quasar | 4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

Analysis

max time kernel
185s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quasar.v1.4.1.zip
Size

3.3MB
MD5

13aa4bf4f5ed1ac503c69470b1ede5c1
SHA1

c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00
SHA256

4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62
SHA512

767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d
SSDEEP

49152:lYLmNgMh/9yUsRFeWMyYISDSwtfxZQNemi57PdHmeFINp/lFnsDbNFNepL6DJo+J:mL9U1yUUQykOQ91XFYBlR8P9d5uNJo9

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3244-378-0x000001EAEAD20000-0x000001EAEAE58000-memory.dmp	family_quasar
behavioral1/memory/3244-379-0x000001EAEB240000-0x000001EAEB256000-memory.dmp	family_quasar

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

88 camo.githubusercontent.com
89 raw.githubusercontent.com

flow	ioc
88	camo.githubusercontent.com
89	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 35 IoCs

Processes:

msedge.exeexplorer.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000009a5868641100557365727300640009000400efbe874f7748b758da7d2e000000c70500000000010000000000000000003a00000000003c960a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000b7581b7e1100444f574e4c4f7e3100006c0009000400efbe9a586864b7581b7e2e00000088e101000000010000000000000000004200000000002882150144006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{75F05382-C2AD-44E6-A5B3-1E78A2D9A06E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "6"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 6600310000000000b758267e10005155415341527e312e3100004c0009000400efbeb7581b7eb758267e2e0000005a35020000000a000000000000000000000000000000d16828015100750061007300610072002000760031002e0034002e00310000001a000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000009a58dd6e100041646d696e003c0009000400efbe9a586864b758da7d2e00000080e101000000010000000000000000000000000000000a49c500410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 6600310000000000b7581b7e10005155415341527e312e3100004c0009000400efbeb7581b7eb7581b7e2e000000493502000000090000000000000000000000000000003e410f015100750061007300610072002e00760031002e0034002e00310000001a000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

4736 explorer.exe

pid	process
4736	explorer.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
3644	msedge.exe
3644	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
2384	identity_helper.exe
2384	identity_helper.exe
3864	msedge.exe
3864	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exeQuasar.exe

pid process

4736 explorer.exe
3244 Quasar.exe

pid	process
4736	explorer.exe
3244	Quasar.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Quasar.exe

description pid process

Token: SeDebugPrivilege 3244 Quasar.exe

description	pid	process
Token: SeDebugPrivilege	3244	Quasar.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exeQuasar.exerundll32.exe

pid	process
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
3244	Quasar.exe
3196	rundll32.exe
3244	Quasar.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exeQuasar.exe

pid	process
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
1504	msedge.exe
3244	Quasar.exe
3244	Quasar.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

explorer.exe

pid process

4736 explorer.exe
4736 explorer.exe
4736 explorer.exe
4736 explorer.exe

pid	process
4736	explorer.exe
4736	explorer.exe
4736	explorer.exe
4736	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1504 wrote to memory of 2792	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2792	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 4044	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 3644	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 3644	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe
PID 1504 wrote to memory of 2252	1504	msedge.exe	msedge.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Quasar.v1.4.1.zip
1⤵
PID:4752

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff82d9646f8,0x7ff82d964708,0x7ff82d964718
2⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
2⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
2⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
2⤵
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 /prefetch:8
2⤵
PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:2492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5596 /prefetch:8
2⤵
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
2⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
2⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
2⤵
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,6150004481410859818,5878720236916120524,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
2⤵
PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3880

C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe
"C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\Quasar.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3244

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12"
2⤵
PID:432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
2⤵
- Suspicious use of FindShellTrayWindow
PID:3196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
b6fcfdde5fb94ec00df450a79f6c4af3

SHA1
6fb601f1413a7720ab28e1d70c740e92e5b8794c

SHA256
693595da9fdf6abf6d098437194cda2148954560f4e050ece5c90a5254f3ac3f

SHA512
82277ed562a5479e7fc8a69ebd0eef8cd67afffbe4845a9effda526f62f8b0e20cde5e350adb9036a336b57ef2c8096587704b327c403d074093ae1cb28729b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
936B

MD5
f0625b8dd3feb9c32df3f1697898bb32

SHA1
b4f82c5a3f54dbc2b8c7379a88e7629d42257c42

SHA256
0f940fe5ad6c422ee122c0e320bdf415b14200092d29437531b32e2dd895bc56

SHA512
0fe910e5b3f7553125da98882bef7ea45446a0ee9a7fadfe15946d245459a460d213c6acc7058629fa1a349cfde976a1c6971f8e6ff01ba7f8da93baef55caea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9e5f4d5f2c2358c626c980a111fdef72

SHA1
d8bd0bc718ee141aecb1241be0cbd314e37e1333

SHA256
e3b61b697d66f76182886b24b48ed6e7857827372db16e02e03bf8ea9aaa4646

SHA512
06d7c131f5018b9759e02e514ebc0045d956fa070201045ab6f5573da6eed46babceb3cfbe3154360a12c7382f71db9189d83bba04deb20e470dfa8a143a8f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8e13c90fb89f74c2761deb4c773bf1c5

SHA1
6017ab6937206ba1f954509a6c0b2f8e615c203f

SHA256
af5f85bb96ff0bc2814ff7b7ecd9f61034e66a29064d31004542fdf8c9d10ad8

SHA512
630e6fed3a51fb9d339f2a0c3c64c9ba69290fca0fe4431777a1ec4e364e6ab2719cb8c6b2b37047ab4ad904b0a940de48a67a2998fe363a2f2cdbe0667acb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0b7901d3de42bac6f6db641f469388bf

SHA1
af18c71a62781c6fbb9989e80abbe6e7737446f6

SHA256
27c22c8b77bdea9ae0f3d9eaa7ba50ea5581112665b29a655ef8b2894ce42c60

SHA512
402ff75736f631f24232d9bb652cb847b5acc345792df508a60235f87b5019b647db1e0366276b12cb0fcbeab2a41724ce4e11bd9b7e1e983a106101ee973396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c3cec95e869da4381e5cd833a20f2a19

SHA1
1938962d2977b7d5c71c4b71ade48ecb5fcba27f

SHA256
8cb9aae3be15cc30e91c6b64d5609a96391e44bcaef0fc7ab89d8d93b52a8868

SHA512
387e55e4b5f174af822523fa064ee1194c38643f8f3355cc7a803ba217aaf39f31166d8678eca0e15d4b03117ba097e39a7875fa46232c8e19a9c28d10f41cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
fae02e16527f9a6e27d2a5d215e56a7b

SHA1
6e04c7d5a37e6c6bc3be14d87273e33c81c44e6b

SHA256
714d4f499a7174114bf8abe999f7a9ddb6d02ad3a766138e193b2f0115f7d1d6

SHA512
90d644e510aff0dbc7f6944ddb8bfa75af300f24fcf4a39bc646c3651ead07e6e9b2b095d879ccf24a456f3f773f391b47530b9aba9363ce93d4307f55819c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58db67.TMP
Filesize
1KB

MD5
d769c2e08032bd04c800a91a9ee0a01d

SHA1
6f46d37548327536af66a3b52f8718b3c41c3b73

SHA256
f8c7f88468a4f893f6ce9d4f3b281677b1228de08b6f058e399cefaa99d405e1

SHA512
500218bfc309ecf942e83f59e131a1985c594708c23b4ab0b71e26f34024f9a23ea4160ffe8a300f65f5199c289753724950e6e573277d68ee36f3fc1402d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
42d1eb9ee3199754b2fd62dcdfe6a866

SHA1
da66a5778bff7d1b56727fb9c4e64f64c9666718

SHA256
54e84779372b97f549137ed9bd4035f0d5a307f337fdb14f54c91ab112d3ab2d

SHA512
581bb8f616cfbd74649e1f32ad5dd9041eb99f77c5a38eff81ffbe3cef0d67ecc9c317586418cd2dffc0a48fd5e19f5cf7b77127ae7418cd95b0bf3b85b092a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
824a2913bff47aca180b05d24d54d8fb

SHA1
93ac3da9992c9a7f730ee3e9ca167829d5a220b9

SHA256
df25f1c6a13781fde130267d321417c9146114d4c6f8c5711e033e4235245c85

SHA512
0718883acd60e6e6f5eace993f18446cb4084cf4aa7bbe5dcbf1cd0847bc57d4d33cf4ae05d9b389a8d1c78aec2716626d00eaf2c7f05d0b00c308ca5d35cbd5

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1.zip
Filesize
3.3MB

MD5
13aa4bf4f5ed1ac503c69470b1ede5c1

SHA1
c0b7dadff8ac37f6d9fd00ae7f375e12812bfc00

SHA256
4cdeb2eae1cec1ab07077142313c524e9cf360cdec63497538c4405c2d8ded62

SHA512
767b03e4e0c2a97cb0282b523bcad734f0c6d226cd1e856f6861e6ae83401d0d30946ad219c8c5de3c90028a0141d3dc0111c85e0a0952156cf09e189709fa7d

Download Submit
C:\Users\Admin\Downloads\Quasar.v1.4.1\Quasar v1.4.1\quasar.p12
Filesize
4KB

MD5
1fc5444349e93e1d2205d33c119329ad

SHA1
cdc01c306eb95b23ae39b43ffbcf5a7c16e466ec

SHA256
5dccaa068ebd6ce26e5c9536caaca928ecd883c43dfbdc475cf6653dd1307ee2

SHA512
4332af27061ae33f2d0bfdbdbc6b8d174ca307690a9c234ef600477f190f3799a9e9935efcd04cc2d642790c3be0de4019145e745ca26300860722215dfccd06

Download Submit
\??\pipe\LOCAL\crashpad_1504_QAVYMGNTKXDUJGZM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3244-378-0x000001EAEAD20000-0x000001EAEAE58000-memory.dmp

Filesize
1.2MB

Download
memory/3244-384-0x000001EAF05D0000-0x000001EAF08FE000-memory.dmp

Filesize
3.2MB

Download
memory/3244-426-0x000001EAEF7C0000-0x000001EAEF7D8000-memory.dmp

Filesize
96KB

Download
memory/3244-427-0x000001EAEFA20000-0x000001EAEFA70000-memory.dmp

Filesize
320KB

Download
memory/3244-428-0x000001EAF0360000-0x000001EAF0412000-memory.dmp

Filesize
712KB

Download
memory/3244-429-0x000001EAF02A0000-0x000001EAF02EC000-memory.dmp

Filesize
304KB

Download
memory/3244-379-0x000001EAEB240000-0x000001EAEB256000-memory.dmp

Filesize
88KB

Download