Analysis

  • max time kernel
    262s
  • max time network
    281s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    13-09-2024 18:56

General

  • Target

    AuroraALPHABUILD.0-6 - Copy (3).exe

  • Size

    231.7MB

  • MD5

    3cda647a8948f3ac4df14abf6f1d62c1

  • SHA1

    f4da28914a3938e7de76546bcf911f539672459a

  • SHA256

    c905d2c1b9df641f12daab74948cef579aa92b6f07c36f97ed70146b615411c1

  • SHA512

    77c0cd078ab2d2765237c3cc68a4872a81db653f1ad6a42122b786b27c7d48842577a65e88ad61e549e13b5be0df51e25b5f026089a19833e9da71f8c30c0cdd

  • SSDEEP

    6144:0MNHXf500MU8zfjEm0beDmcCl/QOqNgJyCqv7cc:Rd505jwmZmcgSNgJyrv7cc

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

gimp1

C2

193.42.33.210:4444

gimpdns.ddns.net:4444

Mutex

QSR_MUTEX_XwuUSTCgYhmnf6vJ1L

Attributes
  • encryption_key

    lRzFKjYQKUKzh6RyUYYQ

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svchost

  • subdirectory

    SubDir

Signatures

  • Quasar RAT 4 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Remote Services: SMB/Windows Admin Shares 1 TTPs 1 IoCs

    Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB).

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 1 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe"
    1⤵
    • Quasar RAT
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3952
    • C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3732
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /delete /tn "svchost" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4348
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0Td3HjLnzSnj.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2580
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4668
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3656
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Windows\system32\resmon.exe
      "C:\Windows\system32\resmon.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\System32\perfmon.exe
        "C:\Windows\System32\perfmon.exe" /res
        3⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:4988
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4412
  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1496
  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2648
    • C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2032
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /delete /tn "svchost" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:428
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dpdnkHiYUVUr.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4964
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1384
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1464
  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4232
  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWmyErfP9TEt.bat" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1240
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4420
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 10 localhost
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1968
      • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe
        "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (5).exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4980
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
    1⤵
    • Checks SCSI registry key(s)
    PID:1620
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s lmhosts
    1⤵
    PID:4908
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      2⤵
      PID:196
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -s nsi
    1⤵
    PID:4696
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -s SSDPSRV
    1⤵
    PID:4960
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -s Dhcp
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4896
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s NlaSvc
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1696
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    PID:5084
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -s netprofm
    1⤵
    PID:3856
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4624
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    PID:2544
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -s PlugPlay
    1⤵
    PID:4756
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    • Enumerates connected drives
    • Remote Services: SMB/Windows Admin Shares
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4564
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
    1⤵
    PID:1844
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    PID:1880
  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (4).exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1132
    • C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"
      2⤵
      PID:4152
  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (2).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:972
  • C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe
    "C:\Users\Admin\AppData\Local\Temp\AuroraALPHABUILD.0-6 - Copy (3).exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4588

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AuroraALPHABUILD.0-6 - Copy (3).exe.log

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AuroraALPHABUILD.0-6 - Copy (4).exe.log

    Filesize

    701B

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\0Td3HjLnzSnj.bat

    Filesize

    263B

  • C:\Users\Admin\AppData\Local\Temp\dpdnkHiYUVUr.bat

    Filesize

    263B

  • C:\Users\Admin\AppData\Local\Temp\qWmyErfP9TEt.bat

    Filesize

    228B

  • C:\Users\Admin\AppData\Roaming\Logs\09-13-~1

    Filesize

    224B

  • C:\Users\Admin\AppData\Roaming\Logs\09-13-~1

    Filesize

    224B

  • C:\Windows\Tasks\SA.DAT

    Filesize

    6B
