quasar | af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Celestial.exe
Size

3.1MB
MD5

12bdd4b4c107fc3ffec7f9b29d7d6a93
SHA1

04bb395848578e22cef0c90215463e4efe4965c3
SHA256

af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440
SHA512

ff4a2c42ac1fed5421955a949cf28c9abb714484bb68259f160516d10a7a179cc6e6327ab2fc2f099ba51a98b25fa5f41ea2af4f3815159e1ce7f75a698b8251
SSDEEP

49152:nv6lL26AaNeWgPhlmVqvMQ7XSKZkxNESElk/iULoGdldTHHB72eh2NT:nviL26AaNeWgPhlmVqkQ7XSKGxsa

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

147.185.221.19:33365

Mutex

ba5220e2-c4e8-4381-aad8-a85115ef955e

Attributes

encryption_key
67C139F3E9A16FF8132A3DCF42197B8BA3C38609
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Miicrosoft Securiity
subdirectory
Miicrosoft Securiity

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/2272-1-0x0000000000D60000-0x0000000001084000-memory.dmp family_quasar
C:\Program Files\Miicrosoft Securiity\Client.exe family_quasar
Executes dropped EXE 1 IoCs

Processes:

Client.exe

pid process

1412 Client.exe

resource	yara_rule
behavioral1/memory/2272-1-0x0000000000D60000-0x0000000001084000-memory.dmp	family_quasar
C:\Program Files\Miicrosoft Securiity\Client.exe	family_quasar

pid	process
1412	Client.exe

Drops file in Program Files directory 4 IoCs

Processes:

Celestial.exeClient.exe

description	ioc	process
File created	C:\Program Files\Miicrosoft Securiity\Client.exe	Celestial.exe
File opened for modification	C:\Program Files\Miicrosoft Securiity\Client.exe	Celestial.exe
File opened for modification	C:\Program Files\Miicrosoft Securiity	Celestial.exe
File opened for modification	C:\Program Files\Miicrosoft Securiity	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

3208 schtasks.exe
4992 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Celestial.exeClient.exe

description pid process

Token: SeDebugPrivilege 2272 Celestial.exe
Token: SeDebugPrivilege 1412 Client.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Client.exe

pid process

1412 Client.exe
1412 Client.exe
1412 Client.exe
1412 Client.exe
1412 Client.exe
1412 Client.exe
Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Client.exe

pid process

1412 Client.exe
1412 Client.exe
1412 Client.exe
1412 Client.exe
1412 Client.exe
1412 Client.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Client.exe

pid process

1412 Client.exe

pid	process
3208	schtasks.exe
4992	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	2272	Celestial.exe
Token: SeDebugPrivilege	1412	Client.exe

pid	process
1412	Client.exe
1412	Client.exe
1412	Client.exe
1412	Client.exe
1412	Client.exe
1412	Client.exe

pid	process
1412	Client.exe
1412	Client.exe
1412	Client.exe
1412	Client.exe
1412	Client.exe
1412	Client.exe

pid	process
1412	Client.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Celestial.exeClient.exe

description	pid	process	target process
PID 2272 wrote to memory of 3208	2272	Celestial.exe	schtasks.exe
PID 2272 wrote to memory of 3208	2272	Celestial.exe	schtasks.exe
PID 2272 wrote to memory of 1412	2272	Celestial.exe	Client.exe
PID 2272 wrote to memory of 1412	2272	Celestial.exe	Client.exe
PID 1412 wrote to memory of 4992	1412	Client.exe	schtasks.exe
PID 1412 wrote to memory of 4992	1412	Client.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Celestial.exe
"C:\Users\Admin\AppData\Local\Temp\Celestial.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Miicrosoft Securiity" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Securiity\Client.exe" /rl HIGHEST /f
2⤵
- Scheduled Task/Job: Scheduled Task
PID:3208

C:\Program Files\Miicrosoft Securiity\Client.exe
"C:\Program Files\Miicrosoft Securiity\Client.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Miicrosoft Securiity" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Securiity\Client.exe" /rl HIGHEST /f
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4992

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Miicrosoft Securiity\Client.exe
Filesize
3.1MB

MD5
12bdd4b4c107fc3ffec7f9b29d7d6a93

SHA1
04bb395848578e22cef0c90215463e4efe4965c3

SHA256
af454978c652f9acb95b7c2f45d41ee0ba7923d6e3b3f554af853ef9efff9440

SHA512
ff4a2c42ac1fed5421955a949cf28c9abb714484bb68259f160516d10a7a179cc6e6327ab2fc2f099ba51a98b25fa5f41ea2af4f3815159e1ce7f75a698b8251

Download Submit
C:\Users\Admin\Desktop\BlockConfirm.ocx
Filesize
457KB

MD5
faa971ee8688eba3127f235356a09a8e

SHA1
932a6dc718d482ff26410feb78320418f940cb4b

SHA256
be0c547700237b672739ff48414704427eb37a5d172c410906a6acd6810aaeb7

SHA512
06e4c1ff8a87a0549616fc4b11550aa03ef6588e31b0ff5ce63c4a440488044c3c598942aa8d7b6926d0037f91a42dc21e2c2eea6116c0e27a6f802ace8b283b

Download Submit
C:\Users\Admin\Desktop\ComparePop.clr
Filesize
1005KB

MD5
ee5789f2230a279fb73f0451483120d4

SHA1
a2c189b18d5a1748412319bfc04979105ccbffe7

SHA256
bc70e5ace66a3cc9b21374597c054c68cf7517e1f7cf5efaa98657726747bff3

SHA512
7eaa55338cf300d5e817eb3579f27a4a7fb4f87a731861c701cc05138b9fb67e96a48c95a3870723d0323e947f4a9b4e493ca9e1b4e5200edddfcac53b15e4c9

Download Submit
C:\Users\Admin\Desktop\ConnectPublish.temp
Filesize
658KB

MD5
f80497054699e37a866724dca39cc97c

SHA1
ba60bb02f89f0661955f4beba5ec9f1c864604cd

SHA256
3f7828d9f09f702d77ab8d291525fbe992fcb9b1cb6bf2d0cccbbdc7f8c917ad

SHA512
072cafdda9fbc01740c664c478cacdf719d59c8e6ed726c22ad4216470fa88f0bc6d5d6605c6c0986b4c886925c970da03c1debe7d66e43791744b6834b331b1

Download Submit
C:\Users\Admin\Desktop\ConvertToOut.M2TS
Filesize
292KB

MD5
26ec39cbb8992250d08eb95d5d7525ba

SHA1
e541899bd3013a083b1cada4c8cc0dcd69ae99d5

SHA256
e75b89bbfe03077828e2e70627c445161735374f8d0dfeae6df00eb6a4c95049

SHA512
df4c077941f216e1ff562d979564fd7e311fa6cf16ee815606684ecb0a90c0dca4f48f478f66ec368e3261c37afd8a8b317402bed34dbd45d5afc189ecaf583d

Download Submit
C:\Users\Admin\Desktop\CopyHide.mp4
Filesize
402KB

MD5
47165329a08d135a10352cb191d19d09

SHA1
aba2351e22b448fa1ec18074ad35e87463f477d6

SHA256
6161d0f85b0d06de20d296c9fbe36ae836d471f3047b307918751f24e4bbc8b8

SHA512
8f7d8189cac19ea5de8b821a715626aedc17f5248f8a0a013958633129c2dba242a9a67d87106ef0792c1aadc21459785549b1d350a1bebbc87f807c4403a32c

Download Submit
C:\Users\Admin\Desktop\DenyExport.M2T
Filesize
585KB

MD5
84810338dc2f912360386f3b88c71e7d

SHA1
296196dcc6bc1d2c63ee999c3c586a3d6b2b232a

SHA256
64eb20780d53624fb88747f3ec2a1f5b9d1079b132e4c0f0aa12b88e35b8980f

SHA512
5a1f0640480eb193071a9c5fae33c79eaae8ac83af8bbd8ecb970fbf1270d23ef340ec69fbb1a58cc7a4d99e3c11ef9a51a027cd3e3954ca6b70b7301dafbcb4

Download Submit
C:\Users\Admin\Desktop\DisconnectLock.inf
Filesize
566KB

MD5
565d088092502c972b646893f4a5a5da

SHA1
bf72a9227e1429a4348bae9c693a6ff91ba02717

SHA256
854fa600ec436f48a56549b472ed38edb7fd3adb6758c4939637cc553871fa65

SHA512
a3fc34c67817aa47a5cf81d499a77932d68049018866f886c6744b5ce85919e104486004683e3376a84f965cb792e66049296e5f740741cc0b7bed622b715e4e

Download Submit
C:\Users\Admin\Desktop\EditSwitch.mpa
Filesize
676KB

MD5
3acc5926df29bba89fecaa641a89c294

SHA1
8b3b10b34dba81d37e50550f3bcc59cb08d37f6c

SHA256
dff9aeb6c335812e507b6c8c6123f3073a050c560159adb4416c3e30f0f9a063

SHA512
9cedaa29f08b19fb193c1c6a007480aff2a37653882d313bb333fcd69c6d0c8f0a1ba68228f2e249efe0caea85bf3e003a5b71d934d4047b7621d22bcef8e807

Download Submit
C:\Users\Admin\Desktop\ExitCheckpoint.scf
Filesize
548KB

MD5
775437c80b7cdeebfc914933ebc88a9b

SHA1
379c45870e85181f665f88e6d792a1d8005dd202

SHA256
8e659d06cabc84575d3b03e16694b5dc4121bf6e5961a12df0c4b84fe9d72184

SHA512
d3f9a40f3bcc32e21e1b4ac9404211ab4ee3b2b3f61aa8bf6797f50547d7306769a135507042eaa0abf9f2ff6795c3c24102cffe09431037f21a72416fed6c8b

Download Submit
C:\Users\Admin\Desktop\ExpandUnlock.midi
Filesize
347KB

MD5
d4873b78f0415ed38b6b7470ea3d355f

SHA1
009d6a46ff0849cb50bab6fac8ca7a36e9b39983

SHA256
563c07d601780072c405bd2e98b04590853cfd9d1ae275637018781ea074ca79

SHA512
b481867b6a5a31ac9e115bf4f2e308c9e94b5551369b714edc1e30dcc76dc0ac50e1e9c06586e3e82fc8c683885db6a611fd6db64425383576f53f83d4c076a5

Download Submit
C:\Users\Admin\Desktop\FindComplete.emf
Filesize
493KB

MD5
081f84a4571190e1530063492885eddf

SHA1
ce19f8688aaf08c51657fb939b74974dbe545916

SHA256
02ed148a6382a7c0f03fa243439e351baa4ea54b17967f56d02b23a622cfbccf

SHA512
4293f066e209f4d8b377c4282215b8066f8420f3f3c017ae3a8f090dac19af3c58074d9dcc241c262aaabd1d4100c50361845f0c97af2dddd9e1618ef61674eb

Download Submit
C:\Users\Admin\Desktop\FormatClear.m4a
Filesize
365KB

MD5
76f54555a3df000bd487f435a7c8d288

SHA1
b22725a80f3ddbb0fb2d5fad3eeaf7792e52b40d

SHA256
4c17b3bc8df649be2311ec4818a98db69915fde067aa954a1243124a9dbd7ff7

SHA512
a682bf9d39a0576ac80a046cdbdabf1d2043a38617a3f1b8c58fd000bca026e56612d2ef28e2593c00a2bd659c73ff5699c71d5a7b44bb8c8d989cb7cc705616

Download Submit
C:\Users\Admin\Desktop\GrantUse.vstx
Filesize
621KB

MD5
7fdf988b577489bacc4d6c650ec393f4

SHA1
737fe739d4e202e7fb7c8f498b0754927dc3c781

SHA256
0ec3140dc61c03a871702a9e8354279e975c0839088e67c91daac8255c5b3dbe

SHA512
e60c1d1b168ee92b47713d99ba1010ddbb877d52d4eba7ddc8db2223aa6dd7c7a5cd9aa22ec873076ebd1ec7fcb0b57038d03895970d9c52acbdadeb4321856a

Download Submit
C:\Users\Admin\Desktop\HideBlock.ppt
Filesize
713KB

MD5
7319f130d7831a88da187f9a310b3526

SHA1
9acd87cccbe80d6afa6430116953ce26e6758913

SHA256
19b0a0f6eaba86af7a851c3198716b5b0614c2aea370744d0cbaba42d6257686

SHA512
82680ccc3afe79ac06db17f46a9607fbfecc1926decd0711c98e0ce107afc632e629327be8617f006771b328bff596936f5d14c99f0f54cd578c99a37b04b85b

Download Submit
C:\Users\Admin\Desktop\JoinGrant.potm
Filesize
384KB

MD5
b9ad81cddefdd9de74ac85d0b6724c07

SHA1
400a4dfa07bdba8459c1c0df759d6a92808832a8

SHA256
616d7013f553b38443d34be2e5935a1b3ced8546f009c9a15ba2316c5b21e643

SHA512
ac4ea721f671b17d1ba457db8bc54aaa9f14615c75a366ddc66d8fa1da102eb21b023a8ee3892461349fcd751c0c73d596cd75a713bd3406d44e8a19dd64544e

Download Submit
C:\Users\Admin\Desktop\MeasureSend.wma
Filesize
420KB

MD5
fc4cf30ddb7a334d66337c129df50931

SHA1
875474e75c8072bc23288868bb151a3eb13b8724

SHA256
c44c34e7b184922006c42e55093dd432c9ab7961abc05ef7a67e357e876ec46a

SHA512
2bf2f8a0300a19fcc29dbbc9677543f1fcd9ff7e050b95791a9d2807cea1cc6aa823b9a0c2d8904a376abf9b2f41b75db3b665d5ef7097ed73bf91d1c0e06883

Download Submit
C:\Users\Admin\Desktop\MergePing.vstx
Filesize
438KB

MD5
cba2b3fce34bf075222351b19b062f9e

SHA1
b977794966d3bd183a58fbf564e6b562bf6839b0

SHA256
0ff695160be483665c2aaa9b1e9b85f74c8a08148eec023ae354bf8ad332fe2b

SHA512
122bf4e06dec8dd604ade04b64bd0493ff5389fefcfb872864a94da199a230aa53a20c420caf61905395b03ce0cab8387940bec6356d722eb4422cd85116d450

Download Submit
C:\Users\Admin\Desktop\MoveRevoke.jtx
Filesize
475KB

MD5
5fa0d3e406af012aa64444a0279ea8c6

SHA1
ca325c03fc42cc6b92014bd9c26d6445df667e4d

SHA256
3e93b7fc6886287184f214b38af780c790236ec94649a768c5cb4d23ac420576

SHA512
7226c5a3a620c537d6b4238e5d27b4edb6ebe694698a37b54bcaa6afa7b71abd8a8c89bcaaa9d74c159914e20e801db24d70e7cdd40ff92a0c3ba001f00431a4

Download Submit
C:\Users\Admin\Desktop\OptimizeInstall.mpv2
Filesize
694KB

MD5
b2e5a1e921bd7b9d5114c477bb52f68a

SHA1
99c88c7af46e7953fe5c0c77eb77ab231b2e7993

SHA256
7f28c7c59346d93371941b8480ca64f9ea151ebee1a6f9e9ea8cfb61848f1343

SHA512
a36aaa28e42ed422cf6f84ce41c501e92275c00fb536b57766cd40a2c43071006da0836be892b4deec3b77a641312828a2bffe91381610e2d1ddbbb192165f5d

Download Submit
C:\Users\Admin\Desktop\PushOptimize.mpeg
Filesize
603KB

MD5
b76a84d9df3f70de4824149158a6c1fa

SHA1
1b8e20524c45e527afdd4578b54c5afe10307e71

SHA256
e365c75d2d0e83613035027d2790f42c9fe49f784262889cf8f20a6452c0f648

SHA512
c33874a2da1ddb1f58ad6d14543e605183a4baec435e153af20605abefd4e1143f0b9cf2b655edeef3a6d4f9185ba3c978be48c2a6703a2f16727018f93bac3c

Download Submit
C:\Users\Admin\Desktop\PushResolve.odt
Filesize
310KB

MD5
d1dd391a85cb1e630d5244d4d9564816

SHA1
7095a5b5f69cec0f28f60c0cd5217718ea429da7

SHA256
1c04f00fa8052169e7a77b87084269bd6045e1b151054196d02fd4786c2ae26b

SHA512
acab377558801931b1e10d4961e2e8c6eabbc1e66943546c8bbb516bd8f6633c557094b9ae4101cab5d8166711754af27093ff5f6e0e0802c31a3f753a89907d

Download Submit
C:\Users\Admin\Desktop\RequestUnlock.js
Filesize
640KB

MD5
4265abb8dd85a7a72941d01a91d175ee

SHA1
477d85a2682daf43ad43fb93a9d19d2b0bb7f58b

SHA256
9a7908f71822006719795df9cadae861f564ab4abe6f780f2fb1ab37ae32c3d6

SHA512
e1925223bd5f04b7e32ef1d5c3773f4b369a5b72acef1cfb1c038de786fec0f710c41dc87d0fe6ea756610284dc77fdeab45f376c8e64851e470139e15000fef

Download Submit
C:\Users\Admin\Desktop\RestoreBackup.shtml
Filesize
256KB

MD5
9f810711903c4dbc2ded6084d4350457

SHA1
03d8551d084bee3804b9d86b8313aa3004f78be1

SHA256
9961800e64062cf7aa5ec15f3cdd411ec4a794748ed4e0ac68519d4f8fe7d950

SHA512
7e11cf1a50ee42ee72d8a06e0b3a82dc3194dfa4e187115a53e51eeb4620b3ac4d976751bfc63eb32c474515ca8359a42019a419277bf95d6fd558649e3868b2

Download Submit
C:\Users\Admin\Desktop\RevokeTrace.ttc
Filesize
530KB

MD5
00b6e5d406b03ca6b4239de9c6eb9ff3

SHA1
cc55d02075afb8254ca1a06204e746085426bceb

SHA256
242ce6c2881e74c290e204ed13ca47929a9dbe4ef260c2b0a1c0b076ecb6a855

SHA512
ee657f4e92d4cf48167e18d9af871a2f035bbb0cc304d4eddfd88f31147e5d44d50a28dd3a4bffb2cc8f13fceaa02a01b79f1c7677d7fdb2d83c4f0d019a3b47

Download Submit
C:\Users\Admin\Desktop\SavePing.contact
Filesize
731KB

MD5
b206bfb820001b67317f7925d6eea761

SHA1
209d917ed7cd3b6abb3869e3f5d5c3faee59328b

SHA256
9fde0c2424404f10078e56fa5ed4784ffe3c66cbd8a50003ee29525c8da63b38

SHA512
ed90be2a2dfc025a23514d8ed6a340caa4fbfd08dd91164c08369ca9b1ff2e641a835540aad6a587568711295e827a2b4694e60e4cbffde9263e1d2d676ec1ee

Download Submit
C:\Users\Admin\Desktop\StopEnter.pot
Filesize
329KB

MD5
b5e544c4fb920c84d67199353f1a476e

SHA1
a545fdd91751ff6e1308e526358985da8f50f926

SHA256
ee85c0b87f280a615f1bcd6711eb3cce9bcee9fde2e989925512eb028372629c

SHA512
258984a8e5fdc899629eb49c27ef6b3eebe68c9e7ad1bd8519693123a57410a9fafa463c15d0142c87c031fc26d63f1e253bf54ff2fd2e62bf1430e4fffee8ae

Download Submit
C:\Users\Admin\Desktop\UndoAssert.wmf
Filesize
274KB

MD5
c2aefc0ffadb6f0a85d01949658d1854

SHA1
ef0201824f318a2b694886eba8967b269f0e2c1b

SHA256
acce52c3dd35eef2df0119dcbe15cc483b6d0a1905e12e80fea4594b512fe795

SHA512
dd3d9b1e02a3a23f5494787af3000921cc691dd84d0ce5b0964d4edf44d7da884356c25205d5aa7e9a89040ecdd50733c1d36f1b0dd0c9c0ec33d2ecbd434733

Download Submit
C:\Users\Admin\Desktop\UnprotectSkip.vstm
Filesize
512KB

MD5
620232e14996447e07ac91ef5aaff37e

SHA1
c4867eb3890e95660e4a91e7e09aa484da8d311c

SHA256
bc8c28620a9d7669a92c4dea2f4795f21deefbc7aff79a9de30cc01e608a5f5a

SHA512
3e4442d4fe8a7e82fd5d91365e439b1afec7b06bf6d13878b1b7987e2a952aadbe7371a986e8ee2c1124199e9db796b1eb8c2711f0912e74d988a948a2484477

Download Submit
memory/1412-16-0x000000001D120000-0x000000001D15C000-memory.dmp

Filesize
240KB

Download
memory/1412-17-0x000000001D690000-0x000000001DBB8000-memory.dmp

Filesize
5.2MB

Download
memory/1412-15-0x000000001C9A0000-0x000000001C9B2000-memory.dmp

Filesize
72KB

Download
memory/1412-12-0x000000001CA20000-0x000000001CAD2000-memory.dmp

Filesize
712KB

Download
memory/1412-11-0x000000001C910000-0x000000001C960000-memory.dmp

Filesize
320KB

Download
memory/1412-10-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp

Filesize
10.8MB

Download
memory/1412-9-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp

Filesize
10.8MB

Download
memory/1412-47-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp

Filesize
10.8MB

Download
memory/1412-48-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp

Filesize
10.8MB

Download
memory/2272-0-0x00007FFEDEBB3000-0x00007FFEDEBB5000-memory.dmp

Filesize
8KB

Download
memory/2272-8-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp

Filesize
10.8MB

Download
memory/2272-2-0x00007FFEDEBB0000-0x00007FFEDF671000-memory.dmp

Filesize
10.8MB

Download
memory/2272-1-0x0000000000D60000-0x0000000001084000-memory.dmp

Filesize
3.1MB

Download