quasar | 435385b409d5a3b1868b6d25016b9deb9ae6dd488341a0ab7af6ba345be1b376

Analysis

max time kernel
135s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Size

844KB
MD5

98600590c6930d77cb2436917e666cb9
SHA1

e31ab0e597082ee1e415d0523a13b5d9175963c9
SHA256

435385b409d5a3b1868b6d25016b9deb9ae6dd488341a0ab7af6ba345be1b376
SHA512

55f3d5ebb77d2448bc961406967e2642dd720bba0d8278421cba27c8e3a18578f8ba85edb3a7072ed3032edd6f411225245ab9ff42cb85afd40b697d3e6af237
SSDEEP

12288:1l94NkE0XOHXzMidGXY4LzPkTOAO+u8ixFUibMcXVY+RWb/vu7ZxNRf9XB5b:XVE0SdGXY4n4O+KIIYm6ebNh9RN

Score

10^/10

quasar discovery execution spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 7 IoCs

resource	yara_rule
behavioral1/memory/2904-16-0x0000000000400000-0x000000000047A000-memory.dmp	family_quasar
behavioral1/memory/2904-18-0x0000000000400000-0x000000000047A000-memory.dmp	family_quasar
behavioral1/memory/2904-21-0x0000000000400000-0x000000000047A000-memory.dmp	family_quasar
behavioral1/memory/2904-26-0x0000000000400000-0x000000000047A000-memory.dmp	family_quasar
behavioral1/memory/2904-24-0x0000000000400000-0x000000000047A000-memory.dmp	family_quasar
behavioral1/memory/1192-57-0x0000000000400000-0x000000000047A000-memory.dmp	family_quasar
behavioral1/memory/1192-56-0x0000000000400000-0x000000000047A000-memory.dmp	family_quasar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1408	powershell.exe
1760	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2756 set thread context of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 344 set thread context of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2916	PING.EXE
688	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2916	PING.EXE
688	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
1408	powershell.exe
344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Token: SeDebugPrivilege	2904	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Token: SeDebugPrivilege	1192	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
1192	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2904	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
1192	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2104	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	31
PID 2756 wrote to memory of 2104	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	31
PID 2756 wrote to memory of 2104	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	31
PID 2756 wrote to memory of 2104	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	31
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2756 wrote to memory of 2904	2756	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	32
PID 2104 wrote to memory of 1408	2104	WScript.exe	33
PID 2104 wrote to memory of 1408	2104	WScript.exe	33
PID 2104 wrote to memory of 1408	2104	WScript.exe	33
PID 2104 wrote to memory of 1408	2104	WScript.exe	33
PID 2904 wrote to memory of 2896	2904	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	35
PID 2904 wrote to memory of 2896	2904	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	35
PID 2904 wrote to memory of 2896	2904	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	35
PID 2904 wrote to memory of 2896	2904	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	35
PID 2896 wrote to memory of 2892	2896	cmd.exe	37
PID 2896 wrote to memory of 2892	2896	cmd.exe	37
PID 2896 wrote to memory of 2892	2896	cmd.exe	37
PID 2896 wrote to memory of 2892	2896	cmd.exe	37
PID 2896 wrote to memory of 2916	2896	cmd.exe	38
PID 2896 wrote to memory of 2916	2896	cmd.exe	38
PID 2896 wrote to memory of 2916	2896	cmd.exe	38
PID 2896 wrote to memory of 2916	2896	cmd.exe	38
PID 2896 wrote to memory of 344	2896	cmd.exe	39
PID 2896 wrote to memory of 344	2896	cmd.exe	39
PID 2896 wrote to memory of 344	2896	cmd.exe	39
PID 2896 wrote to memory of 344	2896	cmd.exe	39
PID 344 wrote to memory of 1324	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	41
PID 344 wrote to memory of 1324	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	41
PID 344 wrote to memory of 1324	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	41
PID 344 wrote to memory of 1324	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	41
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 344 wrote to memory of 1192	344	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	42
PID 1324 wrote to memory of 1760	1324	WScript.exe	43
PID 1324 wrote to memory of 1760	1324	WScript.exe	43
PID 1324 wrote to memory of 1760	1324	WScript.exe	43
PID 1324 wrote to memory of 1760	1324	WScript.exe	43
PID 1192 wrote to memory of 1416	1192	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	45
PID 1192 wrote to memory of 1416	1192	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	45
PID 1192 wrote to memory of 1416	1192	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	45
PID 1192 wrote to memory of 1416	1192	JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe	45
PID 1416 wrote to memory of 1716	1416	cmd.exe	47
PID 1416 wrote to memory of 1716	1416	cmd.exe	47
PID 1416 wrote to memory of 1716	1416	cmd.exe	47
PID 1416 wrote to memory of 1716	1416	cmd.exe	47
PID 1416 wrote to memory of 688	1416	cmd.exe	48
PID 1416 wrote to memory of 688	1416	cmd.exe	48
PID 1416 wrote to memory of 688	1416	cmd.exe	48
PID 1416 wrote to memory of 688	1416	cmd.exe	48
PID 1416 wrote to memory of 1436	1416	cmd.exe	49
PID 1416 wrote to memory of 1436	1416	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Tahpdhij.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\xF6XUFcvnMkx.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 10 localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2916
  - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
      "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe"
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:344
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Tahpdhij.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\t33pKnvN6w34.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98600590c6930d77cb2436917e666cb9.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_Tahpdhij.vbs

Filesize
181B

MD5
f1502081d1172131e3d33d384d1adb56

SHA1
85e44eb1e8c5b2911f8d6fcd339d4b3079b61eb4

SHA256
e39b7fbb84070e09b663dde6fe11b1048eeeede75c5eb521af28530389cae0c4

SHA512
5b61adb8ba73ef00db17183c9d569f9eb20196d05946ae082bcbf21aaca483b76ca83fb108329f73150bf43108a9c970474037861bc12a09f3d998de8d4057f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\t33pKnvN6w34.bat

Filesize
243B

MD5
7d2c675f1b81750b9c32d8b35e778605

SHA1
83b49eb0aa71da3c0ccbaba0344511a25f8d1bc7

SHA256
cbb4d981e016ad968563ec4441a35dbf594f8223dee2c5ba3bf636a33971e1e0

SHA512
0bb97409c8d42488f500a3fc11febf12029e71724bf0dcf064ec00d92579c756d2286c8b5ebf4b0570c7b2d16b3e6d35282009900ae4ceef349016d7725ad22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xF6XUFcvnMkx.bat

Filesize
243B

MD5
43c836a3bbd1c28c493d3c76a3fe6cc7

SHA1
b925dbc0765408d2490e1d1e58436f16e67ca7a7

SHA256
72c6047b1aff1eb054cd5dd285c7b7159eec0feb7d9060301addc43bce7ac4da

SHA512
5d5e88c0072ba46580f659a709470cdc19ecbd57727edf2f4947e748b412537392e26606e6927b61f09dd8cad2e8753e1a009b6349acbe2f5e4e3053ec514740

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
43e8cd9086c9d0e8364dccde88a5e816

SHA1
258e32c1e710a1b686eb0b40bc897aa755a1fee9

SHA256
d82dc737cb53e200f9534ffecc71a25ef20ed03f9157a412a7ca20975e7ba11e

SHA512
a64e2fbfef64fb377bd727942ebe58867c078f843aa701bcbde9976c93718bc925b139cd0b78ca5edae9a024b3c78c47f92a827e6f525d6c90adf47cff9d7c32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR\WinRAR.exe

Filesize
844KB

MD5
98600590c6930d77cb2436917e666cb9

SHA1
e31ab0e597082ee1e415d0523a13b5d9175963c9

SHA256
435385b409d5a3b1868b6d25016b9deb9ae6dd488341a0ab7af6ba345be1b376

SHA512
55f3d5ebb77d2448bc961406967e2642dd720bba0d8278421cba27c8e3a18578f8ba85edb3a7072ed3032edd6f411225245ab9ff42cb85afd40b697d3e6af237

Download Submit
memory/344-39-0x0000000001070000-0x000000000114A000-memory.dmp

Filesize
872KB

Download
memory/1192-54-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1192-56-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1192-57-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1436-73-0x0000000000010000-0x00000000000EA000-memory.dmp

Filesize
872KB

Download
memory/2756-11-0x0000000000790000-0x00000000007D6000-memory.dmp

Filesize
280KB

Download
memory/2756-0-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2756-1-0x0000000000F90000-0x000000000106A000-memory.dmp

Filesize
872KB

Download
memory/2756-27-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-2-0x00000000748EE000-0x00000000748EF000-memory.dmp

Filesize
4KB

Download
memory/2756-3-0x0000000004CD0000-0x0000000004D8C000-memory.dmp

Filesize
752KB

Download
memory/2756-4-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2756-5-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/2904-24-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2904-12-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2904-16-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2904-14-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2904-18-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2904-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-21-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2904-26-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download