quasar | e7b175e7b4e579fe314e56c1a195a937c0e7780fbc0f3def13b7dae08560000f

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExeFile (275).exe
Size

491KB
MD5

fcc248bdb9b56bdd926a13bbff61fadd
SHA1

45bf684e6add3acf6fd8b3e8f6e923195f7994d7
SHA256

e7b175e7b4e579fe314e56c1a195a937c0e7780fbc0f3def13b7dae08560000f
SHA512

b02fdae03adbee721d853053a95bea188b5453f0d270c71fe9a613bbb40f0c9d4e4e57a8d8eab117316ada9cde45223171f89c2e05a8a4fe7254b884ad3e731c
SSDEEP

12288:kK0rI0JwBzjDtVqGcrX4vLH2mTMGG5D8ajXBnGBF5XlXJZSo:f0XGvDtVqGkX4vz/ID8ajXByXlXJZ

Score

10^/10

quasar moasa discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Moasa

neji.w0rld.ga:7777

Mutex

DerPeeekshsaPjTQXfNVygAvPX

Attributes

encryption_key
3xF1E8vK84C8qCe7p0kkroBeQvMxMIry
install_name
Client.exe
log_directory
Harsh
reconnect_delay
2000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1744-5-0x000000001B600000-0x000000001B68C000-memory.dmp	family_quasar

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ExeFile (275).exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ExeFile (275).exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ExeFile (275).exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ExeFile (275).exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ExeFile (275).exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ExeFile (275).exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	ExeFile (275).exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
26	ip-api.com
54	ip-api.com
78	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
1324	PING.EXE
3808	PING.EXE
4596	PING.EXE
4120	PING.EXE
4300	PING.EXE
4032	PING.EXE
2880	PING.EXE

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4032	PING.EXE
2880	PING.EXE
1324	PING.EXE
3808	PING.EXE
4596	PING.EXE
4120	PING.EXE
4300	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

ExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exe

description	pid	Process
Token: SeDebugPrivilege	1744	ExeFile (275).exe
Token: SeDebugPrivilege	4980	ExeFile (275).exe
Token: SeDebugPrivilege	4324	ExeFile (275).exe
Token: SeDebugPrivilege	3380	ExeFile (275).exe
Token: SeDebugPrivilege	3576	ExeFile (275).exe
Token: SeDebugPrivilege	2388	ExeFile (275).exe
Token: SeDebugPrivilege	2208	ExeFile (275).exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

ExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exeExeFile (275).exe

pid	Process
1744	ExeFile (275).exe
4980	ExeFile (275).exe
4324	ExeFile (275).exe
3380	ExeFile (275).exe
3576	ExeFile (275).exe
2208	ExeFile (275).exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

ExeFile (275).execmd.exeExeFile (275).execmd.exeExeFile (275).execmd.exeExeFile (275).execmd.exeExeFile (275).execmd.exeExeFile (275).execmd.exeExeFile (275).execmd.exe

description	pid	Process	procid_target
PID 1744 wrote to memory of 4044	1744	ExeFile (275).exe	94
PID 1744 wrote to memory of 4044	1744	ExeFile (275).exe	94
PID 4044 wrote to memory of 1380	4044	cmd.exe	97
PID 4044 wrote to memory of 1380	4044	cmd.exe	97
PID 4044 wrote to memory of 4032	4044	cmd.exe	98
PID 4044 wrote to memory of 4032	4044	cmd.exe	98
PID 4044 wrote to memory of 4980	4044	cmd.exe	101
PID 4044 wrote to memory of 4980	4044	cmd.exe	101
PID 4980 wrote to memory of 4888	4980	ExeFile (275).exe	103
PID 4980 wrote to memory of 4888	4980	ExeFile (275).exe	103
PID 4888 wrote to memory of 4256	4888	cmd.exe	107
PID 4888 wrote to memory of 4256	4888	cmd.exe	107
PID 4888 wrote to memory of 2880	4888	cmd.exe	108
PID 4888 wrote to memory of 2880	4888	cmd.exe	108
PID 4888 wrote to memory of 4324	4888	cmd.exe	111
PID 4888 wrote to memory of 4324	4888	cmd.exe	111
PID 4324 wrote to memory of 3788	4324	ExeFile (275).exe	112
PID 4324 wrote to memory of 3788	4324	ExeFile (275).exe	112
PID 3788 wrote to memory of 5092	3788	cmd.exe	115
PID 3788 wrote to memory of 5092	3788	cmd.exe	115
PID 3788 wrote to memory of 1324	3788	cmd.exe	117
PID 3788 wrote to memory of 1324	3788	cmd.exe	117
PID 3788 wrote to memory of 3380	3788	cmd.exe	118
PID 3788 wrote to memory of 3380	3788	cmd.exe	118
PID 3380 wrote to memory of 536	3380	ExeFile (275).exe	120
PID 3380 wrote to memory of 536	3380	ExeFile (275).exe	120
PID 536 wrote to memory of 3512	536	cmd.exe	123
PID 536 wrote to memory of 3512	536	cmd.exe	123
PID 536 wrote to memory of 3808	536	cmd.exe	124
PID 536 wrote to memory of 3808	536	cmd.exe	124
PID 536 wrote to memory of 3576	536	cmd.exe	126
PID 536 wrote to memory of 3576	536	cmd.exe	126
PID 3576 wrote to memory of 3176	3576	ExeFile (275).exe	127
PID 3576 wrote to memory of 3176	3576	ExeFile (275).exe	127
PID 3176 wrote to memory of 3120	3176	cmd.exe	130
PID 3176 wrote to memory of 3120	3176	cmd.exe	130
PID 3176 wrote to memory of 4596	3176	cmd.exe	132
PID 3176 wrote to memory of 4596	3176	cmd.exe	132
PID 3176 wrote to memory of 2388	3176	cmd.exe	139
PID 3176 wrote to memory of 2388	3176	cmd.exe	139
PID 2388 wrote to memory of 800	2388	ExeFile (275).exe	140
PID 2388 wrote to memory of 800	2388	ExeFile (275).exe	140
PID 800 wrote to memory of 3776	800	cmd.exe	144
PID 800 wrote to memory of 3776	800	cmd.exe	144
PID 800 wrote to memory of 4120	800	cmd.exe	145
PID 800 wrote to memory of 4120	800	cmd.exe	145
PID 800 wrote to memory of 2208	800	cmd.exe	146
PID 800 wrote to memory of 2208	800	cmd.exe	146
PID 2208 wrote to memory of 2412	2208	ExeFile (275).exe	150
PID 2208 wrote to memory of 2412	2208	ExeFile (275).exe	150
PID 2412 wrote to memory of 552	2412	cmd.exe	153
PID 2412 wrote to memory of 552	2412	cmd.exe	153
PID 2412 wrote to memory of 4300	2412	cmd.exe	155
PID 2412 wrote to memory of 4300	2412	cmd.exe	155
PID 2412 wrote to memory of 2564	2412	cmd.exe	156
PID 2412 wrote to memory of 2564	2412	cmd.exe	156

C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
"C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ppXPiwVV6U44.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1380
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4032
- - C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
    "C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\quSO44gcxdue.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4256
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
        
        "C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
        5⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymYBlbjjLlHR.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
        
        "C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
        7⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\voXQA3NKTrFO.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
        
        "C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
        9⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqEUAmzo9Wv7.bat" "
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:3120
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
        
        "C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
        11⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MZ5NYfyE1yQB.bat" "
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
        
        "C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
        13⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KKd807SmDcfI.bat" "
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:552
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe
        
        "C:\Users\Admin\AppData\Local\Temp\ExeFile (275).exe"
        15⤵
        
        PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KKd807SmDcfI.bat

Filesize
210B

MD5
d0dab63b7252498a29a83a2024eaec25

SHA1
b4868094d1d9190506f2dbd0b6f764a8791db4ef

SHA256
7771916ea9a7c876e9d9aefe3b4108a32ea5b49d0bfecf1b5b448ba220307f3f

SHA512
67a014471c9bf396bb277b5444129ae173aac3f67fe5cc033bd5138b4e3d940470d229577f03a7c446c251b7a4d79acf3fb385f2e8cf20cd8b55e92efaa8dbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MZ5NYfyE1yQB.bat

Filesize
210B

MD5
d646886b71cafac29b0cd183fa5c4118

SHA1
ddfa25e5af5ade62e6cf90a3d4649f4125da0834

SHA256
08b5df82adec46de554851315209e09f9209df6f0cf2268beb0eddeb50af407d

SHA512
34cd48b7150c7767c6c320337d9251508bec96250495646ae29ad4fbe9a7355f60f94f84e26af468093aa1d692282affa0c37e5c1be1e6def8c37a3880849d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppXPiwVV6U44.bat

Filesize
210B

MD5
7eeddd74d75d490de220a436ec661614

SHA1
3abaf61df66b06e6c6111b50c41185efd12b0a69

SHA256
03e703bde86e2e1ed94d2a5274d6793d75df7617db47020e2a146eb184e07b90

SHA512
24c6cb3a5386d435f2b9c84e3a1d2511699f5cb9a469045819c554cfd227ba25a6cc607421cb37f6f119ffc23be54574f308f49cf1b61573af2fcf688f6fa54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\quSO44gcxdue.bat

Filesize
210B

MD5
e2e6c13ee4f09ea73d7e1e1c90702a33

SHA1
e4debc8f349fcf82f5e8edf797384499e9361ef4

SHA256
8078b63bea4fbe63c2cfe6f5b342c30c6110a8a1c78382e026e5634cd26bd67e

SHA512
29f09230be3852cac1ebb48b4415840a3124b6f21a325283cd2d9a428d494d3ca8ced9afa2c4482cc609deb2b2ef34f71439bb5b559ab1414a05f364786886ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\voXQA3NKTrFO.bat

Filesize
210B

MD5
3482906b833f43c3fcc64cc6a876c992

SHA1
7f031e2e566e633f184c97b31e6d98cfa830784c

SHA256
4a254fb6d34c321cca449167193498febc567f7e606931c4013a586abf21d3a2

SHA512
0327f7b9b75ad4e0200d5d89bb69e6ebde7c08f8625da19ab49fc29d5fcff209460aeec248c1b87964b8366bc11569ea1f6586cf46b239b0afddd86676fecdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vqEUAmzo9Wv7.bat

Filesize
210B

MD5
cbceffe4784ac0a7c935fa49995ff39f

SHA1
c56a26c43f090e507a487e8e2d28e6c177ae3163

SHA256
89ad7e66df237a2e94bb8313e06572b563da67378d023669e306a6f4ba375d81

SHA512
a84c98795f87d3c7c44d4b94d6ac823ae1a0c6f17dc7806dd909e3edd71d913bddaf1eef93fcd62eeb78c52e99789b3e58c5baf04769936bd15a9bb2cd8ea83a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ymYBlbjjLlHR.bat

Filesize
210B

MD5
2290879b503ca8e95bad76771c6d7cc8

SHA1
320d147b2f5e27af64a8e7381b6d9efcceebfbc8

SHA256
be12b8179a159e210bc484306498dce607c9a3b9f70f9cf578ee39f70db43f3e

SHA512
23cd887817be9a7a2cbe6de6428d5751773395d97a66ca1def63d26c9f7003eb69795719e43aea8cfc9fdb2836b69d55b46227f022813d85d9fa95131acc8ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Harsh\08-20-2024

Filesize
224B

MD5
bf0663386cca1b1e7c6b0bc3b8f7a8ff

SHA1
3a4ee627fafa12f13905739f54706a04b845196b

SHA256
f38f5145a1dd7721540767dae08636a073aeece31d408575ea4e2dd7c7dca090

SHA512
c9b1e34f420e50a7a2a61cfe1fd08e418a59d3d49da35ed8ee1cd6f7189214ba2ff49358b219ef4d3d4d656d7f014b1bb893276b5892381bb63b78709dd5844b

Download Submit
C:\Users\Admin\AppData\Roaming\Harsh\08-20-2024

Filesize
224B

MD5
48eca8be813b3788946ede7866251ca8

SHA1
f2b09d617ab7c1af33a6bf404dfffda0160cfe8d

SHA256
716e011e75a23cd2645e80f17d7726e8fe337596be0f160a0d81c835eea43902

SHA512
668c19644f98967a6d8f6257fd7978100516c5ad7d760bc32acffb2330ee9a0fb2bf7a69b5bfac4102656d10a21c5893c5394f87f2bc20a3978066bb8e205473

Download Submit
C:\Users\Admin\AppData\Roaming\Harsh\08-20-2024

Filesize
224B

MD5
6b0d4c3441000dad0f7455c7fb2fea6b

SHA1
ff8a90d1422d3dc31e25587079b1777fdc9321ac

SHA256
147f41e10b94c7ea2b86ff89689ff6f88261d4c5d0152e24f3de2dffd1c047bd

SHA512
252475a2fcd5d106dae924e193699bae8cce64816a25643c8bc4239c59cc6efcd870d6d7d54b303b81a3624c6fc3ed6dd0a63c4b09f05bfb91e8b4e3660252c6

Download Submit
C:\Users\Admin\AppData\Roaming\Harsh\08-20-2024

Filesize
224B

MD5
83b401ffa8c6091bcecd6184976bf51c

SHA1
b01ce1d20972440321b5a0c42e31d28d0f29c327

SHA256
80f965dcffc9b345ca032b70924e14a08cafdfb4c14c619b5215bcfbb56d40ea

SHA512
0bb97b0cb21317ea78b3c906e22b5c0d117cf9c4bcab43f628bbcef5a97e21072bf2c196b97280eb47c9032e98e7e6d0bc5bfb49681616a70f455df76bf3531e

Download Submit
memory/1744-6-0x00007FFA4A050000-0x00007FFA4AB11000-memory.dmp

Filesize
10.8MB

Download
memory/1744-8-0x000000001B840000-0x000000001B87C000-memory.dmp

Filesize
240KB

Download
memory/1744-1-0x0000000000950000-0x00000000009D2000-memory.dmp

Filesize
520KB

Download
memory/1744-2-0x0000000002B40000-0x0000000002B9E000-memory.dmp

Filesize
376KB

Download
memory/1744-10-0x000000001CFC0000-0x000000001D072000-memory.dmp

Filesize
712KB

Download
memory/1744-9-0x000000001CEB0000-0x000000001CF00000-memory.dmp

Filesize
320KB

Download
memory/1744-3-0x00007FFA4A050000-0x00007FFA4AB11000-memory.dmp

Filesize
10.8MB

Download
memory/1744-16-0x00007FFA4A050000-0x00007FFA4AB11000-memory.dmp

Filesize
10.8MB

Download
memory/1744-7-0x000000001B6B0000-0x000000001B6C2000-memory.dmp

Filesize
72KB

Download
memory/1744-0-0x00007FFA4A053000-0x00007FFA4A055000-memory.dmp

Filesize
8KB

Download
memory/1744-5-0x000000001B600000-0x000000001B68C000-memory.dmp

Filesize
560KB

Download
memory/1744-4-0x00007FFA4A053000-0x00007FFA4A055000-memory.dmp

Filesize
8KB

Download
memory/4980-25-0x00007FFA4A050000-0x00007FFA4AB11000-memory.dmp

Filesize
10.8MB

Download
memory/4980-18-0x00007FFA4A050000-0x00007FFA4AB11000-memory.dmp

Filesize
10.8MB

Download
memory/4980-17-0x00007FFA4A050000-0x00007FFA4AB11000-memory.dmp

Filesize
10.8MB

Download