quasar | 8b39d5495b5ad64cb4f0a35024485f0e757e25a2e5c0eee0a671c0d125f87ec6

Analysis

max time kernel
142s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 05:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Size

348KB
MD5

cb52f7cdf8f075d4cee664dd8182279f
SHA1

7410934fda7cf600da5a309a466b4e3d6f73a504
SHA256

8b39d5495b5ad64cb4f0a35024485f0e757e25a2e5c0eee0a671c0d125f87ec6
SHA512

4d61f8b558b31fce2fc225b1d7751cdf2b7d914fe7ef1a6a3ca6c223d93d13b43147f462b4b2b0b1c4c2e0e38787c3693d2c085a33febaf0ea3a10f113ad0744
SSDEEP

3072:WZF9/SKX4/gIDdcD0+oS0JiIflpUvbNigdkJsnCr7qiafsPOy0krbNfh9v5UtfkF:WJ74/ghQS00WQvBEH3UybNvMkfl5

Score

10^/10

quasar qsr2 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

QSR2

qs.ouaswiqidghqawkers.xyz:4782

Mutex

OKd50o1ewKMMcmSiMW

Attributes

encryption_key
9tKro7Ph8XQSQdTATDlJ
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2236-3-0x00000000001F0000-0x000000000024E000-memory.dmp	family_quasar

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
6	ip-api.com
10	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2080	PING.EXE
2792	PING.EXE
1328	PING.EXE
1372	PING.EXE
1384	PING.EXE
2420	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
1372	PING.EXE
1384	PING.EXE
2420	PING.EXE
2080	PING.EXE
2792	PING.EXE
1328	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Token: SeDebugPrivilege	2868	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Token: SeDebugPrivilege	1916	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Token: SeDebugPrivilege	2152	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Token: SeDebugPrivilege	628	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
Token: SeDebugPrivilege	2972	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2304	2236	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	32
PID 2236 wrote to memory of 2304	2236	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	32
PID 2236 wrote to memory of 2304	2236	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	32
PID 2236 wrote to memory of 2304	2236	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	32
PID 2304 wrote to memory of 2776	2304	cmd.exe	34
PID 2304 wrote to memory of 2776	2304	cmd.exe	34
PID 2304 wrote to memory of 2776	2304	cmd.exe	34
PID 2304 wrote to memory of 2776	2304	cmd.exe	34
PID 2304 wrote to memory of 2792	2304	cmd.exe	35
PID 2304 wrote to memory of 2792	2304	cmd.exe	35
PID 2304 wrote to memory of 2792	2304	cmd.exe	35
PID 2304 wrote to memory of 2792	2304	cmd.exe	35
PID 2304 wrote to memory of 2868	2304	cmd.exe	36
PID 2304 wrote to memory of 2868	2304	cmd.exe	36
PID 2304 wrote to memory of 2868	2304	cmd.exe	36
PID 2304 wrote to memory of 2868	2304	cmd.exe	36
PID 2868 wrote to memory of 536	2868	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	37
PID 2868 wrote to memory of 536	2868	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	37
PID 2868 wrote to memory of 536	2868	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	37
PID 2868 wrote to memory of 536	2868	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	37
PID 536 wrote to memory of 1940	536	cmd.exe	39
PID 536 wrote to memory of 1940	536	cmd.exe	39
PID 536 wrote to memory of 1940	536	cmd.exe	39
PID 536 wrote to memory of 1940	536	cmd.exe	39
PID 536 wrote to memory of 1328	536	cmd.exe	40
PID 536 wrote to memory of 1328	536	cmd.exe	40
PID 536 wrote to memory of 1328	536	cmd.exe	40
PID 536 wrote to memory of 1328	536	cmd.exe	40
PID 536 wrote to memory of 1916	536	cmd.exe	41
PID 536 wrote to memory of 1916	536	cmd.exe	41
PID 536 wrote to memory of 1916	536	cmd.exe	41
PID 536 wrote to memory of 1916	536	cmd.exe	41
PID 1916 wrote to memory of 1148	1916	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	42
PID 1916 wrote to memory of 1148	1916	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	42
PID 1916 wrote to memory of 1148	1916	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	42
PID 1916 wrote to memory of 1148	1916	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	42
PID 1148 wrote to memory of 1432	1148	cmd.exe	44
PID 1148 wrote to memory of 1432	1148	cmd.exe	44
PID 1148 wrote to memory of 1432	1148	cmd.exe	44
PID 1148 wrote to memory of 1432	1148	cmd.exe	44
PID 1148 wrote to memory of 1372	1148	cmd.exe	45
PID 1148 wrote to memory of 1372	1148	cmd.exe	45
PID 1148 wrote to memory of 1372	1148	cmd.exe	45
PID 1148 wrote to memory of 1372	1148	cmd.exe	45
PID 1148 wrote to memory of 2152	1148	cmd.exe	46
PID 1148 wrote to memory of 2152	1148	cmd.exe	46
PID 1148 wrote to memory of 2152	1148	cmd.exe	46
PID 1148 wrote to memory of 2152	1148	cmd.exe	46
PID 2152 wrote to memory of 1296	2152	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	47
PID 2152 wrote to memory of 1296	2152	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	47
PID 2152 wrote to memory of 1296	2152	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	47
PID 2152 wrote to memory of 1296	2152	cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe	47
PID 1296 wrote to memory of 956	1296	cmd.exe	49
PID 1296 wrote to memory of 956	1296	cmd.exe	49
PID 1296 wrote to memory of 956	1296	cmd.exe	49
PID 1296 wrote to memory of 956	1296	cmd.exe	49
PID 1296 wrote to memory of 1384	1296	cmd.exe	50
PID 1296 wrote to memory of 1384	1296	cmd.exe	50
PID 1296 wrote to memory of 1384	1296	cmd.exe	50
PID 1296 wrote to memory of 1384	1296	cmd.exe	50
PID 1296 wrote to memory of 628	1296	cmd.exe	51
PID 1296 wrote to memory of 628	1296	cmd.exe	51
PID 1296 wrote to memory of 628	1296	cmd.exe	51
PID 1296 wrote to memory of 628	1296	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\aRepvzwYwTLy.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2776
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\nirsMKkAWosZ.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1328
    - - C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1916
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\alQrlOgBmb7m.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1432
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CDy8BuHs2oKn.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\CsqebcehxsEC.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\bFjI12MqMdbz.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cb52f7cdf8f075d4cee664dd8182279f_JaffaCakes118.exe"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CDy8BuHs2oKn.bat

Filesize
243B

MD5
ea0d7344058e41b56dd475fd33021a1b

SHA1
e6efa659f3d9fe16d20eeffe81ba836d771b56ed

SHA256
404ebfda18450f2676447a938987a518ed20ac7d836970ac5de1b0de855b24a8

SHA512
53225e42401e447f931b787c8015755d36481cb650b4e2589d4210d4da43a8d796fd5663ae8f09f30627f4a9d6756c227b6f7f63d740748ce99aa7d0d18e35b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsqebcehxsEC.bat

Filesize
243B

MD5
0a4406afed8cbffb5719e2d7321e8ff6

SHA1
398205a2593d6883f7d442f3bab0cef228cce2a5

SHA256
b4a611bccb4ea567e2b69db843f4f413a6d7468f2061393cbc776e66c73fbce1

SHA512
184d51a034f030e2f8f09402883c764e6a730788a441cb5fc9e62d030ec59ee2d87637bab257d2de6288f7e76f29d995771e6cf9d2bf2f3b171d9a99ec6655b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aRepvzwYwTLy.bat

Filesize
243B

MD5
042470b4a18b11931524c15c285a4b7b

SHA1
82f85208da2bd41327c94c6654c13bb3375ba079

SHA256
2f50a2d1894198694789dea0ee7604a1edf68ee1971fa431fbafd02c14c3eb69

SHA512
4d5ea1c36b4a67f64d87e82a1159a2f3adfaecf88f7d35bf149d9c41a0fa2da30a23925ce699ee3978a0ff5cb901383f1c62c868da89940cdd36f4776795b376

Download Submit
C:\Users\Admin\AppData\Local\Temp\alQrlOgBmb7m.bat

Filesize
243B

MD5
9cde75962b225c671713d16a67515537

SHA1
a1f54651efe0e1b2bb8ab78e6b4d54f66a24fa86

SHA256
1a09827276248343d3ed2cbb64d556b66bfaabef9a0d1c5bfbcdc2787579a58a

SHA512
40afb2aea877f55bfbf18e3f59ea3653233ae9a6411a6a8487aaee598059cd0673fb3ed03c04470ab080176434446c95322d05fca02a717a58a472b3b6f5a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\bFjI12MqMdbz.bat

Filesize
243B

MD5
2b4fd2863142b6f473b273568b6c4947

SHA1
1addd073b8df89f4e9c8e7e7e33528ba54ae8b31

SHA256
1c6a9737f398d5e12048b17ba867a54f470b97add53a220607f51a88da161bfb

SHA512
bd07c5ffa16325a1811f4d20e9b3b190de81954ebab1c6d4b3f20cbf37b93a2a121aee245f0e98331cf42e5d5bed1a935a0ef0ee92e86f82504f3b13ff18adf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nirsMKkAWosZ.bat

Filesize
243B

MD5
8e6e4e0205edccbbdd21628a3a890569

SHA1
9d66e40754e0ea66d4d30b219c97a8fc96dbac0d

SHA256
d8b8ea0a1995ce2bdff1f7d92c1d6a48366acedcf506fbce170e5a6fd60cb191

SHA512
7cbaf9ebbe53addd67a871db389ec8800477f354c561516334efbf44712731ab8a003e19c8b7ac43a40038c3685f9ffd56431fde55a1df74144d48d9bb3e123e

Download Submit
memory/628-45-0x0000000000D40000-0x0000000000D9C000-memory.dmp

Filesize
368KB

Download
memory/1428-65-0x00000000009F0000-0x0000000000A4C000-memory.dmp

Filesize
368KB

Download
memory/1916-25-0x0000000000ED0000-0x0000000000F2C000-memory.dmp

Filesize
368KB

Download
memory/2152-35-0x0000000000110000-0x000000000016C000-memory.dmp

Filesize
368KB

Download
memory/2236-14-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-0-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/2236-4-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/2236-3-0x00000000001F0000-0x000000000024E000-memory.dmp

Filesize
376KB

Download
memory/2236-2-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/2236-1-0x0000000001080000-0x00000000010DC000-memory.dmp

Filesize
368KB

Download
memory/2868-15-0x0000000000090000-0x00000000000EC000-memory.dmp

Filesize
368KB

Download
memory/2972-55-0x00000000001D0000-0x000000000022C000-memory.dmp

Filesize
368KB

Download