quasar | e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758

Analysis

max time kernel
120s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2024 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
Size

637KB
MD5

f1c3e7d4f2ea34ded96047cc76392340
SHA1

60683db56a96afe8ef1557c10fb861ae1081097b
SHA256

e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758
SHA512

9d8cf3b1bc0bb153a364618f0e1038a87549ce9d3c89ae4fd65c24737cb1a07f31a8618fdbb7d66ef9f2e410e3616593f7ba2e2ec4fa1325b8f86147956d4e47
SSDEEP

12288:PFUNDaJTEgdfYe/iKg3qFE4/ywNFpdrdwzTCcdjv:PFOaKUwC5F9ywNFpdJ7cdjv

Score

10^/10

quasar office04 discovery evasion persistence spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes

encryption_key
A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
install_name
Java Updater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Java Updater
subdirectory
SubDir

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cb5-7.dat	family_quasar
behavioral2/memory/780-10-0x00000000000B0000-0x0000000000134000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023cb7-22.dat	family_quasar

Executes dropped EXE 8 IoCs

pid	Process
780	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe
4844	icsys.icn.exe
2080	Java Updater.exe
668	explorer.exe
332	spoolsv.exe
1724	svchost.exe
2036	java updater.exe
3220	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Java Updater.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Java Updater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
4844	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
668	explorer.exe
1724	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	780	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe
Token: SeDebugPrivilege	2036	java updater.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
4844	icsys.icn.exe
4844	icsys.icn.exe
2080	Java Updater.exe
668	explorer.exe
668	explorer.exe
2080	Java Updater.exe
332	spoolsv.exe
332	spoolsv.exe
1724	svchost.exe
1724	svchost.exe
3220	spoolsv.exe
3220	spoolsv.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 780	4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe	83
PID 4784 wrote to memory of 780	4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe	83
PID 780 wrote to memory of 3152	780	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe	84
PID 780 wrote to memory of 3152	780	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe	84
PID 4784 wrote to memory of 4844	4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe	86
PID 4784 wrote to memory of 4844	4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe	86
PID 4784 wrote to memory of 4844	4784	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe	86
PID 780 wrote to memory of 2080	780	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe	87
PID 780 wrote to memory of 2080	780	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe	87
PID 780 wrote to memory of 2080	780	e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe	87
PID 4844 wrote to memory of 668	4844	icsys.icn.exe	88
PID 4844 wrote to memory of 668	4844	icsys.icn.exe	88
PID 4844 wrote to memory of 668	4844	icsys.icn.exe	88
PID 668 wrote to memory of 332	668	explorer.exe	89
PID 668 wrote to memory of 332	668	explorer.exe	89
PID 668 wrote to memory of 332	668	explorer.exe	89
PID 332 wrote to memory of 1724	332	spoolsv.exe	90
PID 332 wrote to memory of 1724	332	spoolsv.exe	90
PID 332 wrote to memory of 1724	332	spoolsv.exe	90
PID 2080 wrote to memory of 2036	2080	Java Updater.exe	91
PID 2080 wrote to memory of 2036	2080	Java Updater.exe	91
PID 1724 wrote to memory of 3220	1724	svchost.exe	92
PID 1724 wrote to memory of 3220	1724	svchost.exe	92
PID 1724 wrote to memory of 3220	1724	svchost.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe
"C:\Users\Admin\AppData\Local\Temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4784
- \??\c:\users\admin\appdata\local\temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe
  c:\users\admin\appdata\local\temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "c:\users\admin\appdata\local\temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe " /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3152
- - C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - \??\c:\users\admin\appdata\roaming\subdir\java updater.exe
      "c:\users\admin\appdata\roaming\subdir\java updater.exe "
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2036
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4844
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:668
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:332
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1724
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758n.exe

Filesize
502KB

MD5
1441905fc4082ee6055ea39f5875a6c5

SHA1
78f91f9f9ffe47e5f47e9844bd026d150146744e

SHA256
1b05c4d74e0d17a983f9b91aa706a7a60f37ec270b7e2433d6798afa1c7be766

SHA512
70e9ab0e49b4bf89505f16c499538daebc1e8da72488cd63ff60747d15a1d486ba38802b0622c9240d10ff68ab32e6bb36a0b809e7cd0e2ec4945d023ce86c5c

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe

Filesize
637KB

MD5
f1c3e7d4f2ea34ded96047cc76392340

SHA1
60683db56a96afe8ef1557c10fb861ae1081097b

SHA256
e05b6849f06853651630e79b77c52d8ca886299047d79e6ee2ace928d2105758

SHA512
9d8cf3b1bc0bb153a364618f0e1038a87549ce9d3c89ae4fd65c24737cb1a07f31a8618fdbb7d66ef9f2e410e3616593f7ba2e2ec4fa1325b8f86147956d4e47

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
5aa1659409d4efe19b3d5ba5da1463d2

SHA1
c385546d9d1be280c090bd6104d696973b5bcc49

SHA256
80b433f216e6d5461820920bf8d7d7422b0aa8041eb7987a6cbd66c734815d76

SHA512
17765661b5fa3a549290d542458622f8053a5956ff1dbf0d93f46d90655e3cdb989483d412afd134cb226d4a7b0553982694bd2da95f89d0bbccc58f9431f34f

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
1da395d37e7dd10adb656cb9e7d04a18

SHA1
98798831f8ba6ce8bc828e7763a338d1b420ee7b

SHA256
88d4c30796ca2930da72d706969da545632cf2d85b2a663ee5ec0a0c9e2c1b54

SHA512
f9c9c6e94bb41123ea2f3306463cafcc3152df7df0d9f04767784f4defabeeec4419def661b43f47cc3b6073e7d771e418078b231ae8003a99b387c546a883d9

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
dbba5ff380631b2f28f3a9e8fce4d681

SHA1
1aae5c4ab6f9fc5b078162fe318e678f58f8454f

SHA256
bcfd62a94f02bc49a1ca4d946f461519cf16d5b4797f55c3a8a919235e99eba4

SHA512
f01db3242006eb2225e31694ac51116042336a9aaa6487e231de78410f8b8ff559e64bfc9250d6b934ae6cd89f232ee15a4328aca74b5904647a169e4c8ce68e

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
f2297ccd3333cd3c1c56a4bb4ef720fd

SHA1
0e0175493d59529c7040b164f6e20847b3aa8967

SHA256
180b0d31f28438786c49bbee42c27abef45a2b00bc6a6eb08adacd74bf205615

SHA512
8076124ac96668141e45deead261163459d1b64e08c72bd6973abd3c0de3384d31c13a48d484f9633a0a5e56015e09f6363d02c89e7ecf7c45dafdac767f1573

Download Submit
memory/332-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/668-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/668-66-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/780-35-0x00007FFBE9020000-0x00007FFBE9AE1000-memory.dmp

Filesize
10.8MB

Download
memory/780-9-0x00007FFBE9023000-0x00007FFBE9025000-memory.dmp

Filesize
8KB

Download
memory/780-10-0x00000000000B0000-0x0000000000134000-memory.dmp

Filesize
528KB

Download
memory/780-11-0x00007FFBE9020000-0x00007FFBE9AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1724-67-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3220-59-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3220-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4784-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4784-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-63-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download