Overview

overview

10

Static

static

3

2e28406397...7N.exe

windows7-x64

7

2e28406397...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    112s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 06:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2e284063972d9c16b37eba5bf7503f6a79aab6dbc3f26b60627302be448f3897N.exe

  • Size

    6.0MB

  • MD5

    6b8c0e3bab587b028a11ef1aacc32b90

  • SHA1

    4c64932f679115a04005996fe7fec25984952cfb

  • SHA256

    2e284063972d9c16b37eba5bf7503f6a79aab6dbc3f26b60627302be448f3897

  • SHA512

    1e51f5f8262cabce43cd8176fdcfe78e4c796a2d840f3c6be93af559b8c8572a2496049ced6da0d76a7657d950e63b7c08bdf7254ef07ebd9f688825ad7beeb2

  • SSDEEP

    98304:zssvcXkkICDN8PEIvec1K88905+bUs9BAMgFhwvjEt88HoMyj6u2WRJtvT:tvc0khx8PScrkVjhgFhJ4Ksj

Score
10/10
quasarblackmagic design davincidiscoveryexecutionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Blackmagic Design DaVinci

C2

craftsgamer.4cloud.click:1985

Mutex

uGm7g3absZJuT8qYO2

Attributes
  • encryption_key

    wiNbJAVdnQikiC3Y0wx7

  • install_name

    Client.exe

  • log_directory

    18HD

  • reconnect_delay

    10000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Embeds OpenSSL 1 IoCs

    Embeds OpenSSL, may be used to circumvent TLS interception.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2e284063972d9c16b37eba5bf7503f6a79aab6dbc3f26b60627302be448f3897N.exe
    "C:\Users\Admin\AppData\Local\Temp\2e284063972d9c16b37eba5bf7503f6a79aab6dbc3f26b60627302be448f3897N.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3364
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup DVREMU2 Manager v1.0.0.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup DVREMU2 Manager v1.0.0.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1432
      • C:\Users\Admin\AppData\Local\Temp\is-AM4EU.tmp\Setup DVREMU2 Manager v1.0.0.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-AM4EU.tmp\Setup DVREMU2 Manager v1.0.0.tmp" /SL5="$6023A,7881415,121344,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup DVREMU2 Manager v1.0.0.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1616
        • C:\Windows\SysWOW64\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\TEAM R2R\DVREMU2 Manager\Readme.txt
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2760
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resolveserves.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resolveserves.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2800
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" Powercfg /x -standby-timeout-ac 0
          4⤵
          • Power Settings
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2780
          • C:\Windows\SysWOW64\powercfg.exe
            "C:\Windows\system32\powercfg.exe" /x -standby-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:3476
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" powercfg /x -monitor-timeout-ac 0
          4⤵
          • Power Settings
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3340
          • C:\Windows\SysWOW64\powercfg.exe
            "C:\Windows\system32\powercfg.exe" /x -monitor-timeout-ac 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1704
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" powercfg /x -monitor-timeout-dc 0
          4⤵
          • Power Settings
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:5076
          • C:\Windows\SysWOW64\powercfg.exe
            "C:\Windows\system32\powercfg.exe" /x -monitor-timeout-dc 0
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:5116
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "powershell" powercfg /SETDCVALUEINDEX SCHEME_CURRENT 238C9FA8-0AAD-41ED-83F4-97BE242C8F20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 000
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Power Settings
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1424
          • C:\Windows\SysWOW64\powercfg.exe
            "C:\Windows\system32\powercfg.exe" /SETDCVALUEINDEX SCHEME_CURRENT 238C9FA8-0AAD-41ED-83F4-97BE242C8F20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 000
            5⤵
            • Power Settings
            • Suspicious use of AdjustPrivilegeToken
            PID:1540

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\TEAM R2R\DVREMU2 Manager\DVREMU2MAN.exe
    Filesize

    102KB

    MD5

    2a052d9b7bdd115e24b7bc4b8475edce

    SHA1

    2018370cf1cb6e8fdefab2444c086bc98a39e99a

    SHA256

    2083beb78b4ceba4a8fe819ed2307b4c0a22622f32caea60fcea7de0bcbd76b8

    SHA512

    85eab43585c93fcd2456593beca8664f74c22203baab67aac284cf34220be109aa4a7e71da795617d39d7f4a09c68e8452901be3f277a5f73f96661e64812348

    Download Submit

  • C:\Program Files\TEAM R2R\DVREMU2 Manager\Readme.txt
    Filesize

    2KB

    MD5

    0de76ea95b6ecf3866d834fa1b078018

    SHA1

    69848f81de145ee8f2c5466aa87e6b7278018da7

    SHA256

    632e2772f9536a30dda7e1f61f267ccec1aac7dd5f568260377c0573570a32a8

    SHA512

    1c10ae889dbdad83b9bc135d2c1adc6de988d502624c2a3cf3cc08639bc3f07959a5ccecf4c5dd1a8e1f1581457ebe11a03b06493bc59052d54d967c104e6f6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    33b19d75aa77114216dbc23f43b195e3

    SHA1

    36a6c3975e619e0c5232aa4f5b7dc1fec9525535

    SHA256

    b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

    SHA512

    676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    bb4f688fdfd304290aaf3b8141c9ff9d

    SHA1

    d7508150d50ef12fef33b23ec4e903fd9e94fef9

    SHA256

    dab38b0209832dabb032e12e2e86cd597a62d0696b80a1cc8f7a943155f2ed03

    SHA512

    7842afa7edb76629997fc7a616f60273e035bcbe9fa8d7395d9a871db885dd321049c0d47fd3e6ec4bce7c5dadaca9183bc17652381d27a8fae7b5c7c4c8d9db

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    0af3fd0fe030db5e230723981bcf7d67

    SHA1

    ead6b2f9210577a77cf218dff517b8d1ef98320e

    SHA256

    0e827d0808fc2b798d4c35f298e532c851c9184de6798fd0371b7c4009f45680

    SHA512

    44441cf8e4b816b5f576ac5e4a92b62ea13c98c6d66687f18b0b46d8dc0693ef1b2862e560124a4cfe7c0d00329ac2f05123093863f9c949481984546a0ac855

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    11KB

    MD5

    8ef2a8ea5c4a3ac0736ccb3097af9e2f

    SHA1

    824ef0ba92650b9a1fa847521298f6378ab3a704

    SHA256

    7507aacf1b9ccff9187f50c9c0d49af3b32742735ccd898779167bf3b446ffab

    SHA512

    e1485aeaadb81ca93d3c4b65e9d4a08aee144d057da60b1b9e8cd5f538bee8992e262449a3b138027f19246a815c8667cee70b8b73ae78f69687ae73a32825a7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Resolveserves.exe
    Filesize

    1.5MB

    MD5

    16ef27011883d9e9f9ae7e7a871e25be

    SHA1

    7f579bada6cb595102dbfb260f0921d46389d697

    SHA256

    6566264df2eed3e76803f4ec9e494a928fda85efe00b8b0a83702fa244fb0a26

    SHA512

    13529f1b13c10a2539a31d7d4df1060d6ff173c34ca7a508f7bf8e8167158509a3dd730e2ea388eff7cbcd99c7fb23a6361818cbb63beafa471e45bcbae9d8ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup DVREMU2 Manager v1.0.0.exe
    Filesize

    7.9MB

    MD5

    712694288f0a36efead1b9ba8b4c0ab0

    SHA1

    543a71e15c14cb6a080f16aea554ec2f5257d6c7

    SHA256

    8d31d34083335dc0cc3c76bd5f418846e8f4daad5a437cefd8e47df332401b08

    SHA512

    aa73c45724196a4e7b171c403c69b7c84fbe2550e245a6bc8c0c24d4b9f474e5d0d6aef0cbe7aa7d916630c2245161066516055c9567959f01baed093f4c7b65

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Torchtray.dll
    Filesize

    2.7MB

    MD5

    7b27ce839ce147f86c63f0ae10b0ee27

    SHA1

    88f8a898aaf9f6d1ddd33ecb86a9e6b9f5f9d74f

    SHA256

    a2b6c9520fc290f3ac3b170743d06c9131f84d5e448b0c3573638507b1b626ec

    SHA512

    36e024db17ba61d091393bbcdd6a3653d11a89bc702273cc1003a53e3690d60eaeb6421038ba214ac5dc19e2769f37e4831ec4ec9273d14ad15555fb0726b144

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\concrt140e.dll
    Filesize

    356KB

    MD5

    65e470fce7f5a938dabdc824f4a9756d

    SHA1

    da02412280511f8b5ec6978c24c3db9c91af1bc1

    SHA256

    aaea7473d3ab2ec37443981bd9e718cb74cae5d974ce02719aaf02dc3e041633

    SHA512

    13c98751fcd81c346fcdaf7805e58eaaa21fab487c67bd932d103b9513287d29b2f6e7686a3e317d4cb38fde5df18ff9718126744b74b01d180f4ffac803c4f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\libcrypto-1_1.dll
    Filesize

    3.3MB

    MD5

    f05c15601460b252257ba78b9dea914b

    SHA1

    4b493b2f12365d93657e391fb856012a78ca2da9

    SHA256

    716074e646072e9f3313c7bde7dd931eeac49109b2492e97cbf6438a3f9a9605

    SHA512

    a1409d8149a48301de95df8e500a185ea5fff8f56ad5d64ab161353d536fda36b44a6904846306628268fd571524f8b804da5a55f3775ce73758563e9df346b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\libgcc_s_seh-1.dll
    Filesize

    93KB

    MD5

    9de67adc52e42f99ec6e8e2efb6c416f

    SHA1

    1586fdb1979736e82b96d183d7fee15a53b32226

    SHA256

    f34e2fb573e1eac888496799de3a391e4f5162e250cf4fd93ebab28da4b3b6d8

    SHA512

    2bcc06144cbf682da67573f62c922c9ac4bb15e617a836645e73e059f9a26f4ee03b162ba4c3b655d1911c28493435294928a55af4edfa3e81bdbef2ee4103b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\libstdc++-6.dll
    Filesize

    983KB

    MD5

    e19223a1728e37265938696b99a2f740

    SHA1

    d0607aa523de5f562c889734c64dd533baacd37b

    SHA256

    d1d0c1899eb497f8a3d3d2e7b7096ed85176d1cf96f651f24bad0a762a194e90

    SHA512

    555b102c79be2ff55843eb8d1a36c4260145625f5e471ff0e7d0c3f6987773917a949e32b4cb94dbfb8a66c7bf56420f331a791dfe75ed2c3e0675277fa4c94c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\libwinpthread-1.dll
    Filesize

    2.0MB

    MD5

    d28fdc37f8ad7a79326752c5cd8ffa0c

    SHA1

    23956581ba8055419300ebe46daaaedf46ca0bfa

    SHA256

    7ca8142b91c84285116f8d57f57d9f6d9b06e96c933d5f0fb8f3b2180363ffb8

    SHA512

    eacd56b203483e8e0ad6b026df035811a7f104c788a33835a35709fc3e541e960226399cef60793a0113461f86b6cd87e367023f27f688608b83e93383e2b6a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
    Filesize

    108KB

    MD5

    2ca046334d99e58d4dc7ab599860ef74

    SHA1

    01cd5d941c51e7ffc06bf1c61f2d1b7afa843a75

    SHA256

    b1a97356c021370b9cf5ca4565ddce4fbac39f6baaa6b896801b08f25521e92a

    SHA512

    8e00d291cad68d20f4a9a1027363d5e489334a6c4f00598605368e94ed6784cca079938f7b01fdde7eeab5ebbd22d00d3ba5588dcba84f735e2ff24020ec2afe

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll
    Filesize

    49KB

    MD5

    9e7e2a9bded531cbceb445291a51360a

    SHA1

    394d41d48875f4bb8d0c9ba6095d668bd24d3028

    SHA256

    e0f826dc704e75d9f60dba248365975122c365d30048d66d3a14fc9963e13042

    SHA512

    16978f9947edb65dbc0bcc1d444d9197639b0e0ca8835c2fc3a2a4f37eb2340d436eb6e6e139942e3a89a31f8870ed9471797ad663ccae80782ae76975f49c4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ucgcgob0.1uv.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-26GJ0.tmp\ISSKINU.DLL
    Filesize

    357KB

    MD5

    f30afccd6fafc1cad4567ada824c9358

    SHA1

    60a65b72f208563f90fba0da6af013a36707caa9

    SHA256

    e28d16fad16bca8198c47d7dd44acfd362dd6ba1654f700add8aaf2c0732622d

    SHA512

    59b199085ed4b59ef2b385a09d0901ff2efde7b344db1e900684a425fc2df8e2010ca73d2f2bffa547040cb1dd4c8938b175c463ccc5e39a840a19f9aa301a6c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-26GJ0.tmp\R2RINNO.dll
    Filesize

    4KB

    MD5

    5df8ada84a16f5dfc24096ef90a5ce3a

    SHA1

    5e7e9c68119c3a0a1afc92c60674bc8714492823

    SHA256

    48a9c8c332fde541b571d9d522d0e37834b452f55af8cbdc341b12222e78fb5b

    SHA512

    661b5219c74dd6e3a8e899a1b1a3002689d148e337d7323a174519366c9548c284ee76e2faa2f9600cd483db21093ee62399f0d7403c39523c654266760191c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-26GJ0.tmp\SKIN.CJSTYLES
    Filesize

    813KB

    MD5

    5f87caf3f7cf63dde8e6af53bdf31289

    SHA1

    a2c3cc3d9d831acd797155b667db59a32000d7a8

    SHA256

    4731982b02b067d3f5a5a7518279a9265a49fb0f7b3f8dc3d61b82a5359d4940

    SHA512

    4875298d82037ef1fff1ee3c58a9059d8480274326c862729fcc56664ecb49e2692c3838948c66dc8336e4050469d831cbf1fbd79b66565ab673d2a67765109d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-AM4EU.tmp\Setup DVREMU2 Manager v1.0.0.tmp
    Filesize

    1.1MB

    MD5

    34acc2bdb45a9c436181426828c4cb49

    SHA1

    5adaa1ac822e6128b8d4b59a54d19901880452ae

    SHA256

    9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

    SHA512

    134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

    Download Submit

  • memory/1432-29-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1432-32-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1616-97-0x0000000075070000-0x00000000750E4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1616-56-0x0000000075B00000-0x0000000075B7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1616-98-0x0000000073190000-0x00000000732B2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1616-100-0x0000000077150000-0x000000007722C000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1616-95-0x00000000759A0000-0x0000000075A4F000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1616-94-0x00000000753E0000-0x0000000075993000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1616-93-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-92-0x0000000073190000-0x00000000732B2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1616-91-0x0000000075070000-0x00000000750E4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1616-90-0x00000000765C0000-0x00000000765E5000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1616-89-0x0000000074D30000-0x0000000074F40000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1616-88-0x00000000759A0000-0x0000000075A4F000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1616-87-0x00000000753E0000-0x0000000075993000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1616-86-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-85-0x0000000073190000-0x00000000732B2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1616-84-0x0000000075070000-0x00000000750E4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1616-83-0x0000000074D30000-0x0000000074F40000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1616-82-0x00000000759A0000-0x0000000075A4F000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1616-81-0x00000000753E0000-0x0000000075993000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1616-80-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-76-0x00000000759A0000-0x0000000075A4F000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1616-75-0x00000000753E0000-0x0000000075993000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1616-110-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-107-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-71-0x0000000073190000-0x00000000732B2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1616-70-0x0000000074D30000-0x0000000074F40000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1616-96-0x0000000074D30000-0x0000000074F40000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1616-69-0x00000000759A0000-0x0000000075A4F000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1616-68-0x00000000753E0000-0x0000000075993000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1616-79-0x0000000073190000-0x00000000732B2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1616-78-0x0000000075070000-0x00000000750E4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1616-77-0x0000000074D30000-0x0000000074F40000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1616-72-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-67-0x0000000076EE0000-0x0000000076FC3000-memory.dmp

    Filesize

    908KB

    Download

  • memory/1616-64-0x00000000765C0000-0x00000000765E5000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1616-63-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-62-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-61-0x0000000073330000-0x0000000073360000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1616-60-0x00000000765C0000-0x00000000765E5000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1616-59-0x0000000075B00000-0x0000000075B7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1616-58-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-99-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-55-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-53-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-52-0x0000000075B00000-0x0000000075B7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1616-50-0x0000000075B00000-0x0000000075B7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1616-54-0x0000000075B00000-0x0000000075B7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1616-188-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1616-101-0x0000000076EE0000-0x0000000076FC3000-memory.dmp

    Filesize

    908KB

    Download

  • memory/1616-102-0x00000000753E0000-0x0000000075993000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1616-365-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1616-103-0x00000000759A0000-0x0000000075A4F000-memory.dmp

    Filesize

    700KB

    Download

  • memory/1616-104-0x0000000074D30000-0x0000000074F40000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1616-105-0x0000000075070000-0x00000000750E4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1616-106-0x0000000073190000-0x00000000732B2000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1616-109-0x0000000074D30000-0x0000000074F40000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/1616-108-0x00000000753E0000-0x0000000075993000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1616-74-0x0000000076EE0000-0x0000000076FC3000-memory.dmp

    Filesize

    908KB

    Download

  • memory/1616-73-0x0000000077150000-0x000000007722C000-memory.dmp

    Filesize

    880KB

    Download

  • memory/1616-65-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-36-0x0000000000400000-0x000000000052E000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1616-44-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-51-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/1616-57-0x00000000765C0000-0x00000000765E5000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1616-66-0x0000000010000000-0x0000000010061000-memory.dmp

    Filesize

    388KB

    Download

  • memory/2780-404-0x00000000057D0000-0x00000000057F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2780-405-0x0000000005970000-0x00000000059D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2780-406-0x00000000059E0000-0x0000000005A46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2780-403-0x0000000005160000-0x0000000005788000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2780-416-0x0000000005A50000-0x0000000005DA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2780-417-0x0000000006030000-0x000000000604E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2780-418-0x0000000006070000-0x00000000060BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2780-402-0x0000000004A90000-0x0000000004AC6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2800-396-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

    Download

  • memory/2800-398-0x00000000053B0000-0x0000000005442000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2800-397-0x0000000005810000-0x0000000005DB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2800-457-0x0000000006200000-0x0000000006212000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2800-458-0x00000000068E0000-0x000000000691C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2800-460-0x0000000006BD0000-0x0000000006BDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3340-433-0x0000000006C40000-0x0000000006C8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3340-431-0x0000000005EF0000-0x0000000006244000-memory.dmp

    Filesize

    3.3MB

    Download