Analysis

  • max time kernel
    137s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 02:15

General

  • Target

    aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe

  • Size

    155.0MB

  • MD5

    64282b6b4d579449c2ad7799f06f86b6

  • SHA1

    2b468af1d1a656d666d8137cb1ca42476d975643

  • SHA256

    aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c

  • SHA512

    1474b425d80eae5507d76235ff08dde303d1d4ef8287ef408621530fe9ae7983a5face388968b078671b6db0bc85053e80a600eeaafddd67b7b980ded9579977

  • SSDEEP

    1572864:gFysNpDQKKr7VskunAMTp9d6vN2EzzyPsYpeU9EK:g4snQ/rxsnnAw6vUEzlYB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.10.145:4782

Mutex

4f9fc524-eb7d-412c-82e9-60d973f2e68b

Attributes
  • encryption_key

    25C16D5BA2F06B33ED6B1D041FCCCC89A74FFA91

  • install_name

    System32.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 7 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 6 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe
    "C:\Users\Admin\AppData\Local\Temp\aa23b43f65fa9e50bee474e0461c23f92e4390691e7ec4f5f32f42a6bc71159c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe
      "C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Windows\system32\SubDir\System32.exe
        "C:\Windows\system32\SubDir\System32.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2580
    • C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe
        "windowsdesktop-runtime-6.0.15-win-x64.exe" /S
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2056
        • C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe
          "C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe" -burn.filehandle.attached=184 -burn.filehandle.self=192 /S
          4⤵
          • Executes dropped EXE
          PID:2352
          • C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe
            "C:\Windows\Temp\{B29C5AA8-44CA-4AD1-B93D-6A464D8C7322}\.be\windowsdesktop-runtime-6.0.21-win-x64.exe" -q -burn.elevated BurnPipe.{BFD06905-3FC7-41AE-8DDF-8872F31DDB7D} {607D96EA-69A2-43BE-AFEF-AA2E8D611217} 2352
            5⤵
            • Adds Run key to start application
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Modifies registry class
            PID:852
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 332
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:2692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Package Cache\{0f39db03-9030-48f3-82ef-5384bed81d85}\windowsdesktop-runtime-6.0.21-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    8607a9247810ad6029d0dca93c2b76aa

    SHA1

    e56cd3223c14833400c81afeac451d1558cd7249

    SHA256

    e6953f66a991dcb92d77640475077318dc9da139d4ecc821c1a6bc9f4622af82

    SHA512

    7ba98b07247d084ebb21ca0641fdfbdb5291e98752d1f5354df951a48e0b70e9abd19b620ad57703eb33987b19a3ec85721a074ff9f83219a0fe8854384fd2ec

  • C:\Users\Admin\AppData\Local\Temp\Cab4472.tmp

    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

  • C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

    Filesize

    152.1MB

    MD5

    6196a6ac54713dc0d11c7ebab96bc6d0

    SHA1

    594c07c73f5844f74dc80b79f9d29ae0c9591f3f

    SHA256

    74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175

    SHA512

    613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

  • C:\Users\Admin\AppData\Local\Temp\NovaInstaller.exe

    Filesize

    152.1MB

    MD5

    6196a6ac54713dc0d11c7ebab96bc6d0

    SHA1

    594c07c73f5844f74dc80b79f9d29ae0c9591f3f

    SHA256

    74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175

    SHA512

    613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

  • C:\Users\Admin\AppData\Local\Temp\Tar4524.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    54.7MB

    MD5

    1a6d60add2d112dd73e83fb46dca474d

    SHA1

    8b374a54f508cfdb8c8176bfaef96f37edf7170b

    SHA256

    aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545

    SHA512

    49192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79

  • C:\Users\Admin\AppData\Local\Temp\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    54.7MB

    MD5

    1a6d60add2d112dd73e83fb46dca474d

    SHA1

    8b374a54f508cfdb8c8176bfaef96f37edf7170b

    SHA256

    aa0c922c9c65f11b75747343b4711a0bdc8dc8ac1bd38da7c3ecd01ce28c8545

    SHA512

    49192c5141bb04dc19483e8b1adec9c6f56fa54ef8c55e2f4fa4aae73abf9119bb7b1dff3d8f9b3307c50de8989669398a5f6d8dc4323b81b6a1def5ee6c6e79

  • C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • C:\Users\Admin\AppData\Local\Temp\wwwwwww.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • C:\Windows\System32\SubDir\System32.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • C:\Windows\System32\SubDir\System32.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • C:\Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • C:\Windows\system32\SubDir\System32.exe

    Filesize

    3.1MB

    MD5

    7404ded83ef64d354248abcd89e798ef

    SHA1

    56c2b966dba0daf00f52c6d23a2cdb105709c96c

    SHA256

    57317f63924c831e660426f5805f82dbf59b8a9d0f46313b71e271a35195dbff

    SHA512

    f57b9ef76f0534eb4994134979ddef8b86e7290a501bbd333265f027c43906f057cb07c27bde27709603362e6b1a2327d4c65342966ac785a8ac58af1162fb26

  • \Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\D3DCompiler_47_cor3.dll

    Filesize

    4.7MB

    MD5

    2191e768cc2e19009dad20dc999135a3

    SHA1

    f49a46ba0e954e657aaed1c9019a53d194272b6a

    SHA256

    7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d

    SHA512

    5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970

  • \Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\PresentationNative_cor3.dll

    Filesize

    1.2MB

    MD5

    c7bcc68b81e965fe74ef58d503c58deb

    SHA1

    99990f204f7318eeb8de6f9664ebcd0d42ea81b7

    SHA256

    06cb4da78f5cfddece86329241a2af9d6390ce1082b02f7db2e3bf320215a23e

    SHA512

    cab2bc27eca0ee097324a2471c8228f1723cfef5df9971359eec7710082c122b26a7aa1d1e6faab75389438a358bbff2973ad67e8dd9046455b4c4ac880d858c

  • \Users\Admin\AppData\Local\Temp\.net\NovaInstaller\uWcU5_6FXSwQ4UMNThCcNYZC4UGolsg=\wpfgfx_cor3.dll

    Filesize

    1.9MB

    MD5

    1b01746fe61beb761a643050823190b0

    SHA1

    927b12e4a733bcc51545c6a005838a24b8dc4dda

    SHA256

    f8c4d6eb1cfa9c5b6fb322a0c818a4f5d5ee44043c259e0262c0460513953fb8

    SHA512

    83eeb187e554588a5a4efbce0fcb7e9c30e718ec9f6d797a7add28036e3d4506cd3e78386522467d7ac967a60ac509a23edd79a1b9032a7e230d980b9f36080a

  • \Users\Admin\AppData\Local\Temp\NovaInstaller.exe

    Filesize

    152.1MB

    MD5

    6196a6ac54713dc0d11c7ebab96bc6d0

    SHA1

    594c07c73f5844f74dc80b79f9d29ae0c9591f3f

    SHA256

    74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175

    SHA512

    613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

  • \Users\Admin\AppData\Local\Temp\NovaInstaller.exe

    Filesize

    152.1MB

    MD5

    6196a6ac54713dc0d11c7ebab96bc6d0

    SHA1

    594c07c73f5844f74dc80b79f9d29ae0c9591f3f

    SHA256

    74db4ae35512c9a7be17f01544b2a5bd56b3b256edb3f179e76b59951f222175

    SHA512

    613b185438c693c25e55174eaf2dc5e8d36b57f462c82ab318276219b0bdadb1f145712b9dbb4bd49ad60dfc8e9176428c6cceaac3ff615c13e60e74153724c7

  • \Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • \Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • \Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • \Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • \Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • \Windows\Temp\{35C8092F-130D-4048-B409-63C3A692F46B}\.cr\windowsdesktop-runtime-6.0.15-win-x64.exe

    Filesize

    610KB

    MD5

    ff67a2a55ed6998ab527273d547fc00f

    SHA1

    852712b95ca05de8f336f07ff9ac672281b91215

    SHA256

    71dc12e39274b7a94f1a44b1ebe1a1507adf9884db5fdcd4cd9346b4c9fbe0c9

    SHA512

    48eb6bcb087d23ffb4e85501d23e55a4a15e8e0d2b4ca402a46df5946640f7e33c47deb785142af0fbc8cb10b6f9731500a370168cb43fd02642b29a880151d9

  • memory/2568-69-0x0000000001D70000-0x0000000001D89000-memory.dmp

    Filesize

    100KB

  • memory/2568-152-0x0000000022EB0000-0x0000000022EBA000-memory.dmp

    Filesize

    40KB

  • memory/2568-57-0x0000000000610000-0x000000000061D000-memory.dmp

    Filesize

    52KB

  • memory/2568-60-0x0000000000620000-0x0000000000625000-memory.dmp

    Filesize

    20KB

  • memory/2568-63-0x0000000001D90000-0x0000000001DA3000-memory.dmp

    Filesize

    76KB

  • memory/2568-66-0x0000000000630000-0x0000000000637000-memory.dmp

    Filesize

    28KB

  • memory/2568-32-0x0000000180000000-0x0000000180A25000-memory.dmp

    Filesize

    10.1MB

  • memory/2568-72-0x0000000001EB0000-0x0000000001EC6000-memory.dmp

    Filesize

    88KB

  • memory/2568-78-0x0000000002160000-0x0000000002178000-memory.dmp

    Filesize

    96KB

  • memory/2568-81-0x0000000002330000-0x0000000002342000-memory.dmp

    Filesize

    72KB

  • memory/2568-75-0x0000000022BD0000-0x0000000022C10000-memory.dmp

    Filesize

    256KB

  • memory/2568-51-0x0000000024F20000-0x0000000025762000-memory.dmp

    Filesize

    8.3MB

  • memory/2568-87-0x00000000235F0000-0x00000000236E4000-memory.dmp

    Filesize

    976KB

  • memory/2568-90-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

    Filesize

    32KB

  • memory/2568-93-0x0000000022B80000-0x0000000022BC7000-memory.dmp

    Filesize

    284KB

  • memory/2568-96-0x0000000022C50000-0x0000000022C7A000-memory.dmp

    Filesize

    168KB

  • memory/2568-99-0x0000000025F90000-0x00000000267AC000-memory.dmp

    Filesize

    8.1MB

  • memory/2568-48-0x00000000022F0000-0x000000000232E000-memory.dmp

    Filesize

    248KB

  • memory/2568-45-0x0000000001DD0000-0x0000000001E14000-memory.dmp

    Filesize

    272KB

  • memory/2568-54-0x0000000022980000-0x00000000229FF000-memory.dmp

    Filesize

    508KB

  • memory/2568-155-0x0000000022EB0000-0x0000000022EBA000-memory.dmp

    Filesize

    40KB

  • memory/2568-42-0x0000000023290000-0x00000000233EE000-memory.dmp

    Filesize

    1.4MB

  • memory/2568-36-0x000000013FA20000-0x000000014034D000-memory.dmp

    Filesize

    9.2MB

  • memory/2568-35-0x0000000023F90000-0x0000000024F18000-memory.dmp

    Filesize

    15.5MB

  • memory/2568-202-0x000000013FA20000-0x000000014034D000-memory.dmp

    Filesize

    9.2MB

  • memory/2568-203-0x0000000022EB0000-0x0000000022EBA000-memory.dmp

    Filesize

    40KB

  • memory/2568-39-0x0000000023060000-0x0000000023288000-memory.dmp

    Filesize

    2.2MB

  • memory/2580-18-0x000000001B470000-0x000000001B4F0000-memory.dmp

    Filesize

    512KB

  • memory/2580-200-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2580-201-0x000000001B470000-0x000000001B4F0000-memory.dmp

    Filesize

    512KB

  • memory/2580-16-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2580-17-0x00000000001F0000-0x0000000000514000-memory.dmp

    Filesize

    3.1MB

  • memory/2700-8-0x0000000000F60000-0x0000000001284000-memory.dmp

    Filesize

    3.1MB

  • memory/2700-19-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2700-10-0x000000001B460000-0x000000001B4E0000-memory.dmp

    Filesize

    512KB

  • memory/2700-9-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2852-28-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2852-0-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

    Filesize

    9.9MB

  • memory/2852-2-0x000000001C0C0000-0x000000001C140000-memory.dmp

    Filesize

    512KB

  • memory/2852-1-0x000000013FB50000-0x0000000143B5C000-memory.dmp

    Filesize

    64.0MB