-memory.dmp

Filesize
56KB

Download
memory/1304-193-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/1304-191-0x00000000056F0000-0x0000000005D18000-memory.dmp

Filesize
6.2MB

Download
memory/1304-217-0x00000000063F0000-0x000000000640E000-memory.dmp

Filesize
120KB

Download
memory/1304-188-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

Filesize
216KB

Download
memory/1304-434-0x00000000079B0000-0x0000000007A46000-memory.dmp

Filesize
600KB

Download
memory/1304-420-0x0000000007770000-0x000000000777A000-memory.dmp

Filesize
40KB

Download
memory/1304-387-0x0000000007700000-0x000000000771A000-memory.dmp

Filesize
104KB

Download
memory/1304-383-0x000000007F610000-0x000000007F620000-memory.dmp

Filesize
64KB

Download
memory/1304-316-0x000000006FE60000-0x000000006FEAC000-memory.dmp

Filesize
304KB

Download
memory/1304-333-0x0000000007350000-0x000000000736E000-memory.dmp

Filesize
120KB

Download
memory/1304-195-0x0000000002CC0000-0x0000000002CD0000-memory.dmp

Filesize
64KB

Download
memory/3240-178-0x000001FFD6B40000-0x000001FFD6B84000-memory.dmp

Filesize
272KB

Download
memory/3240-177-0x000001FFD3960000-0x000001FFD3970000-memory.dmp

Filesize
64KB

Download
memory/3240-180-0x000001FFD3960000-0x000001FFD3970000-memory.dmp

Filesize
64KB

Download
memory/3240-176-0x000001FFD3960000-0x000001FFD3970000-memory.dmp

Filesize
64KB

Download
memory/3240-175-0x000001FFBB370000-0x000001FFBB392000-memory.dmp

Filesize
136KB

Download
memory/3240-182-0x000001FFD6B90000-0x000001FFD6C06000-memory.dmp

Filesize
472KB

Download
memory/4316-312-0x0000000006140000-0x000000000614A000-memory.dmp

Filesize
40KB

Download
memory/4316-194-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download