Analysis Overview
SHA256
244b20fc9114e2434daded7633dbdd44e625fa9cdcd326b2449e80fbe141cf5b
Threat Level: Known bad
The file dream_TradingCard (4).jpg was found to be: Known bad.
Reading the verdict: every Quasar signature comes from the win10 detonation (behavioral2), and the processes carrying them are Quasar.exe and Client-built.exe under C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\ plus the Client.exe copy written to C:\Windows\system32\SubDir\. The submitted JPEG itself was opened with cmd /c and rendered by Microsoft Edge on win10, and by Windows Photo Viewer (rundll32 PhotoViewer.dll) on win7, where no signatures fired. This export does not show what launched the Quasar binaries, so the tables below establish Quasar activity in the sandbox but not a link from the JPEG bytes to it.
Malicious Activity Summary
Quasar payload
Quasar RAT
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Enumerates physical storage devices
Suspicious behavior: AddClipboardFormatListener
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Gathers network information
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-15 08:12
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-15 08:12
Reported
2023-12-15 08:43
Platform
win7-20231020-en
Max time kernel
1566s
Max time network
1569s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen "C:\Users\Admin\AppData\Local\Temp\dream_TradingCard (4).jpg"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-15 08:12
Reported
2023-12-15 08:43
Platform
win10v2004-20231127-en
Max time kernel
1734s
Max time network
1699s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "5" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 66003100000000008f57134210005155415341527e312e3100004c0009000400efbe8f57ee418f5713422e00000011330200000007000000000000000000000000000000ba3819015100750061007300610072002000760031002e0034002e00310000001a000000 | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 66003100000000008f57ee4110005155415341527e312e3100004c0009000400efbe8f57ee418f57ee412e00000023310200000007000000000000000000000000000000b2c6e2005100750061007300610072002e00760031002e0034002e00310000001a000000 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000007b57b591100041646d696e003c0009000400efbe7b57968b8f57a9412e0000007de10100000001000000000000000000000000000000a5cac600410064006d0069006e00000014000000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | C:\Windows\explorer.exe | N/A |
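The BagMRU rows in the table above (BagMRU\0\1, \0\1\0\0, \0\1\0\0\0\0 and \0\1\0\0\0\0\0) are ShellBag entries: explorer's record of which folders were browsed, carrying each folder's 8.3 name, long name and packed DOS timestamps. The Python below is an added example, not part of the report or of the sandbox's own tooling: it decodes those four hex values exactly as they appear in the table. It parses only the fields it needs (the 0x2f volume item, the 0x31 file-entry header, and the UTF-16LE long name inside the 0xBEEF0004 extension block, which it locates by a printable-run heuristic rather than by the full extension-block layout); the BagMRU nodes between these four keys are not present in the export, so no full path is reconstructed.

```python
r"""
Decode the BagMRU shell-item blobs from the 'Modifies registry class' table:
volume items (type 0x2f) and file-entry items (type 0x31), recovering the
8.3 name, the long name and the packed DOS modification time. Field offsets
follow the Windows shell item format; the long name inside the 0xBEEF0004
extension block is found by a printable UTF-16LE run heuristic, not by a
full parse of the extension block.
"""
from datetime import datetime

# Hex values copied from the report's BagMRU rows (written by explorer.exe and
# Quasar.exe). Key names are the report's; intermediate nodes are not exported.
BAGMRU_BLOBS = {
    r"BagMRU\0\1": "19002f433a5c000000000000000000000000000000000000000000",
    r"BagMRU\0\1\0\0": "50003100000000007b57b591100041646d696e003c0009000400efbe7b57968b8f57a9412e0000007de10100000001000000000000000000000000000000a5cac600410064006d0069006e00000014000000",
    r"BagMRU\0\1\0\0\0\0": "66003100000000008f57ee4110005155415341527e312e3100004c0009000400efbe8f57ee418f57ee412e00000023310200000007000000000000000000000000000000b2c6e2005100750061007300610072002e00760031002e0034002e00310000001a000000",
    r"BagMRU\0\1\0\0\0\0\0": "66003100000000008f57134210005155415341527e312e3100004c0009000400efbe8f57ee418f5713422e00000011330200000007000000000000000000000000000000ba3819015100750061007300610072002000760031002e0034002e00310000001a000000",
}

EXT_SIGNATURE = b"\x04\x00\xef\xbe"   # 0xBEEF0004 stored little-endian
FILE_ATTRIBUTE_DIRECTORY = 0x10


def dos_datetime(date_word, time_word):
    """Expand a packed FAT date/time pair (2-second resolution) into a datetime."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)


def _utf16_run(buf, start):
    """First run of >= 3 printable UTF-16LE characters followed by 00 00, or None."""
    for i in range(start, len(buf) - 1, 2):
        j = i
        while j + 1 < len(buf) and 0x20 <= buf[j] <= 0x7E and buf[j + 1] == 0:
            j += 2
        if j - i >= 6 and buf[j:j + 2] == b"\x00\x00":
            return buf[i:j].decode("utf-16-le")
    return None


def decode_shell_item(hex_blob):
    """Decode the first shell item of a BagMRU value (the list ends with 00 00)."""
    buf = bytes.fromhex(hex_blob)
    item = buf[:int.from_bytes(buf[0:2], "little")]
    kind = item[2]
    if kind == 0x2F:                                   # volume item, e.g. the C: drive
        return {"type": "volume", "name": item[3:].split(b"\x00", 1)[0].decode("ascii")}
    if kind == 0x31:                                   # file entry (file or directory)
        attrs = int.from_bytes(item[12:14], "little")
        short_name = item[14:].split(b"\x00", 1)[0].decode("ascii")
        modified = dos_datetime(int.from_bytes(item[8:10], "little"),
                                int.from_bytes(item[10:12], "little"))
        sig = item.find(EXT_SIGNATURE)
        long_name = _utf16_run(item, sig + 4) if sig != -1 else None
        return {"type": "directory" if attrs & FILE_ATTRIBUTE_DIRECTORY else "file",
                "short_name": short_name,
                "long_name": long_name or short_name,
                "modified": modified.strftime("%Y-%m-%d %H:%M:%S")}
    return {"type": f"unhandled_0x{kind:02x}"}


def decode_all(blobs=BAGMRU_BLOBS):
    """Decode every row, keyed by its BagMRU path."""
    return {key: decode_shell_item(value) for key, value in blobs.items()}


if __name__ == "__main__":
    for key, info in decode_all().items():
        print(f"{key:24} {info}")
```

The decoded modification times (2023-12-15 08:15 and 08:16 for the two Quasar folders, 2023-11-27 for the Admin profile, the latter matching the win10v2004-20231127 image date) line up with the 08:12 submission time, which is the kind of cross-check that tells you these entries were produced during the detonation rather than inherited from the base image.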
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
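The behavioral2 signatures above record a three-step persistence chain: an executable written to C:\Windows\system32\SubDir\ by a binary in the user profile, schtasks.exe launched to register it, and SeDebugPrivilege taken by the dropped copy. The Python below is an added example, not part of the report or of the sandbox's own detection logic: it runs three rules and one correlation over constructed process, file and privilege events built from the paths in the tables. The Event record layout, the rule names and the schtasks command line are assumptions (the report lists the task command line as N/A); the three trailing events are benign noise the rules must ignore.

```python
r"""
Constructed telemetry modelled on the behavioral2 signature tables, and a
small detector for the three persistence steps they record:
  1. an .exe written under C:\Windows\system32\ by a non-Windows image
  2. schtasks.exe /create spawned by a non-Windows image
  3. SeDebugPrivilege acquired by the dropped copy
plus a correlation that ties the dropped file to its later activity.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str           # "file_create", "process_create" or "privilege"
    process: str        # image path of the process performing the action
    target: str         # created file, child image path, or privilege name
    cmdline: str = ""   # child command line (process_create only)


QUASAR_DIR = r"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1"
DROPPED = r"C:\Windows\system32\SubDir\Client.exe"

# Constructed sample events. Paths are the report's; the schtasks command line
# is an assumption (the report shows it as N/A). The last three are benign.
SAMPLE_EVENTS = [
    Event("file_create", QUASAR_DIR + r"\Client-built.exe", DROPPED),
    Event("process_create", QUASAR_DIR + r"\Client-built.exe",
          r"C:\Windows\SYSTEM32\schtasks.exe",
          f'schtasks /create /tn "Client Startup" /sc ONLOGON /tr "{DROPPED}" /rl HIGHEST /f'),
    Event("privilege", DROPPED, "SeDebugPrivilege"),
    Event("file_create", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\config\systemprofile\AppData\Local\x.log"),
    Event("process_create", r"C:\Windows\explorer.exe",
          r"C:\Windows\System32\schtasks.exe", "schtasks /query"),
    Event("privilege", r"C:\Windows\System32\lsass.exe", "SeDebugPrivilege"),
]

WINDOWS_ROOTS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}


def in_windows_root(image):
    r"""True only for an .exe sitting directly in C:\Windows, System32 or SysWOW64.
    A sub-folder such as system32\SubDir is deliberately NOT trusted: being under
    the system directory says nothing about who wrote the file."""
    head, _, name = image.lower().rpartition("\\")
    return head in WINDOWS_ROOTS and name.endswith(".exe")


def detect(events):
    """Return (rule, process, detail) tuples, one per matching event, in event order."""
    findings = []
    for ev in events:
        trusted = in_windows_root(ev.process)
        if ev.kind == "file_create":
            tgt = ev.target.lower()
            if tgt.startswith(r"c:\windows\system32" + "\\") and tgt.endswith(".exe") and not trusted:
                findings.append(("exe_written_under_system32", ev.process, ev.target))
        elif ev.kind == "process_create":
            if ev.target.lower().endswith("\\schtasks.exe") and not trusted:
                flags = {f.lower() for f in re.findall(r"/\w+", ev.cmdline)}
                if "/create" in flags:
                    # /rl HIGHEST asks for the task to run with the highest available token
                    sev = "high" if "/rl" in flags and "highest" in ev.cmdline.lower() else "medium"
                    findings.append((f"schtasks_create_from_user_path:{sev}", ev.process, ev.cmdline))
        elif ev.kind == "privilege":
            if ev.target == "SeDebugPrivilege" and not trusted:
                findings.append(("sedebug_from_unexpected_image", ev.process, ev.target))
    return findings


def dropped_binaries_went_live(findings):
    """Correlate: dropped executables that later act under their own image path."""
    dropped = {f[2].lower() for f in findings if f[0] == "exe_written_under_system32"}
    return sorted({f[1] for f in findings
                   if f[0].startswith("sedebug") and f[1].lower() in dropped})


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, proc, detail in hits:
        print(f"{rule:40} {proc}\n{'':40} {detail}")
    print("dropped binaries now active:", dropped_binaries_went_live(hits))
```

The point of in_windows_root is the one the "Drops file in System32 directory" rows make: C:\Windows\system32\SubDir\Client.exe lives under the system directory but was written by a binary in the user's Downloads folder, so an allow-list that matches on a System32 prefix would pass it, while one that requires the image to sit directly in System32 (or, better, to carry a valid Microsoft signature) would not.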
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\dream_TradingCard (4).jpg"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffacb6a46f8,0x7ffacb6a4708,0x7ffacb6a4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5536 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5448 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6596 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6487615347712569281,3396435368711515313,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 /prefetch:2
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\system32\ipconfig.exe
ipconfig
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 92.123.128.146:443 | www.bing.com | tcp |
| US | 92.123.128.146:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 146.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 92.123.128.149:443 | r.bing.com | tcp |
| US | 92.123.128.148:443 | r.bing.com | tcp |
| US | 92.123.128.148:443 | r.bing.com | tcp |
| US | 92.123.128.149:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 149.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| FR | 20.190.177.22:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 185.199.108.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | camo.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 154.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.114.21:443 | collector.github.com | tcp |
| US | 185.199.108.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 140.82.121.6:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 6.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aefd.nelreports.net | udp |
| GB | 88.221.134.106:443 | aefd.nelreports.net | tcp |
| US | 8.8.8.8:53 | 106.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
| N/A | 10.127.1.19:4782 | | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ef2ab50a3d368243b8203ac219278a5d |
| SHA1 | 2d154d63c4371354ff607656a4d94bc3734658a9 |
| SHA256 | 2e2faf2873e0b8d58788da8603acdd772642a396fff661c4e32f8a581362cbdf |
| SHA512 | 4533997bf4070f99306337b8ff553691d4cf1d1b53401628524ad4dc9d29bd0536a3f2df4ecdd0a8afa81b7f917f40524c9a1898b566ee499a358abc5c84b27a |
\??\pipe\LOCAL\crashpad_2848_ZQLBIFELUPWGPAMQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a0f1b7205e4eeb1a292e48c4d9e2222a |
| SHA1 | de7024be766981eb2ad7ff983218534cd15edb0c |
| SHA256 | 19c6be7aa8b68e05d15a517a07f225a743e7434d6cfc60e03bf2776b797ddf49 |
| SHA512 | 428f07496ce3da0231dc20ebc4d4b69c9a8c88a13acfdd40318160cce5ecb9304723e4c9989bf636b665e964bcce1655e9003aa04ce8a645c01ebedf868efe02 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | cd8f1985daa93edc98cac3583f97a946 |
| SHA1 | 3955fb69aff49d048fce85686fd8dfc2c6036596 |
| SHA256 | c33531cb9d0f044df2bbf5a61d2161b997a84d08f5240c0ea2db7f9015a28ff3 |
| SHA512 | 3d572d7f4e24b8f47d3d58a6c85c0d01f8b029742dd30ec328c9732de9edaa93796f61d1a562d80abe812d4db6777794fcb55d6b84e6b6840e73e9ab65888706 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 9825c4e0409ce0cabf069928a8e33d12 |
| SHA1 | 08e9f0d10df4369f79c556a068ae04920ea9b922 |
| SHA256 | 789ddef68177e6a36f7b48b1ed2dedf28360987322fc225e60cef1baa159aaef |
| SHA512 | 5b2abc5fde079dd5593ec11b69e39685b3a128dba26678533e9109c8c23cab553a68b2f8052334d0a4d5546412f778ebd86bda814ca6e7346e9147c04d158542 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | bf38e67347aea6d520cda5fde321a1e5 |
| SHA1 | 0e7a8def4c923201d76b41dfa9918bb1052827ea |
| SHA256 | 0f0744f36e30e64949c41835aa5666f25c1ab4f3636d9247b8350fd8ad4f8025 |
| SHA512 | f62478dd4e38c6bef2bfc24f46caa03840613711e2b6fda2aad707df5cbd33b25af4fc3954521e203b981c4a10e5c8fd2520cabc16cdad858eed819b45a6f366 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | de49e39687e06cc5533b84d3a37b861f |
| SHA1 | 8c2c09b8f17e5c6bc20dd050ee7a88ab23f93e55 |
| SHA256 | 73c2a51f287192796dc8e6e33ed40cb8427bd6d9d4088ced267052c6be90f416 |
| SHA512 | 446f81670ba584787ec54a183df4c419ccc0f48ea6a25b35b2bab0a07e29c85a66d3a41d1016fdaf00cbafed6e4b932c8747400896f99f7d7a23c6d526a93664 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | c33c3755c9bc5c370e51bd72a524da35 |
| SHA1 | 7b4d2ef2b5e0188562afcd4c87060a809a7d2919 |
| SHA256 | e30aeba2b555fe999989e290128024451d7b1bccd13060ce16990a39937a3113 |
| SHA512 | 7c656b1f7e9806208c87b1f22d27f07f400c5bdd3fd258056a4046c7999d4f83f6c473800b09e36450eff9ff9dd86d045eedead515aeb4bdb55e9d9889e90de5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
| MD5 | 76a3f1e9a452564e0f8dce6c0ee111e8 |
| SHA1 | 11c3d925cbc1a52d53584fd8606f8f713aa59114 |
| SHA256 | 381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c |
| SHA512 | a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | c3c0eb5e044497577bec91b5970f6d30 |
| SHA1 | d833f81cf21f68d43ba64a6c28892945adc317a6 |
| SHA256 | eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb |
| SHA512 | 83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
| MD5 | 56d57bc655526551f217536f19195495 |
| SHA1 | 28b430886d1220855a805d78dc5d6414aeee6995 |
| SHA256 | f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4 |
| SHA512 | 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
| MD5 | 45a177b92bc3dac4f6955a68b5b21745 |
| SHA1 | eac969dc4f81a857fdd380b3e9c0963d8d5b87d1 |
| SHA256 | 2db3b6356f027b2185f1ca4bc6b53e64e428201e70e94d1977f8aab9b24afaeb |
| SHA512 | f6a599340db91e2a4f48babd5f5939f87b907a66a82609347f53381e8712069c3002596156de79650511c644a287cbd8c607be0f877a918ae1392456d76b90ca |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
| MD5 | aaa3bfbfb2e4d619eed90ea229e3b8d4 |
| SHA1 | dbb45e2e5ef5025a2c02ae7456525b968bf74335 |
| SHA256 | fa84161b327968256f1bce5d0383b121466152cd16f94ae19d9d9c07b29906b8 |
| SHA512 | 65bef3e0893b3ddc2861b2908e8b5497848b165e01a4fc10e2440d62855486dbdad575342b771e56c8b0be564320b676fe6716cfa6e13958b6b955b52c88d88d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8a4bbc009cfa01d034ff668977261287 |
| SHA1 | 3220d22972cf5aabe5ecf87a739c3baffb271482 |
| SHA256 | 10575c7c06e87896188ec532c7713e1c027c27039f8f9b31c610b1a0e5da5965 |
| SHA512 | 2a6e51d92bc7fcef69d989f5b7654bea9a951df58e7f180ccf8c700d582bec94f51a1a799a35e3ddcecbffa0502fa88acd03c4ba1ad572b65197e6037ca7aa14 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585724.TMP
| MD5 | 72b8f604c40e19f8ac4d611846dacd00 |
| SHA1 | 6cd1d053f448ba01d52cd81783b534bf34fbc013 |
| SHA256 | d581efb7087c65e3ea55cbfc1a86c7516e379d6b1b80dbca1603ce2c67200f05 |
| SHA512 | 9b0e097d9e16b9c2c0da627d42e2ce3940ba3031fc40d7f30f6c21356e096fe14fd2bbb3d8e0e13b363e73fc0a7770789a4e6ae1d1d1181c1acb95731c5b4a66 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | c93ff6eb596412cf569353262da8d030 |
| SHA1 | 3db9e126304596d854c6a42b8849c8dfb9e5d4b7 |
| SHA256 | aa2e206fd50bafcc43c9594a747a5df3070e0c1468f78d02b261179d2248a070 |
| SHA512 | 3a5abb3b54662cdfcd7b512519c40748898cea5b18f95ae3d9bd697b224023b6f63e4e768ae8fdfa285daea2b2362f0e0890038d2acc2c5ce766662b92f21893 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 63948d02352358c73a80d767c9b24d7f |
| SHA1 | 2bc2da43fb996b9a7e69bb4a1e52afe606ff88ac |
| SHA256 | a148e3949d6cb38888c19c2c0b02944a546088596f35001399ab29a1ac54ee53 |
| SHA512 | aabe523f0cd77c052fb67ab84230ca7d1a0dc96b22bb33995f6cf3e2aabbb0ad48c4dc72cc4b0baa4fbd3b5fe7c5e3a0d9e4b7d21d8028a05c2d0d3c4d10a5b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2749699fbcaf5f3e5b4cde15931b9a38 |
| SHA1 | 3b3c0bb36eef925f44f8bbad580eda203dd1f0d1 |
| SHA256 | 4e7b17a1d6711fc62c84192c502193970fd678d3727bf548a3186c69eefb7db4 |
| SHA512 | baa81e720d5c7636cc7ec3e5eba48d13f7ac863d1f70fea4cfbafb2fc4f0504bdf00761f229013b011bc442c96b979a815ed907eba3e0a2499c9aa9806763151 |
C:\Users\Admin\Downloads\Unconfirmed 707796.crdownload
| MD5 | 13aa4bf4f5ed1ac503c69470b1ede5c1 |
| SHA1 | c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00 |
| SHA256 | 4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62 |
| SHA512 | 767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 5fd84f8f80b6a9c778a427926b422c34 |
| SHA1 | 7b9f8b6e4c35f9f2f743511cd07f85f81564e705 |
| SHA256 | 8a1c91b68e135765db39d41dcdcb750ca2986f589e4f3ebe0549a363d6fd17fb |
| SHA512 | cc0ea1fcf4b4180ad163d694430325ae62aebe3b2828e4f533101dc1123efaff00b0bfe8c3c6903174dcfe7c160ac30194da99de7ba30f7660815510b7d628ec |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0c6150644fb705b27ab20774a1e1d922 |
| SHA1 | 12b4675eee5735053784394ba6d2b98337837aee |
| SHA256 | a0b5a4cea7083f3711df8e21456272da96edef2bb6bde3750591b09cc3a76ce3 |
| SHA512 | 0f57732795b7aaf6938cf3b06166872b14bddf4328b4b7f5d2449876e7f16b8d40e731b684f1772dfa8d4ffaaf06a40407fe29adb22dcb4f36c5289affce26be |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d536e2b9cb48a4690b0d277ebf24c4a1 |
| SHA1 | 17ca91f0d66b46c4db2616aae64de581b41a26ce |
| SHA256 | 964ed6cb3949bcd31e96b4dc661e232d0c7fa290327aa57f84456227ad68a73d |
| SHA512 | f47ccede65fcdfe7fc4a33244a6cb78e4ac5110925d63796e52ce2a38b23e7f7194de61ff7ebc132f48f6005d83d1a464a01c676c76e4625496f4ee21cf7cec1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | c17cb606ac94aa5755438f741d510a40 |
| SHA1 | 84cab38d22373279459720e85895e92009ce1113 |
| SHA256 | 1b7badec443e636b9b8db82872e1973f9c945649551796a994d54015c4616995 |
| SHA512 | 8fc0e6afbc8c2cbaa03091a03e7b9b5de11fa7a2b2457ed502b741140b19c575087ada9f2837a5a85df482397d2d6de445781960a71ed6cf4f10b5918aed2980 |
memory/5764-586-0x00000246E8050000-0x00000246E8188000-memory.dmp
memory/5764-587-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/5764-589-0x00000246E9D30000-0x00000246E9D46000-memory.dmp
memory/5764-588-0x00000246EA820000-0x00000246EA830000-memory.dmp
memory/5764-590-0x00000246EA820000-0x00000246EA830000-memory.dmp
memory/5764-591-0x00000246ED7E0000-0x00000246EDB0E000-memory.dmp
memory/5764-592-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/5764-596-0x00000246EA820000-0x00000246EA830000-memory.dmp
memory/5764-597-0x00000246EA820000-0x00000246EA830000-memory.dmp
memory/5764-601-0x00000246EA820000-0x00000246EA830000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
| MD5 | 8d218e424f9498869160c204e32e31fb |
| SHA1 | 22e7fcd8b3c701a1465cd7bcc647f8d70d6026c0 |
| SHA256 | 961a9c1fbaa5360d30e5d01cb94f8c3df9995d82fe7f024b3fad28bcc2513f4e |
| SHA512 | 5481b73afdf1a918f40221258cf8f8039880c15cf2c2b88f01148f41560d421c86004486fc978cc4bf03d8d633c86336d19bec77c4ffb1100c5433ca9087e6f6 |
memory/5764-623-0x00000246EB080000-0x00000246EB098000-memory.dmp
memory/5764-624-0x00000246ED550000-0x00000246ED5A0000-memory.dmp
memory/5764-625-0x00000246ED660000-0x00000246ED712000-memory.dmp
memory/5764-626-0x00000246ED5A0000-0x00000246ED5EC000-memory.dmp
memory/3684-629-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/3684-630-0x000001759BB50000-0x000001759BB60000-memory.dmp
memory/3684-631-0x000001759BB50000-0x000001759BB60000-memory.dmp
memory/3684-632-0x000001759BB50000-0x000001759BB60000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1067295379-1486014338-1703171060-1000\f3e5e21d93f7d775339efc995a776feb_e1378635-0580-4c5a-a4c4-bfb7e4f637be
| MD5 | a6d11d463fa2a2629828a8fe4090a980 |
| SHA1 | 07e519abc8110189b6c9eaa97326f74dd870b485 |
| SHA256 | 6869f91da7da8061853defd516dd3e6bf13398c46f1d615ff7c1ed6704a7a352 |
| SHA512 | 2abe72e464f5b4e8154ce4493b51e7faed1727afab8287e63addbf44de1e32fbf10c4c9a043a4bdffe623ad975bf476740c5fc3e673756fc1fffa781075704e0 |
memory/3684-637-0x000001759BB50000-0x000001759BB60000-memory.dmp
memory/3684-638-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/3684-639-0x000001759BB50000-0x000001759BB60000-memory.dmp
memory/3684-640-0x000001759BB50000-0x000001759BB60000-memory.dmp
memory/3684-641-0x000001759BB50000-0x000001759BB60000-memory.dmp
memory/3684-642-0x000001759BB50000-0x000001759BB60000-memory.dmp
memory/3684-643-0x00000175BABF0000-0x00000175BAC4E000-memory.dmp
memory/3684-644-0x00000175B68B0000-0x00000175B68CA000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Client-built.exe
| MD5 | 9308f453ad0600d606afe45d6c7d221c |
| SHA1 | 338a7df52851aa8ad461269e8f6d1f33377f74c7 |
| SHA256 | 746c86f7ad2c05960ff79be17c8d99ce94dfccddd9a5b89def70ef849c0c2b7f |
| SHA512 | c241e7586862d3ea83b5d0ff446dee96bc856c6df14a542ddaa9c2ec9143fb8b1b0f0511ee45fb2364eb15701dd150532d25bf2f2659a78a765c86f9e4473963 |
memory/3684-652-0x000001759BB50000-0x000001759BB60000-memory.dmp
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Profiles\Default.xml
| MD5 | d7d4dda022346822b86235649688eab3 |
| SHA1 | c1c2af37d24f277c617f0b15384ee82775fb6873 |
| SHA256 | 9a5191b14f3adc3fbf259b8522aabd33a7641ddf836f786e8279c9dc956d772d |
| SHA512 | 87988db2e6178f9f78bd4620a1b2547b5f691f59efd57d54e98cc339bc2f99313a795c15e444aee521a13bcc5498db16146c24713d6fcf4b4f98cdb7b071b7b0 |
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\settings.xml
| MD5 | 4080ac8ca23a2589f3a557e0bc8a3558 |
| SHA1 | 38656168dcade5d44a4fe4d7fb695033d8627f9c |
| SHA256 | 211e8c50f375a72700b8674f692e895d17583cf93f774197e5dc45dbc17694ed |
| SHA512 | 416c6fe67190aaf0fa40e5ff8d2ed28ae1e5cd81b0976e696a585b80b44b92b9b86f340bb865a75e1fc93bfdbe974f10ef1ebc95fca338b901d5cc748f8676bc |
memory/5128-728-0x0000000000560000-0x0000000000884000-memory.dmp
memory/5128-729-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/5128-730-0x000000001B600000-0x000000001B610000-memory.dmp
memory/5128-736-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/1156-737-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/1156-738-0x000000001B400000-0x000000001B410000-memory.dmp
memory/1156-739-0x000000001C0F0000-0x000000001C102000-memory.dmp
memory/1156-740-0x000000001C150000-0x000000001C18C000-memory.dmp
memory/1156-741-0x00007FFAC80D0000-0x00007FFAC8B91000-memory.dmp
memory/1156-742-0x000000001B400000-0x000000001B410000-memory.dmp