quasar | 508c07e6984238119e1a58ce0a07b48d90261b02e1bd39dd1666c13830a476db

Analysis

max time kernel
39s
max time network
41s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-02-2025 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.exe
Size

3.2MB
MD5

0da7fe61b0019dc10698dfa187fec202
SHA1

600f670bcefc050e9a2d52d22f719a02789d53b9
SHA256

508c07e6984238119e1a58ce0a07b48d90261b02e1bd39dd1666c13830a476db
SHA512

5c89f26c367568dbb79a940328e42f62942652cbca6b6bd3297676ea7560cddd8a6c6795ffc57af54a78d9c6514edfd4bc654bb76c7985b0759ec50538bc560c
SSDEEP

49152:Evkt62XlaSFNWPjljiFa2RoUYI00CxP7JoGdkUTHHB72eh2NT:Ev462XlaSFNWPjljiFXRoUYI7CxPlU

Score

10^/10

quasar office04 discovery spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

98.218.3.74:4800

Mutex

dd229ccb-39cd-4301-9413-ea14fa25ce22

Attributes

encryption_key
F023A1C93603AFE96871B3F0323AA7B852FA745F
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/1388-1-0x0000000000CD0000-0x0000000001004000-memory.dmp	family_quasar
behavioral1/files/0x001d00000002ab66-6.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2940	Client.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe
3080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4220	msedge.exe
4220	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1388	Client-built.exe
Token: SeDebugPrivilege	2940	Client.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2940	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2836	1388	Client-built.exe	77
PID 1388 wrote to memory of 2836	1388	Client-built.exe	77
PID 1388 wrote to memory of 2940	1388	Client-built.exe	79
PID 1388 wrote to memory of 2940	1388	Client-built.exe	79
PID 2940 wrote to memory of 3080	2940	Client.exe	80
PID 2940 wrote to memory of 3080	2940	Client.exe	80
PID 2308 wrote to memory of 1212	2308	msedge.exe	95
PID 2308 wrote to memory of 1212	2308	msedge.exe	95
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 1108	2308	msedge.exe	96
PID 2308 wrote to memory of 4220	2308	msedge.exe	97
PID 2308 wrote to memory of 4220	2308	msedge.exe	97
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98
PID 2308 wrote to memory of 1044	2308	msedge.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2836
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3340

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb78a93cb8,0x7ffb78a93cc8,0x7ffb78a93cd8
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,16741919207532501373,16729536412502765274,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,16741919207532501373,16729536412502765274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,16741919207532501373,16729536412502765274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,16741919207532501373,16729536412502765274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,16741919207532501373,16729536412502765274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,16741919207532501373,16729536412502765274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,16741919207532501373,16729536412502765274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3ae60ed954477039a00066b99c866214

SHA1
02c85909ca70c9fab7ae897b3a2612c5c89fdc6f

SHA256
b89dc110e4e131e24ce5195f45fda2913686088a9e137b92daeb24a0ad79d455

SHA512
c43ce286465385cb70c57fcfc6df3114ae6ec0d57025b7c5ae0ea769aa48072c5f2e08591da13f5a79e046abd2ee404c93db40731025fd9850e72349a09bdb5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ff7f795c7422ca06369738de9a84e79

SHA1
3d471adbc5dd318175cc26f4ba113e563020bdfe

SHA256
55d39a3087124986cd795eb6e3092b4cce7e43ecc50f8959f48589a489e3fcc8

SHA512
52b90198f762d724abcec3fcd8d0260beeb1900128119b1168ef4a7f3cde64eca4415d91fd7d4f81a4e95760b7c106c18371db4ae6133c79bc0ce180659f7c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
373bbbaac329874bbe08d7430854710f

SHA1
8515ed34ace8bb6a9015a323d150bb82043eda7c

SHA256
533e7c5dd5454fa860252ae9952a79cbd8b241d7502a873fa01eeed804804626

SHA512
b71a074ce91ad314b92d6db13d65ad99c4b59da93fcb966c9cc33828d8e44ca3c658315ebbd4f49c12c06eb10969ca184f96a24b29094b91096273bbb7f44593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\5b732358-78c6-4e37-98e9-0393fa4cb38d.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.2MB

MD5
0da7fe61b0019dc10698dfa187fec202

SHA1
600f670bcefc050e9a2d52d22f719a02789d53b9

SHA256
508c07e6984238119e1a58ce0a07b48d90261b02e1bd39dd1666c13830a476db

SHA512
5c89f26c367568dbb79a940328e42f62942652cbca6b6bd3297676ea7560cddd8a6c6795ffc57af54a78d9c6514edfd4bc654bb76c7985b0759ec50538bc560c

Download Submit
memory/1388-10-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

Filesize
10.8MB

Download
memory/1388-0-0x00007FFB801F3000-0x00007FFB801F5000-memory.dmp

Filesize
8KB

Download
memory/1388-2-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

Filesize
10.8MB

Download
memory/1388-1-0x0000000000CD0000-0x0000000001004000-memory.dmp

Filesize
3.2MB

Download
memory/2940-15-0x000000001D0E0000-0x000000001D608000-memory.dmp

Filesize
5.2MB

Download
memory/2940-14-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

Filesize
10.8MB

Download
memory/2940-13-0x000000001C9F0000-0x000000001CAA2000-memory.dmp

Filesize
712KB

Download
memory/2940-12-0x000000001C8E0000-0x000000001C930000-memory.dmp

Filesize
320KB

Download
memory/2940-11-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

Filesize
10.8MB

Download
memory/2940-9-0x00007FFB801F0000-0x00007FFB80CB2000-memory.dmp

Filesize
10.8MB

Download