quasar | 67edbefe621aabd00b18f98816b872a87abeb3334e24f535732d02915aa82058

Resubmissions

26/01/2025, 04:48

250126-fff8nssmbz 3

26/01/2025, 04:44

250126-fdcgpsslez 10

Analysis

max time kernel
108s
max time network
111s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26/01/2025, 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrudaTweak.zip
Size

10.6MB
MD5

c83d23532d6dd591ffc0d6fd75597dd7
SHA1

06b3ad285f681700d5f9d43fed6a45e18368f7e8
SHA256

67edbefe621aabd00b18f98816b872a87abeb3334e24f535732d02915aa82058
SHA512

a0f49ce993f803200f493dbacc1bd9cb615fab63878ad80d00b77155cce2e48f9dcb706c4e3d2009ef47d7aedd9253da26a9ace83689718accf1dfdf3998f88b
SSDEEP

196608:7saahvSji7LYOSIlr3vTPzz3Uh33HUxxqM3PBOfo6cakJrdfLjPQbUINfkotWep:7z0SjkL/lT7jUhUxMM3PB5JrVAbVyotL

Score

10^/10

quasar prudabackend execution spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

PrudaBackend

45.131.108.110:4782

Mutex

8f8e6059-ac4f-4e47-8d62-3ce070083ecf

Attributes

encryption_key
D82EC4913FC5B28DDFF5AC48635D190A9342C6BD
install_name
update.exe
log_directory
Logs
reconnect_delay
2500
startup_key
Runtime Broker.exe

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002aabb-108.dat	family_quasar
behavioral1/memory/3272-110-0x00000000000A0000-0x00000000003C4000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
3544	!PrudaTweak.exe
3296	crashpad_handler.exe
3272	Spotify.exe
928	update.exe

Loads dropped DLL 5 IoCs

pid	Process
3544	!PrudaTweak.exe
3544	!PrudaTweak.exe
3544	!PrudaTweak.exe
3544	!PrudaTweak.exe
3544	!PrudaTweak.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3432	powershell.exe
2408	powershell.exe
4148	powershell.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\update.exe	update.exe
File created	C:\Windows\system32\update.exe	Spotify.exe
File opened for modification	C:\Windows\system32\update.exe	Spotify.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5112	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5044	schtasks.exe
2396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1812	7zFM.exe
1812	7zFM.exe
3544	!PrudaTweak.exe
3544	!PrudaTweak.exe
3432	powershell.exe
3432	powershell.exe
2408	powershell.exe
2408	powershell.exe
4148	powershell.exe
4148	powershell.exe
3544	!PrudaTweak.exe
3544	!PrudaTweak.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	1812	7zFM.exe
Token: 35	1812	7zFM.exe
Token: SeSecurityPrivilege	1812	7zFM.exe
Token: SeSecurityPrivilege	1812	7zFM.exe
Token: SeDebugPrivilege	3544	!PrudaTweak.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	3272	Spotify.exe
Token: SeDebugPrivilege	928	update.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1812	7zFM.exe
1812	7zFM.exe
1812	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
928	update.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 5112	1812	7zFM.exe	78
PID 1812 wrote to memory of 5112	1812	7zFM.exe	78
PID 3544 wrote to memory of 3296	3544	!PrudaTweak.exe	83
PID 3544 wrote to memory of 3296	3544	!PrudaTweak.exe	83
PID 3544 wrote to memory of 3432	3544	!PrudaTweak.exe	85
PID 3544 wrote to memory of 3432	3544	!PrudaTweak.exe	85
PID 3544 wrote to memory of 2408	3544	!PrudaTweak.exe	87
PID 3544 wrote to memory of 2408	3544	!PrudaTweak.exe	87
PID 3544 wrote to memory of 4148	3544	!PrudaTweak.exe	89
PID 3544 wrote to memory of 4148	3544	!PrudaTweak.exe	89
PID 3544 wrote to memory of 3272	3544	!PrudaTweak.exe	91
PID 3544 wrote to memory of 3272	3544	!PrudaTweak.exe	91
PID 3272 wrote to memory of 5044	3272	Spotify.exe	92
PID 3272 wrote to memory of 5044	3272	Spotify.exe	92
PID 3272 wrote to memory of 928	3272	Spotify.exe	94
PID 3272 wrote to memory of 928	3272	Spotify.exe	94
PID 928 wrote to memory of 2396	928	update.exe	95
PID 928 wrote to memory of 2396	928	update.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PrudaTweak.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO4175F6E8\ReadMe.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:424

C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe
"C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe
  C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\Desktop\PrudaTweak\cache --metrics-dir=C:\Users\Admin\Desktop\PrudaTweak\cache --url=https://sentry.pruda.de:443/api/2/minidump/?sentry_client=sentry.native/0.7.16&sentry_key=ae11f7dd565c2b26983cff3e1a33de87 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\8da2b3e0-5d2c-42f0-c510-0b1da3459a95.run\__sentry-event --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\8da2b3e0-5d2c-42f0-c510-0b1da3459a95.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\Desktop\PrudaTweak\cache\8da2b3e0-5d2c-42f0-c510-0b1da3459a95.run\__sentry-breadcrumb2 --initial-client-data=0x5c0,0x5c8,0x5cc,0x5bc,0x5d0,0x7ffe815b3b70,0x7ffe815b3b88,0x7ffe815b3ba0
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Set-MpPreference -DisableBlockAtFirstSeen $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Set-MpPreference -DisableIOAVProtection $true"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\Spotify.exe
  "C:\Users\Admin\AppData\Local\Temp\Spotify.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5044
- - C:\Windows\system32\update.exe
    "C:\Windows\system32\update.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Runtime Broker.exe" /sc ONLOGON /tr "C:\Windows\system32\update.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8cb7f4b4ab204cacd1af6b29c2a2042c

SHA1
244540c38e33eac05826d54282a0bfa60340d6a1

SHA256
4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6

SHA512
7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE4173E8E8\PrudaTweak\cache\4ad14509-b7df-46ad-9762-2eb94b7bb35b.run\__sentry-event

Filesize
305B

MD5
4d3bf9c62481386d99e2a5a0828341d2

SHA1
f359b6c105b8b1ece4569075a5781eecf61ecd21

SHA256
7407a8986ef45d2c6d7438d5d2d2664ab4089d23b6a02dc786987b375a07833a

SHA512
cf250facbff061775678b7be429763a6ca818587824e622341f986acd9e4e8f81dd82e49fb5d75759c5b186c327f7f89854c54f204dc6eb1af5eef5201537993

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO4175F6E8\ReadMe.txt

Filesize
54B

MD5
499de9d9188c430a05577a37ca55eb25

SHA1
38e94adbe669972e47ce5c8f9f7c1856b736325e

SHA256
4097e09dc2992caddd40ed08a80f6bd96ee15c9077cc1f81e82062b755341df0

SHA512
8926b484501ce4dd77d89960535e2bd1520f319a655efaecd565f18baedc4d80aa7f53c3b0429b4afcc540d713a6d2f317accfebab6be7d23a37d05aa0fcd6ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spotify.exe

Filesize
3.1MB

MD5
c965446805dc5c40e1bffe859716bea7

SHA1
7d6b257f8f830f512552bd11b36bb1fc88a1e966

SHA256
874dc85b74f8ee6a116d38453078905ee487949425e97a42de9b258dd6b8bbf5

SHA512
157b7d59cb94d83dceba138207f1d335df6f9da90c510cbad8e0b252173be05679352de83d2aef2e3ae3d7de58f7253f93422b44680d2cb63e6c3640fd68233b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l3gq3xlf.ypx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\!PrudaTweak.exe

Filesize
135KB

MD5
b919c1037e70d3db56f5a5ddb67d9e86

SHA1
e96772ca1fe8e044c3a03b46a9535c67c063bec0

SHA256
86c4260b065071bb0e89c3b6ea67a1065a63dd23cf03ad4e27cdcbeaf9748398

SHA512
502a5252a1ae87f93e272689da3fd206538ffde5e01aa281b3ee3905c273af79cfe9aa3759e675197f7ff6c166f898307789263429cdf34b7402b07a99511b04

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\Sentry.dll

Filesize
547KB

MD5
f634f84cf9f0244b3c62b04b21c69bbf

SHA1
e0a09946aad5cf6d402b617fc1679b139ddcb79f

SHA256
1e28984f8e08bcf2c902b9621a3b9646c695f12cd5b059b820bdbd735f706651

SHA512
50a15ef80f5ec00169a214cc8b26c8a5a81209760c48a6108d16b0ccc2a63fa8f0a22f3d8db235a74abfc4db65fc3e4a4eb8b46e06342c183c2c1f5b52b42fb3

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.deps.json

Filesize
2KB

MD5
81dba0ada628b279fdd419ae8b6cdb51

SHA1
856a511842dca4955c6b99f2154ac71c1d3053cb

SHA256
38c88f3aec2b0cbc7136020ec13eba93225e96cdca13d2f6941398900a905178

SHA512
2545810e4d8f96ee3e54608a7ffc0e3fa33f8bbdfd7ca781d63fad287a965ec6765bbb61cac25d6c9ee8f8e8670b5736b4b9671d0aed677f21615186a59ac87f

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.dll

Filesize
122KB

MD5
69c33683d8a85555a7d6c46ae03f5a9b

SHA1
52d0dbf8509944a14de7a1628e87868a13323828

SHA256
fa79404124b3bee4aa13cb36f0fbbb886daf68f083ad4f59e1825645ce1b2194

SHA512
e67c988c46d8c69293d6aa6f78fac724933769bf9c810e254883543fd60fa32210d01b0733f2d886126c2c905889b3b8e2cde7bdc59f60c1e0862405d8081997

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\application.runtimeconfig.json

Filesize
515B

MD5
e0f6f18f9b152bc2d8c710b0214805d6

SHA1
ae3d39e59fd6edc05792a76cdf4f02a637f52e29

SHA256
89ad1ea5c9c20b6b266547ef27c0ae3840cab5642d3c2aedf06b7026245671dd

SHA512
80a6a9ff925bd1ba6f57fa1f7dd40de962001af97f8c2477d0b502728e23b6f412c74134e33efb36ccfeb08bbbeb678beb7e2e52fad24a763967eba8cf09b29e

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\4ad14509-b7df-46ad-9762-2eb94b7bb35b.run\session.json

Filesize
205B

MD5
a9a8c0495255b0d780a48beeff331553

SHA1
73d7a0d2e5a607f2cb8f4b3e05c9303dafa577fe

SHA256
3a3b4b38fcdaa295a36a57636ec96cd84afa40a32fdd5a1b39720b56cbbd4064

SHA512
e98e09d71b8f00783d0a1d5bc3967345c0f4671b5dd68781bee34e2cddad59790649aa8649724aac1393f0e8569ab714b494fefe4a13e27fdc3c3dcc462a253b

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\8b8eaff1-9501-4d58-3a5e-90f8a6f28619.run\session.json

Filesize
205B

MD5
06df072958cdbd820f13b70130c8f8a0

SHA1
94c378762ff9a19a503160bd05814a8fc3ef5cd9

SHA256
98902d8d2f18e29169cb60d5ba46974b79d841dcd0d0c243f47d7c6d663a9254

SHA512
6212959e85dbc965de7406f2a596bdb1746efead9bec35fb861f57c75e33de6c3006c6798cc09583335e1705c3771ec45621a4c84f059803823cbca8fed924a5

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\cache\settings.dat

Filesize
40B

MD5
f0695e361eda3407c992d4042c98bd96

SHA1
4750f5d01ec5434f4852e06f1a0d6867c8eaa700

SHA256
31bc96d2a96b589e9d3fbae934e22112f847415081e54ff60cf21d2c7a0f3797

SHA512
19058ec366abad9414c26ad0acc5a22a870ca4e75aa8f60626a41e3bb8814a27be5d1b37e80b5f4e608b1c9fe991584d2430dba3ebb090b75a12cb63953cdecb

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\core.dll

Filesize
7.8MB

MD5
2812dc85be549cb7ac9f2af2fd33bf23

SHA1
397162303b15457cd883c20da2a51c08fd47414b

SHA256
c0c06a8ad06ca18771acb39d53eeb4222606d817c0fd51b31f58f9bb11c08610

SHA512
0720cd21fb2f52f7b64785f1083ef8ca9a2cc0e1bfc7ae3226145a02e21befd001e4b98aaed04f2535c9d4f3c6d7f11d814f2a154836a0a78f81277b5650381c

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\crashpad_handler.exe

Filesize
2.3MB

MD5
3334755210b904abcb67d187770e8cbf

SHA1
27d22593374bb6611ff54562b18422ef515cf8b3

SHA256
c3f4c395b7ab3caa33dfc30a05a1e0ffba81d05ecbdc6eb9f2c901421e31c8ff

SHA512
9d8a3eadd27733dae3025542c4ac46eb3fe6923770c41b178f96f99751cb8809b3965ea1b2fd1585be5af3803e3046f47337d3fb2aa6130fd51b018549775c52

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\libcrypto-3-x64.dll

Filesize
4.5MB

MD5
5a6752a89ddc99da064d5f7ddad70888

SHA1
c0aeefaa763c50ed4403f9d881d75aa1304ae81d

SHA256
523708e61d7509314047baf84d8d23a2c9dea59fa962ac58eec85c01c9877408

SHA512
4df9556a06c883c5e4dc8b37acc5be54f62cc471d482c19af54d52f160e00be98ce07bf54650cea881f9ddcf65f4c53b7f6e91aba178f64c3bff5201154b914f

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\libssl-3-x64.dll

Filesize
879KB

MD5
4a8dde272f6015afe307853acd2b21e1

SHA1
7b5c07d101e4aab1ad246f4cd1c55e497b02ee8b

SHA256
befc04fbac884fd3bbe09131efa7f6dd6713a732e31f839e6145680a41827e0f

SHA512
ff45450f195d8440fb99fbb6bcffbf1c08201c4a9b146a703bc2474d31adfbb98444657acf4d9c0be73072dba8353026d26f3dbd4b53d044099fc4c84b2c9329

Download Submit
C:\Users\Admin\Desktop\PrudaTweak\runtimeconfig.json

Filesize
170B

MD5
351f746426eecd5f6dab7a8549706845

SHA1
25fa3a53604551783aaab0f7a47936c9b1368653

SHA256
8dc2877edafe9f042088b9ba55b5193177dc4569b36bfbd0f9141e4489fc6e94

SHA512
ce310761a102e7f0a17ddd4c07f668e746c304a7c6ea7b02e94eea3e129eff5ac49384da9cd5ee046ba150f4759afe3834b16f8a5111f037c288c464735496bd

Download Submit
memory/928-117-0x0000000002620000-0x0000000002670000-memory.dmp

Filesize
320KB

Download
memory/928-122-0x000000001BD50000-0x000000001BD8C000-memory.dmp

Filesize
240KB

Download
memory/928-121-0x000000001B0C0000-0x000000001B0D2000-memory.dmp

Filesize
72KB

Download
memory/928-118-0x000000001BDD0000-0x000000001BE82000-memory.dmp

Filesize
712KB

Download
memory/3272-110-0x00000000000A0000-0x00000000003C4000-memory.dmp

Filesize
3.1MB

Download
memory/3432-74-0x0000027EFEFB0000-0x0000027EFEFD2000-memory.dmp

Filesize
136KB

Download
memory/3544-56-0x00007FFEA71F0000-0x00007FFEA71F2000-memory.dmp

Filesize
8KB

Download
memory/3544-57-0x00007FFE814D0000-0x00007FFE82322000-memory.dmp

Filesize
14.3MB

Download