Analysis

  • max time kernel
    1799s
  • max time network
    1691s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20231127-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-12-2023 15:16

General

  • Target

    dream_TradingCard (3).jpg

  • Size

    315KB

  • MD5

    db656096fb43707d3715a81082c26329

  • SHA1

    0b9a7e9fb083fbfe3f1737cb4d29fdbd09e16f28

  • SHA256

    b76679275457665ff82c8fc110933f860ff555280420c81c76dc2328110da6d6

  • SHA512

    32b4b00418adb25ee223150ef2a6d07c439fe71823dd5663420061742b86038bbc5c58bbbfa9f1ae9f3c78b2ba1acf9562cc7a41ce84813f6fd173fd58e4a564

  • SSDEEP

    6144:8eXNKLQECzuNZXZoHs7A4M5i4GpNSICyVqW4qk9mjGxRQfqEALKrC:r9KL3CqNZXHPMQpF74qkbTQiHLB

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.127.0.135:4782

Mutex

14340f65-9950-4e4b-8350-0ad336406252

Attributes
  • encryption_key

    A2C73B9484F3A2B93B5E62BE3BE1D153A827BE62

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    SystemShell

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 8 IoCs
  • Executes dropped EXE 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\dream_TradingCard (3).jpg"
    1⤵
    PID:2364
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1812
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9193646f8,0x7ff919364708,0x7ff919364718
        2⤵
        PID:412
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        2⤵
        PID:4756
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4844
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        2⤵
        PID:5016
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        2⤵
        PID:1776
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
        2⤵
        PID:2608
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
        2⤵
        PID:4628
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
        2⤵
        PID:8
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
        2⤵
        PID:5392
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:5408
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
        2⤵
        PID:5032
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        2⤵
        PID:732
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
        2⤵
        PID:764
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
        2⤵
        PID:3652
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
        2⤵
        PID:5820
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
        2⤵
        PID:5588
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5828 /prefetch:8
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:5932
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5532 /prefetch:8
        2⤵
        PID:5840
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
        2⤵
        PID:6116
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
        2⤵
        PID:5784
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
        2⤵
        PID:6032
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3880
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        2⤵
        PID:5628
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6192 /prefetch:8
        2⤵
        PID:3356
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17800604280937424344,11416512195660245359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6524 /prefetch:2
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3340
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4588
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3700
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:764
  • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
    "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4032
      • C:\Windows\explorer.exe
        "C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
        2⤵
        PID:4832
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:5184
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
        2⤵
        PID:3264
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:6064
      • C:\Windows\system32\ipconfig.exe
        ipconfig
        2⤵
        • Gathers network information
        PID:5932
  • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
    "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2712
  • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
    "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:5984
  • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
    "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    PID:776
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        2⤵
        • Creates scheduled task(s)
        PID:1720
      • C:\Windows\system32\SubDir\Client.exe
        "C:\Windows\system32\SubDir\Client.exe"
        2⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:4244
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /create /tn "SystemShell" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
            3⤵
            • Creates scheduled task(s)
            PID:4300
  • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
    "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5416
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
    1⤵
    PID:3128
  • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
    "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2868

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Quasar.exe.log

    Filesize

    2KB

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

    Filesize

    152B

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

    Filesize

    3KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            111B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                            Filesize

                                                            784B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            6KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                            Filesize

                                                            5KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                            Filesize

                                                            24KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                            Filesize

                                                            1KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58029b.TMP

                                                            Filesize

                                                            1KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                            Filesize

                                                            16B

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            11KB

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                            Filesize

                                                            10KB

                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2037190880-819243489-950462038-1000\7458e761378f037c3876e5f758c99c96_35514afb-ef24-48fa-8662-3709156a3dd3

                                                            Filesize

                                                            3KB

                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2037190880-819243489-950462038-1000\cf14ba5cbdcd2150f058a146d1c9f188_35514afb-ef24-48fa-8662-3709156a3dd3

                                                            Filesize

                                                            3KB

                                                          • C:\Users\Admin\Downloads\Quasar.v1.4.1.zip

                                                            Filesize

                                                            1.5MB

                                                          • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe

                                                            Filesize

                                                            2.6MB

                                                          • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe

                                                            Filesize

                                                            2.6MB

                                                          • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe

                                                            Filesize

                                                            3.0MB

                                                          • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml

                                                            Filesize

                                                            1011B

                                                          • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12

                                                            Filesize

                                                            4KB

                                                          • C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml

                                                            Filesize

                                                            406B

                                                          • C:\Windows\System32\SubDir\Client.exe

                                                            Filesize

                                                            1.8MB

                                                          • C:\Windows\system32\SubDir\Client.exe

                                                            Filesize

                                                            1.4MB


                                                            Filesize

                                                            5.2MB

                                                          • memory/4244-663-0x00007FF914460000-0x00007FF914F21000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                          • memory/4244-664-0x00000000027F0000-0x0000000002800000-memory.dmp

                                                            Filesize

                                                            64KB

                                                          • memory/4244-655-0x00000000027F0000-0x0000000002800000-memory.dmp

                                                            Filesize

                                                            64KB

                                                          • memory/4244-653-0x00007FF914460000-0x00007FF914F21000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                          • memory/5416-659-0x000000001B660000-0x000000001B670000-memory.dmp

                                                            Filesize

                                                            64KB

                                                          • memory/5416-660-0x00007FF914460000-0x00007FF914F21000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                          • memory/5416-658-0x00007FF914460000-0x00007FF914F21000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                          • memory/5984-641-0x00007FF914460000-0x00007FF914F21000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                          • memory/5984-636-0x00000268B6BE0000-0x00000268B6BF0000-memory.dmp

                                                            Filesize

                                                            64KB

                                                          • memory/5984-635-0x00000268B6BE0000-0x00000268B6BF0000-memory.dmp

                                                            Filesize

                                                            64KB

                                                          • memory/5984-634-0x00007FF914460000-0x00007FF914F21000-memory.dmp

                                                            Filesize

                                                            10.8MB