quasar | 8fa822e17a1199c462d0c7c417f86771e2049934bb469f15cfa464168d2734c8

Analysis

max time kernel
65s
max time network
69s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
04-02-2025 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DarkStreamtool.exe
Size

4.1MB
MD5

6d9183425590b05efc503b0d0e780f49
SHA1

e3ac46bf52e48cf98988bc908a3a3de431f735a4
SHA256

8fa822e17a1199c462d0c7c417f86771e2049934bb469f15cfa464168d2734c8
SHA512

7fdbe76f8b502197972255cefd1acd5870052f7a2c2e2b4fdefe62cfd8d7870a93b2e24ff77f113bfe4f7c604ff8df7e54228091ff82cd8128886492365f701c
SSDEEP

49152:DBFc8ar83KZDGR8+IMJupLUFFFFFA9MQ195PS096hbHITCOPyWtjXQStUCV4S3I:DBCzDCR8dKFFFFF5IS096ZlGtSYIQJ

Score

10^/10

quasar xworm system use discovery execution persistence rat spyware trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:38692

search-varies.gl.at.ply.gg:38692

Attributes

Install_directory
%Userprofile%
install_file
USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

System Use

search-varies.gl.at.ply.gg:4782

Mutex

b190c4c7-b07b-4e91-b02a-b4c0db119749

Attributes

encryption_key
7EFB9B56C32456D72E73A7558DE372F4393A10ED
install_name
Client.exe
log_directory
Discord
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001f00000002ab02-17.dat	family_xworm
behavioral2/memory/1636-30-0x00000000009D0000-0x0000000000A2A000-memory.dmp	family_xworm

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002aadf-6.dat	family_quasar
behavioral2/memory/276-42-0x0000000000A10000-0x0000000000D34000-memory.dmp	family_quasar

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4068	powershell.exe
5000	powershell.exe
1484	powershell.exe
3532	powershell.exe
3660	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	DarkStream rat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	DarkStream rat.exe

Executes dropped EXE 6 IoCs

pid	Process
276	Client-built.exe
1636	DarkStream rat.exe
1000	DarkStream.exe
2388	SilverClient1.exe
3508	Client.exe
3412	System User

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\System User"	DarkStream rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
2	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir	Client.exe
File created	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir	Client-built.exe
File opened for modification	C:\Windows\system32\SubDir\Client.exe	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DarkStream.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3756	schtasks.exe
1400	schtasks.exe
4320	schtasks.exe
1072	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1636	DarkStream rat.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
4068	powershell.exe
4068	powershell.exe
3660	powershell.exe
3660	powershell.exe
5000	powershell.exe
5000	powershell.exe
1484	powershell.exe
1484	powershell.exe
3532	powershell.exe
3532	powershell.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe
1636	DarkStream rat.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	DarkStream rat.exe
Token: SeDebugPrivilege	276	Client-built.exe
Token: SeDebugPrivilege	2388	SilverClient1.exe
Token: SeDebugPrivilege	4068	powershell.exe
Token: SeDebugPrivilege	3508	Client.exe
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	1636	DarkStream rat.exe
Token: SeDebugPrivilege	3412	System User

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3508	Client.exe
1636	DarkStream rat.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 276	2784	DarkStreamtool.exe	77
PID 2784 wrote to memory of 276	2784	DarkStreamtool.exe	77
PID 2784 wrote to memory of 1636	2784	DarkStreamtool.exe	78
PID 2784 wrote to memory of 1636	2784	DarkStreamtool.exe	78
PID 2784 wrote to memory of 1000	2784	DarkStreamtool.exe	79
PID 2784 wrote to memory of 1000	2784	DarkStreamtool.exe	79
PID 2784 wrote to memory of 1000	2784	DarkStreamtool.exe	79
PID 2784 wrote to memory of 2388	2784	DarkStreamtool.exe	80
PID 2784 wrote to memory of 2388	2784	DarkStreamtool.exe	80
PID 2388 wrote to memory of 4068	2388	SilverClient1.exe	82
PID 2388 wrote to memory of 4068	2388	SilverClient1.exe	82
PID 1000 wrote to memory of 1968	1000	DarkStream.exe	84
PID 1000 wrote to memory of 1968	1000	DarkStream.exe	84
PID 2388 wrote to memory of 3756	2388	SilverClient1.exe	85
PID 2388 wrote to memory of 3756	2388	SilverClient1.exe	85
PID 276 wrote to memory of 1400	276	Client-built.exe	88
PID 276 wrote to memory of 1400	276	Client-built.exe	88
PID 276 wrote to memory of 3508	276	Client-built.exe	90
PID 276 wrote to memory of 3508	276	Client-built.exe	90
PID 3508 wrote to memory of 4320	3508	Client.exe	91
PID 3508 wrote to memory of 4320	3508	Client.exe	91
PID 1636 wrote to memory of 3660	1636	DarkStream rat.exe	93
PID 1636 wrote to memory of 3660	1636	DarkStream rat.exe	93
PID 1636 wrote to memory of 5000	1636	DarkStream rat.exe	95
PID 1636 wrote to memory of 5000	1636	DarkStream rat.exe	95
PID 1636 wrote to memory of 1484	1636	DarkStream rat.exe	97
PID 1636 wrote to memory of 1484	1636	DarkStream rat.exe	97
PID 1636 wrote to memory of 3532	1636	DarkStream rat.exe	99
PID 1636 wrote to memory of 3532	1636	DarkStream rat.exe	99
PID 1636 wrote to memory of 1072	1636	DarkStream rat.exe	101
PID 1636 wrote to memory of 1072	1636	DarkStream rat.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DarkStreamtool.exe
"C:\Users\Admin\AppData\Local\Temp\DarkStreamtool.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Users\Admin\AppData\Roaming\Client-built.exe
  "C:\Users\Admin\AppData\Roaming\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:276
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1400
- - C:\Windows\system32\SubDir\Client.exe
    "C:\Windows\system32\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4320
- C:\Users\Admin\AppData\Roaming\DarkStream rat.exe
  "C:\Users\Admin\AppData\Roaming\DarkStream rat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\DarkStream rat.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'DarkStream rat.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\System User"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1072
- C:\Users\Admin\AppData\Roaming\DarkStream.exe
  "C:\Users\Admin\AppData\Roaming\DarkStream.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BFB6.tmp\BFB7.tmp\BFB8.bat C:\Users\Admin\AppData\Roaming\DarkStream.exe"
    3⤵
    PID:1968
- C:\Users\Admin\AppData\Roaming\SilverClient1.exe
  "C:\Users\Admin\AppData\Roaming\SilverClient1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4068
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc daily /tn "_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3756

C:\Users\Admin\System User
"C:\Users\Admin\System User"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fca72bce0a730023d4632708575f791

SHA1
2e61ed866852bde74593b6fc435cf50ac277c045

SHA256
c3d6f5f1c6a7b910fba87e5298c97d2541dcf36b2e0df334cbd084afde040ae8

SHA512
3c62214fa7260fc85d1cd231db1266f12a569b4c393c0af0ce1b27f5b2acc9c5497a171348d64d68af0e2f87ac86a52b7f982842e3b3d2c89b9ff9ef791708e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0363bfd5c9ae6af61f6a2fce9a024da

SHA1
d38f31fb85c98277a7d67017b8647740fb7a748c

SHA256
0f4e0256706ef753da64d5a47101c53ccaee4a25d59019d228ef4461edf66d83

SHA512
9c4d9ddc2d044ab704df826abf7d3842dcf7b49673a2644b9018a5ab215e3f41c5d964dfdb9b77e7545f643745bcad270baf781922ddd6ebe7253db71b3d2ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFB6.tmp\BFB7.tmp\BFB8.bat

Filesize
3KB

MD5
d9c237dadc0e155944d2b84dff601e0a

SHA1
3ccb2f199e177a0b4604141a238225c6480be5ff

SHA256
11b56089d5a7ecef6f269cf35e0d16d5d8a617d5950dbaca1d1a6961e9bcb1ab

SHA512
bbe9d2c2a081be2facf147510fa076b54a8b98d7bb5268dad4d92b5b76aa385574fea6545ea729b00b0dda83af3115471272fb25784eefaac66341ee8b21aed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ladexjfc.uic.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Client-built.exe

Filesize
3.1MB

MD5
3fe1ee7622b3c2a1963b19492be48f94

SHA1
2bd82d9bc775e51812d8b79dd50dfacf27cc8fbe

SHA256
6e0d421546daee69c012b490df597fa44f12e3f231de7d47d2cc63fb58caf222

SHA512
dfbf124a4bffe65f3ae3caae2cdd9ce8b1968f0b07181b3053ee3cb46a90348a7d7f7b9a98012483485f71c523fc1076c28cdd42c9db4f96fce61114505f70be

Download Submit
C:\Users\Admin\AppData\Roaming\DarkStream rat.exe

Filesize
336KB

MD5
0af66d0aceba9b0bd6c9afa1db47f3ea

SHA1
7332728e637c0d3eb37337b853a5f7bb15269f1f

SHA256
406e38f3a4ecb5c65c553c5cb9d50d801d23a054cc85a92fc02e9ee91423fae1

SHA512
d87bd47bd178e655f69b15389410cced6560d8623dbb2463a7b161c0a6ea22386257f05d60fc40c0862ab6c29bfa5030272353bcfb8957ffc89d9022b7b65029

Download Submit
C:\Users\Admin\AppData\Roaming\DarkStream.exe

Filesize
356KB

MD5
2842a6174f32275bb7f0d60424eceedc

SHA1
1aa05132bf6bd5235aa59520d3b78f0710b44031

SHA256
d2fe7f3dacce7205dd6a3b951bf9d215c9175540e7ec6ef460d0767893ddcb8f

SHA512
e79d553b9f29e6d3745adc712c73d6ed587ff4d7f80d55b0422f6127999d6a298dccb7d4d543b31645d433e7945950c472eaeb386577e402b733cc1f7393a023

Download Submit
C:\Users\Admin\AppData\Roaming\SilverClient1.exe

Filesize
35KB

MD5
d5fed599d7b568f20b8e81e1f4246366

SHA1
a6e80d11f33ccda19984a793a97f99e79124d4bf

SHA256
4b2ee2022a19530f6e4db15f866c5e5f713f254e578edd4cee0c5c1fe2c05a2e

SHA512
88d3d560c79799ae163b8bfee461b8ccba703035cf8e7ee06d004e3836afa4c5c1d44888929ebb16d0e05799a5fff8d9a741cdc25d94a3e907a76a0705186663

Download Submit
memory/276-66-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/276-44-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/276-42-0x0000000000A10000-0x0000000000D34000-memory.dmp

Filesize
3.1MB

Download
memory/1636-47-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/1636-115-0x00007FFF7EC70000-0x00007FFF7F732000-memory.dmp

Filesize
10.8MB

Download
memory/1636-30-0x00000000009D0000-0x0000000000A2A000-memory.dmp

Filesize
360KB

Download
memory/2388-46-0x0000000000170000-0x000000000017E000-memory.dmp

Filesize
56KB

Download
memory/2784-0-0x00007FFF7EC73000-0x00007FFF7EC75000-memory.dmp

Filesize
8KB

Download
memory/2784-1-0x0000000000B60000-0x0000000000F80000-memory.dmp

Filesize
4.1MB

Download
memory/3508-69-0x000000001C310000-0x000000001C360000-memory.dmp

Filesize
320KB

Download
memory/3508-70-0x000000001C420000-0x000000001C4D2000-memory.dmp

Filesize
712KB

Download
memory/3508-117-0x000000001CC10000-0x000000001D138000-memory.dmp

Filesize
5.2MB

Download
memory/4068-56-0x0000013A4FC20000-0x0000013A4FC42000-memory.dmp

Filesize
136KB

Download