asyncrat | 70c7ef5fc6bc175a30fc1436ee76e05118d1a0c8310a454c373bc5e851689e08

Resubmissions

04-08-2024 08:26

240804-kcac6s1brl 10

04-08-2024 08:23

240804-kahlrs1bmq 10

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-08-2024 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

45KB
MD5

7f29206fc82a922c7f468f1a8c626040
SHA1

583ba79e6acd22bfafcef10a13b30a0043f73537
SHA256

70c7ef5fc6bc175a30fc1436ee76e05118d1a0c8310a454c373bc5e851689e08
SHA512

1896d659e381dbbbd208945bde36991efaef57eb515121adfb5e8a4d2a241e4098ef31815c523782c880d8a98b5f2c5e39a9e1984a5c86b523b3f66e9c158be9
SSDEEP

768:Cu/dRTUo0HQbWUnmjSmo2qMh8V1NpxTcPI1zjbkgX3iQ90K6oayV9BDZ2x:Cu/dRTUPE2l8VXPTh13brXSQ90mVTd2x

Score

10^/10

asyncrat quasar default office04 defense_evasion discovery rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

RFI09QOr7ybB

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

Mutex

3522b5e7-fd11-42bb-9280-22f54d1cccc8

Attributes

encryption_key
2D52AD41C338B574A26194A4216A466F75485BFB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aa4f-274.dat	family_quasar
behavioral1/memory/3392-375-0x0000000000D70000-0x0000000001094000-memory.dmp	family_quasar

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3392	XDDOSX.exe
228	Client.exe
3340	XDDOSX.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XDDOSX.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 623027.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\XDDOSX.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA	XDDOSX.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5048	schtasks.exe
4364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1012	msedge.exe
1012	msedge.exe
1616	msedge.exe
1616	msedge.exe
3668	msedge.exe
3668	msedge.exe
2272	msedge.exe
2272	msedge.exe
1428	identity_helper.exe
1428	identity_helper.exe
3956	msedge.exe
3956	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe
4068	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	test.exe
Token: SeDebugPrivilege	4240	test.exe
Token: SeDebugPrivilege	3392	XDDOSX.exe
Token: SeDebugPrivilege	228	Client.exe
Token: SeDebugPrivilege	3340	XDDOSX.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe
1616	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
228	Client.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 4772	1616	msedge.exe	85
PID 1616 wrote to memory of 4772	1616	msedge.exe	85
PID 3364 wrote to memory of 1016	3364	msedge.exe	87
PID 3364 wrote to memory of 1016	3364	msedge.exe	87
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 976	1616	msedge.exe	88
PID 1616 wrote to memory of 1012	1616	msedge.exe	89
PID 1616 wrote to memory of 1012	1616	msedge.exe	89
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90
PID 1616 wrote to memory of 1624	1616	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf7ad3cb8,0x7ffaf7ad3cc8,0x7ffaf7ad3cd8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6996 /prefetch:8
  2⤵
  PID:4024
- C:\Users\Admin\Downloads\XDDOSX.exe
  "C:\Users\Admin\Downloads\XDDOSX.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5048
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:228
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,17775188815212563683,10678103628782069891,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4716 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffaf7ad3cb8,0x7ffaf7ad3cc8,0x7ffaf7ad3cd8
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,2346638154045196143,12608167151189449421,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,2346638154045196143,12608167151189449421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3508

C:\Users\Admin\Downloads\XDDOSX.exe
"C:\Users\Admin\Downloads\XDDOSX.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XDDOSX.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
9ac68a41a87bdadf45894caaf8b7d702

SHA1
d06ae7555d90ce0af71eba87baf7ce8c1fcd26bc

SHA256
e4cd124c146ea37fedd39ebf56a5fc4e2b753bcc247380464a81b171a014e5ec

SHA512
8ceef2c52393e06a7a525d5b427d9dd83658583a4b3e5201202c0a0a0ab4bd51cd877fcffdd22020e753b4cc3d547a4e092a20f00506c74c0e79765658338353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
db9a33ce02dc376f9eb1104856974025

SHA1
601f7a34ab035ac4a3647d2630e6583454f2ad15

SHA256
dda1de7c1e9fbb176985488ac06f5c109f779e7f5bb829f5bcbe7e8d91f48171

SHA512
09fc039ab1e4fd40b75eb1d671180a4b56d993dc53f06c4cd8199ba798ebc99ab22e5fa54ed65008dc18ece627cc240149efd0d9ceb941e5f4773f824f899675

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c731c2de2dca88eef56b98b7ea56bbe0

SHA1
e6a24e687027ab1920f4d218cf2d802ee8eb0975

SHA256
40b78e492a84bca2686d61616d283197106b6ef57c30aaac735e832af62abdb0

SHA512
6060f9e28ab8cb2feb0f8ed1c70e90ae369d30c5bebc7eaa245d8cc1cdbed6738fa4724118d1ca135109dc457305347cba04f8770c61b05f41a17a764f78c44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5061f64464d384ecd9ce4fab0786518e

SHA1
8058137f050002ed958d6a84ed11dac1bd404e41

SHA256
627145af4946701f541101ec98d81a9e412dcb88e33d0c232e6b35410d6e5cab

SHA512
aac59687dc8501af770dc576dee7c601eedc3d269cba8c0e4600d11fe78186a30e3a09c38d8a1de8234685b8ad630043dc66884d0ea4d7b9a4437f68fe4a8932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
398b2626b4708cdd8961eb91b13ecdf0

SHA1
dd0dcae7a7518ae3cd8ae00cc6de785f29f6c2c4

SHA256
5ec15511f328f85ba1f2549e399db7da38a905d217d272a823de387169b1ead2

SHA512
9ad4e213365aacc3ba97d81c23e754a09939351913aaa10fad50833c2348c8da961a0259f54c943bcf4e29754062f96fad3832ec9a6076f7f36131b8542b15c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
318b86fc0fa0ffc06abc5a0a372546ae

SHA1
ec48449192af3dd443358b8bb64b2387b482e4a4

SHA256
70355070b5eb9102a64ba9f01fbcf9a32cdf1fe9365cef0744bbef18735b72bf

SHA512
b82b08eb25eab1f5b1ded81aca19dff9148e7aa9ab540c27ddafdd229839d71dea5b799080a60d4f95b9bb97e6aa2b033c8ee0b26e63275c58d5a045f70673a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b9d3d0ba2cd6c1b30c18eedda5f55e36

SHA1
773bd91bd1ad7406cb79a31120e21de524bb9523

SHA256
abc04a1494e7d5d870c3750ef2ed285f4cc2d633a7efef1c76e666471e8e644f

SHA512
d0c6667de1a31d86d743a4f37dc29b4787b6ff553d128b0f3b76352bf7d47f15dce4693c788a58707267df306e4e64632c800a319bbb2922276219f59e8d2b9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3fb007f4308b1ba62b6671edf91d9c23

SHA1
980140a72826575d1f887d069cbcbce91d7417a1

SHA256
18ca51984b5f694e4c8eba26618d4b627d34f314db0e6682bd253310cdaa8018

SHA512
46749f4694084bf426208708127d0b097206369e568dc3552b53ae77fd4604906200e09e0a9e84885faf17fd818bd9cdc995424d09bcce80349a69c77d684dbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6aba513fac0d36b4a188df25a759839e

SHA1
c2234a1e662620bff7c8178e57e6099feca28bcb

SHA256
86d6c84ad361b1e5f3e9bf0270c10e484ece0fb4d4bc5b704a1079f8c14ab352

SHA512
462a5dfc4e5728ae54a9eb72b4650e0646715227b4709267d5413109558f0b0a0edb15bc3d1ba3fa7d04eb218054214a4aa57b7cdfca4b02a240eaf58180d1e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584997.TMP

Filesize
203B

MD5
f2514747c7ba8e9f3fe9328304971202

SHA1
1b13d4460a185b6f20697f992331cbb49f4cfe9c

SHA256
d747e1aa85a0fec1ce0315ebbb0dfef54a1e315c3003daf071b3246443256cde

SHA512
fe195b14f53a1659a73ef916190ceee585d7e897282d01e074b3f101c02cdef75e7d70a30afe38c1ce89d1c512c3b5ebe2aab8406cd5e23e280e20b157fcd228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a33a4e5c26a2e571f60e12cd7a83d3f

SHA1
6aae5904b8d4226c07d4dfbbc71fbf0600242f46

SHA256
1a65bb466394642ae478d58b17a546fd797d5dcf1702dd44351ffd1065218ece

SHA512
487a49faf975e3aadb001c7e41022a02b53ae9b7d76b4dbe81843073bb5ee5fe3187e988fd70400c897b8218686926bcb010889a02506916fe80ef18b2d852cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
824e2edf66831b66e55177485269b994

SHA1
57e3e4f1b440d242010c7a805afda987018f3804

SHA256
c5e54494823581c2dd570b4f56cd5c7e305fee0c38f6b29ad01925fc4e95da88

SHA512
e0b5c1d24bc6045ff0d9ab741878f8c67957b2b795c3a1f1897a16fca8914ad79552faca6fafb88b4557636443ed5a3dc4e39bea78af800b551fcbe80c36e0aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fe4ffbb932bd528c30192f00edc59658

SHA1
51a035cc5a1200778bfb3d34633404ff0962017a

SHA256
b2aef0a6ba31d20ff0670e1e2408ac9783eb7a691349d9153f362386c78bdc9d

SHA512
193a6b9c94ec7cc79a19398fd329783b589d0f5351b87c9e41673ded2324984da2fb61746b31dfe80fc3636101ae68a27d0c8bb1535e508463d07d2df523f582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9502ff15959a9db9b5759ed1e2931b1c

SHA1
22316ce526b4b680800b07ec44d87b90b97a3647

SHA256
d3125d26faab66d0d256f3f0935344739b0294189077b24198e3f422faabd563

SHA512
97dc86043bf9042c90f4536bc409ac084035fecc0693812e67d2a2fee1d260a79954f89eeca4fd19747a2984ff086eb05e13816e93400281db80cb906091b49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d58b288a9b1c051e807fdfe9aeb0d739

SHA1
dc4b0761e8b81d385be2750a0a8eec527a553ef7

SHA256
562e232cf752c320a362d02e2e29dcb76b980c6c56ef067d2a02c20ce834e91b

SHA512
04bcba608b9f118507c26b8f31d9e1e9daa67b2076311e332b325898f0015f4ff66c32fe2a74ed7a9bb79ce5429831fcd8098913f63f7346a4d4be0d9c0d0fb2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 623027.crdownload

Filesize
3.1MB

MD5
7008f41c7ec54ba516f846b418884492

SHA1
fcea18435b70cfca9785a2404dee07ee6b9ab6a2

SHA256
419318a1c50872ef04a8fd9b75812d3e0d4087030cdd32ce35707dc314acad74

SHA512
6c980b32aa59bbf0f6382781b11414be0bf6080137da09212b38d27cb9b8035f6240e82a84b0fc0872ce3a8083ab5d4994e9ee3597ff3afeff82bd4db888dacc

Download Submit
C:\Users\Admin\Downloads\XDDOSX.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/228-401-0x000000001C110000-0x000000001C160000-memory.dmp

Filesize
320KB

Download
memory/228-402-0x000000001C220000-0x000000001C2D2000-memory.dmp

Filesize
712KB

Download
memory/3392-375-0x0000000000D70000-0x0000000001094000-memory.dmp

Filesize
3.1MB

Download
memory/4240-259-0x0000000074C30000-0x00000000753E1000-memory.dmp

Filesize
7.7MB

Download
memory/4240-3-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/4240-155-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/4240-2-0x0000000074C30000-0x00000000753E1000-memory.dmp

Filesize
7.7MB

Download
memory/4240-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/4240-4-0x0000000005C80000-0x0000000005D1C000-memory.dmp

Filesize
624KB

Download
memory/4240-1-0x0000000000D60000-0x0000000000D72000-memory.dmp

Filesize
72KB

Download