quasar | 358b3681682b402dba9c1bf1297193fe257d8cc11e51c2924c657eb2057beb04

Analysis

max time kernel
1s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

380cd105672b970a3783c0036ebaf09d.exe
Size

1.0MB
MD5

380cd105672b970a3783c0036ebaf09d
SHA1

112ee91c03921b1aaa3ca9b901054a62a11b0268
SHA256

358b3681682b402dba9c1bf1297193fe257d8cc11e51c2924c657eb2057beb04
SHA512

e3e7954328a98af7b4dd3ec0efa2c390f6d10b8e2037e582043902482f7e90241b0565c0da7972f14193efe517a305441306cb7c32b2f444ba5c58c1c7c5f2da
SSDEEP

24576:Lw/UH7Q9OEKM4TbVOD6s6F+2iYNenwhhWZ0ZnLsm:FH7QAHTbVOD6sl2Zhh

Score

10^/10

quasar venomrat sep05 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

SEP05

23.105.131.187:7812

Mutex

VNM_MUTEX_mn3z5p1P4yabWtL9nJ

Attributes

encryption_key
R5zGfMq4QEUio50PoLwo
install_name
Windows Defender Security.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Update Service
subdirectory
Windows Security Firewall

Signatures

Contains code to disable Windows Defender 5 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2792-17-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2792-14-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2792-12-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2792-9-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def
behavioral1/memory/2792-8-0x0000000000400000-0x000000000048C000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

380cd105672b970a3783c0036ebaf09d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	380cd105672b970a3783c0036ebaf09d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	380cd105672b970a3783c0036ebaf09d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	380cd105672b970a3783c0036ebaf09d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	380cd105672b970a3783c0036ebaf09d.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2792-17-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2792-14-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2792-12-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2792-9-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar
behavioral1/memory/2792-8-0x0000000000400000-0x000000000048C000-memory.dmp	family_quasar

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Executes dropped EXE 1 IoCs

Processes:

Windows Defender Security.exe

pid process

2596 Windows Defender Security.exe
Loads dropped DLL 1 IoCs

Processes:

380cd105672b970a3783c0036ebaf09d.exe

pid process

2792 380cd105672b970a3783c0036ebaf09d.exe

pid	process
2596	Windows Defender Security.exe

pid	process
2792	380cd105672b970a3783c0036ebaf09d.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

380cd105672b970a3783c0036ebaf09d.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	380cd105672b970a3783c0036ebaf09d.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	380cd105672b970a3783c0036ebaf09d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

380cd105672b970a3783c0036ebaf09d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rQDLJjyJSH = "C:\\Users\\Admin\\AppData\\Roaming\\AyBtHTTCxa\\gSGYsYDHyz.exe"	380cd105672b970a3783c0036ebaf09d.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

380cd105672b970a3783c0036ebaf09d.exe

description pid process target process

PID 2844 set thread context of 2792 2844 380cd105672b970a3783c0036ebaf09d.exe 380cd105672b970a3783c0036ebaf09d.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1408 schtasks.exe
2628 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

580 PING.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

380cd105672b970a3783c0036ebaf09d.exe

description pid process

Token: SeDebugPrivilege 2792 380cd105672b970a3783c0036ebaf09d.exe

flow	ioc
2	ip-api.com

description	pid	process	target process
PID 2844 set thread context of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe

pid	process
1408	schtasks.exe
2628	schtasks.exe

pid	process
580	PING.EXE

description	pid	process
Token: SeDebugPrivilege	2792	380cd105672b970a3783c0036ebaf09d.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

380cd105672b970a3783c0036ebaf09d.exe380cd105672b970a3783c0036ebaf09d.exe

description	pid	process	target process
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2844 wrote to memory of 2792	2844	380cd105672b970a3783c0036ebaf09d.exe	380cd105672b970a3783c0036ebaf09d.exe
PID 2792 wrote to memory of 2628	2792	380cd105672b970a3783c0036ebaf09d.exe	schtasks.exe
PID 2792 wrote to memory of 2628	2792	380cd105672b970a3783c0036ebaf09d.exe	schtasks.exe
PID 2792 wrote to memory of 2628	2792	380cd105672b970a3783c0036ebaf09d.exe	schtasks.exe
PID 2792 wrote to memory of 2628	2792	380cd105672b970a3783c0036ebaf09d.exe	schtasks.exe
PID 2792 wrote to memory of 2596	2792	380cd105672b970a3783c0036ebaf09d.exe	Windows Defender Security.exe
PID 2792 wrote to memory of 2596	2792	380cd105672b970a3783c0036ebaf09d.exe	Windows Defender Security.exe
PID 2792 wrote to memory of 2596	2792	380cd105672b970a3783c0036ebaf09d.exe	Windows Defender Security.exe
PID 2792 wrote to memory of 2596	2792	380cd105672b970a3783c0036ebaf09d.exe	Windows Defender Security.exe
PID 2792 wrote to memory of 2664	2792	380cd105672b970a3783c0036ebaf09d.exe	powershell.exe
PID 2792 wrote to memory of 2664	2792	380cd105672b970a3783c0036ebaf09d.exe	powershell.exe
PID 2792 wrote to memory of 2664	2792	380cd105672b970a3783c0036ebaf09d.exe	powershell.exe
PID 2792 wrote to memory of 2664	2792	380cd105672b970a3783c0036ebaf09d.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe
"C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe
  "C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Loads dropped DLL
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2628
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:2664
- - C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe"
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
    3⤵
    PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\Z9fvllG1TBWI.bat" "
    3⤵
    PID:488
  - - C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe
      "C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe"
      4⤵
      PID:2080

C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe"
1⤵
PID:2888
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks" /create /tn "Windows Update Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:1408

C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe"
1⤵
PID:2880

C:\Windows\SysWOW64\chcp.com
chcp 65001
1⤵
PID:1340

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
1⤵
- Runs ping.exe
PID:580

C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe
"C:\Users\Admin\AppData\Local\Temp\380cd105672b970a3783c0036ebaf09d.exe"
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1FB3.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1FC5.tmp

Filesize
12KB

MD5
4df9f62a1ac1d604d0de419156af88ae

SHA1
feb02092d7cf0feb43d1fa034b1e7606d1acdb50

SHA256
1046018aef0d662fa4a4b5a41c8350a0e12e208054abee2b913de9376e818bff

SHA512
fe7459488544cdaf5d1dc5fc44d8d36b00dcb3a10c08e821c9c196b021ba05eeedc323aea28eb21e06b842052db5e1a4920dafddcb29617ae476402ce0131605

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z9fvllG1TBWI.bat

Filesize
229B

MD5
889ccd5c4acd8af170985597ce296039

SHA1
0ef17594c7b86de88763b8f62b315af1d8b79910

SHA256
c9a47de84ede4f61d77939fba17a28414eb4f87dfb9033f780486b95d5c7ec88

SHA512
ca50637b3313e4ec9b907b14b864f233b3b7584e86b452ecaa2574bfa4705c7c286e31511d0c2a3350d3dd417b98a2309e5f8c7d38d36839de189fb9ae60d149

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe

Filesize
121KB

MD5
bb70bb6ce1778f19a233ba1d44f9c434

SHA1
4430431c8150ee500308f75e77131b42da5a2ab4

SHA256
333290b9dc401ccfc0f07f9c66a40373697b72d3edf54175ef865917d2ad7123

SHA512
b8bf32c707d19d487590fb837bed9e7ec55c5d83bb9c1c58303bce2a86de7c9c3cf7bdde8233954b08620e3b25fd7ff89845c0821969b99aa64c6eae5670c4de

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe

Filesize
64KB

MD5
485f7df9976dd4a8baaec486583d02d3

SHA1
4cfc683be192ae066507edf2d1db6af7227e972e

SHA256
801d9cf8428c1e9d8f2b550cb570c4774eff8f6e0bb7f6d7d7cafa7e3983c97d

SHA512
be37c3f2dcde3812f5e26043bd9b2113aef1c0560007f26e9cd3e159488cb011c73da7a62ac983c854f9cb8790df5f7979d0b7d62def8653e74bddbe0e38e581

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe

Filesize
154KB

MD5
1b21f5589003a1c8d4ad325ab76712cd

SHA1
3debea8d13ff0df91635226d01c61d225d6b0046

SHA256
855544565c69b285fbcfc358a3762a7774f92862121c4d841e75bf209a4d9385

SHA512
546d58c4f44e8a930c735a985eab5ab2fe5419a751f0ce0520c5ce1562db9d649e86127783783d8888bc0c478ceff18e4a92c4f73488427ac1e0d8df0498c1b5

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe

Filesize
14KB

MD5
23a6a879c59b11485bc64e5a0fa9f676

SHA1
725336743744bcfb8871fcb5fe8bd3e41ae22632

SHA256
b6f7a148fa8078c98c478599c3eb1ccc74e38ae6e6b7a4defc5f868e22cbdf30

SHA512
f29faa771c3365178ba4f8d0edfb435b4bf78103a0bca452d4095866dcf76d167ee3edee448a2d5260b7e9fe32a0e70f26c1153845256bd90bc6aebe9b4e1cb9

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe

Filesize
11KB

MD5
b34a6e838d9834d6aec06e77ed9ab073

SHA1
2344c3eaabc6468734056a46abdbae8d716b637a

SHA256
ea8321a0025efd8eae505eac15cf32eee4b1282bfe69cbed5ff552e5e902b996

SHA512
a11c6b2e68e191615fa1306d69bdfe375e13d5361fc29115712d1af1bf20acae81b8ade4a0f1232661fbef57fabef5641a53d08e9311b980940f2fb04ef1a1b0

Download Submit
\Users\Admin\AppData\Roaming\Windows Security Firewall\Windows Defender Security.exe

Filesize
44KB

MD5
77388c5d7d14323fb4f45439200864b3

SHA1
64df624617c7c0fcf4a5d18e5e13cb0d611e68d2

SHA256
e5e1b572afa767f3ca888c035e1aecdb25d5d81bbc9fa89243ce13d877a78510

SHA512
a1758c532788ddbc6a0c99f24c83e780b4b941b94814dd646017e493ccda7a3515abe0ed62e4fb66afee098d8382adfa6fd39f7987cf670a7afb8c95ace9f7b8

Download Submit
memory/1088-130-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/1088-132-0x0000000000FE0000-0x0000000001020000-memory.dmp

Filesize
256KB

Download
memory/1088-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1088-133-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2080-127-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2080-117-0x0000000000CA0000-0x0000000000CE0000-memory.dmp

Filesize
256KB

Download
memory/2080-116-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-42-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2596-27-0x0000000000040000-0x0000000000148000-memory.dmp

Filesize
1.0MB

Download
memory/2596-29-0x00000000048C0000-0x0000000004900000-memory.dmp

Filesize
256KB

Download
memory/2596-28-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2664-52-0x000000006EFB0000-0x000000006F55B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-48-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2664-51-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2664-49-0x000000006EFB0000-0x000000006F55B000-memory.dmp

Filesize
5.7MB

Download
memory/2664-47-0x000000006EFB0000-0x000000006F55B000-memory.dmp

Filesize
5.7MB

Download
memory/2792-19-0x0000000000A10000-0x0000000000A50000-memory.dmp

Filesize
256KB

Download
memory/2792-14-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2792-17-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2792-6-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2792-18-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-115-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2792-8-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2792-9-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2792-7-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2792-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-12-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2844-0-0x0000000001030000-0x0000000001138000-memory.dmp

Filesize
1.0MB

Download
memory/2844-16-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-5-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/2844-1-0x0000000074710000-0x0000000074DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2844-2-0x0000000004B40000-0x0000000004B80000-memory.dmp

Filesize
256KB

Download
memory/2844-3-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2888-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2888-50-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/2888-131-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2888-46-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download