quasar | 1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6

Analysis

max time kernel
120s
max time network
34s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/01/2025, 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
Size

349KB
MD5

dabfb0447a6890da9fe713ac91062340
SHA1

fd57dd243e2a0ef131433eb433c9f007bed44a90
SHA256

1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6
SHA512

87d156130e4aecb2fc163ebc2784674c11fc0941e794655031b0c4261d2f602665863972989ac55485c097cf475c5f4801ef618cf0fe5cab284411fd708d1066
SSDEEP

6144:UsLqdufVUNDaq5/uqlCWuXecmE4b3eJRB/W:PFUNDa0uqlCWXcmEAeJRBW

Score

10^/10

quasar new world discovery evasion persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

New World

x75tjpwatl2uyunijiq6jwqhlar3j5fkpi5optv7tfreijbpylwnnbqd.onion:8880

Mutex

QSR_MUTEX_d2kuBEHahLdNktTZE5

Attributes

encryption_key
gAMhb8JSxFP4DNFkynoe
install_name
Java.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java
subdirectory
Java

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000186ea-6.dat	family_quasar
behavioral1/memory/2716-12-0x00000000003B0000-0x00000000003EC000-memory.dmp	family_quasar

Executes dropped EXE 6 IoCs

pid	Process
2716	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe
2700	icsys.icn.exe
2872	explorer.exe
2748	spoolsv.exe
2596	svchost.exe
2112	spoolsv.exe

Loads dropped DLL 11 IoCs

pid	Process
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2700	icsys.icn.exe
2872	explorer.exe
2748	spoolsv.exe
2596	svchost.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2972	2716	WerFault.exe	31

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1772	schtasks.exe
3032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2872	explorer.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe
2596	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2596	svchost.exe
2872	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
2700	icsys.icn.exe
2700	icsys.icn.exe
2872	explorer.exe
2872	explorer.exe
2748	spoolsv.exe
2748	spoolsv.exe
2596	svchost.exe
2596	svchost.exe
2112	spoolsv.exe
2112	spoolsv.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2716	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	31
PID 2412 wrote to memory of 2716	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	31
PID 2412 wrote to memory of 2716	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	31
PID 2412 wrote to memory of 2716	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	31
PID 2412 wrote to memory of 2700	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	32
PID 2412 wrote to memory of 2700	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	32
PID 2412 wrote to memory of 2700	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	32
PID 2412 wrote to memory of 2700	2412	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe	32
PID 2700 wrote to memory of 2872	2700	icsys.icn.exe	33
PID 2700 wrote to memory of 2872	2700	icsys.icn.exe	33
PID 2700 wrote to memory of 2872	2700	icsys.icn.exe	33
PID 2700 wrote to memory of 2872	2700	icsys.icn.exe	33
PID 2872 wrote to memory of 2748	2872	explorer.exe	34
PID 2872 wrote to memory of 2748	2872	explorer.exe	34
PID 2872 wrote to memory of 2748	2872	explorer.exe	34
PID 2872 wrote to memory of 2748	2872	explorer.exe	34
PID 2748 wrote to memory of 2596	2748	spoolsv.exe	35
PID 2748 wrote to memory of 2596	2748	spoolsv.exe	35
PID 2748 wrote to memory of 2596	2748	spoolsv.exe	35
PID 2748 wrote to memory of 2596	2748	spoolsv.exe	35
PID 2596 wrote to memory of 2112	2596	svchost.exe	36
PID 2596 wrote to memory of 2112	2596	svchost.exe	36
PID 2596 wrote to memory of 2112	2596	svchost.exe	36
PID 2596 wrote to memory of 2112	2596	svchost.exe	36
PID 2872 wrote to memory of 2772	2872	explorer.exe	37
PID 2872 wrote to memory of 2772	2872	explorer.exe	37
PID 2872 wrote to memory of 2772	2872	explorer.exe	37
PID 2872 wrote to memory of 2772	2872	explorer.exe	37
PID 2596 wrote to memory of 1772	2596	svchost.exe	38
PID 2596 wrote to memory of 1772	2596	svchost.exe	38
PID 2596 wrote to memory of 1772	2596	svchost.exe	38
PID 2596 wrote to memory of 1772	2596	svchost.exe	38
PID 2716 wrote to memory of 2972	2716	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe	41
PID 2716 wrote to memory of 2972	2716	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe	41
PID 2716 wrote to memory of 2972	2716	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe	41
PID 2716 wrote to memory of 2972	2716	1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe	41
PID 2596 wrote to memory of 3032	2596	svchost.exe	42
PID 2596 wrote to memory of 3032	2596	svchost.exe	42
PID 2596 wrote to memory of 3032	2596	svchost.exe	42
PID 2596 wrote to memory of 3032	2596	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe
"C:\Users\Admin\AppData\Local\Temp\1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6N.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- \??\c:\users\admin\appdata\local\temp\1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe
  c:\users\admin\appdata\local\temp\1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1084
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2972
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2748
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2112
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:28 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1772
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:29 /f
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
  - - C:\Windows\Explorer.exe
      C:\Windows\Explorer.exe
      4⤵
      PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
657a4193aea8f71ab6845ad1e99f95f1

SHA1
b5c2b49e04edb0a0dc9b88d432365d0c057fbd41

SHA256
eb5abdfb067dcc6cfcd2448347d40c6203065d32fcf2978ca2bcee2dc290b9ad

SHA512
7a72d728cb8fcd2614436b72d0416a0144f764c47dcbcfd19dc5af10ea5bb88e2e4d9219e46fefbca07dcc3952832c9ed7cd47edfa67384e159ba2bc134c3e56

Download Submit
\Users\Admin\AppData\Local\Temp\1f40225b21f035d11c1d21b13e51fcc1be6be091825cf876977fe63ee51ff5e6n.exe

Filesize
214KB

MD5
862d9a823ae99b9181b749ae66198bca

SHA1
b89eaa81779e4c7f6109cd67ad69fc8a99ce7f16

SHA256
af74be686e4636701f86e56d1129cdacdda93b863bb45ab491237d093b8101bf

SHA512
d80bd737a4af4d07b104551bf1c91cedc91cfb463b8af2ae78b0aac6e75862a4dd31cd2de37daa0e4d5857e785987f43e994f0623286adfbe61e656274207507

Download Submit
\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d8dc406bf8d197c04dcff330056f8973

SHA1
f8cc9cd479fd010721862839c7ea52914f1fbf93

SHA256
9ef8896115ec433657a4943b7f839d9828d27af7c7772ec60f2f764b6974a0c8

SHA512
ca039a49da2b7c173f9eebde5dbb64ba340557eea5c50a2b8c5338d8251c999d4d965244be450e4a7898792539d9bb65c8cb37ae75cdf287c0fbc822804fc9cd

Download Submit
\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
defe9ad9a44e723296072a005c0cd785

SHA1
6b2d16ac5e35ac16e2822f85e49555ec8d8f2b2b

SHA256
4a7f921363132127615eaafdc602e94f30e15bc20e3bc7a1c21b9bafa1acb4df

SHA512
85bee358ddee89eb930c994e41f4f70abd8e7f3dcfadd5f8e78545fa50af15f9f12d5f8926cbb2fcf4cda09ec2ce3b3fc4074e664f64f0591e09da6fa0ab0fa2

Download Submit
\Windows\Resources\svchost.exe

Filesize
135KB

MD5
ff2840898642b65dc493b7bb5a23cfa9

SHA1
5a014664d9cd349171d857a846c8c601af884583

SHA256
a91fe8293b56afcc5b251ee93db947651248ce185a4700073aebba69da3e52f4

SHA512
c2b31533931a18a636d95211a2105119287ddf18e66d0ae864a787afb3e6c5d675dd625bdcd3e36a83c3cbc29d2e4a5d3be0940fded19d37ba2cfb22b9616615

Download Submit
memory/2112-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-18-0x0000000000300000-0x000000000031F000-memory.dmp

Filesize
124KB

Download
memory/2412-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-74-0x0000000000280000-0x000000000029F000-memory.dmp

Filesize
124KB

Download
memory/2596-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-29-0x00000000002E0000-0x00000000002FF000-memory.dmp

Filesize
124KB

Download
memory/2700-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2716-11-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2716-61-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-56-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2716-71-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-13-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2716-12-0x00000000003B0000-0x00000000003EC000-memory.dmp

Filesize
240KB

Download
memory/2748-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-49-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/2872-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download