quasar | 5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/12/2024, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
Size

3.2MB
MD5

3dc1d39a2ebeb5dc85da7e8c3d6e3aaa
SHA1

4cfcddc23cc0949ca620474edef6c82a2c2280d3
SHA256

5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4
SHA512

77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a
SSDEEP

49152:tkvXI22SsaNYfdPBldt698dBcjHIGRJ6ybR3LoGdJTHHB72eh2NTC:OvY22SsaNYfdPBldt6+dBcjHIGRJ6sZ

Score

10^/10

quasar hacked-fud1 discovery evasion persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

hacked-fud1

192.168.100.10:1412

Mutex

a685d3ed-d174-40b7-9655-c2bfab3ed130

Attributes

encryption_key
2A5F3DAC380078962166175BD172DE2D4AA07E26
install_name
fud2.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Service
subdirectory
SubDir

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b97-7.dat	family_quasar
behavioral2/memory/4468-10-0x0000000000350000-0x0000000000674000-memory.dmp	family_quasar
behavioral2/files/0x000a000000023b98-21.dat	family_quasar

Executes dropped EXE 8 IoCs

pid	Process
4468	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
1260	icsys.icn.exe
32	fud2.exe
1020	explorer.exe
4416	spoolsv.exe
3108	explorer.exe
1284	svchost.exe
4196	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe
File created	C:\Windows\system32\SubDir\fud2.exe	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
File opened for modification	C:\Windows\system32\SubDir\fud2.exe	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fud2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
1260	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1020	explorer.exe
1284	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
1260	icsys.icn.exe
1260	icsys.icn.exe
32	fud2.exe
32	fud2.exe
1020	explorer.exe
1020	explorer.exe
4416	spoolsv.exe
4416	spoolsv.exe
3108	explorer.exe
3108	explorer.exe
1284	svchost.exe
1284	svchost.exe
4196	spoolsv.exe
4196	spoolsv.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4468	4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	82
PID 4264 wrote to memory of 4468	4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	82
PID 4468 wrote to memory of 2108	4468	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	83
PID 4468 wrote to memory of 2108	4468	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	83
PID 4264 wrote to memory of 1260	4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	85
PID 4264 wrote to memory of 1260	4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	85
PID 4264 wrote to memory of 1260	4264	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	85
PID 4468 wrote to memory of 32	4468	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	86
PID 4468 wrote to memory of 32	4468	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	86
PID 4468 wrote to memory of 32	4468	5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe	86
PID 1260 wrote to memory of 1020	1260	icsys.icn.exe	87
PID 1260 wrote to memory of 1020	1260	icsys.icn.exe	87
PID 1260 wrote to memory of 1020	1260	icsys.icn.exe	87
PID 1020 wrote to memory of 4416	1020	explorer.exe	88
PID 1020 wrote to memory of 4416	1020	explorer.exe	88
PID 1020 wrote to memory of 4416	1020	explorer.exe	88
PID 32 wrote to memory of 3108	32	fud2.exe	89
PID 32 wrote to memory of 3108	32	fud2.exe	89
PID 32 wrote to memory of 3108	32	fud2.exe	89
PID 4416 wrote to memory of 1284	4416	spoolsv.exe	90
PID 4416 wrote to memory of 1284	4416	spoolsv.exe	90
PID 4416 wrote to memory of 1284	4416	spoolsv.exe	90
PID 1284 wrote to memory of 4196	1284	svchost.exe	91
PID 1284 wrote to memory of 4196	1284	svchost.exe	91
PID 1284 wrote to memory of 4196	1284	svchost.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
"C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264
- \??\c:\users\admin\appdata\local\temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
  c:\users\admin\appdata\local\temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Microsoft Service" /sc ONLOGON /tr "C:\Windows\system32\SubDir\fud2.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2108
- - C:\Windows\system32\SubDir\fud2.exe
    "C:\Windows\system32\SubDir\fud2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:32
  - - \??\c:\windows\resources\themes\explorer.exe
      c:\windows\resources\themes\explorer.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3108
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1260
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4416
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4.exe

Filesize
3.1MB

MD5
f2fde7b36d929112d10c35f88597e643

SHA1
ecfb40c3f75cbabf3787d7cc466f4ab3e0bfb59a

SHA256
2a1b24e284eb329bcac58cfe90ef04e390aef10f4c0cc4eddf6077d113e5e591

SHA512
99dda7073d391e3ada814df8bad4f3e817adb2d274e005cedcf378d2031a3695ddd8afeecfa8ceacf9569f400b08f1dc357d4d90d72b9ba0372f267668f399df

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
be6a948cee3d2ad35e246fca7d9d9937

SHA1
553b33fbaa73d71a13fdb8900171fb1f0dcc1de7

SHA256
92b1088df4de47f88b0cf3f73d961de13d0c7e307a4db07a9067cd0ce3441264

SHA512
05a09a2f447751898f72c08b93457a8a182cc5be2ec7711f87ac71a61855335836406f4970c8b50ad7aa7a13099cf0b74156ee74efd9ea2f4a9c7ce28689a3d0

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
dba332c1832b99f7c7d078a0082874ed

SHA1
f339233684c867e70ec06f09cae6f938ba7f6dd0

SHA256
d14ca80e7ae57bfa56b7614372feb89b5c35397451dd2c38156558b3a577c397

SHA512
410746bd8242436f4c8ea8700f9e4dd93270aab3dd494e539b877fcbefc76a5e9111e4de720ba3daeb21722ce568adffa347407b798fc8e87e8fa8b5b7b42482

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
315558f2466c66af0fe4b4e58a0415db

SHA1
1d48fa871a55da9fc78e9f9198a3bb13b932ea1a

SHA256
e540e66d7e47e456dbe0ebe9e4eac7ebf8bb2ffa8e20ffbad414e8d4c01f7800

SHA512
50e8348eb1a364b5b8d439b5220304ce5f3438ae1249eb1400bc6cc7bb380b08c9f575e317ed205dd7902680692ec4d91bd37c4cd57d699ccda9d7453bccee32

Download Submit
C:\Windows\System32\SubDir\fud2.exe

Filesize
3.2MB

MD5
3dc1d39a2ebeb5dc85da7e8c3d6e3aaa

SHA1
4cfcddc23cc0949ca620474edef6c82a2c2280d3

SHA256
5ee53e7e25a03aff5a92dd99804ecc38795f7513437e82be670b9e0b61a98ea4

SHA512
77dfdb50b408c3e88a18b0aae3eac9e2001f6041b406aef2d298e35cf49b51d921afeb5526930a44dc4e12294cd31c3f9fed74871c8bb0e9989e6a912131a65a

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
d29573cbf2a0fa4ee58564f2a36aea8c

SHA1
85daa52ba6cc4fea125a4ae0255964ffdc933e7c

SHA256
39496ffe3a4f6bf9f35e12fa06db0511bd0db095cdf1af6f23f2718535f14299

SHA512
5c0a6378cf8e5b383708b11541c1983908bc1ea784ce38581114e383a545dc229c598c4b0b83404c2ea22d60115b766060db773d68f14480848fd7304cd9cabb

Download Submit
memory/32-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-16-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-68-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3108-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4196-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4416-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4416-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4468-11-0x00007FF868440000-0x00007FF868F01000-memory.dmp

Filesize
10.8MB

Download
memory/4468-66-0x00007FF868440000-0x00007FF868F01000-memory.dmp

Filesize
10.8MB

Download
memory/4468-10-0x0000000000350000-0x0000000000674000-memory.dmp

Filesize
3.1MB

Download
memory/4468-9-0x00007FF868443000-0x00007FF868445000-memory.dmp

Filesize
8KB

Download