quasar | f476d4a86bf9063ba1334eee663c9a45845ba503c8401dad9de284efa6e89e64

Analysis

max time kernel
55s
max time network
56s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
29-10-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.1MB
MD5

1e6dc980a23fe52763adff15539cde1a
SHA1

1c98e8583b306a7c8b5d85b98af872f9658e95da
SHA256

f476d4a86bf9063ba1334eee663c9a45845ba503c8401dad9de284efa6e89e64
SHA512

2ad6297bf837bd10ea5ceb328940c56ddc6e85015d087e37e3edb2ebebbd28155019879211edeb9df4190e3b22c8b18ab5c316519bff0d3b99c54a67a0941d68
SSDEEP

49152:fvhgo2QSaNpzyPllgamb0CZof/JB6x31v4LoG5STHHB72eh2NT:fvSo2QSaNpzyPllgamYCZof/JB6x4

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

testforum.ddns.net:4782

91.240.139.230:4782

testforum.ddns.net:4444

testforum.ddns.net:443

warm-shirts-stop.loca.lt:4782

Mutex

3d4f7428-4c44-4610-9897-073f6812e70a

Attributes

encryption_key
81646F2B6BFC1777912CC29649A1EF0DF8102344
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3504-1-0x0000000000200000-0x0000000000524000-memory.dmp	family_quasar
behavioral1/files/0x00280000000450c9-3.dat	family_quasar

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	Client.exe

Executes dropped EXE 6 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
4428	Client.exe
3380	Client.exe
4152	Client.exe
1044	Client.exe
952	Client.exe
1752	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3084	PING.EXE
2568	PING.EXE
1460	PING.EXE
1956	PING.EXE
4060	PING.EXE
1216	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
4060	PING.EXE
1216	PING.EXE
3084	PING.EXE
2568	PING.EXE
1460	PING.EXE
1956	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3764	schtasks.exe
4792	schtasks.exe
4288	schtasks.exe
5044	schtasks.exe
2516	schtasks.exe
5008	schtasks.exe
3480	schtasks.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Client-built.exeClient.exeClient.exeClient.exeClient.exeClient.exeClient.exe

description	pid	Process
Token: SeDebugPrivilege	3504	Client-built.exe
Token: SeDebugPrivilege	4428	Client.exe
Token: SeDebugPrivilege	3380	Client.exe
Token: SeDebugPrivilege	4152	Client.exe
Token: SeDebugPrivilege	1044	Client.exe
Token: SeDebugPrivilege	952	Client.exe
Token: SeDebugPrivilege	1752	Client.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
4428	Client.exe
3380	Client.exe
4152	Client.exe
1044	Client.exe
952	Client.exe
1752	Client.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Client.exeClient.exeClient.exeClient.exeClient.exeClient.exe

pid	Process
4428	Client.exe
3380	Client.exe
4152	Client.exe
1044	Client.exe
952	Client.exe
1752	Client.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

Client-built.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exeClient.execmd.exe

description	pid	Process	procid_target
PID 3504 wrote to memory of 4792	3504	Client-built.exe	83
PID 3504 wrote to memory of 4792	3504	Client-built.exe	83
PID 3504 wrote to memory of 4428	3504	Client-built.exe	85
PID 3504 wrote to memory of 4428	3504	Client-built.exe	85
PID 4428 wrote to memory of 4288	4428	Client.exe	86
PID 4428 wrote to memory of 4288	4428	Client.exe	86
PID 4428 wrote to memory of 1372	4428	Client.exe	88
PID 4428 wrote to memory of 1372	4428	Client.exe	88
PID 1372 wrote to memory of 1748	1372	cmd.exe	90
PID 1372 wrote to memory of 1748	1372	cmd.exe	90
PID 1372 wrote to memory of 4060	1372	cmd.exe	91
PID 1372 wrote to memory of 4060	1372	cmd.exe	91
PID 1372 wrote to memory of 3380	1372	cmd.exe	92
PID 1372 wrote to memory of 3380	1372	cmd.exe	92
PID 3380 wrote to memory of 5044	3380	Client.exe	93
PID 3380 wrote to memory of 5044	3380	Client.exe	93
PID 3380 wrote to memory of 3432	3380	Client.exe	95
PID 3380 wrote to memory of 3432	3380	Client.exe	95
PID 3432 wrote to memory of 4600	3432	cmd.exe	97
PID 3432 wrote to memory of 4600	3432	cmd.exe	97
PID 3432 wrote to memory of 1216	3432	cmd.exe	98
PID 3432 wrote to memory of 1216	3432	cmd.exe	98
PID 3432 wrote to memory of 4152	3432	cmd.exe	99
PID 3432 wrote to memory of 4152	3432	cmd.exe	99
PID 4152 wrote to memory of 2516	4152	Client.exe	100
PID 4152 wrote to memory of 2516	4152	Client.exe	100
PID 4152 wrote to memory of 2072	4152	Client.exe	102
PID 4152 wrote to memory of 2072	4152	Client.exe	102
PID 2072 wrote to memory of 2240	2072	cmd.exe	104
PID 2072 wrote to memory of 2240	2072	cmd.exe	104
PID 2072 wrote to memory of 3084	2072	cmd.exe	105
PID 2072 wrote to memory of 3084	2072	cmd.exe	105
PID 2072 wrote to memory of 1044	2072	cmd.exe	108
PID 2072 wrote to memory of 1044	2072	cmd.exe	108
PID 1044 wrote to memory of 5008	1044	Client.exe	109
PID 1044 wrote to memory of 5008	1044	Client.exe	109
PID 1044 wrote to memory of 3464	1044	Client.exe	111
PID 1044 wrote to memory of 3464	1044	Client.exe	111
PID 3464 wrote to memory of 1692	3464	cmd.exe	113
PID 3464 wrote to memory of 1692	3464	cmd.exe	113
PID 3464 wrote to memory of 2568	3464	cmd.exe	114
PID 3464 wrote to memory of 2568	3464	cmd.exe	114
PID 3464 wrote to memory of 952	3464	cmd.exe	115
PID 3464 wrote to memory of 952	3464	cmd.exe	115
PID 952 wrote to memory of 3480	952	Client.exe	116
PID 952 wrote to memory of 3480	952	Client.exe	116
PID 952 wrote to memory of 4124	952	Client.exe	118
PID 952 wrote to memory of 4124	952	Client.exe	118
PID 4124 wrote to memory of 1680	4124	cmd.exe	120
PID 4124 wrote to memory of 1680	4124	cmd.exe	120
PID 4124 wrote to memory of 1460	4124	cmd.exe	121
PID 4124 wrote to memory of 1460	4124	cmd.exe	121
PID 4124 wrote to memory of 1752	4124	cmd.exe	122
PID 4124 wrote to memory of 1752	4124	cmd.exe	122
PID 1752 wrote to memory of 3764	1752	Client.exe	123
PID 1752 wrote to memory of 3764	1752	Client.exe	123
PID 1752 wrote to memory of 4184	1752	Client.exe	125
PID 1752 wrote to memory of 4184	1752	Client.exe	125
PID 4184 wrote to memory of 3888	4184	cmd.exe	127
PID 4184 wrote to memory of 3888	4184	cmd.exe	127
PID 4184 wrote to memory of 1956	4184	cmd.exe	128
PID 4184 wrote to memory of 1956	4184	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4792
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSH7gzXyT47B.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1748
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4060
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WvN2oY4nVDK0.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4600
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1216
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DW82EvYB8Itz.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ej4kbkuWVhWg.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2568
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qTEvcthkMb6W.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G1SMXZd5fmYL.bat" "
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:3888
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
2KB

MD5
7787ce173dfface746f5a9cf5477883d

SHA1
4587d870e914785b3a8fb017fec0c0f1c7ec0004

SHA256
c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1

SHA512
3a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\DW82EvYB8Itz.bat

Filesize
207B

MD5
3b9e56acfad1897330d12dd591f79c9c

SHA1
1ba682ad875a9466cb4541c004979e76fd362f64

SHA256
843bfb780393bf11867dd99e2dcac0b4bd5bb15078527056f809a1bf712f905f

SHA512
13e22ccdc95bccb7abbc881905d0d8987d5034e51abaae9d315f551cfec02760c982efec65f43bc90e2002d83e2478f3ef95da2867cd70c989e63d55f278b023

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ej4kbkuWVhWg.bat

Filesize
207B

MD5
5fcf3c7b862803d0a82988250870bcdd

SHA1
01478a279e24b61b99639dace5224523a344832b

SHA256
b843733c790be0a129129feec8890ba1bc46638ea6ed4a325635b3abc21e2561

SHA512
6572f73d53218b4ffcf8d9ab42b57954a566d2e0ee04fa9106488b173873502c46f4d025220e4591f492cc3a0cce161b1e650a4b8a8d814f9955cecacdf8d107

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1SMXZd5fmYL.bat

Filesize
207B

MD5
f2a72ba5635b2c451bb88482ffe75508

SHA1
1a7774965061a6ff49fa8ad8b236acd19168b2bc

SHA256
939f194509657e6e4c0f4d26de15123a0f81c34de1b7f8ed06d5b063c2e80ecf

SHA512
af926e5e024dab3e02892ab1fb542266a15994aa499608f586fa86da17914488890e6b29ca8154a3af65285c3f8ce089adb8b30eaac891f7c6a838cc627c4675

Download Submit
C:\Users\Admin\AppData\Local\Temp\WvN2oY4nVDK0.bat

Filesize
207B

MD5
c0aba8f3833a33ef0f6bf0a73cb57eb6

SHA1
4bc141f5594bd9096a2a2aa124c5d830bcb65812

SHA256
a3597048c9796299d8426736d68da90601561045047ca2f51d99fe06763e663f

SHA512
524071a4c4d12a7587335fdd803568f664fff00c892020abe8c3aed84abef48dffad201758a298d3d47ba89f932cce609b211888cb66a137278ff5b36d5cb300

Download Submit
C:\Users\Admin\AppData\Local\Temp\kSH7gzXyT47B.bat

Filesize
207B

MD5
66387d9db442d9ccaa7a29ed9b1fcff2

SHA1
e84d082a19e058ef18421835ec35a83c7c6a4e98

SHA256
b8db2c2499278235a648a0b746dff96950f1d857eab3834fa09ecb80e4b11394

SHA512
38642e62a4ccbc54a42e7f69674884ba3c69ac429456269ea094accb20f1620d6432ca8772d6f9412cfe6afc25f6542bb8adc6c0829122e9446dd1be51e372a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\qTEvcthkMb6W.bat

Filesize
207B

MD5
392c069bb65a298c2ac9502d703d2ffb

SHA1
7ea6807eed3a2a4c38aff709790e50aff1e6b793

SHA256
4d7a463a49221eb1403e21cc1acd0350c540dcdb43189c222d9f91a8e72e083b

SHA512
923540b68c51a9e10cfba0b8a06a6425285c202567b2af2231c22c51d6c5e4a3019f417879b88c85755d72f4b25e527e8a04eba6f4ab1641667496c334a3b827

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
1e6dc980a23fe52763adff15539cde1a

SHA1
1c98e8583b306a7c8b5d85b98af872f9658e95da

SHA256
f476d4a86bf9063ba1334eee663c9a45845ba503c8401dad9de284efa6e89e64

SHA512
2ad6297bf837bd10ea5ceb328940c56ddc6e85015d087e37e3edb2ebebbd28155019879211edeb9df4190e3b22c8b18ab5c316519bff0d3b99c54a67a0941d68

Download Submit
memory/3504-5-0x00007FFCF4240000-0x00007FFCF4D02000-memory.dmp

Filesize
10.8MB

Download
memory/3504-0-0x00007FFCF4243000-0x00007FFCF4245000-memory.dmp

Filesize
8KB

Download
memory/3504-2-0x00007FFCF4240000-0x00007FFCF4D02000-memory.dmp

Filesize
10.8MB

Download
memory/3504-1-0x0000000000200000-0x0000000000524000-memory.dmp

Filesize
3.1MB

Download
memory/4428-9-0x000000001CD60000-0x000000001CE12000-memory.dmp

Filesize
712KB

Download
memory/4428-17-0x00007FFCF4240000-0x00007FFCF4D02000-memory.dmp

Filesize
10.8MB

Download
memory/4428-8-0x000000001CC50000-0x000000001CCA0000-memory.dmp

Filesize
320KB

Download
memory/4428-7-0x00007FFCF4240000-0x00007FFCF4D02000-memory.dmp

Filesize
10.8MB

Download
memory/4428-6-0x00007FFCF4240000-0x00007FFCF4D02000-memory.dmp

Filesize
10.8MB

Download