Analysis

  • max time kernel
    99s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-07-2024 16:16

General

  • Target

    https://github.com/astzgotmotion/celery-executor

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Joesnazzy-26854.portmap.host:26854

Mutex

0e3df0a7-c843-43da-81c8-d9c01f85801a

Attributes
  • encryption_key

    FE31C9B3146C7F6C565D8024D45CF71A2F7A3888

  • install_name

    celery.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows defender

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/astzgotmotion/celery-executor
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d09246f8,0x7ff8d0924708,0x7ff8d0924718
      2⤵
        PID:2424
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        2⤵
          PID:4320
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1856
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
          2⤵
            PID:2628
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
            2⤵
              PID:220
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
              2⤵
                PID:1100
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
                2⤵
                  PID:1464
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1844
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
                  2⤵
                    PID:2568
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
                    2⤵
                      PID:1068
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5184 /prefetch:8
                      2⤵
                        PID:5060
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
                        2⤵
                          PID:3068
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
                          2⤵
                            PID:3648
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
                            2⤵
                              PID:220
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,12705790403552854047,10478900679581240616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:6012
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4816
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:3464
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:6140
                                • C:\Users\Admin\Downloads\celery-executor-main\celery-executor-main\celery installer.exe
                                  "C:\Users\Admin\Downloads\celery-executor-main\celery-executor-main\celery installer.exe"
                                  1⤵
                                  • Drops file in System32 directory
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:5240
                                  • C:\Windows\SYSTEM32\schtasks.exe
                                    "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f
                                    2⤵
                                    • Scheduled Task/Job: Scheduled Task
                                    PID:592
                                  • C:\Windows\system32\SubDir\celery.exe
                                    "C:\Windows\system32\SubDir\celery.exe"
                                    2⤵
                                    • Executes dropped EXE
                                    • Drops file in System32 directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    PID:5396
                                    • C:\Windows\SYSTEM32\schtasks.exe
                                      "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Windows\system32\SubDir\celery.exe" /rl HIGHEST /f
                                      3⤵
                                      • Scheduled Task/Job: Scheduled Task
                                      PID:5480
                                • C:\Windows\system32\OpenWith.exe
                                  C:\Windows\system32\OpenWith.exe -Embedding
                                  1⤵
                                  • Modifies registry class
                                  • Suspicious use of SetWindowsHookEx
                                  PID:5268

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                  Filesize

                                  2KB

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  111B

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  573B

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                  Filesize

                                  1KB

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580d59.TMP

                                  Filesize

                                  371B

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                • C:\Users\Admin\Downloads\Unconfirmed 147314.crdownload

                                  Filesize

                                  1.2MB

                                • C:\Windows\System32\SubDir\celery.exe

                                  Filesize

                                  3.1MB

                                • \??\pipe\LOCAL\crashpad_4976_BEGGOCSLUAANAVMC

                                • memory/5240-269-0x00000000007A0000-0x0000000000AC4000-memory.dmp

                                  Filesize

                                  3.1MB

                                • memory/5396-283-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

                                  Filesize

                                  320KB

                                • memory/5396-284-0x000000001C420000-0x000000001C4D2000-memory.dmp

                                  Filesize

                                  712KB