quasar | 282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd

Analysis

max time kernel
98s
max time network
95s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-11-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kreo q zi.7z
Size

922KB
MD5

ec516db688f94e98d5141f4bade557e9
SHA1

198ffbae5eed415ac673f5e371774759f1a53de1
SHA256

282d6f5ddc83351dab51e6decc1293b078638f0cfd0baca4673afc8246fd32bd
SHA512

ecc34ad7d15fbedbbc4e62b469f5e6e5e71099e19831574da61dc9f751ed5b2faad1676b8b3dbf0911c4dac628c7a15e9d07d953692c5ab1b700ea07f6396985
SSDEEP

24576:yScP7qLl4iGQATiKL0aywxTodSrUF+nVZLLymvgDoSAWcNtMXqWOU:07qLl4KATiJUo0UEnLmmvqiWcNtMXDOU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

hola435-24858.portmap.host:24858

Mutex

e51e2b65-e963-4051-9736-67d57ed46798

Attributes

encryption_key
AEA258EF65BF1786F0F767C0BE2497ECC304C46F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000450dd-2.dat	family_quasar
behavioral1/memory/1684-5-0x0000000000CE0000-0x0000000001004000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1684	kreo q zi.exe
2056	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133753328686988721"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4804	schtasks.exe
448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
436	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeRestorePrivilege	436	7zFM.exe
Token: 35	436	7zFM.exe
Token: SeSecurityPrivilege	436	7zFM.exe
Token: SeDebugPrivilege	1684	kreo q zi.exe
Token: SeDebugPrivilege	2056	Client.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
436	7zFM.exe
436	7zFM.exe
436	7zFM.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2056	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 448	1684	kreo q zi.exe	93
PID 1684 wrote to memory of 448	1684	kreo q zi.exe	93
PID 1684 wrote to memory of 2056	1684	kreo q zi.exe	95
PID 1684 wrote to memory of 2056	1684	kreo q zi.exe	95
PID 2056 wrote to memory of 4804	2056	Client.exe	96
PID 2056 wrote to memory of 4804	2056	Client.exe	96
PID 1948 wrote to memory of 4872	1948	chrome.exe	100
PID 1948 wrote to memory of 4872	1948	chrome.exe	100
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 1600	1948	chrome.exe	101
PID 1948 wrote to memory of 3252	1948	chrome.exe	102
PID 1948 wrote to memory of 3252	1948	chrome.exe	102
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103
PID 1948 wrote to memory of 4456	1948	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\kreo q zi.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:436

C:\Users\Admin\Desktop\kreo q zi.exe
"C:\Users\Admin\Desktop\kreo q zi.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:448
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff9121fcc40,0x7ff9121fcc4c,0x7ff9121fcc58
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1920 /prefetch:3
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2444 /prefetch:8
  2⤵
  PID:4456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3780,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4060,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3716,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4492,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,15444828141725514432,13350099222091336597,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:4296

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ade4353aadcf70c89ee21684cea911da

SHA1
fdf7b35852215ec8f99ffc53104458e605a5f098

SHA256
87c8966ff71a162a897380f4998a1080ab93cec3ac6d587ff61fa23d3bbd90ef

SHA512
7bdd79c79c2c886ffb4adffb90f76b1aee88b1a836c86282de8970dcb07eec984b2a46dbce14775e3c801f35c64720e4246099b206c4278ee5dbff1012434901

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
7252a2e691f9528a880112e7992904a6

SHA1
30faf2805d1b1409d9dbd4ab96b560487a00655d

SHA256
28b354f62eda20793760b0c1fd11a18678ce1687b58906328998d3fef795f081

SHA512
caf80b4bd1638681212188c24ac3531b00f4b7205aee820dafd8aa333760ec2b68a28f7f1c8bfc9c2bfdef7dfa81cce0f1bbf8f89022097281c72b48513d59fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7ad183f9045543f3b0b84d9553082593

SHA1
32b95a28e2fe7078d1777a2a8ae729e52d19dd67

SHA256
b862c03222e9b0b32ef4140a235ef3c4468b365828aee2393d49b58cfdb40dd3

SHA512
e5596f8bdef43c9b8597dabf49ff3913f3cf09339cbdba82bf2a241fc4807ff17ea10605a927422e9c9dc8a51e3772bec70735fc0aa08609bd617b607eedd16d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
a2e12a791e28f6540227d1f7cedfce9a

SHA1
313f296304aacfbf75978960d6a14a7d7b1a1d4a

SHA256
447874ac878b7bbdcf88a9289cb025ae7a6e009e36aa7b8d16861329c12abf09

SHA512
e4a1a47a7a2a6eaf6764af4f8ef721159972def0bfcfb8d0ca229a2b78fbb74014d547426147d4fe3066ac560c85cd6b78f2de1bf23093e00fd9a8fcc434264e

Download Submit
C:\Users\Admin\Desktop\kreo q zi.exe

Filesize
3.1MB

MD5
28ac02fc40c8f1c2a8989ee3c09a1372

SHA1
b182758b62a1482142c0fce4be78c786e08b7025

SHA256
0fe81f9a51cf0068408de3c3605ce2033a00bd7ec90cc9516c38f6069e06433b

SHA512
2cbf2f6af46e5fae8e67144e1ac70bc748036c7adb7f7810d7d7d9f255ccf5d163cce07f11fb6526f9ab61c39f28bdf2356cc315b19a61cd2115612882eab767

Download Submit
memory/1684-9-0x00007FF917CF0000-0x00007FF9187B2000-memory.dmp

Filesize
10.8MB

Download
memory/1684-6-0x00007FF917CF0000-0x00007FF9187B2000-memory.dmp

Filesize
10.8MB

Download
memory/1684-5-0x0000000000CE0000-0x0000000001004000-memory.dmp

Filesize
3.1MB

Download
memory/1684-4-0x00007FF917CF3000-0x00007FF917CF5000-memory.dmp

Filesize
8KB

Download
memory/2056-14-0x00000000030E0000-0x00000000030F2000-memory.dmp

Filesize
72KB

Download
memory/2056-16-0x000000001F180000-0x000000001F6A8000-memory.dmp

Filesize
5.2MB

Download
memory/2056-15-0x000000001BB10000-0x000000001BB4C000-memory.dmp

Filesize
240KB

Download
memory/2056-11-0x000000001CBA0000-0x000000001CC52000-memory.dmp

Filesize
712KB

Download
memory/2056-10-0x0000000002EF0000-0x0000000002F40000-memory.dmp

Filesize
320KB

Download