quasar | cdd44caceb600c73a01b95c572142a59a35a23b1fb8e8e70cf920140366d3d09

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neo.exe
Size

348KB
MD5

1e7a43037ad795c85258f3543636cae6
SHA1

634d8def0e80e4791698d7e94b20dd8c5aba063c
SHA256

cdd44caceb600c73a01b95c572142a59a35a23b1fb8e8e70cf920140366d3d09
SHA512

443dc2ea997bc3dc51371313161ab9990ac3a1eed30cd2f414e08c9fdbc32c36a2b97813759b67394b3de8f19649256d8a1e1d87636efee065f8fc5487a71853
SSDEEP

6144:ILL3HRsM+OFZcAHCJbFnrMr1TuT8igmMu:OVP+Myry1TuT8igmMu

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.1.0

Botnet

Slave

runderscore00-42512.portmap.io:42512

Mutex

QSR_MUTEX_aYgVTolyJfnSo2kPQj

Attributes

encryption_key
PK7SpR1WESSqHBwmTfVi
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 1 IoCs

Processes:

resource yara_rule

behavioral3/memory/4404-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp family_quasar
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
15 ip-api.com
17 ip-api.com
19 ip-api.com
22 ip-api.com
1 ip-api.com
7 api.ipify.org
10 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4744 4404 WerFault.exe Neo.exe
2220 2556 WerFault.exe Neo.exe
3244 3660 WerFault.exe Neo.exe
4028 4480 WerFault.exe Neo.exe
4812 420 WerFault.exe Neo.exe
4004 964 WerFault.exe Neo.exe
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

568 PING.EXE
4276 PING.EXE
2700 PING.EXE
4896 PING.EXE
1668 PING.EXE
4672 PING.EXE

resource	yara_rule
behavioral3/memory/4404-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp	family_quasar

flow	ioc
13	ip-api.com
15	ip-api.com
17	ip-api.com
19	ip-api.com
22	ip-api.com
1	ip-api.com
7	api.ipify.org
10	ip-api.com

pid	pid_target	process	target process
4744	4404	WerFault.exe	Neo.exe
2220	2556	WerFault.exe	Neo.exe
3244	3660	WerFault.exe	Neo.exe
4028	4480	WerFault.exe	Neo.exe
4812	420	WerFault.exe	Neo.exe
4004	964	WerFault.exe	Neo.exe

pid	process
568	PING.EXE
4276	PING.EXE
2700	PING.EXE
4896	PING.EXE
1668	PING.EXE
4672	PING.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

Neo.exeNeo.exeNeo.exeNeo.exeNeo.exeNeo.exeNeo.exe

description	pid	process
Token: SeDebugPrivilege	4404	Neo.exe
Token: SeDebugPrivilege	2556	Neo.exe
Token: SeDebugPrivilege	3660	Neo.exe
Token: SeDebugPrivilege	4480	Neo.exe
Token: SeDebugPrivilege	420	Neo.exe
Token: SeDebugPrivilege	964	Neo.exe
Token: SeDebugPrivilege	5008	Neo.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

Neo.exeNeo.exeNeo.exeNeo.exeNeo.exeNeo.exe

pid process

4404 Neo.exe
2556 Neo.exe
3660 Neo.exe
4480 Neo.exe
420 Neo.exe
964 Neo.exe

pid	process
4404	Neo.exe
2556	Neo.exe
3660	Neo.exe
4480	Neo.exe
420	Neo.exe
964	Neo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Neo.execmd.exeNeo.execmd.exeNeo.execmd.exeNeo.execmd.exeNeo.execmd.exeNeo.execmd.exe

description	pid	process	target process
PID 4404 wrote to memory of 2308	4404	Neo.exe	cmd.exe
PID 4404 wrote to memory of 2308	4404	Neo.exe	cmd.exe
PID 4404 wrote to memory of 2308	4404	Neo.exe	cmd.exe
PID 2308 wrote to memory of 1692	2308	cmd.exe	chcp.com
PID 2308 wrote to memory of 1692	2308	cmd.exe	chcp.com
PID 2308 wrote to memory of 1692	2308	cmd.exe	chcp.com
PID 2308 wrote to memory of 568	2308	cmd.exe	PING.EXE
PID 2308 wrote to memory of 568	2308	cmd.exe	PING.EXE
PID 2308 wrote to memory of 568	2308	cmd.exe	PING.EXE
PID 2308 wrote to memory of 2556	2308	cmd.exe	Neo.exe
PID 2308 wrote to memory of 2556	2308	cmd.exe	Neo.exe
PID 2308 wrote to memory of 2556	2308	cmd.exe	Neo.exe
PID 2556 wrote to memory of 3088	2556	Neo.exe	cmd.exe
PID 2556 wrote to memory of 3088	2556	Neo.exe	cmd.exe
PID 2556 wrote to memory of 3088	2556	Neo.exe	cmd.exe
PID 3088 wrote to memory of 4048	3088	cmd.exe	chcp.com
PID 3088 wrote to memory of 4048	3088	cmd.exe	chcp.com
PID 3088 wrote to memory of 4048	3088	cmd.exe	chcp.com
PID 3088 wrote to memory of 4276	3088	cmd.exe	PING.EXE
PID 3088 wrote to memory of 4276	3088	cmd.exe	PING.EXE
PID 3088 wrote to memory of 4276	3088	cmd.exe	PING.EXE
PID 3088 wrote to memory of 3660	3088	cmd.exe	Neo.exe
PID 3088 wrote to memory of 3660	3088	cmd.exe	Neo.exe
PID 3088 wrote to memory of 3660	3088	cmd.exe	Neo.exe
PID 3660 wrote to memory of 480	3660	Neo.exe	cmd.exe
PID 3660 wrote to memory of 480	3660	Neo.exe	cmd.exe
PID 3660 wrote to memory of 480	3660	Neo.exe	cmd.exe
PID 480 wrote to memory of 3444	480	cmd.exe	chcp.com
PID 480 wrote to memory of 3444	480	cmd.exe	chcp.com
PID 480 wrote to memory of 3444	480	cmd.exe	chcp.com
PID 480 wrote to memory of 2700	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 2700	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 2700	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 4480	480	cmd.exe	Neo.exe
PID 480 wrote to memory of 4480	480	cmd.exe	Neo.exe
PID 480 wrote to memory of 4480	480	cmd.exe	Neo.exe
PID 4480 wrote to memory of 4928	4480	Neo.exe	cmd.exe
PID 4480 wrote to memory of 4928	4480	Neo.exe	cmd.exe
PID 4480 wrote to memory of 4928	4480	Neo.exe	cmd.exe
PID 4928 wrote to memory of 2540	4928	cmd.exe	chcp.com
PID 4928 wrote to memory of 2540	4928	cmd.exe	chcp.com
PID 4928 wrote to memory of 2540	4928	cmd.exe	chcp.com
PID 4928 wrote to memory of 4896	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 4896	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 4896	4928	cmd.exe	PING.EXE
PID 4928 wrote to memory of 420	4928	cmd.exe	Neo.exe
PID 4928 wrote to memory of 420	4928	cmd.exe	Neo.exe
PID 4928 wrote to memory of 420	4928	cmd.exe	Neo.exe
PID 420 wrote to memory of 2368	420	Neo.exe	cmd.exe
PID 420 wrote to memory of 2368	420	Neo.exe	cmd.exe
PID 420 wrote to memory of 2368	420	Neo.exe	cmd.exe
PID 2368 wrote to memory of 3560	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 3560	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 3560	2368	cmd.exe	chcp.com
PID 2368 wrote to memory of 1668	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 1668	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 1668	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 964	2368	cmd.exe	Neo.exe
PID 2368 wrote to memory of 964	2368	cmd.exe	Neo.exe
PID 2368 wrote to memory of 964	2368	cmd.exe	Neo.exe
PID 964 wrote to memory of 3640	964	Neo.exe	cmd.exe
PID 964 wrote to memory of 3640	964	Neo.exe	cmd.exe
PID 964 wrote to memory of 3640	964	Neo.exe	cmd.exe
PID 3640 wrote to memory of 856	3640	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\Neo.exe
"C:\Users\Admin\AppData\Local\Temp\Neo.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\auqSeYGAeAWw.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1692

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
3⤵
- Runs ping.exe
PID:568

C:\Users\Admin\AppData\Local\Temp\Neo.exe
"C:\Users\Admin\AppData\Local\Temp\Neo.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XTKZCmWdLsmp.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3088

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:4048

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
5⤵
- Runs ping.exe
PID:4276

C:\Users\Admin\AppData\Local\Temp\Neo.exe
"C:\Users\Admin\AppData\Local\Temp\Neo.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0oqyBKgNL7xW.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\SysWOW64\chcp.com
chcp 65001
7⤵
PID:3444

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:2700

C:\Users\Admin\AppData\Local\Temp\Neo.exe
"C:\Users\Admin\AppData\Local\Temp\Neo.exe"
7⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1wEPOxth9gmu.bat" "
8⤵
- Suspicious use of WriteProcessMemory
PID:4928

C:\Windows\SysWOW64\chcp.com
chcp 65001
9⤵
PID:2540

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
9⤵
- Runs ping.exe
PID:4896

C:\Users\Admin\AppData\Local\Temp\Neo.exe
"C:\Users\Admin\AppData\Local\Temp\Neo.exe"
9⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ZS1qOVwGHhN.bat" "
10⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\chcp.com
chcp 65001
11⤵
PID:3560

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
11⤵
- Runs ping.exe
PID:1668

C:\Users\Admin\AppData\Local\Temp\Neo.exe
"C:\Users\Admin\AppData\Local\Temp\Neo.exe"
11⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IJScb3OD73vl.bat" "
12⤵
- Suspicious use of WriteProcessMemory
PID:3640

C:\Windows\SysWOW64\chcp.com
chcp 65001
13⤵
PID:856

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
13⤵
- Runs ping.exe
PID:4672

C:\Users\Admin\AppData\Local\Temp\Neo.exe
"C:\Users\Admin\AppData\Local\Temp\Neo.exe"
13⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1732
12⤵
- Program crash
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 2288
10⤵
- Program crash
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 1740
8⤵
- Program crash
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 2280
6⤵
- Program crash
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 2280
4⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1764
2⤵
- Program crash
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2556 -ip 2556
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3660 -ip 3660
1⤵
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4480 -ip 4480
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 420 -ip 420
1⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 964 -ip 964
1⤵
PID:240

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0ZS1qOVwGHhN.bat
Filesize
200B

MD5
bffeec51d6304bf87b63600db985b5ae

SHA1
ab41c9435d52f8f7be2755ed4b193ef39f537037

SHA256
36b478bf8567956f76e95a4cd3ffa97bcd1b6dac3d7832a7f4075808f06acab7

SHA512
318b0a22ecf58d3451f145c7aa0f682356c664f48c5af81e0e8c301457756499ca1e0523a00f88e268849fc01e01cf1000451bb8a5b3633d2ba99fc099beefd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0oqyBKgNL7xW.bat
Filesize
200B

MD5
06459ffe905af9169d520355fbf52ae2

SHA1
bdb4a81c12afb535a521ea88f6a187641c316372

SHA256
598672fc7c458a69cd035cd41ecd4c969f805db753fcd2966c121f5efc15d63e

SHA512
23de4f07c1d442a91345bbac94ff24de710f52dfdb06648c64fa13b21c15120a6e4acad952b7f678752fb258e3a71c81aa23766798c7c1d97ba304f49b877a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\1wEPOxth9gmu.bat
Filesize
200B

MD5
63b8ed976d07a21ba87e2a29c34bf172

SHA1
9bba7ac45cd60a7dcd60245fad4e21b5845937fc

SHA256
b39db3319e121ec18ae6a36f7d55861adc63c9b34260c93152c3fd4465d48818

SHA512
112960184a20ccd2b571bf5487372dc3dbcb282050ed232bba6e99af5df90a11b5b0e6806e243cd368aab4f305ae68a8be90c0dbdade01b74cdb502fa5222980

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJScb3OD73vl.bat
Filesize
200B

MD5
3bd4ef514aaca70fcfc33367ddda0c98

SHA1
9cbfc93f99e6b05597c405766fffd463599de4bc

SHA256
c49685f70b806c37faf748ddff9ecc4a8ebe84feea3a54c4f5dc5aacb5d0c906

SHA512
a5df3cd54a912aff7830d7dd962483cf47d29dc953fcdf1222da47f6a494e0dcd2ca9bfac09631d6e021fbe4b45b822921cf4230da8d9daaec903bb508238848

Download Submit
C:\Users\Admin\AppData\Local\Temp\XTKZCmWdLsmp.bat
Filesize
200B

MD5
0500e8aa143e67dd29690fab697471f1

SHA1
bfb26e63e797f25851447dd45d6b3f4fc37645c7

SHA256
f30ae98f4395706f6d114b535812fdc062f4f81c8a3afcde790a385cdc76dc7a

SHA512
ea9835d44e299a2fab13b2b041d61b87b6c75b84ce23382e1e14c05c7e9ed0b61288f6bbe4330ecf251cf5615454c5aee09312a8def4b1bb9e23dd00602f8f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\auqSeYGAeAWw.bat
Filesize
200B

MD5
cd9a8eb90f7ceba284e1d226d6cc179b

SHA1
a583a3c03d88e5cc4abbf81b848dc289c67f873e

SHA256
32e9c4e8d227db053b9d6f553c02cea860bd6627481341fdfb5fc3c63e1ef4fb

SHA512
5c7f31f513fb143be1b461fd0100facb3d30c89656ff0069f763bdb08ca4248919239c643e11a595c62bdc280bcfb4a89298b2d673e0c95c0e05b5a0ddfefe61

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-28-2024
Filesize
224B

MD5
fd4d7d3968061f3841648a91a16fa2a7

SHA1
b2ff92c27605d87f75a62fc90d0e653d6088145a

SHA256
4d79c6f488370faa00a2d038f1aeb6466e1ba229c595ecc071a5995f94c3d805

SHA512
7d20fb7ae9da5b0014c5fa74ffb885989df618b5347f3d1d88e126ac6b47d6e43616b114b3d4468a6bb512daec77d0807528920f9cb1015c7cec42931e309d0f

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-28-2024
Filesize
224B

MD5
ee23701f7a528b43fd0ef10abac12eac

SHA1
36f933e13277e42d3b73667b31ddfda7474d83b7

SHA256
a241ad4d53706d0137b934b1f54773c4cc2293eadfe27aeb01b48d0750a99a1b

SHA512
664ae64dcfa02e18a365877c007f5b905016792fe02c36ca4f32dc6f1de6c9b61f595569374797ffbd81080bb9c8d103503d48efb0507a33508980023d5d92e1

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-28-2024
Filesize
224B

MD5
cbf6c7bfd2abb457934b78b39baad599

SHA1
8831e7f058ec24aa0cf2dbe82357aedf9dfb13c9

SHA256
0992844e01b266de5fe84376ad6b224e3c6de02c033222cbe5e56aec60096c3e

SHA512
c22846f4d11275f7b36763ee1742684971b2cc1e68965dd17348979348a529631e7fb77a3ee256cb73bdb9a94c5abf7c2c53d640a064fbb943ebb2c8d421c239

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-28-2024
Filesize
224B

MD5
ee22619e9822954363de7211917e4568

SHA1
3924ac0b8edb6bf3be937819c6fc18afa4ed61db

SHA256
22b6daa4c6b7326d66503134cd9fa30a832309ab4e4b2a30c52a9e1fbc5dfc08

SHA512
acd27ae3acbf797b7ec6643023297ff8b4c43406da6ba7cf427453e2aea14fe6dc94991bb59c36371b363af4d23df56fdea9b7a001200491e8f885ff9a1e7755

Download Submit
C:\Users\Admin\AppData\Roaming\Logs\06-28-2024
Filesize
224B

MD5
64c3d5ac911ba4bb780f8f4b63b62701

SHA1
d18c6504a703781f5dded612731874f1e054bdfc

SHA256
3f8d488cc4df3f050ca7af1d5b22ad1aa0d1c5ea82b78a22acc999521c17a50c

SHA512
79ea0037d24f4060c2c01c2678f855e931d7cdd903cf4846a68c4d70ee8d5f06445cd85abd1b935f2afb9c812d766fc5eae468c303f9debaf61b8d66055f2ff5

Download Submit
memory/2556-16-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/2556-24-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/2556-17-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/4404-7-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/4404-10-0x0000000006F00000-0x0000000006F0A000-memory.dmp

Filesize
40KB

Download
memory/4404-15-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/4404-8-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/4404-0-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/4404-6-0x0000000006420000-0x0000000006432000-memory.dmp

Filesize
72KB

Download
memory/4404-5-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/4404-4-0x00000000747F0000-0x0000000074FA1000-memory.dmp

Filesize
7.7MB

Download
memory/4404-3-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/4404-2-0x0000000005C30000-0x00000000061D6000-memory.dmp

Filesize
5.6MB

Download
memory/4404-1-0x0000000000D20000-0x0000000000D7E000-memory.dmp

Filesize
376KB

Download