Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-12-2024 02:32

General

  • Target

    533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe

  • Size

    502KB

  • MD5

    a9c9735f6e34482c1cdd09e347a98787

  • SHA1

    6214e43cdc3fd17978955abf9c01a8d8c3ea791e

  • SHA256

    533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

  • SHA512

    084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

  • SSDEEP

    6144:sTEgdc0YeX1uRabMR0FdOWbYZTR9UbGzcEKVb8F9ywLlqlHcTR3t:sTEgdfYzRa9uza6FL4lHcdt

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Target

C2

127.0.0.1:6070

affasdqa.ddns.net:6070

haffasdqa.duckdns.org:6070

Mutex

670d21b7-71ed-4958-9ba7-a58fa54d8203

Attributes
  • encryption_key

    25B2622CE0635F9A273AB61B1B7D7B94220AC509

  • install_name

    svhoste.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    svhoste

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 7 IoCs
  • Executes dropped EXE 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe
    "C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2092
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2720
    • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2732
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\zvh9vyrPF3j2.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2636
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2644
          • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:1476
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\ElBujVtdE0cW.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1308
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1864
                • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1148
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1068
                  • C:\Windows\system32\cmd.exe
                    cmd /c ""C:\Users\Admin\AppData\Local\Temp\TX8pE5lSoOeb.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2344
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:1096
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • System Network Configuration Discovery: Internet Connection Discovery
                        • Runs ping.exe
                        PID:1944
                      • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                        "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:2188
                        • C:\Windows\system32\schtasks.exe
                          "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                          9⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:2232
                        • C:\Windows\system32\cmd.exe
                          cmd /c ""C:\Users\Admin\AppData\Local\Temp\qIsj0phW37qv.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2432
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1596
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • System Network Configuration Discovery: Internet Connection Discovery
                              • Runs ping.exe
                              PID:1132
                            • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                              "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of SetWindowsHookEx
                              PID:944
                              • C:\Windows\system32\schtasks.exe
                                "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                11⤵
                                • Scheduled Task/Job: Scheduled Task
                                PID:1752
                              • C:\Windows\system32\cmd.exe
                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMPVncMSh6HC.bat" "
                                11⤵
                                  PID:1676
                                  • C:\Windows\system32\chcp.com
                                    chcp 65001
                                    12⤵
                                      PID:1848
                                    • C:\Windows\system32\PING.EXE
                                      ping -n 10 localhost
                                      12⤵
                                      • System Network Configuration Discovery: Internet Connection Discovery
                                      • Runs ping.exe
                                      PID:608
                                    • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                      12⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2192
                                      • C:\Windows\system32\schtasks.exe
                                        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                        13⤵
                                        • Scheduled Task/Job: Scheduled Task
                                        PID:1268
                                      • C:\Windows\system32\cmd.exe
                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\mMtRQaY4sJ4j.bat" "
                                        13⤵
                                          PID:1548
                                          • C:\Windows\system32\chcp.com
                                            chcp 65001
                                            14⤵
                                              PID:2160
                                            • C:\Windows\system32\PING.EXE
                                              ping -n 10 localhost
                                              14⤵
                                              • System Network Configuration Discovery: Internet Connection Discovery
                                              • Runs ping.exe
                                              PID:572
                                            • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                              "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                              14⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1376
                                              • C:\Windows\system32\schtasks.exe
                                                "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                15⤵
                                                • Scheduled Task/Job: Scheduled Task
                                                PID:2904
                                              • C:\Windows\system32\cmd.exe
                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\Dhi2RRYXCLKl.bat" "
                                                15⤵
                                                  PID:2688
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    16⤵
                                                      PID:2648
                                                    • C:\Windows\system32\PING.EXE
                                                      ping -n 10 localhost
                                                      16⤵
                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                      • Runs ping.exe
                                                      PID:2612
                                                    • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                      16⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2692
                                                      • C:\Windows\system32\schtasks.exe
                                                        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                        17⤵
                                                        • Scheduled Task/Job: Scheduled Task
                                                        PID:2568
                                                      • C:\Windows\system32\cmd.exe
                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\eJYgjeMHE5Fe.bat" "
                                                        17⤵
                                                          PID:1048
                                                          • C:\Windows\system32\chcp.com
                                                            chcp 65001
                                                            18⤵
                                                              PID:3016
                                                            • C:\Windows\system32\PING.EXE
                                                              ping -n 10 localhost
                                                              18⤵
                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                              • Runs ping.exe
                                                              PID:2548
                                                            • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                              "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                              18⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2272
                                                              • C:\Windows\system32\schtasks.exe
                                                                "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                                19⤵
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:2628
                                                              • C:\Windows\system32\cmd.exe
                                                                cmd /c ""C:\Users\Admin\AppData\Local\Temp\YprSOotxXDqu.bat" "
                                                                19⤵
                                                                  PID:1644
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    20⤵
                                                                      PID:2668
                                                                    • C:\Windows\system32\PING.EXE
                                                                      ping -n 10 localhost
                                                                      20⤵
                                                                      • System Network Configuration Discovery: Internet Connection Discovery
                                                                      • Runs ping.exe
                                                                      PID:448
                                                                    • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                                      "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                                      20⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:2372
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                                        21⤵
                                                                        • Scheduled Task/Job: Scheduled Task
                                                                        PID:756
                                                                      • C:\Windows\system32\cmd.exe
                                                                        cmd /c ""C:\Users\Admin\AppData\Local\Temp\iFgxloxYEzeR.bat" "
                                                                        21⤵
                                                                          PID:1716
                                                                          • C:\Windows\system32\chcp.com
                                                                            chcp 65001
                                                                            22⤵
                                                                              PID:2388
                                                                            • C:\Windows\system32\PING.EXE
                                                                              ping -n 10 localhost
                                                                              22⤵
                                                                              • System Network Configuration Discovery: Internet Connection Discovery
                                                                              • Runs ping.exe
                                                                              PID:2208
                                                                            • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe
                                                                              "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe"
                                                                              22⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:1288
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                "schtasks" /create /tn "svhoste" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe" /rl HIGHEST /f
                                                                                23⤵
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2332

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\Dhi2RRYXCLKl.bat

                                    Filesize

                                    208B

                                    MD5

                                    ba0e4cec213c2fcfb54456287dc073a3

                                    SHA1

                                    7f098bd89f4aa650a1e7f019bd9adab09e228334

                                    SHA256

                                    31548f7e923e329e64cdd5c9f7d870f35b6194247f969dffcbde76a99ab59acc

                                    SHA512

                                    8ad103a2782456d1fc7407701756d3a1e778691b610fe0fbb8b081dacf188cc02a803a27379a14d7b8b2fd64abc5e35a7007d5eabbb8293598db4d0d6607b75c

                                  • C:\Users\Admin\AppData\Local\Temp\ElBujVtdE0cW.bat

                                    Filesize

                                    208B

                                    MD5

                                    798f2f502ec4223a71abd78878154221

                                    SHA1

                                    afc2b339e0cb3b781dedd9b4270326c7a9698b2f

                                    SHA256

                                    6e6bb006f7a00e9bb5b443dd5ba7808c7de67f4c8870874b73c10b63e597c043

                                    SHA512

                                    7c3c9a5798c4f0ce29027d611a394b6926d4a343090bac6f951c26f4f7e92b7bf53cfc0d4b0e25f69070abc08afbf419ef017a5bdd0a96045c93f1982256c2b0

                                  • C:\Users\Admin\AppData\Local\Temp\GMPVncMSh6HC.bat

                                    Filesize

                                    208B

                                    MD5

                                    24983eadbea5eed0938edfd7861e95bd

                                    SHA1

                                    7e7484eb95c6c15c275ef59cd301083e34c8f299

                                    SHA256

                                    9efc6b0728eba77253f175d2d2f88d621a4fd88f93e431e7866ea48820ecf75d

                                    SHA512

                                    6c602bd837d3d165415487995aced8bae01d7c545e343790da05ea274cbc4b18376dff860429cde5889d7f2fedb3985dc31ed67369765d8d2d9a6b0da12bdb2f

                                  • C:\Users\Admin\AppData\Local\Temp\TX8pE5lSoOeb.bat

                                    Filesize

                                    208B

                                    MD5

                                    74f1cb1abf263170874099ec75c20912

                                    SHA1

                                    1bf340ac4c795714f151940607ab1b2810f8b0a0

                                    SHA256

                                    2ef3eaf29aea3649535f9f01765519fafb93d402f487c3bbca52991de756dee4

                                    SHA512

                                    0f2751990c289aec9f7746466116115a122e8393f46c9ee0f79dbab708133ccb817c0254f8a3fff00d6b4b828c213d46fb23bc0bf9da59596ee758f566254671

                                  • C:\Users\Admin\AppData\Local\Temp\YprSOotxXDqu.bat

                                    Filesize

                                    208B

                                    MD5

                                    9bd772145903c27b8eea7855e076f33e

                                    SHA1

                                    0d0f8f2a41b24aa3f0c79b825ebb476f3e82665e

                                    SHA256

                                    c2c1bb23d497a9412b655f94e97c173f8fe276aae2ec05c3aa26e9cb3b6e54ec

                                    SHA512

                                    aa79f3ec0f3d07b26b4b37f5d108a8ec3433fd3bad1d4fb1f1c8ac5ed3c143e7710cc0280abca33ff9f604e8f3c40cbbd616010f5e1afc932562d8f63be02566

                                  • C:\Users\Admin\AppData\Local\Temp\eJYgjeMHE5Fe.bat

                                    Filesize

                                    208B

                                    MD5

                                    e1bb18cb17fffa623a3f5a23a95f68aa

                                    SHA1

                                    be7947fb91b3cfe8132f6fe94c4d37f81a945789

                                    SHA256

                                    ee2c3b90cca6f9209e3c7939a10db1daa5a7bf56442e689aa6f4802db2fad523

                                    SHA512

                                    fba02421868bf23f0d74995e140e9bd0e6988dda61e3b8682e6324ac0b57ad45394cb37c8294c053d41b4d46d2b75d4bf3321afdd43e0425bce01151cbdf1def

                                  • C:\Users\Admin\AppData\Local\Temp\iFgxloxYEzeR.bat

                                    Filesize

                                    208B

                                    MD5

                                    2f8730cbce04353dab3e55659d67f77c

                                    SHA1

                                    64feba6973513e9f688a3640d6f1270f3ed78a05

                                    SHA256

                                    832becd512860bb3a197e41321d19a13eef34fdd500343c76e6cfc6e0b9bbf23

                                    SHA512

                                    863f9b6047db1657cdcd5b8394e6a0502a9c168cfc90c2987710cffc5c7ab97f916b348f9f2224ad83871745c42609e29cd6281af79545b3bc97df10a879abbe

                                  • C:\Users\Admin\AppData\Local\Temp\mMtRQaY4sJ4j.bat

                                    Filesize

                                    208B

                                    MD5

                                    fe5491df0c0783111624d247ca4cc18a

                                    SHA1

                                    ebb088a7559d90cc635479a3b2dd1b6b7032770d

                                    SHA256

                                    6b3c86c5ebd9e75b48bd73f8147b2995bceb1f11953b4d666f4c21ee8319ee48

                                    SHA512

                                    e4c212da64fe22fde8493f8f4516110627b8fd08b2b5e02e9634319bbf0ba4eeee9b827556b30b7608e8e04e1cdcea320b05eec5277404fa2cfa250605d7353c

                                  • C:\Users\Admin\AppData\Local\Temp\qIsj0phW37qv.bat

                                    Filesize

                                    208B

                                    MD5

                                    2544fd663cedc1390b0545f0172a6739

                                    SHA1

                                    02c2f7f133704e6566207e031d6a2634f9b7fad4

                                    SHA256

                                    10204f5d79a8f13b5b5886c90e67e8fc5a5264e5f65cf0d69f62dc1b6c13fb43

                                    SHA512

                                    c17682358018f946f4a60b7625b67742a144d4fbf12e843a0dcf44fdcc97d8ca4b5bcfbb2742a172752cfe5351f8df10fa107e72b64c9cce8f63bd9d4a6a0b7d

                                  • C:\Users\Admin\AppData\Local\Temp\zvh9vyrPF3j2.bat

                                    Filesize

                                    208B

                                    MD5

                                    2e25975587bc2b93985dc83e38ab21a2

                                    SHA1

                                    0861fbee0fa16b71c82810d81315c1c539dadcc7

                                    SHA256

                                    1fb1005dbe018e62e09dec1a4b27e5fef64a68652d262b87ae85b9c3e624c915

                                    SHA512

                                    abe01e9d3938e21cdb94bb5d9fa530215fb8015b0a0b13d26ae6eba6002b395bf0823b4d676f30270b63f962dcce4d7862929b02faafc794348e4b6264f83e59

                                  • C:\Users\Admin\AppData\Roaming\SubDir\svhoste.exe

                                    Filesize

                                    502KB

                                    MD5

                                    a9c9735f6e34482c1cdd09e347a98787

                                    SHA1

                                    6214e43cdc3fd17978955abf9c01a8d8c3ea791e

                                    SHA256

                                    533d8476431fefd3f83fd39d66366277b2420a549cb01e9232f558b2617871fc

                                    SHA512

                                    084b40e683d88e8eda7a60047f1a640310455986629a63382b3b6ffa6a91f295b47963e2ba52115cb113f57f1f727f2adb98f910a9adca1596af242f266b4a50

                                  • memory/944-54-0x00000000000F0000-0x0000000000174000-memory.dmp

                                    Filesize

                                    528KB

                                  • memory/1148-33-0x0000000000A70000-0x0000000000AF4000-memory.dmp

                                    Filesize

                                    528KB

                                  • memory/2024-22-0x0000000000A10000-0x0000000000A94000-memory.dmp

                                    Filesize

                                    528KB

                                  • memory/2092-0-0x000007FEF6163000-0x000007FEF6164000-memory.dmp

                                    Filesize

                                    4KB

                                  • memory/2092-7-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

                                    Filesize

                                    9.9MB

                                  • memory/2092-2-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

                                    Filesize

                                    9.9MB

                                  • memory/2092-1-0x0000000000110000-0x0000000000194000-memory.dmp

                                    Filesize

                                    528KB

                                  • memory/2192-65-0x00000000012C0000-0x0000000001344000-memory.dmp

                                    Filesize

                                    528KB

                                  • memory/2852-19-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

                                    Filesize

                                    9.9MB

                                  • memory/2852-10-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

                                    Filesize

                                    9.9MB

                                  • memory/2852-8-0x00000000008B0000-0x0000000000934000-memory.dmp

                                    Filesize

                                    528KB

                                  • memory/2852-9-0x000007FEF6160000-0x000007FEF6B4C000-memory.dmp

                                    Filesize

                                    9.9MB